Before you begin:

Confirm the following:

• You have access to the Azure Portal with Global Administrator or Application Administrator privileges
• You have a secure location ready to store the Client Secret value — it is only shown once
• You have completed the prerequisites checklist in the Prerequisites for Azure Log Connector article

Step 1 — Create the App Registration:

1. Sign in to the Azure Portal
2. In the search bar, type Microsoft Entra ID and select it
3. In the left navigation menu, click App Registrations
4. Click New Registration
5. Configure the registration:
   • Name — enter LT Auditor ^MP Azure Log Collector
   • Supported Account Types — select Accounts in this organizational directory only (Single Tenant)
   • Redirect URI — leave blank
6. Click Register

Step 2 — Record your Tenant ID and Client ID:

On the App Registration overview page, locate and copy the following values:

Store these securely — you will need them during the Azure Log Connector configuration step.

Step 3 — Configure API permissions:

1. In the left navigation menu, click API Permissions
2. Click Add a Permission

Add Microsoft Graph permissions:

1. Select Microsoft Graph
2. Select Application Permissions
3. Search for and add each of the following permissions:

4. Click Add Permissions

Add Office 365 Management API permission:

1. Click Add a Permission again
2. Select Office 365 Management APIs
3. Select Application Permissions
4. Add the following permission:

5. Click Add Permissions

After adding all permissions, the API Permissions page will list all 15 permissions with a status of Not granted.

Step 4 — Grant Admin Consent:

All application permissions require Admin Consent from a Global Administrator before they become active.

1. On the API Permissions page, click Grant admin consent for [Your Organization Name]
2. Click Yes to confirm
3. Confirm all 15 permissions update to show a green checkmark and status of Granted for [Your Organization Name]

If the Grant admin consent button is greyed out, you do not have sufficient privileges. Contact your Global Administrator to complete this step.

Step 5 — Create a Client Secret:

1. In the left navigation menu, click Certificates & Secrets
2. Click New Client Secret
3. Configure the secret:
   • Description — enter LT Auditor ^MP Collector
   • Expires — select an expiration period (recommended: 24 months)
4. Click Add

Copy the secret Value immediately. It is only displayed once. If you navigate away before copying it, you will need to delete the secret and create a new one.

Store the Client Secret securely alongside the Tenant ID and Client ID recorded in Step 2.

Step 6 — Verify the App Registration:

Before proceeding to installation, confirm the following:

1. The application name shows as LT Auditor ^MP Azure Log Collector
2. The Application (client) ID and Directory (tenant) ID are recorded
3. All 15 API permissions are listed and show status Granted
4. All permissions are listed as Application type — not Delegated
5. The client secret is listed with a future expiry date and the value has been copied and stored

Managing secret expiry:

Client secrets expire based on the duration selected at creation. To avoid service interruptions:

• Note the secret expiry date and set a reminder 30 days before it expires
• When renewal is needed, generate a new secret in Certificates & Secrets, update the Azure Log Connector configuration with the new value, and delete the old secret

[Your administrator should document the secret expiry date and assign ownership of the renewal process to ensure Azure Log Connector is not interrupted by an expired secret.]

Summary of values to retain:

Running the configuration utility:

1. Open Command Prompt or PowerShell as Administrator
2. Navigate to the installation directory:

cd “C:\Program Files\Blue Lance 2-0\LTA_AzureLogCollector”

3. Run the configuration utility:

Lta.Entra.Agent.exe –configure

4. Enter the following values at each prompt:

Tenant ID: Enter the Directory (tenant) ID from your App Registration:

Tenant ID: <your-tenant-id>

Client ID: Enter the Application (client) ID from your App Registration:

Client ID (Application ID): <your-client-id>

Client Secret: Enter the client secret value generated in your App Registration:

Client Secret: <your-client-secret>

AgentId: A unique identifier for this collector instance. Defaults to the local machine name if left blank:

AgentId: <machine-name or custom identifier>

Syslog Host: The hostname or IP address of your LT Auditor ^MP server:

Syslog Host: <LT Auditor MP hostname or IP>

Syslog Port: The port your LT Auditor ^MP syslog listener is configured on. Default is 5050:

Syslog Port: 5050

Protocol: The syslog transport protocol. Default is TCP:

Protocol (UDP, TCP, or TLS): TCP

5. After all prompts are completed, the configuration utility saves the settings to the application configuration files in the installation directory

Restarting the service after configuration:

If the service was already running when configuration changes were made, restart it to apply the new settings:

net stop LTA_AzureLogCollector

net start LTA_AzureLogCollector

Confirm the service returns to a Running state after the restart:

sc query LTA_AzureLogCollector

Updating configuration after initial setup:

If any configuration values need to be changed after the initial setup — for example, when a client secret is renewed, the LT Auditor ^MP server address changes, or the syslog port is updated — rerun the configuration utility:

Lta.Entra.Agent.exe –configure

Work through all prompts again, entering the updated values where needed and confirming unchanged values. Restart the service after completing the updated configuration.

Verifying the configuration:

After completing configuration and starting the service, verify it is connecting successfully to both Microsoft APIs and the LT Auditor ^MP server:

1. Review the application logs for successful startup and API connection messages:

C:\Program Files\Blue Lance 2-0\LTA_AzureLogCollector\logs

2. Look for:
   
   • Successful authentication to Microsoft Graph
   • Successful authentication to the Office 365 Management API
   • Syslog connection established to LT Auditor ^MP
   • First polling cycle completed
3. In the LT Auditor ^MP Web UI, navigate to View, select the Azure Log Connector environment, and confirm events are appearing after the first polling cycle completes
   

Common configuration issues:

Using TLS for secure syslog transmission:

If your LT Auditor ^MP transformation rule is configured for TLS, select TLS when prompted for the protocol during configuration. Ensure that:

• The LT Auditor ^MP server TLS certificate is valid and trusted
• Any required CA certificates are available on the Azure Log Connector server
• The configured port matches the TLS listener port in LT Auditor ^MP

Blue Lance recommends using TLS for syslog transmission in production environments to encrypt audit data in transit between Azure Log Connector and the LT Auditor ^MP server.

[Your administrator should document the configured Syslog Host, Port, Protocol, and AgentId values for future reference and include them in your change management records.]

Locating the configuration file:

The appsettings.json file is located in the Azure Log Connector installation directory:

C:\Program Files\Blue Lance 2-0\LTA_AzureLogCollector\appsettings.json

Open the file using a text editor running as Administrator. After making any changes, save the file and restart the service for changes to take effect:

net stop LTA_AzureLogCollector

net start LTA_AzureLogCollector

Polling configuration section:

The polling behavior is defined in the Polling section of appsettings.json:

“Polling”: {

  “IntervalSeconds”: 300,

  “BatchSize”: 250,

  “LookbackMinutesOnStart”: 60,

  “PullSignIns”: true,

  “PullDirectoryAudits”: true,

  “PullProvisioning”: false,

  “PullSharePoint”: true,

  “SaveRawResponses”: false,

  “SharePointDelayMinutes”: 30,

  “SharePointLookbackDays”: 7

}

Polling settings reference:

IntervalSeconds How often in seconds the connector checks Microsoft Azure for new events.

BatchSize The maximum number of records retrieved from the Microsoft API during each polling cycle.

LookbackMinutesOnStart When the service starts or restarts, it retrieves events going back the specified number of minutes. This prevents events from being missed during downtime or restart periods.

PullSignIns Controls whether Azure Sign-In logs are collected.

Requires Microsoft Entra ID P1 or P2 license.

PullDirectoryAudits Controls whether Microsoft Entra ID audit logs are collected.

Available with Microsoft Entra ID Free and above.

PullProvisioning Controls whether Azure provisioning logs are collected.

[Your administrator should enable this setting if your organization uses Azure AD provisioning and provisioning activity is in scope for monitoring.]

PullSharePoint Controls whether SharePoint Online and OneDrive activity logs are collected.

Requires Microsoft 365 Business Standard or above and the ActivityFeed.Read Office 365 Management API permission.

SaveRawResponses When enabled, saves raw Microsoft API responses locally for troubleshooting purposes.

Enable SaveRawResponses only when actively troubleshooting API or collection issues. Leaving it enabled in normal operation will consume significant disk space over time.

SharePointDelayMinutes Introduces a delay before collecting SharePoint and OneDrive events. This allows Microsoft 365 audit events sufficient time to become available in the Office 365 Management API before the connector attempts to retrieve them.

SharePointLookbackDays Specifies how many days back the connector searches for SharePoint and OneDrive events during startup or recovery operations.

Recommended configuration:

For most environments the following settings are recommended:

“Polling”: {

  “IntervalSeconds”: 300,

  “BatchSize”: 250,

  “LookbackMinutesOnStart”: 60,

  “PullSignIns”: true,

  “PullDirectoryAudits”: true,

  “PullProvisioning”: false,

  “PullSharePoint”: true,

  “SaveRawResponses”: false,

  “SharePointDelayMinutes”: 30,

  “SharePointLookbackDays”: 7

}

These settings provide near real-time monitoring while maintaining efficient API usage against Microsoft Graph and the Office 365 Management API.

[Your administrator should adjust PullProvisioning to true if Azure AD provisioning activity is in scope for your environment, and review license availability before enabling PullSignIns and PullSharePoint.]

Applying configuration changes:

After editing and saving appsettings.json, restart the service to apply the changes:

net stop LTA_AzureLogCollector

net start LTA_AzureLogCollector

Confirm the service restarts successfully:

sc query LTA_AzureLogCollector

Review the application logs to confirm the updated polling settings are active:

C:\Program Files\Blue Lance 2-0\LTA_AzureLogCollector\logs