Overview  

Note: As part of Azure’s ongoing modernization efforts, the legacy custom data collection API will be retired in September 2026. Learn more.  

Setup instructions 

Go to the Azure Portal to begin the setup.

Step 1: Create an app registration 

To authenticate API requests to the Azure Logs Ingestion API, you need to create an Azure app registration.

1. Navigate to App registrations in the Azure portal and click New registration.
   
2. Complete the registration form:
   
1. Name: ZohoVaultLogging
   
2. Supported account types: Choose the default option (single tenant)
   
3. Redirect URI: Leave this field blank
   
4. Click Register.
   
3. After the app is registered:
   
1. Open the newly created application.
   
2. Go to Expose an API.
   
3. Click Add next to the Application ID URI.
   
4. Accept and save the default suggested URI.
   

Step 2:  Create a client secret

1. In the Azure portal, navigate to App registrations and select your application.
   
2. Go to Manage and click Certificates & secrets, then click New client secret.
   
3. Enter a description and choose the desired expiration period.
   
4. Click Add to generate the secret.
   
5. Once created, copy the generated value immediately and store it securely in Zoho Vault. This value will be required later as the "Client Secret Value".
   

Info: Save the following for later:

1. Application (client) ID

2. Client secret ID

3. Client secret value

4. Directory (tenant) ID on the App registrations page. 

Step 3:  Create a log analytics workspace 

A log analytics workspace serves as the main resource in Azure Monitor for gathering and retaining log data. If you already have an existing workspace, you can skip this step.

1. In the Azure portal, navigate to Log Analytics workspaces.
   
2. Click Create and provide the following details:
   
1. Subscription: Select your Azure subscription.
   
2. Resource group: Choose an existing resource group or create a new one.
   
3. Name: Enter a meaningful name (for example, ZohoVaultLogsWorkspace).
   
4. Region: Select the appropriate region.
   
3. Click Review + Create, then select Create to complete the setup.
   

Step 4:  Assign a role to app registration

1. In the Azure portal, open your log analytics workspace (for example, ZohoVaultLogsWorkspace).
   
2. Navigate to Access control (IAM) and select Role assignments.
   
3. Click Add, then click Add role assignment.
   
4. In the role search bar, type Log Analytics Contributor and select the role.
   
5. Click + Select members, then choose the ZohoVaultLogging application from the list.
   
6. Review the details and complete the role assignment to grant access.
   

Step 5:  Create a data collection endpoint

1. In the Azure portal, search for Data Collection Endpoints and click Create.
   
2. Configure the following details:
   
1. Subscription: Select your Azure subscription.
   
2. Resource Group: Choose the same resource group that you plan to use for the data collection rule.
   
3. Region: Select the appropriate region.
   
4. Name: Provide a meaningful name (for example, ZohoVaultLogsEndpoint).
   
3. Review the configuration and complete the creation process.
   

1. In the Azure portal, open your log analytics workspace (for example, ZohoVaultLogsWorkspace).
   
2. Under Settings, select Tables and click Create.
   
3. Choose New custom log (Direct ingest).
   
4. Enter a table name. In this example, we use ZohoVaultLogs.
   
5. Create a new data collection rule when prompted.
   
6. Save the JSON file below on your computer.
   
7. When prompted, upload the JSON file below as a data sample:
   

Step 7: Assign app permissions to the DCR 

1. In the Azure portal, navigate to Data collection rules and open your rule (for example, ZohoVaultDCR).
   
2. Select Access control (IAM) and go to Role assignments.
   
3. Click Add then select Add role assignment.
   
4. Search for and select the Monitoring Metrics Publisher role.
   
5. Click +Select members, choose the ZohoVaultLogging application from the list, and complete the assignment.
   
6. Repeat this process and add "Monitoring Contributor" and "Monitoring Reader".
   

Step 8: Assign app permissions to the DCE 

1. In the Azure portal, navigate to Data collection endpoints and open your endpoint (for example, ZohoVaultLogsEndpoint).
   
2. Select Access control (IAM) and go to Role assignments.
   
3. Click Add, then select Add role assignment.
   
4. Search for and select the Monitoring Metrics Publisher role.
   
5. Click Select members, choose the ZohoVaultLogging application from the list, and complete the assignment.
   
6. Repeat the same steps to assign the "Monitoring Contributor" role to the ZohoVaultLogging application.
   

Step 9:  Configuring MS Sentinel (DCR-based) in Zoho Vault    

After completing the Azure configuration, you need to configure the integration in Zoho Vault to stream logs to Microsoft Sentinel.

1. Log into your Zoho Vault account as a Super Admin.
   
2. Navigate to Settings and select SIEM Integration.
   
3. Under MS Sentinel DCR-Based, click Edit Configurations.
   
4. Enter the required Azure details:
   
1. Azure tenant ID: Located in the Subscriptions section of the Azure portal.
   
2. Logs ingestion endpoint: Found in Data Collection Endpoints.
   
3. Azure client ID (application ID): Located on the Overview page of the app registration you created earlier (e.g., ZohoVaultLogging).
   
4. Azure client secret: Use the client secret value generated under Certificates & Secrets in the app registration.
   
5. Data Collection Rule ID: Found in Data Collection Rules as the immutable ID.
   
6. Stream name: Navigate to Data Collection Rules, open your DCR, and select JSON View.
   
7. Copy the stream name (e.g., Custom-ZohoVaultLogs_CL).
   
8. Is Azure US Government Cloud: Enable this toggle only if you are using Azure US Government Cloud.
   

Info: Azure US Government provides a dedicated cloud environment designed for U.S. government agencies and their partners. It supports workloads that must comply with specific U.S. government regulations and compliance requirements. Learn more.