# Enterprise Applications Reference

> Complete reference for all ContraForce enterprise applications, their permissions, and what each enables in your environment.

## Overview

ContraForce uses a modular application architecture designed around the **principle of least privilege**. Rather than requesting all permissions through a single application, ContraForce distributes responsibilities across purpose-built enterprise applications registered in your Microsoft Entra ID tenant. Each application only receives the permissions necessary for its specific function.

This means you only grant permissions for the capabilities you actually use. For example, if you don't use Gamebooks to respond to endpoint threats, you never need to consent the ContraForce Gamebooks for MDE application.

<Warning>
  **Consent model.** ContraForce enterprise applications are consented with **application (app-only)** Microsoft Graph permissions. Admin consent for Microsoft Graph application permissions must be granted by a **Global Administrator** — Cloud Application Administrator and Application Administrator cannot grant it. Global Administrator is required for the one-time consent only and is not retained; activate it just-in-time with Privileged Identity Management (PIM) and deactivate afterward.

  Because actions run as the application (no signed-in user required), operator control is enforced through **Gamebook approval gates** — only Workspace Owners can approve high-impact actions — and a complete **audit trail** in the Gamebooks History page.
</Warning>

## Quick Reference

| Application                        | App ID                                 | Required For                | Consent Timing                   |
| ---------------------------------- | -------------------------------------- | --------------------------- | -------------------------------- |
| ContraForce API                    | `24d97bc0-8f2b-45d5-8e0b-7fe286732ef2` | All deployments             | First sign-in (core app consent) |
| ContraForce Portal                 | `8b7cb435-9526-47ee-b79a-34433f0daad2` | All deployments             | First sign-in (core app consent) |
| ContraForce for MDE                | `6efccc6a-f0d3-49e5-92d0-17d4afa9ba52` | Endpoint visibility         | Module consent                   |
| ContraForce Gamebooks for MDE      | `ad7b0e79-3c37-4408-bf8f-eb89522cc920` | Endpoint response actions   | Module consent                   |
| ContraForce Gamebooks for Identity | `36b0d51c-4c0f-4810-9cc4-bfbd40c7dd4a` | User response actions       | Module consent                   |
| ContraForce Gamebooks for Email    | `44dbf6fe-45e3-48a3-bac3-f8d4cf1dba6d` | Email response actions      | Module consent                   |
| ContraForce Sentinel Hunting       | `6bf1c74d-7ade-4671-a507-166936f89a1f` | Log search & threat hunting | Module consent (XDR + SIEM only) |

## Applications by Module

<Tabs>
  <Tab title="All Deployments">
    Every ContraForce deployment requires these two core applications:

    * **ContraForce API** — Core platform connectivity
    * **ContraForce Portal** — User authentication and portal access
  </Tab>

  <Tab title="Defender Module">
    Core applications plus:

    * **ContraForce for MDE** — Endpoint visibility and incident data
    * **ContraForce Gamebooks for MDE** — Endpoint response actions
    * **ContraForce Gamebooks for Identity** — User response actions
    * **ContraForce Gamebooks for Email** — Email response actions
  </Tab>

  <Tab title="XDR + SIEM Module">
    Everything in the Defender (XDR) module, plus:

    * **ContraForce Sentinel Hunting** — Log Analytics queries and threat hunting
  </Tab>
</Tabs>

***

## Core Applications

### ContraForce API

The core service principal that enables communication between ContraForce services and Microsoft APIs including Microsoft Graph and Azure Resource Manager. This application coordinates all platform operations — from onboarding your workspace to managing Azure resources.

**App ID:** `24d97bc0-8f2b-45d5-8e0b-7fe286732ef2`

#### Delegated Permissions

| Permission                                      | Admin Consent | Purpose                                                                                                                                                                                                                                                                         |
| ----------------------------------------------- | ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `offline_access`                                | No            | Enables refresh token acquisition for persistent sessions                                                                                                                                                                                                                       |
| `profile`                                       | No            | Retrieves signed-in user's name and object ID                                                                                                                                                                                                                                   |
| `Application.Read.All`                          | Yes           | Evaluates which ContraForce service principals have been consented                                                                                                                                                                                                              |
| `RoleManagement.Read.All`                       | Yes           | Evaluates user roles for Portal access control                                                                                                                                                                                                                                  |
| `RoleManagement.ReadWrite.Directory`            | Yes           | Assigns the password-reset directory role to the *Gamebooks for Identity* app when a customer enables the service-provider password reset add-on                                                                                                                                |
| `User.Read.All`                                 | Yes           | Reads user profile data for user management operations                                                                                                                                                                                                                          |
| `user_impersonation` (Azure Service Management) | No            | Used throughout platform operation, not only at onboarding: backs Microsoft Sentinel access; enumeration of subscriptions, resource groups, and identity role assignments; and, with AI Agents, reading model capacities and quotas and pushing agent model and harness updates |

***

### ContraForce Portal

Handles user authentication through Microsoft's OpenID Connect implementation and retrieves basic profile information for signed-in users. This application enables secure sign-in to ContraForce using your Microsoft work account.

**App ID:** `8b7cb435-9526-47ee-b79a-34433f0daad2`

#### Delegated Permissions

| Permission       | Admin Consent | Purpose                                       |
| ---------------- | ------------- | --------------------------------------------- |
| `offline_access` | No            | Enables refresh token acquisition             |
| `openid`         | No            | Allows sign-in using OpenID Connect           |
| `profile`        | No            | Retrieves signed-in user's name and object ID |

***

## Detection & Visibility Applications

### ContraForce for MDE (Microsoft Defender for Endpoint)

Provides visibility into Microsoft Defender for Endpoint data, enabling endpoint monitoring, incident ingestion, and threat intelligence display in the ContraForce portal. This application provides device health, alert, and security posture data from Defender for Endpoint.

**App ID:** `6efccc6a-f0d3-49e5-92d0-17d4afa9ba52`

<Note>
  Requires Microsoft Defender for Endpoint to be deployed and active in the target tenant. Compatible with Microsoft 365 Business Premium, E3, E5, or standalone MDE licenses.
</Note>

#### Delegated Permissions

| Permission                       | API                         | Admin Consent | Purpose                                             |
| -------------------------------- | --------------------------- | ------------- | --------------------------------------------------- |
| `ThreatHunting.Read.All`         | Microsoft Graph             | Yes           | Enables threat hunting queries                      |
| `SecurityAlert.Read.All`         | Microsoft Graph             | Yes           | Displays security alerts                            |
| `SecurityIncident.Read.All`      | Microsoft Graph             | Yes           | Displays security incidents                         |
| `SecurityIncident.ReadWrite.All` | Microsoft Graph             | Yes           | Manages security incidents                          |
| `Incident.Read`                  | Microsoft Threat Protection | Yes           | Reads threat protection incidents                   |
| `Incident.ReadWrite`             | Microsoft Threat Protection | Yes           | Manages threat protection incidents                 |
| `AdvancedHunting.Read`           | Microsoft Threat Protection | Yes           | Queries raw event and incident data                 |
| `Alert.Read`                     | WindowsDefenderATP          | Yes           | Displays Defender alerts                            |
| `Machine.Read`                   | WindowsDefenderATP          | Yes           | Retrieves endpoint profile details                  |
| `Score.Read`                     | WindowsDefenderATP          | Yes           | Displays Threat and Vulnerability Management scores |
| `Vulnerability.Read`             | WindowsDefenderATP          | Yes           | Displays vulnerability information                  |
| `File.Read.All`                  | WindowsDefenderATP          | Yes           | Read file profiles                                  |

#### Application Permissions

| Permission                       | API                         | Admin Consent | Purpose                                             |
| -------------------------------- | --------------------------- | ------------- | --------------------------------------------------- |
| `SecurityAlert.Read.All`         | Microsoft Graph             | Yes           | Displays security alerts                            |
| `SecurityIncident.Read.All`      | Microsoft Graph             | Yes           | Displays security incidents                         |
| `SecurityIncident.ReadWrite.All` | Microsoft Graph             | Yes           | Manages security incidents                          |
| `ThreatHunting.Read.All`         | Microsoft Graph             | Yes           | Enables threat hunting queries                      |
| `Incident.ReadWrite.All`         | Microsoft Threat Protection | Yes           | Manages threat protection incidents                 |
| `Incident.Read.All`              | Microsoft Threat Protection | Yes           | Reads threat protection incidents                   |
| `AdvancedHunting.Read.All`       | Microsoft Threat Protection | Yes           | Queries raw event and incident data                 |
| `Alert.Read.All`                 | WindowsDefenderATP          | Yes           | Displays Defender alerts                            |
| `Machine.Read.All`               | WindowsDefenderATP          | Yes           | Retrieves endpoint profile details                  |
| `Vulnerability.Read.All`         | WindowsDefenderATP          | Yes           | Displays vulnerability information                  |
| `Score.Read.All`                 | WindowsDefenderATP          | Yes           | Displays Threat and Vulnerability Management scores |
| `File.Read.All`                  | WindowsDefenderATP          | Yes           | Read file profiles                                  |

***

### ContraForce Sentinel Hunting

Calls the Log Analytics API to send direct queries to a Microsoft Sentinel workspace on behalf of the signed-in user. This enables deeper incident context via raw event and evidence logs, and powers the Advanced Hunting page in ContraForce.

**App ID:** `6bf1c74d-7ade-4671-a507-166936f89a1f`

<Note>
  Only required for the **XDR + SIEM module**. Not needed for XDR-only deployments.
</Note>

#### Delegated Permissions

| Permission  | API               | Admin Consent | Purpose                                                                       |
| ----------- | ----------------- | ------------- | ----------------------------------------------------------------------------- |
| `Data.Read` | Log Analytics API | Yes           | Queries Log Analytics workspace data for incident evidence and threat hunting |

***

## Response Applications (Gamebooks)

These enterprise applications enable Gamebook response actions. Each application is scoped to a specific entity type, ensuring least-privilege access for automated incident response.

### ContraForce Gamebooks for MDE

Enables automated response actions targeting **endpoint entities**, including device isolation, antivirus scans, and file quarantine operations.

**App ID:** `ad7b0e79-3c37-4408-bf8f-eb89522cc920`

#### Delegated Permissions (on-behalf-of flows)

| Permission                  | Admin Consent | Purpose                                              |
| --------------------------- | ------------- | ---------------------------------------------------- |
| `Machine.Isolate`           | Yes           | Isolates endpoints from the network                  |
| `Machine.Offboard`          | Yes           | Offboards endpoints from Defender                    |
| `Machine.Scan`              | Yes           | Initiates Microsoft Defender Antivirus scans         |
| `Machine.StopAndQuarantine` | Yes           | Stops file execution and quarantines malicious files |
| `Machine.ReadWrite`         | Yes           | Read and write machine information                   |
| `User.Read`                 | Yes           | Sign in and read user profile                        |

#### Application Permissions (Default)

| Permission                  | Admin Consent | Purpose                                  |
| --------------------------- | ------------- | ---------------------------------------- |
| `Machine.Isolate`           | Yes           | Isolates endpoints without user presence |
| `Machine.Scan`              | Yes           | Initiates scans without user presence    |
| `Machine.StopAndQuarantine` | Yes           | Quarantines files without user presence  |
| `Machine.ReadWrite.All`     | Yes           | Read and write all machine information   |
| `Machine.Offboard`          | Yes           | Offboards endpoints from Defender        |

<Tip>
  **Service Provider Mode:** Application permissions enable MSPs/MSSPs to execute endpoint response actions in customer tenants without requiring a user to be actively signed in. For each module, click **Consent** on the workspace **Modules** tab to grant these permissions.
</Tip>

#### Enabled Gamebook Actions

| Action           | Description                                                                       |
| ---------------- | --------------------------------------------------------------------------------- |
| Isolate Device   | Disconnects the endpoint from the network while maintaining Defender connectivity |
| Unisolate Device | Restores full network connectivity to a previously isolated endpoint              |
| Quick Scan       | Initiates a quick antivirus scan on the endpoint                                  |
| Full Scan        | Initiates a comprehensive antivirus scan on the endpoint                          |
| Quarantine File  | Stops a file from executing and quarantines it                                    |
| Offboard Device  | Removes the endpoint from Defender for Endpoint management                        |

***

### ContraForce Gamebooks for Identity

Enables automated response actions targeting **user entities**, including session invalidation, account lockout, password reset, and MFA reset capabilities.

**App ID:** `36b0d51c-4c0f-4810-9cc4-bfbd40c7dd4a`

#### Delegated Permissions (on-behalf-of flows)

| Permission                               | Admin Consent | Purpose                                                                       |
| ---------------------------------------- | ------------- | ----------------------------------------------------------------------------- |
| `User.ReadWrite.All`                     | Yes           | Invalidates user sessions and locks accounts                                  |
| `UserAuthenticationMethod.ReadWrite.All` | Yes           | Resets user passwords and removes a user's registered MFA methods (Reset MFA) |
| `User.ReadWrite`                         | Yes           | Read and write access to user profile                                         |
| `User.Read`                              | Yes           | Sign in and read user profile                                                 |
| `User.EnableDisableAccount.All`          | Yes           | Enable and disable user accounts                                              |
| `Directory.Read.All`                     | Yes           | Read directory data                                                           |
| `AuditLog.Read.All`                      | Yes           | Read audit log data                                                           |

#### Application Permissions (Default)

| Permission                      | Admin Consent | Purpose                                                                          |
| ------------------------------- | ------------- | -------------------------------------------------------------------------------- |
| `User.ReadWrite.All`            | Yes           | Enables automated session invalidation and account lockout without user presence |
| `User.EnableDisableAccount.All` | Yes           | Enable and disable user accounts                                                 |
| `Directory.Read.All`            | Yes           | Read directory data                                                              |
| `AuditLog.Read.All`             | Yes           | Read all audit log data                                                          |
| `RoleManagement.Read.Directory` | Yes           | Read all directory RBAC settings                                                 |

#### Application Permissions (Service Provider Password Reset add-on)

These are consented **only if** a customer enables the optional **service-provider password reset** add-on (Identity module → **Allow service provider to reset passwords**). The add-on lets the **Reset Password** Gamebook run app-only, without an on-behalf-of signed-in user. Enabling it is a customer decision and must be authorized by a **Global Administrator** or **Privileged Role Administrator** in the customer tenant.

| Permission                           | Admin Consent | Purpose                                                                              |
| ------------------------------------ | ------------- | ------------------------------------------------------------------------------------ |
| `User-PasswordProfile.ReadWrite.All` | Yes           | Sets a new password on a user's `passwordProfile` so Reset Password can run app-only |

<Warning>
  **Directory role grant.** Enabling the add-on also assigns the **Authentication Administrator** Entra directory role to the *ContraForce Gamebooks for Identity* service principal in your tenant. This is a privileged role: it allows password and authentication-method management for **non-administrator** users only — it **cannot** reset passwords for Global Administrators or other higher-privileged roles, and a pre-flight check blocks those targets. The assignment is made only with explicit customer consent, and turning the add-on off removes it.

  Because this grant is a **directory role** rather than a Microsoft Graph application permission, it does **not** appear in the enterprise-app permission audit scripts. See [Auditing Enterprise App Permissions](/guides/technical/auditing-enterprise-app-permissions#directory-role-assignments) for how to review it.
</Warning>

<Note>
  When the add-on is **not** enabled, **Reset Password** runs through the **delegated** (on-behalf-of) flow and requires a signed-in user with sufficient privileges. The modern Graph `resetPassword` endpoint does not support application-only calls, so app-only resets use the `passwordProfile` path enabled by the add-on above.
</Note>

#### Enabled Gamebook Actions

| Action          | Description                                                                                                |
| --------------- | ---------------------------------------------------------------------------------------------------------- |
| Disable Account | Blocks the user from signing in to any Microsoft service                                                   |
| Enable Account  | Restores sign-in access for a previously disabled account                                                  |
| Reset Password  | Generates a new temporary password for the user                                                            |
| Reset MFA       | Deletes the user's registered multi-factor authentication methods, forcing re-registration at next sign in |
| Revoke Sessions | Invalidates all active refresh tokens and session cookies                                                  |

***

### ContraForce Gamebooks for Email (Microsoft 365 Response)

Facilitates email response actions through the delete email Gamebook. This application can delete malicious emails from user mailboxes and purge phishing messages across the organization.

**App ID:** `44dbf6fe-45e3-48a3-bac3-f8d4cf1dba6d`

#### Delegated Permissions

| Permission       | Admin Consent | Purpose                                                                                                                                      |
| ---------------- | ------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
| `Mail.ReadWrite` | No            | Allows the app to create, read, update, and delete mail in the signed-in user's mailbox, on that user's behalf. Does not include permission to send mail.   |

#### Application Permissions

| Permission       | Admin Consent | Purpose                                                                                                                                      |
| ---------------- | ------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
| `Mail.ReadWrite` | Yes           | Allows the app to create, read, update, and delete mail in all mailboxes without a signed-in user. Does not include permission to send mail. |

<Note>
  This application does **not** have the ability to send email. It requires Microsoft 365 Exchange licenses to be active in the target tenant.
</Note>

#### Enabled Gamebook Actions

| Action            | Description                                                     |
| ----------------- | --------------------------------------------------------------- |
| Soft Delete Email | Removes a malicious or suspicious email from the user's mailbox |

***

## Managing Users and Groups

Group-to-workspace mapping is managed directly in the ContraForce portal under **Settings → User Management**. ContraForce no longer provisions a separate User Management enterprise application for group management.

***

## Permission Types Explained

ContraForce uses two types of Microsoft Entra ID permissions:

| Type                       | Description                                                                                                   | Use Case                                                                                                                                 |
| -------------------------- | ------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- |
| **Application (app-only)** | Runs without a user context. The application acts with its own identity.                                      | The default for ContraForce enterprise applications — automated investigation and response actions that execute without a signed-in user |
| **Delegated**              | Runs on behalf of a signed-in user. The application can only do what the signed-in user has permission to do. | Portal sign-in (OIDC) and the specific on-behalf-of flows that require a user, such as password reset                                    |

ContraForce enterprise applications are consented with **application (app-only)** permissions, so response actions can execute in a customer tenant without requiring an operator to be signed in. Because these actions run unattended, operator control is enforced through **Gamebook approval gates** and a complete **audit trail** in the Gamebooks History page. A small number of flows use delegated permissions with a signed-in user — for example, **password reset** runs on-behalf-of by default, unless a customer enables the **service-provider password reset** add-on, which lets it run app-only via a customer-consented `passwordProfile` permission and directory role (see [ContraForce Gamebooks for Identity](#contraforce-gamebooks-for-identity)).

***

## Managing Permissions

After onboarding, you can review and manage enterprise application permissions in two locations:

**From the ContraForce Portal:**
Navigate to **Settings → Permissions** to consent additional service principals or review existing consent status.

**From Microsoft Entra Admin Center:**
Go to **Enterprise Applications** to review all ContraForce applications registered in your tenant and their granted permissions.
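
As an added example (not a ContraForce script), the following Microsoft Graph PowerShell check compares the app-only permissions actually granted to the three Gamebooks service principals against the tables on this page and flags drift in both directions; it also lists directory role assignments, which the Authentication Administrator grant described under the Identity add-on would otherwise leave out of a permission-only review. It assumes the Microsoft Graph PowerShell SDK is installed and that the reviewing account can consent to the read-only scopes named in the script; the expected-permission map can be extended with the ContraForce for MDE rows from its table.

```powershell
# Added example (not ContraForce's own tooling): least-privilege drift check for the
# ContraForce Gamebooks service principals. Compares granted app-only permissions with the
# documented set and lists directory roles, which never appear as app role assignments.
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.Governance

# Read-only scopes: enumerate service principals, their grants, and directory role assignments.
Connect-MgGraph -Scopes 'Application.Read.All','Directory.Read.All','RoleManagement.Read.Directory' -NoWelcome

# Expected application (app-only) permissions, copied from the tables on this page.
# Key = App ID; values are "<resource service principal display name>:<app role value>".
$expected = @{
  'ad7b0e79-3c37-4408-bf8f-eb89522cc920' = @(   # ContraForce Gamebooks for MDE
    'WindowsDefenderATP:Machine.Isolate',
    'WindowsDefenderATP:Machine.Scan',
    'WindowsDefenderATP:Machine.StopAndQuarantine',
    'WindowsDefenderATP:Machine.ReadWrite.All',
    'WindowsDefenderATP:Machine.Offboard'
  )
  '36b0d51c-4c0f-4810-9cc4-bfbd40c7dd4a' = @(   # ContraForce Gamebooks for Identity (default set)
    'Microsoft Graph:User.ReadWrite.All',
    'Microsoft Graph:User.EnableDisableAccount.All',
    'Microsoft Graph:Directory.Read.All',
    'Microsoft Graph:AuditLog.Read.All',
    'Microsoft Graph:RoleManagement.Read.Directory'
  )
  '44dbf6fe-45e3-48a3-bac3-f8d4cf1dba6d' = @(   # ContraForce Gamebooks for Email
    'Microsoft Graph:Mail.ReadWrite'
  )
}
# Present only when the customer enabled the service-provider password reset add-on.
$addOnPermission = 'Microsoft Graph:User-PasswordProfile.ReadWrite.All'

# Translate an appRoleAssignment (resourceId + appRoleId) into "<resource>:<role value>",
# caching each resource service principal so Graph is queried once per resource.
$roleCache = @{}
function Resolve-AppRole([string]$ResourceId, [string]$AppRoleId) {
  if (-not $roleCache.ContainsKey($ResourceId)) {
    $roleCache[$ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $ResourceId -Property DisplayName,AppRoles
  }
  $resource = $roleCache[$ResourceId]
  $role = $resource.AppRoles | Where-Object { $_.Id -eq $AppRoleId }
  return "$($resource.DisplayName):$($role.Value)"
}

foreach ($appId in $expected.Keys) {
  $sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
  if (-not $sp) { Write-Host "[$appId] not consented in this tenant"; continue }

  # What the service principal can actually do app-only, as human-readable permission names.
  $granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    ForEach-Object { Resolve-AppRole $_.ResourceId $_.AppRoleId }

  $extra   = $granted | Where-Object { $_ -notin $expected[$appId] -and $_ -ne $addOnPermission }
  $missing = $expected[$appId] | Where-Object { $_ -notin $granted }

  Write-Host "== $($sp.DisplayName) ($appId)"
  $missing | ForEach-Object { Write-Host "  MISSING : $_  (documented capability will fail)" }
  $extra   | ForEach-Object { Write-Host "  EXTRA   : $_  (beyond the documented set; review)" }
  if ($granted -contains $addOnPermission) {
    Write-Host "  ADD-ON  : $addOnPermission (service-provider password reset is enabled)"
  }

  # Directory roles (e.g. Authentication Administrator) are separate from Graph permissions.
  $assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'" -All
  foreach ($assignment in $assignments) {
    $definition = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $assignment.RoleDefinitionId
    Write-Host "  DIR ROLE: $($definition.DisplayName)"
  }
}
```

Run it after each consent or add-on change and keep the output with the change record; an EXTRA line is the signal that a service principal holds more than this page documents.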

***

## Revoking Consent

If you need to revoke consent for any ContraForce enterprise application:

1. Go to **Azure Portal → Microsoft Entra ID → Enterprise Applications**
2. Find the ContraForce application you want to revoke
3. Click **Properties**
4. Set **Enabled for users to sign-in** to **No** (to disable) or **Delete** the application entirely

<Warning>
  Revoking consent will disable the associated ContraForce capabilities for that workspace. For example, revoking the ContraForce for MDE application will stop Defender for Endpoint device and incident data from appearing in ContraForce.
</Warning>

***

## Troubleshooting

| Issue                                | Likely Cause                    | Resolution                                                                                                                                                                                            |
| ------------------------------------ | ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Consent popup doesn't appear         | Pop-up blocker active           | Disable pop-up blocker for `portal.contraforce.com`                                                                                                                                                   |
| Consent fails with permissions error | Insufficient privileges         | Verify the account has the **Global Administrator** role. Admin consent for Microsoft Graph application permissions cannot be granted by Cloud Application Administrator or Application Administrator |
| Application shows "Not Configured"   | Consent flow incomplete         | Re-run consent from workspace settings (gear icon)                                                                                                                                                    |
| Gamebook actions unavailable         | Service principal not consented | Consent the relevant Gamebooks application for the entity type                                                                                                                                        |
| Defender for Endpoint data missing   | MDE application not consented   | Consent the ContraForce for MDE application                                                                                                                                                           |

***

## Related Resources

<CardGroup cols={2}>
  <Card title="Audit Permissions" icon="clipboard-check" href="/guides/technical/auditing-enterprise-app-permissions">
    Independently verify enterprise application permissions in your tenant
  </Card>

  <Card title="Platform Onboarding" icon="rocket" href="/guides/onboarding/platform-onboarding">
    Step-by-step guide to onboarding your parent workspace
  </Card>

  <Card title="Customer Workspace Onboarding" icon="building" href="/onboarding-customer-workspaces">
    Onboard customer workspaces with the right modules
  </Card>

  <Card title="Azure Resources Deployed" icon="cloud" href="/guides/technical/azure-resources-deployed">
    Complete reference of all Azure resources ContraForce deploys
  </Card>

  <Card title="Roles & Permissions" icon="shield" href="/guides/general-support/roles-and-permissions-reference">
    ContraForce platform roles and what each can do
  </Card>
</CardGroup>

Questions about enterprise applications or permissions? Contact us at [support@contraforce.com](mailto:support@contraforce.com).
