ContraForce API Service Principal

This article provides an overview of the ContraForce API Service Principal.

ContraForce API Overview

ContraForce services use the ContraForce API service principal whenever they call another API service, such as Microsoft Graph or Azure Resource Manager. The ContraForce API calls other ContraForce service principals and occasionally calls resource endpoints directly (for example, the Azure Resource Manager endpoints with the user_impersonation scope during onboarding).

This service principal requires three admin-consented, read-only Microsoft Graph scopes (the permissions marked Admin Consent Required: Yes below). They are used to confirm that the ContraForce service principals are present in a Microsoft Entra tenant and that each has the appropriate role assignment.

If you have any questions, contact us at support@contraforce.com. 

Client ID: 24d97bc0-8f2b-45d5-8e0b-7fe286732ef2
API: Microsoft Graph
Permission: AdvancedQuery.Read
Type: Delegated
Admin Consent Required: No
Purpose: Enables querying of raw event and incident data on behalf of the signed-in user.

Client ID: 24d97bc0-8f2b-45d5-8e0b-7fe286732ef2
API: Microsoft Graph
Permission: openid
Type: Delegated
Admin Consent Required: No
Purpose: Allows the app to sign in using OpenID Connect.

Client ID: 24d97bc0-8f2b-45d5-8e0b-7fe286732ef2
API: Microsoft Graph
Permission: profile
Type: Delegated
Admin Consent Required: No
Purpose: Used to view the signed-in user's name and object ID.

Client ID: 24d97bc0-8f2b-45d5-8e0b-7fe286732ef2
API: Microsoft Graph
Permission: Application.Read.All
Type: Delegated
Admin Consent Required: Yes
Purpose: Used to evaluate which ContraForce service principals/apps have been consented to.

Client ID: 24d97bc0-8f2b-45d5-8e0b-7fe286732ef2
API: Microsoft Graph
Permission: RoleManagement.Read.Directory
Type: Delegated
Admin Consent Required: Yes
Purpose: Used to evaluate user roles for Portal role access.

Client ID: 24d97bc0-8f2b-45d5-8e0b-7fe286732ef2
API: Microsoft Graph
Permission: User.Read.All
Type: Delegated
Admin Consent Required: Yes
Purpose: Allows the service principal to read profile data for all users in a directory. Used to auto-populate usernames and Object IDs when performing user management operations in the Portal.

Client ID: 24d97bc0-8f2b-45d5-8e0b-7fe286732ef2
API: Azure Service Management
Permission: user_impersonation
Type: Delegated
Admin Consent Required: No
Purpose: Used to perform Azure resource onboarding and deployment activities on behalf of a signed-in user.
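A tenant administrator reviewing this app will usually want to confirm that the grants actually recorded in Entra match the permission list above and nothing more. The following script is an added example (not ContraForce's code) that audits a Microsoft Graph oauth2PermissionGrants response against the documented scopes and reports drift in both directions: scopes granted that the page does not document, and admin-consent scopes that are documented but not granted tenant-wide. The response embedded here is a constructed sample; the service principal and resource object IDs are placeholders, and in a real tenant you would fetch the grants with GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants?$filter=clientId eq '{servicePrincipalObjectId}' after resolving the Client ID above to its service principal object ID.

```python
"""Audit the OAuth2 permission grants for the ContraForce API service principal
against the scopes documented on this page.

Added example, not ContraForce's own code. SAMPLE_GRANTS_JSON is a constructed
response shaped like Microsoft Graph's oauth2PermissionGrants collection; all
object IDs in it are placeholders.
"""
import json

# Scopes documented on this page, keyed by resource API. The boolean records
# whether the page lists the scope as requiring admin consent.
DOCUMENTED_SCOPES = {
    "Microsoft Graph": {
        "AdvancedQuery.Read": False,
        "openid": False,
        "profile": False,
        "Application.Read.All": True,
        "RoleManagement.Read.Directory": True,
        "User.Read.All": True,
    },
    "Azure Service Management": {
        "user_impersonation": False,
    },
}

# Placeholder resource service-principal object IDs -> API name. In a real
# tenant these come from GET /servicePrincipals/{resourceId} (displayName).
RESOURCE_NAMES = {
    "00000000-0000-0000-0000-00000000aaaa": "Microsoft Graph",
    "00000000-0000-0000-0000-00000000bbbb": "Azure Service Management",
}

# Constructed sample: one tenant-wide grant for Graph that is missing
# RoleManagement.Read.Directory and carries an undocumented Mail.Read, plus a
# per-user grant for Azure Service Management.
SAMPLE_GRANTS_JSON = """
{
  "value": [
    {"clientId": "sp-object-id-placeholder",
     "consentType": "AllPrincipals",
     "principalId": null,
     "resourceId": "00000000-0000-0000-0000-00000000aaaa",
     "scope": "openid profile AdvancedQuery.Read Application.Read.All User.Read.All Mail.Read"},
    {"clientId": "sp-object-id-placeholder",
     "consentType": "Principal",
     "principalId": "user-object-id-placeholder",
     "resourceId": "00000000-0000-0000-0000-00000000bbbb",
     "scope": "user_impersonation"}
  ]
}
"""


def granted_scopes(grants_json):
    """Flatten a grants response into {api_name: {scope: consentType}}.

    The 'scope' field is a space-separated list; consentType is either
    'AllPrincipals' (tenant-wide, admin-consented) or 'Principal' (one user).
    """
    out = {}
    for grant in json.loads(grants_json)["value"]:
        api = RESOURCE_NAMES.get(grant["resourceId"], grant["resourceId"])
        bucket = out.setdefault(api, {})
        for scope in grant["scope"].split():
            bucket[scope] = grant["consentType"]
    return out


def audit_grants(grants_json, documented=DOCUMENTED_SCOPES):
    """Return (unexpected, missing_admin).

    unexpected    - {api: [scopes]} present in the tenant but not documented
    missing_admin - {api: [scopes]} documented as admin-consent scopes that
                    have no tenant-wide (AllPrincipals) grant
    """
    granted = granted_scopes(grants_json)
    unexpected = {}
    missing_admin = {}
    for api, scopes in granted.items():
        extra = sorted(s for s in scopes if s not in documented.get(api, {}))
        if extra:
            unexpected[api] = extra
    for api, scopes in documented.items():
        tenant_wide = {s for s, ct in granted.get(api, {}).items()
                       if ct == "AllPrincipals"}
        need = sorted(s for s, admin in scopes.items()
                      if admin and s not in tenant_wide)
        if need:
            missing_admin[api] = need
    return unexpected, missing_admin


if __name__ == "__main__":
    extra, missing = audit_grants(SAMPLE_GRANTS_JSON)
    print("Undocumented scopes granted:", extra)
    print("Documented admin scopes not granted tenant-wide:", missing)
```

Scopes that show up as unexpected deserve a follow-up with whoever consented them; scopes that show up as missing explain why a Portal feature that depends on them (role evaluation, in the sample) would fail for every user in the tenant. Resolving the Client ID to the service principal object ID first matters because oauth2PermissionGrants is filtered by that object ID, not by the app's Client ID.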