Technical
      Back to home
      1. Knowledge Base
      2. Technical

      ContraForce API Enterprise Application

      This article provides an overview of the ContraForce API enterprise application.

      ContraForce API Overview

      ContraForce services use the ContraForce API enterprise application whenever we call another API service, such as the Microsoft Graph or Azure Resource Manager. The ContraForce API calls other ContraForce enterprise application and occasionally direct resource endpoints (such as when calling the Azure Resource Manager endpoints with the user_impersonation scope during onboarding).

      This service principal requires three admin Read-Only Microsoft Graph scopes to validate the presence of ContraForce enterprise application in a Microsoft Entra tenant and to validate appropriate role assignment for each.

       

      Client ID` 24d97bc0-8f2b-45d5-8e0b-7fe286732ef2
      API Microsoft Graph
      Permission openid
      Type Delegated
      Admin Consent Required No
      Purpose Allows the app to sign in using OpenID Connect.

       

      Client ID` 24d97bc0-8f2b-45d5-8e0b-7fe286732ef2
      API Microsoft Graph
      Permission profile
      Type Delegated
      Admin Consent Required No
      Purpose Used to view the signed in user’s name and object ID.

       

      Client ID` 24d97bc0-8f2b-45d5-8e0b-7fe286732ef2
      API Microsoft Graph
      Permission Application.Read.All
      Type Delegated
      Admin Consent Required Yes
      Purpose Used to evaluate which ContraForce service principals/apps have been consented to.

       

      Client ID` 24d97bc0-8f2b-45d5-8e0b-7fe286732ef2
      API Microsoft Graph
      Permission RoleManagement.Read.Directory
      Type Delegated
      Admin Consent Required Yes
      Purpose Used to evaluate user roles for Portal role access.

       

      Client ID` 24d97bc0-8f2b-45d5-8e0b-7fe286732ef2
      API Microsoft Graph
      Permission User.Read.All
      Type Delegated
      Admin Consent Required Yes
      Purpose Allows the service principal to read profile data for all users in a directory. Used to auto-populate usernames and Object IDs when performing user management operations in the Portal.

       

      Client ID` 24d97bc0-8f2b-45d5-8e0b-7fe286732ef2
      API Azure Service Management
      Permission user_impersonation
      Type Delegated
      Admin Consent Required No
      Purpose Used to perform Azure resource onboarding and deployment activities on behalf of a signed in user.

       

      If you have any questions, please contact us at support@contraforce.com.