ContraForce Offboarding Procedure

The article covers the required steps to offboard ContraForce.

ContraForce Offboarding Procedure

During onboarding, ContraForce may deploy resources to a tenant's Microsoft Entra directory and an Azure subscription. If, for any reason, all ContraForce resources must be removed from an Azure environment, the following steps should be taken:

• Removal of consented ContraForce Enterprise applications from the onboarded Microsoft Entra directory

• For Sentinel deployments: Removal of the resource group and resources used for Incident notifications

Removing ContraForce Enterprise applications from Microsoft Entra

Enterprise applications that have been consented can be deleted through the Microsoft Entra admin center or Microsoft Azure > Microsoft Entra ID portal.

To offboard ContraForce, remove the following Enterprise applications:

Removal of ContraForce resources from the Azure subscription

If an existing Microsoft Sentinel workspace was previously onboarded, there will be resources ContraForce deployed to the Azure subscription that contains the Sentinel workspace.

• The rg-contraforce-apollo resource group and any resources within it. The Azure portal can be used to do this

• Resources deployed to the resource group containing the onboarded Microsoft Sentinel workspace

  • API Connection: microsoftsentinel-Publish-Incident-To-Apollo

  • Logic App: Publish-Incident-To-Apollo

  • Sentinel Automation Rule: Run-Playbook-Publish-Incident-To-Apollo

Finally, the Azure portal can be used to remove any subscription-level Azure RBAC role assignments for the following service principal(s):

• ContraForce API