Overview
ContraForce uses a modular application architecture designed around the principle of least privilege. Rather than requesting all permissions through a single application, ContraForce distributes responsibilities across purpose-built enterprise applications registered in your Microsoft Entra ID tenant. Each application only receives the permissions necessary for its specific function.
This means you only grant permissions for the capabilities you actually use. For example, if you don’t use Gamebooks to respond to endpoint threats, you never need to consent the ContraForce Gamebooks for MDE application.
All enterprise applications require a Global Administrator in the target Microsoft Entra tenant to complete the consent flow.
Quick Reference
| Application | App ID | Required For | Consent Timing |
|---|---|---|---|
| ContraForce API | 24d97bc0-8f2b-45d5-8e0b-7fe286732ef2 | All deployments | Onboarding (Step 1) |
| ContraForce Portal | 8b7cb435-9526-47ee-b79a-34433f0daad2 | All deployments | Onboarding (Step 1) |
| ContraForce for MDE | 6efccc6a-f0d3-49e5-92d0-17d4afa9ba52 | Endpoint visibility | Module consent |
| ContraForce Gamebooks for MDE | ad7b0e79-3c37-4408-bf8f-eb89522cc920 | Endpoint response actions | Module consent |
| ContraForce Gamebooks for Identity | 36b0d51c-4c0f-4810-9cc4-bfbd40c7dd4a | User response actions | Module consent |
| ContraForce Gamebooks for Email | 44dbf6fe-45e3-48a3-bac3-f8d4cf1dba6d | Email response actions | Module consent |
| ContraForce Sentinel Hunting | 6bf1c74d-7ade-4671-a507-166936f89a1f | Log search & threat hunting | Module consent (XDR + SIEM only) |
| ContraForce User Management | 460b65b7-3a5e-4a2c-98d0-e48fd35374a9 | Post-onboarding user management | Post-onboarding |
Applications by Module
All Deployments
Every ContraForce deployment requires these two core applications:
- ContraForce API — Core platform connectivity
- ContraForce Portal — User authentication and portal access
XDR Module
Core applications plus:
- ContraForce for MDE — Endpoint visibility and incident data
- ContraForce Gamebooks for MDE — Endpoint response actions
- ContraForce Gamebooks for Identity — User response actions
- ContraForce Gamebooks for Email — Email response actions
- ContraForce User Management — Post-onboarding user management
XDR + SIEM Module
Everything in XDR, plus:
- ContraForce Sentinel Hunting — Log Analytics queries and threat hunting
Core Applications
ContraForce API
The core service principal that enables communication between ContraForce services and Microsoft APIs including Microsoft Graph and Azure Resource Manager. This application coordinates all platform operations — from onboarding your workspace to managing Azure resources.
App ID: 24d97bc0-8f2b-45d5-8e0b-7fe286732ef2
Delegated Permissions
| Permission | Admin Consent | Purpose |
|---|---|---|
| offline_access | No | Enables refresh token acquisition for persistent sessions |
| openid | No | Allows sign-in using OpenID Connect |
| profile | No | Retrieves signed-in user’s name and object ID |
| Application.Read.All | Yes | Evaluates which ContraForce service principals have been consented |
| RoleManagement.Read.Directory | Yes | Evaluates user roles for Portal access control |
| User.Read.All | Yes | Reads user profile data for user management operations |
| user_impersonation (Azure Service Management) | No | Performs Azure resource onboarding and deployment |
Application Permissions
| Permission | Admin Consent | Purpose |
|---|---|---|
| SecurityEvents.Read.All | Yes | Reads security alerts and incidents |
| User.Read.All | Yes | Reads user profile data |
ContraForce Portal
Handles user authentication through Microsoft’s OpenID Connect implementation and retrieves basic profile information for signed-in users. This application enables secure sign-in to ContraForce using your Microsoft work account.
App ID: 8b7cb435-9526-47ee-b79a-34433f0daad2
Delegated Permissions
| Permission | Admin Consent | Purpose |
|---|---|---|
| offline_access | No | Enables refresh token acquisition |
| openid | No | Allows sign-in using OpenID Connect |
| profile | No | Retrieves signed-in user’s name and object ID |
Detection & Visibility Applications
ContraForce for MDE (Microsoft Defender for Endpoint)
Provides visibility into Microsoft Defender for Endpoint data, enabling endpoint monitoring, incident ingestion, and threat intelligence display in the ContraForce portal. This application powers the Endpoints page and provides device health, alert, and security posture data.
App ID: 6efccc6a-f0d3-49e5-92d0-17d4afa9ba52
Requires Microsoft Defender for Endpoint to be deployed and active in the target tenant. Compatible with Microsoft 365 Business Premium, E3, E5, or standalone MDE licenses.
Delegated Permissions
| Permission | API | Admin Consent | Purpose |
|---|---|---|---|
| ThreatHunting.Read.All | Microsoft Graph | Yes | Enables threat hunting queries |
| SecurityAlert.Read.All | Microsoft Graph | Yes | Displays security alerts |
| SecurityIncident.Read.All | Microsoft Graph | Yes | Displays security incidents |
| SecurityIncident.ReadWrite.All | Microsoft Graph | Yes | Manages security incidents |
| Incident.Read | Microsoft Threat Protection | Yes | Reads threat protection incidents |
| Incident.ReadWrite | Microsoft Threat Protection | Yes | Manages threat protection incidents |
| AdvancedQuery.Read | WindowsDefenderATP | Yes | Queries raw event and incident data |
| Alert.Read | WindowsDefenderATP | Yes | Displays Defender alerts |
| Machine.Read | WindowsDefenderATP | Yes | Retrieves endpoint profile details |
| Score.Read | WindowsDefenderATP | Yes | Displays Threat and Vulnerability Management scores |
| Vulnerability.Read | WindowsDefenderATP | Yes | Displays vulnerability information |
ContraForce Sentinel Hunting
Calls the Log Analytics API to send direct queries to a Microsoft Sentinel workspace on behalf of the signed-in user. This enables deeper incident context via raw event and evidence logs, and powers the Advanced Hunting page in ContraForce.
App ID: 6bf1c74d-7ade-4671-a507-166936f89a1f
Only required for the XDR + SIEM module. Not needed for XDR-only deployments.
Delegated Permissions
| Permission | API | Admin Consent | Purpose |
|---|---|---|---|
| Data.Read | Log Analytics API | Yes | Queries Log Analytics workspace data for incident evidence and threat hunting |
Response Applications (Gamebooks)
These enterprise applications enable Gamebook response actions. Each application is scoped to a specific entity type, ensuring least-privilege access for automated incident response.
ContraForce Gamebooks for MDE
Enables automated response actions targeting endpoint entities, including device isolation, antivirus scans, and file quarantine operations.
App ID: ad7b0e79-3c37-4408-bf8f-eb89522cc920
Delegated Permissions (Default)
| Permission | Admin Consent | Purpose |
|---|---|---|
| Machine.Isolate | Yes | Isolates endpoints from the network |
| Machine.Offboard | Yes | Offboards endpoints from Defender |
| Machine.Scan | Yes | Initiates Microsoft Defender Antivirus scans |
| Machine.StopAndQuarantine | Yes | Stops file execution and quarantines malicious files |
| Alert.ReadWrite | Yes | Reads and writes Defender alerts |
Application Permissions (Service Provider Mode)
| Permission | Admin Consent | Purpose |
|---|---|---|
| Machine.Isolate | Yes | Isolates endpoints without user presence |
| Machine.Scan | Yes | Initiates scans without user presence |
| Machine.StopAndQuarantine | Yes | Quarantines files without user presence |
Service Provider Mode: Application permissions enable MSPs/MSSPs to execute endpoint response actions in customer tenants without requiring a user to be actively signed in. For customer workspaces connected to a partner workspace, click both Consent and Consent for Partner during onboarding.
Enabled Gamebook Actions
| Action | Description |
|---|---|
| Isolate Device | Disconnects the endpoint from the network while maintaining Defender connectivity |
| Unisolate Device | Restores full network connectivity to a previously isolated endpoint |
| Quick Scan | Initiates a quick antivirus scan on the endpoint |
| Full Scan | Initiates a comprehensive antivirus scan on the endpoint |
| Quarantine File | Stops a file from executing and quarantines it |
| Offboard Device | Removes the endpoint from Defender for Endpoint management |
ContraForce Gamebooks for Identity
Enables automated response actions targeting user entities, including session invalidation, account lockout, and password reset capabilities.
App ID: 36b0d51c-4c0f-4810-9cc4-bfbd40c7dd4a
Delegated Permissions (Default)
| Permission | Admin Consent | Purpose |
|---|---|---|
| User.ReadWrite.All | Yes | Invalidates user sessions and locks accounts |
| User.AuthenticationMethod.ReadWrite.All | Yes | Resets user passwords |
| User.ManagedIdentities.All | Yes | Manages user identities |
| UserAuthenticationMethod.ReadWrite | Yes | Resets user passwords |
Application Permissions (Service Provider Mode)
| Permission | Admin Consent | Purpose |
|---|---|---|
| User.ReadWrite.All | Yes | Enables automated session invalidation and account lockout without user presence |
Password Reset always requires delegated permissions (on-behalf-of flow with a signed-in user). This action cannot be performed using application-only permissions, even in Service Provider Mode.
Enabled Gamebook Actions
| Action | Description |
|---|---|
| Disable Account | Blocks the user from signing in to any Microsoft service |
| Enable Account | Restores sign-in access for a previously disabled account |
| Reset Password | Generates a new temporary password for the user |
| Revoke Sessions | Invalidates all active refresh tokens and session cookies |
ContraForce Gamebooks for Email (Microsoft 365 Response)
Facilitates email response actions through the delete email Gamebook. This application can delete malicious emails from user mailboxes and purge phishing messages across the organization.
App ID: 44dbf6fe-45e3-48a3-bac3-f8d4cf1dba6d
This application does not have the ability to send email. It requires Microsoft 365 Exchange licenses to be active in the target tenant.
Enabled Gamebook Actions
| Action | Description |
|---|---|
| Soft Delete Email | Removes a malicious or suspicious email from the user’s mailbox |
Management Applications
ContraForce User Management
Manages user access to your ContraForce workspace through security group membership and Portal role assignments. This application is consented after initial onboarding when you need to add or manage users.
App ID: 460b65b7-3a5e-4a2c-98d0-e48fd35374a9
Delegated Permissions
| Permission | Admin Consent | Purpose |
|---|---|---|
| Group.ReadWrite.All | Yes | Creates security groups for Sentinel workspace access |
| GroupMember.ReadWrite.All | Yes | Manages security group membership for Portal users |
How to Consent
- Navigate to the Workspaces page
- Click the gear icon on the right side of the workspace row
- Locate the User Management service principal
- Click Consent and complete the Microsoft consent flow with admin credentials
Permission Types Explained
ContraForce uses two types of Microsoft Entra ID permissions:
| Type | Description | Use Case |
|---|---|---|
| Delegated | Runs on behalf of a signed-in user. The application can only do what the signed-in user has permission to do. | Interactive portal sessions, on-behalf-of flows |
| Application | Runs without a user context. The application acts with its own identity. | Background operations, service provider automation |
By default, ContraForce requests delegated permissions. Application permissions are available for select Gamebook applications to support Service Provider Mode, where MSPs/MSSPs need to execute response actions in customer tenants without requiring an operator to be signed into each tenant.
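The delegated-versus-application distinction above is visible in the access token itself, which is useful when checking whether a Gamebook action ran on behalf of a signed-in operator or under Service Provider Mode. The following Python is an added example, not ContraForce code: it decodes a token's claims, classifies the token as delegated (an `scp` claim) or application-only (a `roles` claim, as the Microsoft identity platform issues for app permissions), and applies this page's rule that Reset Password needs a delegated token. The two tokens are constructed fixtures with an empty signature segment; `DELEGATED_ONLY_ACTIONS` and the placeholder object IDs are assumptions of the example.

```python
"""Tell a delegated token from an application-only token by its claims.

Added example, not ContraForce code. Microsoft identity platform access
tokens carry delegated scopes in the 'scp' claim and application permissions
(app roles) in the 'roles' claim; a token issued with no signed-in user has no
'scp'. The tokens below are CONSTRUCTED fixtures with an empty signature
segment and are decoded here for inspection only. A real token's signature
must be checked against the issuer's published keys before a claim is trusted.
"""
import base64
import json

# Gamebook actions this page documents as delegated-only (on-behalf-of flow).
DELEGATED_ONLY_ACTIONS = {"Reset Password"}


def _b64url_decode(segment: str) -> bytes:
    """Decode base64url, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token: str) -> dict:
    """Return the JWT payload claims; does not verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def permission_type(claims: dict) -> str:
    """'delegated' if the token carries scopes, 'application' if only app roles."""
    if claims.get("scp"):
        return "delegated"
    if claims.get("roles"):
        return "application"
    return "unknown"


def action_permitted(claims: dict, action: str) -> bool:
    """Apply the page's rule: delegated-only actions need a delegated token."""
    kind = permission_type(claims)
    if action in DELEGATED_ONLY_ACTIONS:
        return kind == "delegated"
    return kind in ("delegated", "application")


def _constructed_token(claims: dict) -> str:
    """Build an unsigned compact JWT fixture for the samples below."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    # Empty third segment: no signature, so no verifier would ever accept it.
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(claims)}."


# CONSTRUCTED: token from an interactive Portal session (delegated flow).
SAMPLE_DELEGATED_TOKEN = _constructed_token({
    "aud": "https://graph.microsoft.com",
    "oid": "user-object-id-placeholder",
    "scp": "User.ReadWrite.All User.AuthenticationMethod.ReadWrite.All",
})

# CONSTRUCTED: Service Provider Mode token (application permission, no user).
SAMPLE_APP_ONLY_TOKEN = _constructed_token({
    "aud": "https://graph.microsoft.com",
    "oid": "service-principal-object-id-placeholder",
    "roles": ["User.ReadWrite.All"],
})


if __name__ == "__main__":
    for label, token in (("delegated", SAMPLE_DELEGATED_TOKEN),
                         ("app-only", SAMPLE_APP_ONLY_TOKEN)):
        claims = decode_payload(token)
        print(label, permission_type(claims),
              "Reset Password:", action_permitted(claims, "Reset Password"),
              "Revoke Sessions:", action_permitted(claims, "Revoke Sessions"))
```

The classifier looks only at which claim is present, not at the scope values, so it answers "who is the token acting as" rather than "what can it do"; the second question is the audit of granted scopes in the tenant.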
Managing Permissions
After onboarding, you can review and manage enterprise application permissions in two locations:
From the ContraForce Portal:
Navigate to Settings → Permissions to consent additional service principals or review existing consent status.
From Microsoft Entra Admin Center:
Go to Enterprise Applications to review all ContraForce applications registered in your tenant and their granted permissions.
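Reviewing consent in the admin center works for one tenant at a time; a tenant-wide check of the inventory above against what is actually granted can be scripted from the same data. The Python below is an added example and not a ContraForce tool: it consumes records in the JSON shape Microsoft Graph returns for `/servicePrincipals` and `/oauth2PermissionGrants` (the sample records are constructed, with placeholder object IDs) and reports which documented ContraForce apps are present, which are absent, whether any app holds delegated scopes beyond the ones documented on this page, and whether any app was consented only per user rather than tenant-wide. The `Directory.ReadWrite.All` entry in the sample grant is constructed drift that the audit is meant to flag; the documented scope sets are taken from the tables above for the two core applications and ContraForce for MDE.

```python
"""Offline consent audit for the ContraForce enterprise applications.

Added example; not part of the ContraForce documentation or product. It
takes records in the JSON shape that Microsoft Graph returns for
/servicePrincipals and /oauth2PermissionGrants (the sample records below are
CONSTRUCTED, with placeholder object ids) and checks the tenant state against
the documented inventory.
"""
from dataclasses import dataclass, field

# App IDs and delegated scopes as documented on this page for the two core
# applications and ContraForce for MDE. Scopes are flattened across resource
# APIs (Graph, Threat Protection, WindowsDefenderATP, Azure Service Management)
# to keep the comparison simple.
DOCUMENTED_APPS: dict[str, tuple[str, frozenset[str]]] = {
    "24d97bc0-8f2b-45d5-8e0b-7fe286732ef2": ("ContraForce API", frozenset({
        "offline_access", "openid", "profile", "Application.Read.All",
        "RoleManagement.Read.Directory", "User.Read.All", "user_impersonation"})),
    "8b7cb435-9526-47ee-b79a-34433f0daad2": ("ContraForce Portal", frozenset({
        "offline_access", "openid", "profile"})),
    "6efccc6a-f0d3-49e5-92d0-17d4afa9ba52": ("ContraForce for MDE", frozenset({
        "ThreatHunting.Read.All", "SecurityAlert.Read.All", "SecurityIncident.Read.All",
        "SecurityIncident.ReadWrite.All", "Incident.Read", "Incident.ReadWrite",
        "AdvancedQuery.Read", "Alert.Read", "Machine.Read", "Score.Read",
        "Vulnerability.Read"})),
}

# CONSTRUCTED sample of GET /servicePrincipals (ids are placeholders).
# ContraForce for MDE is deliberately absent: never consented in this tenant.
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "sp-0001", "appId": "24d97bc0-8f2b-45d5-8e0b-7fe286732ef2",
     "displayName": "ContraForce API"},
    {"id": "sp-0002", "appId": "8b7cb435-9526-47ee-b79a-34433f0daad2",
     "displayName": "ContraForce Portal"},
]

# CONSTRUCTED sample of GET /oauth2PermissionGrants. 'scope' is the
# space-separated string Graph returns; consentType 'AllPrincipals' is a
# tenant-wide admin consent, 'Principal' is consent by a single user.
# Directory.ReadWrite.All is constructed drift that the audit should flag.
SAMPLE_GRANTS = [
    {"clientId": "sp-0001", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "res-graph",
     "scope": "openid profile offline_access Application.Read.All "
              "RoleManagement.Read.Directory User.Read.All Directory.ReadWrite.All"},
    {"clientId": "sp-0001", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "res-arm", "scope": "user_impersonation"},
    {"clientId": "sp-0002", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "res-graph", "scope": "openid profile offline_access"},
]


@dataclass
class AuditResult:
    consented: list[str] = field(default_factory=list)            # apps with a service principal
    missing: list[str] = field(default_factory=list)              # documented apps not in tenant
    extra_scopes: dict[str, set[str]] = field(default_factory=dict)  # granted but undocumented
    user_only_consent: list[str] = field(default_factory=list)    # apps with per-user grants only


def audit(service_principals: list[dict], grants: list[dict]) -> AuditResult:
    """Compare tenant service principals and grants with DOCUMENTED_APPS."""
    result = AuditResult()
    sp_by_app_id = {sp["appId"]: sp for sp in service_principals}
    for app_id, (name, documented) in DOCUMENTED_APPS.items():
        sp = sp_by_app_id.get(app_id)
        if sp is None:
            result.missing.append(name)
            continue
        result.consented.append(name)
        own_grants = [g for g in grants if g["clientId"] == sp["id"]]
        granted: set[str] = set()
        for g in own_grants:
            granted.update(g["scope"].split())
        if own_grants and all(g["consentType"] != "AllPrincipals" for g in own_grants):
            result.user_only_consent.append(name)
        extra = granted - documented
        if extra:
            result.extra_scopes[name] = extra
    return result


if __name__ == "__main__":
    r = audit(SAMPLE_SERVICE_PRINCIPALS, SAMPLE_GRANTS)
    print("consented:", r.consented)
    print("missing:", r.missing)
    print("granted but undocumented:", r.extra_scopes)
    print("per-user consent only:", r.user_only_consent)
```

A scope that appears in `extra_scopes` is not necessarily wrong (the documented sets here cover three of the eight applications, and ContraForce may update its requested permissions), but it is the thing to reconcile against this page before leaving it in place, since every grant beyond the documented set widens what a compromised session of that application could do.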
Revoking Consent
If you need to revoke consent for any ContraForce enterprise application:
- Go to Azure Portal → Microsoft Entra ID → Enterprise Applications
- Find the ContraForce application you want to revoke
- Click Properties
- Set Enabled for users to sign-in? to No to disable the application, or delete the application entirely
Revoking consent will disable the associated ContraForce capabilities for that workspace. For example, revoking the ContraForce for MDE application will cause the Endpoints page to stop showing devices.
Troubleshooting
| Issue | Likely Cause | Resolution |
|---|---|---|
| Consent popup doesn’t appear | Pop-up blocker active | Disable pop-up blocker for portal.contraforce.com |
| Consent fails with permissions error | Insufficient privileges | Verify the account has Global Administrator role |
| Application shows “Not Configured” | Consent flow incomplete | Re-run consent from workspace settings (gear icon) |
| Gamebook actions unavailable | Service principal not consented | Consent the relevant Gamebooks application for the entity type |
| User management unavailable post-onboarding | User Management SP not consented | Consent the User Management service principal from workspace settings |
| Endpoints page empty | MDE application not consented | Consent the ContraForce for MDE application |
Questions about enterprise applications or permissions? Contact us at [email protected].