This article documents all Azure resources that ContraForce provisions during the onboarding process. Use this reference to understand what’s deployed in your environment, verify deployments, and plan for offboarding if needed.
The resources deployed depend on your module selection (XDR vs XDR + SIEM) and whether you enable AI Agents. Not all resources apply to every deployment.

Deployment Overview

ContraForce deploys resources across several Azure components:

  • Enterprise Applications: Service principals in Microsoft Entra ID for API access and authentication
  • Azure Lighthouse: Cross-tenant delegation for MSSP management scenarios
  • Apollo Infrastructure: Real-time incident notification system for Sentinel
  • Agent Infrastructure: AI agent hosting environment (optional)

Resources by Module

Resource Category | XDR Module | XDR + SIEM Module | With AI Agents
Core Enterprise Applications
Defender Enterprise Applications
Azure Lighthouse
Apollo Resource Group
Sentinel Resource Deployments
Agent Center Resource Group
Per-Agent Resource Groups

Phase 1: Initial Onboarding

The first phase provisions core enterprise applications required for all ContraForce deployments.

Enterprise Applications

These applications are provisioned and consented during initial setup:

| Application | Application ID | Purpose |
|---|---|---|
| ContraForce API | 24d97bc0-8f2b-45d5-8e0b-7fe286732ef2 | Core platform API access |
| ContraForce Portal | 8b7cb435-9526-47ee-b79a-34433f0daad2 | User authentication and portal access |

These two applications are required for all ContraForce deployments, regardless of module selection. They are consented during the first step of the onboarding wizard.

Permissions Granted

| Application | Permission Type | Permissions |
|---|---|---|
| ContraForce API | Application | SecurityEvents.Read.All, User.Read.All |
| ContraForce Portal | Delegated | User.Read, openid, profile |

Phase 2: Module-Specific Applications

Additional enterprise applications are consented based on your module selection and enabled features.

Microsoft Defender XDR Applications

| Application | Application ID | Purpose |
|---|---|---|
| ContraForce for MDE | 6efccc6a-f0d3-49e5-92d0-17d4afa9ba52 | Defender for Endpoint data access |
| ContraForce Gamebooks for MDE | ad7b0e79-3c37-4408-bf8f-eb89522cc920 | Endpoint response actions |

Identity Applications

| Application | Application ID | Purpose |
|---|---|---|
| ContraForce Gamebooks for Identity | 36b0d51c-4c0f-4810-9cc4-bfbd40c7dd4a | User response actions (disable, reset password) |
| ContraForce User Management | 460b65b7-3a5e-4a2c-98d0-e48fd35374a9 | User and group management |

Microsoft Sentinel Applications

| Application | Application ID | Purpose |
|---|---|---|
| ContraForce Sentinel Hunting | 6bf1c74d-7ade-4671-a507-166936f89a1f | Log Analytics queries for threat hunting |

Email Applications

| Application | Application ID | Purpose |
|---|---|---|
| ContraForce Gamebooks for Email | 44dbf6fe-45e3-48a3-bac3-f8d4cf1dba6d | Email response actions (soft delete) |

Phase 3: Microsoft Sentinel Core Components

For XDR + SIEM deployments, additional Azure resources establish the connection between your Sentinel environment and ContraForce.
This phase only applies to XDR + SIEM module deployments. XDR-only deployments skip this phase.

Azure Lighthouse Delegation

Azure Lighthouse enables cross-tenant management without credential sharing.

| Resource | Type | Description |
|---|---|---|
| ContraForceLighthouseDeployment | ARM Template | Assigns Sentinel resource group to ContraForce tenant |

What Lighthouse Enables

  • Cross-tenant visibility into your Sentinel workspace
  • Incident management without logging into your tenant
  • Centralized management for MSSPs
Azure Lighthouse is the Microsoft-recommended approach for MSSP scenarios. It provides secure delegated access without sharing credentials or creating guest accounts.

Role Assignments

| Principal | Role | Scope |
|---|---|---|
| ContraForce API | Sentinel Contributor | Sentinel Resource Group |
| ContraForce API | Reader | Sentinel Resource Group |

Resource Provider Registrations

The following resource providers are registered in your subscription:

| Resource Provider | Purpose |
|---|---|
| Microsoft.Network | Network resources for Apollo deployment |
| Microsoft.Storage | Storage accounts for Apollo deployment |

Phase 4: Apollo Resource Group

Apollo enables real-time Sentinel incident notifications. A dedicated resource group is created with supporting infrastructure.

Resource Group Details

| Property | Value |
|---|---|
| Name | rg-contraforce-apollo |
| Purpose | Real-time incident notification infrastructure |
| Location | Same region as your Sentinel workspace |

Resources Deployed

| Resource | Type | Purpose |
|---|---|---|
| Function App | Microsoft.Web/sites | Processes incident events |
| App Service Plan | Microsoft.Web/serverfarms | Hosts the Function App |
| Log Analytics Workspace | Microsoft.OperationalInsights/workspaces | Apollo diagnostics and logging |
| Application Insights | Microsoft.Insights/components | Function App monitoring |
| Storage Account | Microsoft.Storage/storageAccounts | Function App storage |
| Apollo Role Definition | Microsoft.Authorization/roleDefinitions | Custom role for Apollo access |
| Role Assignment | Microsoft.Authorization/roleAssignments | Apollo RG to Lighthouse delegation |

Apollo Architecture


Phase 5: Sentinel Resource Group Deployments

Resources are also deployed directly into your existing Sentinel resource group to enable incident streaming.

Resources in Sentinel Resource Group

| Resource | Type | Name |
|---|---|---|
| API Connection | Microsoft.Web/connections | microsoftsentinel-Publish-Incident-To-Apollo |
| Logic App | Microsoft.Logic/workflows | Publish-Incident-To-Apollo |
| Automation Rule | Microsoft.SecurityInsights/automationRules | Run-Playbook-Publish-Incident-To-Apollo |

How Incident Streaming Works

1. Incident Created: A new incident is created in Microsoft Sentinel
2. Automation Rule Triggers: The Run-Playbook-Publish-Incident-To-Apollo automation rule detects the new incident
3. Logic App Executes: The Publish-Incident-To-Apollo Logic App is triggered
4. Incident Sent: The Logic App sends incident data to the Apollo Function App
5. ContraForce Updated: The incident appears in the ContraForce Command Page in near real-time

Phase 6: Agent Center Resource Group (Optional)

If you deploy ContraForce AI Agents, a dedicated resource group hosts the core agent infrastructure.
AI Agents are an optional feature. Most deployments do not include agent infrastructure. Skip this section if you haven’t enabled AI Agents.

Resource Group Details

| Property | Value |
|---|---|
| Name | rg-cf-agent-center |
| Purpose | Core infrastructure for ContraForce AI agents |
| Location | Configured during agent deployment |

Resources Deployed

| Resource | Type | Purpose |
|---|---|---|
| AI Foundry | Microsoft.MachineLearningServices/workspaces | AI model management |
| CosmosDB | Microsoft.DocumentDB/databaseAccounts | Agent data storage |
| Container Apps Environment | Microsoft.App/managedEnvironments | Agent runtime environment |
| Container App (Infrastructure) | Microsoft.App/containerApps | Infrastructure management |
| Log Analytics Workspace | Microsoft.OperationalInsights/workspaces | Container Apps logging |
| Virtual Network (VNET) | Microsoft.Network/virtualNetworks | Network isolation |
| Azure Subnet | Subnet | Container Apps subnet |
| Private Endpoint Subnet | Subnet | Private endpoints |
| Cosmos DNS Zone | Microsoft.Network/privateDnsZones | CosmosDB DNS resolution |
| Key Vault DNS Zone | Microsoft.Network/privateDnsZones | Key Vault DNS resolution |
| CosmosDB Private Endpoint | Microsoft.Network/privateEndpoints | Secure CosmosDB access |
| Key Vault Private Endpoint | Microsoft.Network/privateEndpoints | Secure Key Vault access |
| Key Vaults | Microsoft.KeyVault/vaults | Secret management |
| Managed Identity | Microsoft.ManagedIdentity/userAssignedIdentities | Container App authentication |
| Storage Account | Microsoft.Storage/storageAccounts | Infrastructure management storage |

Phase 7: Per-Agent Resource Groups (Optional)

A dedicated resource group is created for each AI agent deployed per workspace.

Resource Group Naming

| Property | Pattern |
|---|---|
| Name Format | rg-cf-agent-{agent-id} |
| Example | rg-cf-agent-abc123 |

Resources Per Agent

| Resource | Type | Purpose |
|---|---|---|
| AI Foundry Project | Microsoft.MachineLearningServices/workspaces/projects | Agent-specific AI project |
| OpenAI Model Deployment | Microsoft.CognitiveServices/accounts/deployments | LLM for agent reasoning |
| Container App | Microsoft.App/containerApps | Agent application runtime |

Each workspace can have multiple agents, each with its own resource group. Monitor your Azure costs if you deploy many agents across many workspaces.

Complete Resource Summary

By Deployment Type

Enterprise Applications:
  • ContraForce API
  • ContraForce Portal
  • ContraForce for MDE
  • ContraForce Gamebooks for MDE
  • ContraForce Gamebooks for Identity
  • ContraForce User Management
  • ContraForce Gamebooks for Email
Azure Resources: None

Enterprise Application Quick Reference

| Application | App ID | Required For |
|---|---|---|
| ContraForce API | 24d97bc0-8f2b-45d5-8e0b-7fe286732ef2 | All deployments |
| ContraForce Portal | 8b7cb435-9526-47ee-b79a-34433f0daad2 | All deployments |
| ContraForce for MDE | 6efccc6a-f0d3-49e5-92d0-17d4afa9ba52 | Endpoint visibility |
| ContraForce Gamebooks for MDE | ad7b0e79-3c37-4408-bf8f-eb89522cc920 | Endpoint response |
| ContraForce Gamebooks for Identity | 36b0d51c-4c0f-4810-9cc4-bfbd40c7dd4a | User response |
| ContraForce User Management | 460b65b7-3a5e-4a2c-98d0-e48fd35374a9 | User management |
| ContraForce Sentinel Hunting | 6bf1c74d-7ade-4671-a507-166936f89a1f | Threat hunting |
| ContraForce Gamebooks for Email | 44dbf6fe-45e3-48a3-bac3-f8d4cf1dba6d | Email response |

Verifying Deployed Resources

Check Enterprise Applications

1. Open Entra ID
2. Go to Enterprise Applications: Click Identity > Applications > Enterprise applications
3. Search for ContraForce: Search for “ContraForce” to see all provisioned applications
4. Verify Status: Each application should show “Enabled” status
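
The portal check above can also be run against an exported inventory. The following is an added example, not ContraForce tooling: it reconciles a JSON list of service principal objects (assumed to carry the Microsoft Graph fields appId, displayName and accountEnabled) against the app IDs documented on this page, and reports missing apps, disabled apps, and apps that carry the ContraForce name under an undocumented app ID. The SIEM_ONLY mapping and the SAMPLE inventory, including its all-zero app ID, are assumptions constructed for illustration.

```python
import json

# App IDs copied from this page's Enterprise Application Quick Reference.
DOCUMENTED = {
    "24d97bc0-8f2b-45d5-8e0b-7fe286732ef2": "ContraForce API",
    "8b7cb435-9526-47ee-b79a-34433f0daad2": "ContraForce Portal",
    "6efccc6a-f0d3-49e5-92d0-17d4afa9ba52": "ContraForce for MDE",
    "ad7b0e79-3c37-4408-bf8f-eb89522cc920": "ContraForce Gamebooks for MDE",
    "36b0d51c-4c0f-4810-9cc4-bfbd40c7dd4a": "ContraForce Gamebooks for Identity",
    "460b65b7-3a5e-4a2c-98d0-e48fd35374a9": "ContraForce User Management",
    "6bf1c74d-7ade-4671-a507-166936f89a1f": "ContraForce Sentinel Hunting",
    "44dbf6fe-45e3-48a3-bac3-f8d4cf1dba6d": "ContraForce Gamebooks for Email",
}
# Assumption: only the XDR + SIEM module requires the Sentinel Hunting app.
SIEM_ONLY = {"6bf1c74d-7ade-4671-a507-166936f89a1f"}

def audit_enterprise_apps(service_principals, siem=False):
    """Compare tenant service principals with the documented application IDs."""
    expected = {a for a in DOCUMENTED if siem or a not in SIEM_ONLY}
    seen = set()
    report = {"missing": [], "disabled": [], "unexpected": []}
    for sp in service_principals:
        app_id = (sp.get("appId") or "").lower()
        name = sp.get("displayName") or ""
        if app_id in DOCUMENTED:
            seen.add(app_id)
            if not sp.get("accountEnabled", False):
                report["disabled"].append(DOCUMENTED[app_id])
        elif "contraforce" in name.lower():
            # ContraForce-named app whose ID is not documented on this page.
            report["unexpected"].append((name, app_id))
    report["missing"] = sorted(DOCUMENTED[a] for a in expected - seen)
    return report

# Constructed sample inventory (not real tenant data).
SAMPLE = json.loads("""[
  {"appId": "24d97bc0-8f2b-45d5-8e0b-7fe286732ef2", "displayName": "ContraForce API", "accountEnabled": true},
  {"appId": "8b7cb435-9526-47ee-b79a-34433f0daad2", "displayName": "ContraForce Portal", "accountEnabled": false},
  {"appId": "6efccc6a-f0d3-49e5-92d0-17d4afa9ba52", "displayName": "ContraForce for MDE", "accountEnabled": true},
  {"appId": "00000000-0000-0000-0000-000000000001", "displayName": "ContraForce Portal", "accountEnabled": true}
]""")

if __name__ == "__main__":
    print(json.dumps(audit_enterprise_apps(SAMPLE, siem=True), indent=2))
```

An entry under "unexpected" means the display name matches but the app ID does not, so review that application's consent grants before trusting it.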

Check Azure Resources

1. Open Azure Portal: Navigate to portal.azure.com
2. Search Resource Groups: Search for “contraforce” or “cf-agent” in resource groups
3. Verify Resources: Open each resource group and confirm expected resources exist

Check Role Assignments

1. Navigate to Sentinel Resource Group: Find your Sentinel resource group in Azure Portal
2. Open Access Control: Click Access control (IAM)
3. View Role Assignments: Click Role assignments tab
4. Find ContraForce: Search for “ContraForce” to verify assignments

Cost Considerations

Included Resources

Most ContraForce resources have minimal Azure cost impact:

| Resource Type | Typical Cost |
|---|---|
| Enterprise Applications | Free |
| Azure Lighthouse | Free |
| Role Assignments | Free |
| Logic App (Consumption) | ~$0.01-1/month |
| Function App (Consumption) | ~$1-5/month |

Potentially Significant Costs

AI Agent deployments can incur significant Azure costs depending on usage:
  • AI Foundry / OpenAI: Pay-per-token pricing
  • Container Apps: Compute costs based on usage
  • CosmosDB: Storage and throughput costs
Monitor your Azure spending if you enable AI Agents.

Troubleshooting

Common Issues

| Issue | Possible Cause | Solution |
|---|---|---|
| Missing enterprise apps | Consent incomplete | Re-run consent flow in workspace settings |
| Apollo resource group missing | Deployment failed | Check deployment history in Azure; contact support |
| Logic App not running | Disabled or failed | Enable the Logic App in Azure Portal |
| No incidents syncing | Automation rule disabled | Enable the automation rule in Sentinel |
| Role assignment missing | Manual removal | Re-run onboarding or manually add assignments |

Viewing Deployment History

1. Open Subscription: Navigate to your Azure subscription
2. Go to Deployments: Click Deployments in the left navigation
3. Find ContraForce Deployments: Search for “ContraForce” or “Apollo”
4. Review Status: Check deployment status and error messages


Questions about deployed resources? Contact us at [email protected].