ContraForce Onboarding and Permissions Overview

To begin onboarding with ContraForce, the first step is to sign the Microsoft Customer Agreement (MCA). This agreement grants ContraForce consent to deploy the necessary security infrastructure to connect your environment to the ContraForce Portal.

What is the purpose of the Microsoft Customer Agreement?

The primary purpose of using the Microsoft Customer Agreement is the simplified billing of the associated Azure resources deployed by ContraForce during onboarding. By signing the MCA, ContraForce can manage the billing of all deployed resources in a streamlined predictable manner.

What is the purpose of Global Admin?

From the customer side, a Global Admin is needed to sign the agreement. Once signed, the agreement will grant ContraForce the Global Admin role. This is shown in the screenshot below. ContraForce only requires the Global Admin role to assign the Owner role to a newly created Subscription. Once the primary ContraForce subscription is created, the Global Admin role is removed from your authorized partner relationships.

Authorize partner - blacked out

Onboarding Consent Flow

After the MCA is signed, there are two main groups of API permissions that are granted. The first is the ContraForce API and the second is the ContraForce Portal. Both of these are set up as app registrations within Microsoft Entra ID.

In the sections below, every permission needed by ContraForce is listed and explained. The ContraForce Portal permission set builds upon the permissions that are granted within the ContraForce API as the ContraForce API is a component of the ContraForce Portal.

ContraForce API Permissions

Log Analytics 

API / Permission Name

Description

ContraForce Usage

Data.Read

Read Log Analytics data as user

Log Analytics data retrieval and processing

Microsoft Graph

API / Permission Name

Description

ContraForce Usage

Group.ReadWrite.All

Read and write all groups

Security Group creation during deployment

Directory.Read.All

Read directory data

ContraForce service principles fetching, resource deployment

User.Read.All

Read all users' full profiles

User assignment in Incident Case management

AppRoleAssignment.ReadWrite.All

Manage app permission grants and app role assignments

Security Group subscription assignment, service principle and user subscription assignment

ContraForce Portal Permissions

ContraForce API

API / Permission Name

Description

ContraForce Usage

Api.Access

API Access

Enables API usage

Microsoft Graph

API / Permission Name

Description

ContraForce Usage

Directory.Read.All

Read directory data

RBAC

email

View users' email address

Integration between Azure AD user profile and ContraForce portal

offline_access

Maintain access to data you have given it access to

App token refreshing

openid

Sign users in

Portal Authentication

profile

View users' basic profile

Integration between Azure AD user profile and ContraForce portal

User.Read

Sign in and read user profile

Integration between Azure AD user profile and ContraForce portal

User.Read.All

Read all users' full profiles

Integration between Azure AD user profile and ContraForce portal

Note that all permission types are delegated.

Delegated permissions are used by apps that have a signed-in user present. For these apps, either the user or an administrator consents to the permissions that the app requests. The app is delegated with the permission to act as a signed-in user when it makes calls to the target resource.

Some delegated permissions can be consented to by non-administrators. But some high-privileged permissions require administrator consent. To learn which administrator roles can consent to delegated permissions, see Administrator role permissions in Azure Active Directory (Azure AD).

If you have any further questions about the Microsoft Customer Agreement or onboarding with ContraForce, please let us know! We are more than happy to answer any additional questions.