Installation – Blue Lance https://bluelance.com Wed, 03 Jun 2026 17:45:11 +0000 en-US hourly 1 https://wordpress.org/?v=7.0 https://bluelance.com/wp-content/uploads/2025/11/fevicon-ic-1.png Installation – Blue Lance https://bluelance.com 32 32 Prerequisites for Azure Log Connector https://bluelance.com/docs/prerequisites-for-azurelogconnector/ Thu, 28 May 2026 16:23:10 +0000 https://bluelance.com/?post_type=docs&p=15895 Prerequisites for Azure Log Connector

Before installing and configuring Azure Log Connector, several prerequisites must be in place in both your Microsoft Azure environment and your LT Auditor MP deployment. This article covers everything that needs to be confirmed or prepared before proceeding with installation.

LT Auditor MP prerequisites:

RequirementDetails
LT Auditor MP ServerMust be installed and running
Network Access — InboundLT Auditor MP syslog listener must be active on the configured port (default: 5050)
Download Packagelta-mp-azurelogcollector.zip obtained from your administrator or Blue Lance

[Your administrator should confirm the exact download location for the Azure Log Connector package in your environment.]

Server requirements:

The machine where Azure Log Connector will be installed must meet the following requirements:

RequirementDetails
Operating SystemWindows Server 2019 or newer
Internet ConnectivityOutbound HTTPS access to Microsoft Graph and Office 365 Management APIs
Administrative AccessLocal administrator privileges required for installation and configuration
Network Access — OutboundMust be able to reach the LT Auditor MP syslog listener on the configured port (default: 5050)
Azure Portal AccessAccess to the Azure Portal to create and configure the App Registration

Required outbound network access:

Azure Log Connector requires outbound HTTPS access to the following Microsoft API endpoints. Confirm these are not blocked by your firewall or proxy:

EndpointPurpose
https://graph.microsoft.comMicrosoft Graph API — Entra ID sign-in logs, audit logs, identity protection events
https://manage.office.comOffice 365 Management API — SharePoint Online and OneDrive activity logs
https://login.microsoftonline.comMicrosoft identity platform — authentication for the App Registration

Test connectivity from the Azure Log Connector server to each endpoint:

Test-NetConnection -ComputerName graph.microsoft.com -Port 443

Test-NetConnection -ComputerName manage.office.com -Port 443

Test-NetConnection -ComputerName login.microsoftonline.com -Port 443

All three should return a successful result. If any connection fails, work with your network team to allow outbound HTTPS traffic to those endpoints.

[Your administrator should confirm whether outbound internet access from the installation server requires proxy configuration, and if so, ensure the proxy settings are configured before proceeding.]

Microsoft Entra ID prerequisites:

RequirementDetails
Active Entra ID TenantAn active Microsoft Entra ID (Azure AD) tenant
Azure Portal AccessGlobal Administrator or Application Administrator privileges to create App Registrations
App RegistrationA dedicated App Registration created for Azure Log Connector
API PermissionsMicrosoft Graph and Office 365 Management API permissions granted with admin consent
Client SecretA client secret generated for the App Registration

Required API permissions:

The App Registration used by Azure Log Connector requires the following permissions. All permissions are Application type — not Delegated — as Azure Log Connector runs as a background service without a signed-in user. All permissions require Admin Consent from a Global Administrator.

Microsoft Graph — Application Permissions:

PermissionPurpose
AuditLog.Read.AllRead Entra ID audit logs and sign-in logs
Directory.Read.AllRead directory objects including users, groups, and roles
Application.Read.AllRead application registrations and service principals
Domain.Read.AllRead domain information
Files.Read.AllRead files across the organization
GroupMember.Read.AllRead group memberships
IdentityProvider.Read.AllRead identity provider configurations
IdentityRiskyServicePrincipal.Read.AllRead risky service principal detections
IdentityRiskyUser.Read.AllRead risky user detections
Policy.Read.AllRead conditional access and other policies
RoleManagementAlert.Read.DirectoryRead role management alerts
User.Export.AllExport user data
User.Read.AllRead user profiles
UserAuthenticationMethod.Read.AllRead user authentication methods including MFA

Office 365 Management APIs — Application Permissions:

PermissionPurpose
ActivityFeed.ReadRead SharePoint Online and OneDrive activity logs

This is a significantly broader set of permissions than the previous EntraConnector module required, reflecting the expanded scope of Azure Log Connector across both Entra ID and Microsoft 365. All permissions require Admin Consent before they become active.

Microsoft 365 license requirements:

Access to certain log categories requires appropriate Microsoft licensing. Confirm the following with your Microsoft licensing administrator:

Log CategoryMinimum License Required
Entra ID Audit LogsMicrosoft Entra ID Free
Sign-In LogsMicrosoft Entra ID P1 or P2
Risky Sign-Ins & Identity ProtectionMicrosoft Entra ID P2
SharePoint Online Activity LogsMicrosoft 365 Business Standard or above
OneDrive Activity LogsMicrosoft 365 Business Standard or above
Conditional Access ActivityMicrosoft Entra ID P1 or P2

[Your administrator should confirm your organization’s current Microsoft 365 and Entra ID license tiers and which log categories are available before configuring Azure Log Connector.]

Roles required for setup:

TaskRequired Role
Create the App RegistrationGlobal Administrator or Application Administrator
Grant Admin Consent for API permissionsGlobal Administrator
Install Azure Log ConnectorLocal Administrator on the installation server
Configure Azure Log Connector in LT Auditor MPLT Auditor MP Administrator

[Your administrator should coordinate with your Azure or Microsoft 365 administrator to complete the App Registration steps if they do not have access to the Azure Portal.]

Information to gather before installation:

Before proceeding to the App Registration and installation steps, gather the following. You will need all of these values during configuration:

ItemWhere to Find ItNotes
Tenant IDAzure Portal → Microsoft Entra ID → OverviewAlso called Directory ID
Client IDAzure Portal → App Registrations → your app → OverviewAlso called Application ID
Client SecretAzure Portal → App Registrations → your app → Certificates & SecretsCopy immediately — only shown once
LT Auditor MP Server IP or HostnameYour LT Auditor MP installationNeeded during configuration
Syslog PortLT Auditor MP
Configure → Transformation Rules		Default: 5050
Syslog ProtocolLT Auditor MP
Configure → Transformation Rules		UDP, TCP, or TLS

The Client Secret value is only displayed once at the time of creation. Copy it immediately and store it securely. If the secret is lost, a new one must be generated.

Prerequisites checklist:

Before proceeding to the next article, confirm all of the following:

  • [ ] Installation server meets Windows Server 2019 or newer requirement
  • [ ] Outbound HTTPS access confirmed to all three Microsoft API endpoints
  • [ ] LT Auditor MP server is installed and running
  • [ ] LT Auditor MP syslog listener is active on the configured port
  • [ ] Azure Portal access with appropriate privileges is available
  • [ ] Microsoft 365 and Entra ID license tiers confirmed
  • [ ] Tenant ID, Client ID, and Client Secret are ready to hand
  • [ ] LT Auditor MP syslog port and protocol are confirmed

[Your administrator should complete this checklist before proceeding to the Registering the App in Microsoft Entra ID article to avoid interruptions during setup.]

]]> Installing Azure Log Connector https://bluelance.com/docs/installing-azure-log-connector/ Wed, 03 Jun 2026 17:30:16 +0000 https://bluelance.com/?post_type=docs&p=16262 Azure Log Connector is installed as a Windows service using the provided MSI installation package. The service must be fully configured before it is started for the first time.

Prerequisites:

Before installing, confirm the prerequisites checklist in the Prerequisites for Azure Log Connector article is complete, and that your App Registration in Microsoft Entra ID is fully configured with all required API permissions granted.

Step 1 — Run the installer:

Locate the installation package:

LTA_AzureLogCollector.msi

Right-click the MSI file and select Install. Follow the installation wizard prompts to complete the installation.

By default, the application installs to:

C:\Program Files\Blue Lance 2-0\LTA_AzureLogCollector

The installation process does not automatically start the LTA_AzureLogCollector Windows service. The service must be configured before it is started for the first time. Do not attempt to start the service until configuration is complete.

Step 2 — Run the configuration utility:

  1. Open Command Prompt or PowerShell as Administrator
  2. Navigate to the installation directory:

cd “C:\Program Files\Blue Lance 2-0\LTA_AzureLogCollector”

  1. Run the configuration utility:

Lta.Entra.Agent.exe –configure

  1. Enter the following information when prompted:
PromptValue to Enter
Tenant IDThe Directory (tenant) ID from your App Registration
Client IDThe Application (client) ID from your App Registration
Client SecretThe client secret value generated in your App Registration
AgentIdA unique identifier for this collector — defaults to the local machine name
Syslog HostThe hostname or IP address of your LT Auditor MP server
Syslog PortThe LT Auditor MP syslog listener port — default: 5050
ProtocolThe syslog transport protocol — UDP, TCP, or TLS — default: TCP

[Your administrator should confirm the correct Syslog Host, Port, and Protocol values for your LT Auditor MP environment before running the configuration utility.]

Step 3 — Start the service:

After configuration is complete, start the Windows service using one of the following methods:

Using the command line:

net start LTA_AzureLogCollector

Using the Services console:

  1. Open Services (services.msc)
  2. Locate LT Auditor MP Azure Log Collector
  3. Click Start

Step 4 — Verify the service is running:

Confirm the service started successfully:

sc query LTA_AzureLogCollector

The service should show as Running. If the service fails to start, review the application logs for errors:

C:\Program Files\Blue Lance 2-0\LTA_AzureLogCollector\logs

Check for:

  • Authentication failures — confirm Tenant ID, Client ID, and Client Secret are correct
  • API permission errors — confirm Admin Consent has been granted for all permissions
  • Network connectivity issues — confirm outbound HTTPS access to Microsoft API endpoints
  • Syslog connection errors — confirm the LT Auditor MP server is reachable on the configured port

Step 5 — Verify events are arriving in LT Auditor MP:

After the service starts successfully:

  1. Allow at least one polling cycle to complete (default: 5 minutes)
  2. Log in to the LT Auditor MP Web UI
  3. Navigate to View
  4. Select the Azure Log Connector environment and category
  5. Set the date range to Last Hour
  6. Confirm that Azure log events are appearing in the event list

If no events appear after several polling cycles, refer to the verification and troubleshooting steps in the Configuring Polling Settings article.

]]>