Pre-Onboarding Requirements
Complete these items before starting the onboarding wizard.
Customer Information
- Customer domain confirmed
- Customer Microsoft tenant identified
- Module selection determined (XDR or XDR + SIEM)
- Customer licensing tier verified (Defender for Endpoint Plan 1, Plan 2, or Defender for Business)
- Notification email or distribution list confirmed
Credentials & Permissions
- Global Administrator credentials available for the customer’s Microsoft Entra tenant (required to consent enterprise applications)
- Subscription Owner access confirmed on the customer’s Azure subscription (XDR + SIEM only)
Environment Details (XDR + SIEM Only)
- Azure subscription ID documented
- Microsoft Sentinel workspace name confirmed
- Sentinel workspace region noted
ContraForce Platform Readiness
- Parent tenant platform onboarding completed (Platform Onboarding Guide)
- Organization-level groups created and ready for workspace assignment (User & Group Management)
- Role assignments planned for this customer workspace (Roles & Permissions Reference)
Onboarding Steps
Step 1: Create the Customer Workspace
- Navigate to the Workspaces page in ContraForce
- Click Add Workspace (or use a pre-onboarded workspace if one was created earlier)
- Enter the workspace name and basic configuration details
- Confirm the workspace appears in the workspace list
Tip: You can pre-onboard workspaces before the customer is ready. This creates a placeholder that streamlines deployment day. See Workspace Manager for details.
Step 2: Launch the Onboarding Wizard
- Click the gear icon on the customer workspace row
- Select the Modules tab
- Click Configure or Start Onboarding Wizard
Step 3: Consent Core Enterprise Applications
Sign in with the customer’s Global Admin credentials and consent the following applications:
- ContraForce API — Core platform connectivity
- ContraForce Portal — User interface access
Troubleshooting: If the consent popup doesn’t appear, disable the pop-up blocker for portal.contraforce.com. If consent fails with a permissions error, verify the account has Global Administrator privileges.
Step 4: Select and Configure the Module
Choose the appropriate module based on the customer’s environment:
XDR Module (Defender XDR only)
- Select XDR module in the wizard
- Deployment completes in approximately 15–20 minutes
- No Azure resources are deployed
XDR + SIEM Module
- Select XDR + SIEM module in the wizard
- Deployment completes in approximately 30–45 minutes
- Azure resources will be provisioned (see Step 6)
Step 5: Consent Module Enterprise Applications
Consent additional enterprise applications required for the selected module.
For XDR Module:
- ContraForce for Microsoft Defender for Endpoint (MDE)
- ContraForce Gamebooks for Microsoft Defender for Endpoint
- ContraForce Gamebooks for Identity
- ContraForce Gamebooks for Email
- ContraForce Sentinel Hunting
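Added example (not ContraForce code): a post-consent audit for Steps 3 and 5 that reads a service principal export in the shape Microsoft Graph returns from `GET /servicePrincipals`, reports which expected applications are still missing, and flags any same-named application owned by a different publisher tenant. Assumptions: the display names in the tenant match the names on this page, which lists no application IDs; the publisher tenant ID and all sample records are constructed placeholders. Pass only the names that apply to the selected module.

```python
import json

# Display names as listed in Steps 3 and 5 of this page (name match is an assumption;
# pin on application IDs instead once the vendor provides them).
EXPECTED_APPS = [
    "ContraForce API",
    "ContraForce Portal",
    "ContraForce for Microsoft Defender for Endpoint (MDE)",
    "ContraForce Gamebooks for Microsoft Defender for Endpoint",
    "ContraForce Gamebooks for Identity",
    "ContraForce Gamebooks for Email",
    "ContraForce Sentinel Hunting",
]
PUBLISHER = "00000000-0000-0000-0000-0000000000aa"  # placeholder, not a real tenant ID

def audit_consent(service_principals, expected, publisher_tenant_id):
    """Return (missing, lookalikes): expected names with no service principal owned
    by the publisher tenant, and appIds that reuse an expected name from elsewhere."""
    wanted = {name.casefold() for name in expected}
    trusted_names, lookalikes = set(), []
    for sp in service_principals:
        name = (sp.get("displayName") or "").strip().casefold()
        if name not in wanted:
            continue  # unrelated application
        if sp.get("appOwnerOrganizationId") == publisher_tenant_id:
            trusted_names.add(name)
        else:
            lookalikes.append(sp.get("appId"))  # same name, different owner tenant
    missing = [n for n in expected if n.casefold() not in trusted_names]
    return missing, lookalikes

# Constructed export: six expected apps consented, one not yet consented,
# plus one look-alike "ContraForce Portal" registered in another tenant.
SAMPLE_EXPORT = json.dumps({"value": (
    [{"appId": f"11111111-0000-0000-0000-00000000000{i}", "displayName": n,
      "appOwnerOrganizationId": PUBLISHER} for i, n in enumerate(EXPECTED_APPS[:6])]
    + [{"appId": "22222222-0000-0000-0000-000000000001",
        "displayName": "ContraForce Portal ",
        "appOwnerOrganizationId": "00000000-0000-0000-0000-0000000000bb"}]
)})

def run_sample():
    return audit_consent(json.loads(SAMPLE_EXPORT)["value"], EXPECTED_APPS, PUBLISHER)

if __name__ == "__main__":
    missing, lookalikes = run_sample()
    print("not yet consented:", missing)
    print("same name, different publisher tenant:", lookalikes)
```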
Step 6: Deploy Azure Resources (XDR + SIEM Only)
Skip this step if you selected the XDR-only module.
- Select the customer’s Azure subscription from the dropdown
- Select the customer’s Microsoft Sentinel workspace
- Click Deploy to provision Apollo infrastructure (incident streaming)
- Wait 2–5 minutes for deployment to complete — do not close the browser
- Verify Azure Lighthouse delegation completed successfully
- Confirm Apollo resource group (rg-contraforce-apollo) shows Active status
Troubleshooting: If deployment fails, verify the account has Subscription Owner access. Check for restrictive Azure Policies that may block Lighthouse delegations. If an existing Lighthouse delegation conflicts, remove it and retry.
Step 7: Add Users and Groups
- Assign organization-level groups to the workspace with appropriate roles (recommended over individual users)
- Add at least one user with the Admin role during onboarding
- Add customer-specific users at the workspace level if the customer needs portal access
- Create customer-specific groups if needed
| Role | Best For |
|---|---|
| Admin | Team leads, workspace owners |
| Incident Responder | SOC analysts who need response capabilities |
| Incident Analyst | Junior analysts, read-only access |
| Data Source Admin | Integration specialists |
| Content Admin | Detection engineers (SIEM only) |
Step 8: Consent User Management Service Principal
This enables post-onboarding user management for the workspace.
- Navigate to the Workspaces page
- Click the gear icon on the workspace row
- Locate the User Management service principal
- Click Consent and complete the Microsoft consent flow with admin credentials
Post-Onboarding Verification
Complete these checks immediately after onboarding to confirm a successful deployment.
Core Functionality
- Navigate to the Command Dashboard and verify incidents are appearing (allow 5–15 minutes for initial sync)
- Open an incident and confirm the Workbench loads with entity context and timeline
- Verify Gamebook response actions are available on an incident (do not execute on production entities)
- Navigate to the Endpoints page and confirm devices are listed (Defender for Endpoint customers)
- Verify partner team members can access the workspace
- Test access with a non-admin account to confirm role-based permissions work correctly
Module-Specific Verification (XDR + SIEM Only)
- Confirm Sentinel incidents are syncing alongside Defender XDR incidents
- Navigate to Content Management System (CMS) and verify the detection rule library is accessible
- Deploy an initial set of detection rules matching the customer’s data sources (CMS Module Guide)
- Verify log search is functional
Configure Notifications (XDR + SIEM Only)
- Navigate to Settings → Notifications
- Select the customer workspace
- Enable severity-level filters appropriate for the customer’s SLA
- Add the confirmed notification email or distribution list
- Save notification preferences
- Confirm a test notification is received (check spam/junk if not received)
Note: For XDR-only deployments, notification options are limited. Full notification customization requires the XDR + SIEM module.
Optional Post-Onboarding Enhancements
These items are not required for go-live but are recommended for a complete deployment.
Security Delivery Agents (SDAs)
- Deploy Agent Center infrastructure via Azure AI Foundry (Agent Center Deployment Guide)
- Configure first Security Delivery Agent (SDA)
- Set agent mode (Manual → Automatic → Autonomous based on comfort level)
- Verify agent is processing incidents by checking On Queue status
Required roles: Organizational Admin + Workspace Owner. Required permissions: Subscription Owner in Azure.
Partner API Integration
- Review API Documentation for ITSM or SOAR integration requirements
- Configure API connectivity if the customer requires ticketing or workflow integration
Go-Live Communication
- Notify the customer that ContraForce is live on their environment
- Share relevant documentation links with the customer team
- Confirm the customer knows how to reach your delivery team
- Document any customer-specific configuration notes or permission exceptions
- Schedule a follow-up check-in within 7 days to review initial incident volume and rule tuning
Need help? Contact us at [email protected].