ContraForce uses a modular application architecture designed around the principle of least privilege. Rather than requesting all permissions through a single application, ContraForce distributes responsibilities across purpose-built enterprise applications registered in your Microsoft Entra ID tenant. Each application receives only the permissions necessary for its specific function. This means you grant permissions only for the capabilities you actually use. For example, if you don't use Gamebooks to respond to endpoint threats, you never need to consent to the ContraForce Gamebooks for MDE application.
All enterprise applications require a Cloud Application Administrator, Application Administrator, or Global Administrator in the target Microsoft Entra tenant to complete the consent flow.
The core service principal that enables communication between ContraForce services and Microsoft APIs, including Microsoft Graph and Azure Resource Manager. This application coordinates all platform operations, from onboarding your workspace to managing Azure resources.
App ID: 24d97bc0-8f2b-45d5-8e0b-7fe286732ef2
Handles user authentication through Microsoft's OpenID Connect implementation and retrieves basic profile information for signed-in users. This application enables secure sign-in to ContraForce using your Microsoft work account.
App ID: 8b7cb435-9526-47ee-b79a-34433f0daad2
ContraForce for MDE (Microsoft Defender for Endpoint)
Provides visibility into Microsoft Defender for Endpoint data, enabling endpoint monitoring, incident ingestion, and threat intelligence display in the ContraForce portal. This application powers the Endpoints page and provides device health, alert, and security posture data.
App ID: 6efccc6a-f0d3-49e5-92d0-17d4afa9ba52
Requires Microsoft Defender for Endpoint to be deployed and active in the target tenant. Compatible with Microsoft 365 Business Premium, E3, E5, or standalone MDE licenses.
Calls the Log Analytics API to send direct queries to a Microsoft Sentinel workspace on behalf of the signed-in user. This enables deeper incident context via raw event and evidence logs, and powers the Advanced Hunting page in ContraForce.
App ID: 6bf1c74d-7ade-4671-a507-166936f89a1f
Only required for the XDR + SIEM module. Not needed for XDR-only deployments.
These enterprise applications enable Gamebook response actions. Each application is scoped to a specific entity type, ensuring least-privilege access for automated incident response.
Service Provider Mode: Application permissions enable MSPs/MSSPs to execute endpoint response actions in customer tenants without requiring a user to be actively signed in. For customer workspaces connected to a partner workspace, click both Consent and Consent for Partner during onboarding.
Enables automated session invalidation and account lockout without user presence.

| Permission | Admin consent required | Description |
|---|---|---|
| User.EnableDisableAccount.All | Yes | Enable and disable user accounts |
| Directory.Read.All | Yes | Read directory data |
| AuditLog.Read.All | Yes | Read all audit log data |
| RoleManagement.Read.Directory | Yes | Read all directory RBAC settings |
Password Reset always requires delegated permissions (on-behalf-of flow with a signed-in user). This action cannot be performed using application-only permissions, even in Service Provider Mode.
ContraForce Gamebooks for Email (Microsoft 365 Response)
Facilitates email response actions through the delete email Gamebook. This application can delete malicious emails from user mailboxes and purge phishing messages across the organization.
App ID: 44dbf6fe-45e3-48a3-bac3-f8d4cf1dba6d
Manages user access to your ContraForce workspace through security group membership and Portal role assignments. Consent to this application after initial onboarding, when you need to add or manage users.
App ID: 460b65b7-3a5e-4a2c-98d0-e48fd35374a9
ContraForce uses two types of Microsoft Entra ID permissions:

| Type | Description | Use Case |
|---|---|---|
| Delegated | Runs on behalf of a signed-in user. The effective access is the intersection of what the application was granted and what the signed-in user is allowed to do. | Interactive portal sessions, on-behalf-of flows |
| Application | Runs without a user context. The application acts with its own identity, so the granted permission is the full extent of its access. | Background operations, service provider automation |
By default, ContraForce requests delegated permissions. Application permissions are available for select Gamebook applications to support Service Provider Mode, where MSPs/MSSPs need to execute response actions in customer tenants without requiring an operator to be signed into each tenant.
After onboarding, you can review and manage enterprise application permissions in two locations:
From the ContraForce Portal: navigate to Settings → Permissions to consent to additional service principals or review existing consent status.
From the Microsoft Entra Admin Center: go to Enterprise Applications to review all ContraForce applications registered in your tenant and their granted permissions.
If you need to revoke consent for any ContraForce enterprise application:
Go to Azure Portal → Microsoft Entra ID → Enterprise Applications
Find the ContraForce application you want to revoke
Click Properties
Set Enabled for users to sign-in to No (to disable), or delete the application entirely. Disabling sign-in blocks token issuance for the application but leaves the consent grants in place; deleting the enterprise application (the service principal) removes its granted delegated and application permissions with it.
Revoking consent will disable the associated ContraForce capabilities for that workspace. For example, revoking the ContraForce for MDE application will cause the Endpoints page to stop showing devices.
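The distinction between delegated and application permissions above, and the review and revocation steps, can be checked programmatically rather than by clicking through each enterprise application. The following is an added example, not ContraForce's own code: it takes the JSON that Microsoft Graph returns from GET /servicePrincipals, GET /oauth2PermissionGrants and GET /servicePrincipals/{id}/appRoleAssignments, reports which ContraForce applications hold delegated scopes and which hold app-only roles, flags app-only roles on applications this page describes as delegated, compares the identity Gamebook's roles against the permission table above, and builds the Graph requests that actually remove consent. The sample responses, the `r-*` role IDs and the identity Gamebook App ID (which the page does not list) are constructed placeholders; the labels in POLICY are this example's own shorthand for the applications described on the page.

```python
"""Audit Entra consent held by the ContraForce service principals (added example)."""

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known appId
IDENTITY_GAMEBOOK_APP_ID = "00000000-0000-0000-0000-0000000000aa"  # placeholder, not on the page

# App IDs and the identity-Gamebook permission table are copied from this page.
# Tuple: (label, application permissions expected?, documented app-only permission set or None)
POLICY = {
    "24d97bc0-8f2b-45d5-8e0b-7fe286732ef2": ("core service", False, None),
    "8b7cb435-9526-47ee-b79a-34433f0daad2": ("sign-in (OIDC)", False, None),
    "6efccc6a-f0d3-49e5-92d0-17d4afa9ba52": ("ContraForce for MDE", False, None),
    "6bf1c74d-7ade-4671-a507-166936f89a1f": ("Log Analytics queries", False, None),
    "44dbf6fe-45e3-48a3-bac3-f8d4cf1dba6d": ("Gamebooks for Email", True, None),
    "460b65b7-3a5e-4a2c-98d0-e48fd35374a9": ("user management", False, None),
    IDENTITY_GAMEBOOK_APP_ID: ("Gamebooks for identity", True, frozenset({
        "User.EnableDisableAccount.All", "Directory.Read.All",
        "AuditLog.Read.All", "RoleManagement.Read.Directory"})),
}


def app_role_names(service_principals):
    """Map appRoleId -> permission name from the appRoles each resource SP exposes."""
    return {role["id"]: role["value"]
            for sp in service_principals for role in sp.get("appRoles", [])}


def audit(service_principals, grants, assignments):
    """Per ContraForce app: delegated scopes, app-only roles, and policy findings."""
    roles = app_role_names(service_principals)
    report = {}
    for sp in service_principals:
        pol = POLICY.get(sp["appId"])
        if pol is None:
            continue  # not a ContraForce application
        label, allow_app, documented = pol
        # oauth2PermissionGrant.scope is a space-separated list of delegated scopes
        delegated = {s for g in grants if g["clientId"] == sp["id"] for s in g["scope"].split()}
        # appRoleAssignments on the SP are application (app-only) permissions
        application = {roles.get(a["appRoleId"], a["appRoleId"])
                       for a in assignments if a["principalId"] == sp["id"]}
        findings = []
        if application and not allow_app:
            findings.append(f"application permissions granted but only delegated expected: {sorted(application)}")
        if documented is not None:
            findings += [f"undocumented application permission: {p}" for p in sorted(application - documented)]
            findings += [f"missing documented application permission: {p}" for p in sorted(documented - application)]
        report[sp["appId"]] = {"label": label, "object_id": sp["id"], "delegated": delegated,
                               "application": application, "findings": findings}
    return report


def revocation_plan(app_id, service_principals, grants, assignments):
    """Graph requests that disable sign-in AND remove the grants (disabling alone keeps them)."""
    plan = []
    for sp in (s for s in service_principals if s["appId"] == app_id):
        plan.append(("PATCH", f"/v1.0/servicePrincipals/{sp['id']}", {"accountEnabled": False}))
        plan += [("DELETE", f"/v1.0/oauth2PermissionGrants/{g['id']}", None)
                 for g in grants if g["clientId"] == sp["id"]]
        plan += [("DELETE", f"/v1.0/servicePrincipals/{sp['id']}/appRoleAssignments/{a['id']}", None)
                 for a in assignments if a["principalId"] == sp["id"]]
    return plan


# Constructed sample responses (shapes follow Graph; IDs are placeholders).
SAMPLE_SPS = [
    {"id": "sp-graph", "appId": GRAPH_APP_ID, "appRoles": [
        {"id": "r-enable", "value": "User.EnableDisableAccount.All"},
        {"id": "r-dir", "value": "Directory.Read.All"},
        {"id": "r-audit", "value": "AuditLog.Read.All"},
        {"id": "r-role", "value": "RoleManagement.Read.Directory"},
        {"id": "r-userrw", "value": "User.ReadWrite.All"}]},
    {"id": "sp-mde", "appId": "6efccc6a-f0d3-49e5-92d0-17d4afa9ba52"},
    {"id": "sp-identity", "appId": IDENTITY_GAMEBOOK_APP_ID},
]
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": "sp-mde", "resourceId": "sp-graph", "consentType": "AllPrincipals", "scope": "User.Read offline_access"},
    {"id": "g2", "clientId": "sp-identity", "resourceId": "sp-graph", "consentType": "AllPrincipals", "scope": "User.Read"},
]
SAMPLE_ASSIGNMENTS = [
    {"id": "a1", "principalId": "sp-identity", "resourceId": "sp-graph", "appRoleId": "r-enable"},
    {"id": "a2", "principalId": "sp-identity", "resourceId": "sp-graph", "appRoleId": "r-dir"},
    {"id": "a3", "principalId": "sp-identity", "resourceId": "sp-graph", "appRoleId": "r-audit"},
    {"id": "a4", "principalId": "sp-identity", "resourceId": "sp-graph", "appRoleId": "r-userrw"},  # not in the table
    {"id": "a5", "principalId": "sp-mde", "resourceId": "sp-graph", "appRoleId": "r-dir"},  # app-only on a delegated app
]

if __name__ == "__main__":
    for app_id, row in audit(SAMPLE_SPS, SAMPLE_GRANTS, SAMPLE_ASSIGNMENTS).items():
        print(row["label"], "delegated:", sorted(row["delegated"]), "application:", sorted(row["application"]))
        for finding in row["findings"]:
            print("  FINDING:", finding)
    for method, path, body in revocation_plan("6efccc6a-f0d3-49e5-92d0-17d4afa9ba52", SAMPLE_SPS, SAMPLE_GRANTS, SAMPLE_ASSIGNMENTS):
        print(method, path, body or "")
```

Feed it real tenant data by exporting the three collections with Graph Explorer or `az rest` and replacing the SAMPLE_* lists; for a partner-connected customer workspace, run it in the customer tenant, because that is where Consent for Partner places the application permissions. The revocation plan is only a list of requests; review it before sending anything, since deleting the grants disables the corresponding ContraForce capability immediately.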