Part 1: MSP / Service Provider
Grant Microsoft access, set up your Agent Center, connect your own security tools, and pre-onboard customer workspaces.
Part 2: Customer Admin
Your service provider has pre-onboarded your workspace. Click the invite link, grant consent, and consent each module on the Modules tab.
Before You Begin
What both sides need
| Requirement | Who needs it |
|---|---|
| Microsoft Entra Global Administrator | First sign-in from each tenant requires an admin to grant ContraForce consent (one-time) |
Pop-ups allowed for portal.contraforce.com | Microsoft consent prompts open in popup windows |
| Active Microsoft 365 license with Defender capabilities (Business Premium, E3, or E5) | Customer side, for Defender-based detection and response |
What service providers also need
| Requirement | Why |
|---|---|
| ContraForce sign-up link | Provided by your account team to start your own onboarding |
| Customer’s Microsoft Entra tenant ID | Required to pre-onboard a workspace for them |
| Customer’s primary point-of-contact email | Receives the invite that starts the customer’s onboarding |
What customers also need
| Requirement | Why |
|---|---|
| Invite email from your service provider | The link in this email is your onboarding entry point |
| Azure Subscription Owner | Only required if Microsoft Sentinel is among the pre-selected detection modules |
How the Two Parts Connect
Module Reference
The detection and response modules your customer ends up using depend on what your service provider pre-selects when adding the workspace from the Workspace Center → Onboarding tab. Use this matrix to decide what to pre-select.| Capability | Defender for Endpoint | Sentinel |
|---|---|---|
| Defender for Endpoint incidents | ✓ | ✓ |
| Entity enrichment | ✓ | ✓ |
| Gamebook response actions | ✓ | ✓ |
| Multi-tenant management | ✓ | ✓ |
| Sentinel incidents | – | ✓ |
| Detection rules (CMS) | – | ✓ |
| Email notifications | – | ✓ |
| Log search | – | ✓ |
| Azure Lighthouse | – | ✓ |
Selecting Sentinel as a detection module triggers ContraForce to deploy the supporting Azure infrastructure in the customer’s subscription automatically. The customer doesn’t run a separate Azure deployment step.
Per-module deep-dives
Microsoft Sentinel Module
What Sentinel adds and what gets deployed in the customer’s Azure subscription
Defender for Endpoint Module
Defender for Endpoint detection and response details
CrowdStrike Modules
CrowdStrike detection and response options
SentinelOne Module
SentinelOne detection and response
CMS Module
Content Management System for Sentinel detection rules (Sentinel only)
Notifications Module
Email notifications for incidents (Sentinel only)
Verifying a Successful Deployment
There is no completion screen. A workspace is onboarded when its status light turns green on its card in the Workspace Center. Run these checks once the customer has consented their modules.Immediate verification
- The customer’s card moves from the Onboarding tab to the Workspaces tab in your Workspace Center
- The card’s status light goes blue (pre-onboarded) to green (live). An amber light means a module or agent is still missing
- You received the real-time notification that the customer’s workspace is live
- Incidents start appearing on the Command Dashboard within 5 to 15 minutes
If incidents don’t appear
- Check the source system (Defender, Sentinel, CrowdStrike) for active incidents. ContraForce syncs existing incidents, so if there are none in the source, none will appear in ContraForce
- Verify each pre-selected module shows as consented on the customer’s Modules tab
- For Sentinel customers, allow a few extra minutes after module consent for the Azure infrastructure to finish deploying
Common Issues
| Issue | Likely cause | Solution |
|---|---|---|
| Consent popup doesn’t appear | Pop-up blocker | Allow pop-ups for portal.contraforce.com |
| Consent fails with permissions error | Non-admin user | Forward the admin consent link to a Global Admin |
| Sign In Failed page | Consent skipped or stuck session | See troubleshooting in Part 1 or Part 2 |
| No incidents appearing | No active incidents in source | Check Defender/Sentinel/CrowdStrike console |
| Customer card stays blue on the Onboarding tab | Customer hasn’t consented their modules yet | Resend the invite or contact the POC |
Next Steps After Onboarding
Incident Management
Learn how to triage and respond to incidents
What Are Gamebooks?
Automated response workflows
Command Dashboard
Monitor security posture across workspaces
Multi-Tenant Features
Manage multiple customers efficiently
Questions about onboarding? Contact us at support@contraforce.com.