![ContraForce_Full_Logo_Reversed.png]](https://docs.contraforce.com/hs-fs/hubfs/ContraForce_Full_Logo_Reversed.png?height=39&name=ContraForce_Full_Logo_Reversed.png){kind=logo}
ContraForce Offboarding Procedure
The article covers the required steps to offboard ContraForce.
ContraForce Offboarding Procedure
During onboarding, ContraForce may deploy resources to a tenant's Microsoft Entra directory and an Azure subscription. If, for any reason, all ContraForce resources must be removed from an Azure environment, the following steps should be taken:
-
Removal of consented ContraForce Enterprise applications from the onboarded Microsoft Entra directory
-
For Sentinel deployments, removal of the resource group and resources used for Incident notifications
- For Agent deployment, removal of the cf-rg-agent-center and cf-rg-agent resource groups.
Removing ContraForce Enterprise applications from Microsoft Entra
Enterprise applications that have been consented can be deleted through the Microsoft Entra admin center or Microsoft Azure > Microsoft Entra ID portal.
To offboard ContraForce, remove the following Enterprise applications:
| Name | Application ID |
|
ContraForce API |
24d97bc0-8f2b-45d5-8e0b-7fe286732ef2 |
|
ContraForce Portal |
8b7cb435-9526-47ee-b79a-34433f0daad2 |
|
ContraForce Sentinel Hunting |
6bf1c74d-7ade-4671-a507-166936f89a1f |
|
ContraForce for MDE |
6efccc6a-f0d3-49e5-92d0-17d4afa9ba52 |
|
ContraForce Gamebooks for MDE |
ad7b0e79-3c37-4408-bf8f-eb89522cc920 |
|
ContraForce Gamebooks for Identity |
36b0d51c-4c0f-4810-9cc4-bfbd40c7dd4a |
|
ContraForce User Management |
460b65b7-3a5e-4a2c-98d0-e48fd35374a9 |
|
ContraForce Gamebooks for Email |
44dbf6fe-45e3-48a3-bac3-f8d4cf1dba6d |
Removal of ContraForce resources from the Azure subscription
If an existing Microsoft Sentinel workspace was previously onboarded, there will be resources ContraForce deployed to the Azure subscription that contains the Sentinel workspace.
-
The
rg-contraforce-apolloresource group and any resources within it. The Azure portal can be used to do this -
Resources deployed to the resource group containing the onboarded Microsoft Sentinel workspace
-
API Connection:
microsoftsentinel-Publish-Incident-To-Apollo -
Logic App:
Publish-Incident-To-Apollo -
Sentinel Automation Rule:
Run-Playbook-Publish-Incident-To-Apollo
-
Finally, the Azure portal can be used to remove any resource group-level Azure RBAC role assignments for the following service principal(s):
-
ContraForce API
Removal of ContraForce Agent Resource Groups
Lastly, if agents were created, there will be resources ContraForce deployed to the Azure subscription that contains the agent center. The Azure portal can be used to delete these.
-
The
cf-rg-agent-centerresource group and any resources within it. -
The
cf-rg-agent-*resource groups created for each agent and any resources within them.
If you have any questions, please contact the ContraForce support team through email at support@contraforce.com or by submitting a ticket here.