ContraForce uses a modular application architecture designed around the principle of least privilege. Rather than requesting all permissions through a single application, ContraForce distributes responsibilities across purpose-built enterprise applications registered in your Microsoft Entra ID tenant. Each application receives only the permissions necessary for its specific function. This means you grant permissions only for the capabilities you actually use. For example, if you do not use Gamebooks to respond to endpoint threats, you never need to consent the ContraForce Gamebooks for MDE application.
Consent model. ContraForce enterprise applications are consented with application (app-only) Microsoft Graph permissions. Tenant-wide admin consent for Microsoft Graph application permissions can be granted only by a Global Administrator or a Privileged Role Administrator; Cloud Application Administrator and Application Administrator cannot grant it. The privileged role is needed only for the one-time consent and is not retained by ContraForce: activate it just-in-time with Privileged Identity Management (PIM) and deactivate it afterward.

Because actions run as the application (no signed-in user required), operator control is enforced through Gamebook approval gates (only Workspace Owners can approve high-impact actions) and a complete audit trail in the Gamebooks History page.
This is the core service principal that enables communication between ContraForce services and Microsoft APIs, including Microsoft Graph and Azure Resource Manager. It coordinates all platform operations, from onboarding your workspace to managing Azure resources.

App ID: 24d97bc0-8f2b-45d5-8e0b-7fe286732ef2
| Permission | Admin Consent | Purpose |
|---|---|---|
| | | Enables refresh token acquisition for persistent sessions |
| profile | No | Retrieves the signed-in user's name and object ID |
| Application.Read.All | Yes | Evaluates which ContraForce service principals have been consented |
| RoleManagement.Read.All | Yes | Evaluates user roles for Portal access control |
| RoleManagement.ReadWrite.Directory | Yes | Assigns the password-reset directory role to the Gamebooks for Identity app when a customer enables the service-provider password reset add-on |
| User.Read.All | Yes | Reads user profile data for user management operations |
| user_impersonation (Azure Service Management) | No | Used throughout platform operation, not only at onboarding: backs Microsoft Sentinel access; enumeration of subscriptions, resource groups, and identity role assignments; and, with AI Agents, reading model capacities and quotas and pushing agent model and harness updates |

The two rows that need no admin consent (profile and user_impersonation) are delegated scopes exercised with a signed-in user; the remaining rows are application permissions. RoleManagement.ReadWrite.Directory deserves particular attention during review: it allows the holder to assign any Entra directory role, including Global Administrator, to any principal, so the core application's credentials should be treated as equivalent to a privileged admin account.
Handles user authentication through Microsoft's OpenID Connect implementation and retrieves basic profile information for signed-in users. This application enables secure sign-in to ContraForce using your Microsoft work account.

App ID: 8b7cb435-9526-47ee-b79a-34433f0daad2
ContraForce for MDE (Microsoft Defender for Endpoint)
Provides visibility into Microsoft Defender for Endpoint data, enabling endpoint monitoring, incident ingestion, and threat intelligence display in the ContraForce portal. This application provides device health, alert, and security posture data from Defender for Endpoint.

App ID: 6efccc6a-f0d3-49e5-92d0-17d4afa9ba52
Requires Microsoft Defender for Endpoint to be deployed and active in the target tenant. Compatible with Microsoft 365 Business Premium, E3, E5, or standalone MDE licenses.
Calls the Log Analytics API to send direct queries to a Microsoft Sentinel workspace on behalf of the signed-in user (a delegated flow). This enables deeper incident context via raw event and evidence logs, and powers the Advanced Hunting page in ContraForce.

App ID: 6bf1c74d-7ade-4671-a507-166936f89a1f
Only required for the XDR + SIEM module. Not needed for XDR-only deployments.
These enterprise applications enable Gamebook response actions. Each application is scoped to a specific entity type, ensuring least-privilege access for automated incident response.
Service Provider Mode: Application permissions enable MSPs/MSSPs to execute endpoint response actions in customer tenants without requiring a user to be actively signed in. For each module, click Consent on the workspace Modules tab to grant these permissions.
These permissions are consented only if a customer enables the optional service-provider password reset add-on (Identity module → Allow service provider to reset passwords). The add-on lets the Reset Password Gamebook run app-only, without an on-behalf-of signed-in user. Enabling it is a customer decision and must be authorized by a Global Administrator or Privileged Role Administrator in the customer tenant.

| Permission | Admin Consent | Purpose |
|---|---|---|
| User-PasswordProfile.ReadWrite.All | Yes | Sets a new password on a user's passwordProfile so Reset Password can run app-only |
Directory role grant. Enabling the add-on also assigns the Authentication Administrator Entra directory role to the ContraForce Gamebooks for Identity service principal in your tenant. This is a privileged role. It allows password and authentication-method management for non-administrator users only; it cannot reset passwords for Global Administrators or holders of other higher-privileged roles, and a pre-flight check blocks those targets. The assignment is made only with explicit customer consent, and turning the add-on off removes it.

Because this grant is a directory role rather than a Microsoft Graph application permission, it does not appear in the enterprise application's Permissions blade or in scripts that enumerate app role assignments. Review it under Microsoft Entra ID → Roles and administrators → Authentication Administrator, or by listing directory role assignments for the service principal (see Auditing Enterprise App Permissions).
When the add-on is not enabled, Reset Password runs through the delegated (on-behalf-of) flow and requires a signed-in user with sufficient privileges. The modern Graph resetPassword endpoint does not support application-only calls, so app-only resets use the passwordProfile path enabled by the add-on above.
ContraForce Gamebooks for Email (Microsoft 365 Response)
Facilitates email response actions through the delete email Gamebook. This application can delete malicious emails from user mailboxes and purge phishing messages across the organization.

App ID: 44dbf6fe-45e3-48a3-bac3-f8d4cf1dba6d
Group-to-workspace mapping is managed directly in the ContraForce portal under Settings → User Management. ContraForce no longer provisions a separate User Management enterprise application for group management.
ContraForce uses two types of Microsoft Entra ID permissions:

| Type | Description | Use Case |
|---|---|---|
| Application (app-only) | Runs without a user context; the application acts with its own identity. | The default for ContraForce enterprise applications: automated investigation and response actions that execute without a signed-in user |
| Delegated | Runs on behalf of a signed-in user; the application can only do what that user is permitted to do. | Portal sign-in (OIDC) and the specific on-behalf-of flows that require a user, such as password reset |
ContraForce enterprise applications are consented with application (app-only) permissions, so response actions can execute in a customer tenant without requiring an operator to be signed in. Because these actions run unattended, operator control is enforced through Gamebook approval gates and a complete audit trail in the Gamebooks History page. A small number of flows use delegated permissions with a signed-in user — for example, password reset runs on-behalf-of by default, unless a customer enables the service-provider password reset add-on, which lets it run app-only via a customer-consented passwordProfile permission and directory role (see ContraForce Gamebooks for Identity).
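The practical way to tell which of the two models a given action ran under is the access token (or the token claims recorded by the resource): delegated tokens carry an `scp` claim listing the user's consented scopes, app-only tokens carry a `roles` claim listing application permissions and, where the optional claim is configured, `idtyp` set to `app`. The following is an added example, not ContraForce code; the sample tokens are constructed inline with dummy header and signature and reuse the App IDs and permission names from this page.

```powershell
# Added example (not ContraForce code): classify an access token as app-only or delegated
# from its claims. Delegated tokens carry "scp"; app-only tokens carry "roles" and, when the
# optional claim is configured, "idtyp":"app". Only the payload is decoded; the signature is
# NOT validated, so use this for triage and log review, never as an authorization check.
function ConvertFrom-Base64Url([string] $Text) {
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }   # restore padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function ConvertTo-Base64Url([string] $Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-TokenContext([string] $Jwt) {
    $parts  = $Jwt -split '\.'
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    # v2 tokens name the calling app in "azp", v1 tokens in "appid"
    $caller = if ($claims.PSObject.Properties['azp']) { $claims.azp } else { $claims.appid }
    if ($claims.PSObject.Properties['scp']) {
        [pscustomobject]@{ Type = 'Delegated';   Granted = $claims.scp;                 Actor = $claims.oid; AppId = $caller }
    } elseif ($claims.PSObject.Properties['roles']) {
        [pscustomobject]@{ Type = 'Application'; Granted = ($claims.roles -join ' ');   Actor = $claims.oid; AppId = $caller }
    } else {
        [pscustomobject]@{ Type = 'Unknown';     Granted = $null;                       Actor = $claims.oid; AppId = $caller }
    }
}

# Constructed sample tokens for this example: dummy header and signature, made-up object IDs,
# App IDs and permission names taken from this page (core app: User.Read.All; sign-in app: profile).
function New-SampleJwt([hashtable] $Payload) {
    $header = ConvertTo-Base64Url '{"alg":"RS256","typ":"JWT"}'
    $body   = ConvertTo-Base64Url ($Payload | ConvertTo-Json -Compress)
    '{0}.{1}.dummysignature' -f $header, $body
}

$appOnly = New-SampleJwt @{
    aud = 'https://graph.microsoft.com'; appid = '24d97bc0-8f2b-45d5-8e0b-7fe286732ef2'
    oid = '11111111-1111-1111-1111-111111111111'; roles = @('User.Read.All'); idtyp = 'app'
}
$delegated = New-SampleJwt @{
    aud = 'https://graph.microsoft.com'; appid = '8b7cb435-9526-47ee-b79a-34433f0daad2'
    oid = '22222222-2222-2222-2222-222222222222'; scp = 'openid profile'
}

Get-TokenContext $appOnly     # Type=Application, Granted=User.Read.All, Actor = the service principal's object ID
Get-TokenContext $delegated   # Type=Delegated,   Granted=openid profile, Actor = the signed-in user's object ID
```

For an app-only token the `oid` is the service principal's object ID rather than a user's, which is why operator accountability for those actions has to come from the Gamebook approval gate and history page rather than from the token itself.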
After onboarding, you can review and manage enterprise application permissions in two locations.

From the ContraForce Portal: navigate to Settings → Permissions to consent additional service principals or review existing consent status.

From the Microsoft Entra admin center: go to Enterprise applications to review all ContraForce applications registered in your tenant and their granted permissions. Directory roles are not shown there; check Microsoft Entra ID → Roles and administrators for any role assigned to the ContraForce Gamebooks for Identity service principal.
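The portal review above is per application and does not surface directory roles. The script below is an added example, not ContraForce code, that inventories every ContraForce service principal from this page in one pass using the Microsoft Graph PowerShell SDK: app-only permissions (resolved from role GUIDs to names), delegated grants, and directory role assignments. The App ID list and the `$sensitive` watch-list are assumptions for this example; extend them with any other ContraForce applications you have consented.

```powershell
# Added example (not ContraForce code). Inventory the ContraForce service principals in this
# tenant: app-only Microsoft Graph permissions, delegated grants, and Entra directory roles.
# Requires the Microsoft.Graph PowerShell SDK and a reader-level admin (e.g. Global Reader).
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

# Assumption: the App IDs published on this page; add others you have consented.
$contraForceAppIds = @(
    '24d97bc0-8f2b-45d5-8e0b-7fe286732ef2',  # core platform application
    '8b7cb435-9526-47ee-b79a-34433f0daad2',  # sign-in (OpenID Connect) application
    '6efccc6a-f0d3-49e5-92d0-17d4afa9ba52',  # ContraForce for MDE
    '6bf1c74d-7ade-4671-a507-166936f89a1f',  # Log Analytics / Advanced Hunting application
    '44dbf6fe-45e3-48a3-bac3-f8d4cf1dba6d'   # ContraForce Gamebooks for Email
)

# appRoleAssignments store only the role GUID; resolve names through the Microsoft Graph
# service principal's appRoles (Graph's App ID is the well-known 00000003-0000-0000-c000-000000000000).
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($r in $graphSp.AppRoles) { $roleName[$r.Id] = $r.Value }

# Assumption: my own watch-list of grants that warrant a second look during review.
$sensitive = @('RoleManagement.ReadWrite.Directory', 'User-PasswordProfile.ReadWrite.All')

foreach ($appId in $contraForceAppIds) {
    $sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
    if (-not $sp) { Write-Host "$appId : not consented in this tenant"; continue }
    Write-Host "`n$($sp.DisplayName) ($appId) accountEnabled=$($sp.AccountEnabled)"

    # Application (app-only) permissions: one appRoleAssignment per granted permission
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All | ForEach-Object {
        $name = $roleName[$_.AppRoleId]
        if (-not $name) { $name = $_.AppRoleId }        # non-Graph resource: keep the GUID
        $flag = if ($sensitive -contains $name) { '  <-- sensitive' } else { '' }
        Write-Host "  app permission: $name on $($_.ResourceDisplayName)$flag"
    }

    # Delegated grants (profile, user_impersonation, ...) live in oauth2PermissionGrants
    Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All | ForEach-Object {
        Write-Host "  delegated scope(s): $($_.Scope.Trim()) (consentType=$($_.ConsentType))"
    }

    # Directory roles are a separate grant and never appear in the two lists above
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'" -All | ForEach-Object {
        $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
        Write-Host "  directory role: $($def.DisplayName)  <-- review"
    }
}
```

Run it before and after enabling the password reset add-on: the only difference should be the User-PasswordProfile.ReadWrite.All permission and the Authentication Administrator role on the Gamebooks for Identity service principal.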
If you need to revoke consent for any ContraForce enterprise application:
Go to Azure Portal → Microsoft Entra ID → Enterprise applications
Find the ContraForce application you want to revoke
Click Properties
Set Enabled for users to sign-in? to No (to disable) or delete the application entirely
Disabling sign-in blocks token issuance for the service principal, including app-only tokens, but leaves its granted permissions and any directory role in place, so re-enabling it restores full access. To revoke the grants themselves, remove the application's app role assignments and delegated grants (for example with Microsoft Graph or PowerShell) or delete the application, and remove any directory role assignment separately. Either way, the associated ContraForce capabilities for that workspace stop working. For example, revoking the ContraForce for MDE application will stop Defender for Endpoint device and incident data from appearing in ContraForce.
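Because disabling sign-in alone leaves the grants behind, a complete revocation removes them explicitly. The function below is an added example, not ContraForce code; it uses the Microsoft Graph PowerShell SDK, supports `-WhatIf` so you can preview the removals, and assumes you run it as a Global Administrator activated through PIM (needed for the directory role step). The App ID in the usage call is ContraForce for MDE from this page.

```powershell
# Added example (not ContraForce code): fully revoke one ContraForce enterprise application.
# Removes app-only grants, delegated grants and directory role assignments, then disables
# the service principal so nothing missed above can still obtain a token.
function Revoke-ContraForceApp {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $AppId
    )
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { throw "No service principal for $AppId in this tenant; nothing to revoke" }

    # 1. Application (app-only) permissions: each appRoleAssignment is one granted permission
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        if ($PSCmdlet.ShouldProcess($sp.DisplayName, "remove app permission $($a.AppRoleId) on $($a.ResourceDisplayName)")) {
            Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $a.Id
        }
    }

    # 2. Delegated grants (profile, user_impersonation, ...)
    foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All) {
        if ($PSCmdlet.ShouldProcess($sp.DisplayName, "remove delegated scopes '$($g.Scope.Trim())'")) {
            Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
        }
    }

    # 3. Directory roles (the Authentication Administrator grant from the password reset
    #    add-on lives here, not in the permission lists above)
    foreach ($ra in Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'" -All) {
        if ($PSCmdlet.ShouldProcess($sp.DisplayName, "remove directory role assignment $($ra.RoleDefinitionId)")) {
            Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $ra.Id
        }
    }

    # 4. Block token issuance for the service principal (same effect as the portal's
    #    "Enabled for users to sign-in? = No")
    if ($PSCmdlet.ShouldProcess($sp.DisplayName, 'disable sign-in')) {
        Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false
    }
}

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All', 'RoleManagement.ReadWrite.Directory' -NoWelcome
# Preview first; drop -WhatIf to apply.
Revoke-ContraForceApp -AppId '6efccc6a-f0d3-49e5-92d0-17d4afa9ba52' -WhatIf
```

Deleting the service principal (Remove-MgServicePrincipal) removes its app role assignments and delegated grants with it, but directory role assignments should still be checked afterwards, and deletion means the application must be consented from scratch if the module is re-enabled later.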
Verify the account holds the Global Administrator or Privileged Role Administrator role (activated through PIM if applicable). Admin consent for Microsoft Graph application permissions cannot be granted by Cloud Application Administrator or Application Administrator.
| Symptom | Cause | Resolution |
|---|---|---|
| Application shows "Not Configured" | Consent flow incomplete | Re-run consent from workspace settings (gear icon) |
| Gamebook actions unavailable | Service principal not consented | Consent the relevant Gamebooks application for the entity type |