# Epona365 Office 25.1 Advanced deployment (Epona365 Advanced offer)
Date: 20 May 2026. Version: Epona365 Office 25.1.179.
This document is written for the Azure administrator who will run — or prepare the subscription for — an Epona365 Advanced deployment.
# Contents
- When to pick the Advanced offer
- Summary of what is configurable
- Two ways to use Advanced
- Pre-deployment checklist
- UI walkthrough — step by step
- Per-resource requirements (for "Select existing")
- Role assignments reference
- Post-deployment steps
- Troubleshooting
# When to pick the Advanced offer
Pick Advanced when any of these apply:
- You already have a Virtual Network you need Epona365 to live in (hub-spoke, on-prem connectivity, strict IP plan, NSG policies, etc.).
- You have corporate standards for Key Vault, Storage Account, SQL Server, Log Analytics, or AI Foundry and want to bring those resources yourself.
- A subset of the required resources is shared across multiple applications and you don't want Epona365 to own them.
- You need to pick an internal-only (no public endpoint) Container Apps environment.
If none of these apply and you'd rather let the deployment create everything for you, use the Regular Epona25.1 offer instead — see installation.md.
# Summary of what is configurable
Every resource in the Epona365 stack except the Container Apps managed environment and the Container Apps themselves can be either created by the deployment or supplied by you.
| Resource | "Create by deployment" | "Select existing" | Notes |
|---|---|---|---|
| Virtual Network + subnets | ✅ | ✅ | See service endpoint / delegation requirements |
| User-assigned Managed Identity | ✅ | ✅ | Used by every container app |
| Storage Account | ✅ | ✅ | Deployment always creates the required queues / tables / blob containers on the chosen account |
| Key Vault — application secrets | ✅ | ✅ | |
| Key Vault — application settings | ✅ | ✅ | |
| Application Insights + Log Analytics (coupled) | ✅ | ✅ | Selecting existing Application Insights also reuses its connected workspace |
| SQL database (+ its SQL Server) | ✅ | ✅ | Only when filing suggestions is enabled. Existing database selection implies the existing SQL Server it lives on |
| AI Foundry AIServices account | ✅ | ✅ | Deployment always deploys models and project on the chosen account |
| Container Apps managed environment | ✅ | ❌ | Always created by the deployment |
| Container Apps (web + 7 workers) | ✅ | ❌ | Always created by the deployment |
Every new/existing dropdown defaults to "Create by deployment". If you leave all dropdowns at their defaults, the Advanced offer produces the same result as the Simple offer.
Resource-group scope: every existing resource you select must live in the same resource group as the deployment. Cross-resource-group selection is not supported on this offer — the UI's resource pickers will let you select resources from other RGs, but the deployment will fail to find them. The deploying principal needs Reader on every existing resource (for metadata reads) plus the permissions listed under Role assignments reference.
# Two ways to use Advanced
There are two separate axes: who creates each resource, and who creates the RBAC role assignments on existing resources.
# 1. Who creates each resource
Per-resource dropdown — "Create by deployment" vs. "Select existing".
# 2. Role assignments on existing resources
A single top-level toggle controls this for all existing resources at once:
- Create by deployment — the deployment creates every role assignment the managed identity needs on the existing resources. The principal running the deployment must have `User Access Administrator` or `Owner` on each existing resource.
- Pre-configured by customer — you grant the required roles to the managed identity yourself before running the deployment. The deployment will not touch RBAC on existing resources.
For new resources this toggle has no effect; role assignments on newly-created resources are always done by the deployment.
# Pre-deployment checklist
Before starting the deployment, have the following ready:
- Target subscription + resource group — the RG must already exist (or you must have rights to create it during the deployment).
- Region — pick a region; if you want Ask Epona (AI Foundry), pick from: `eastus`, `eastus2`, `swedencentral`, `westus`, `westus3`. For a broader AI Foundry-only list, see AI Foundry.
- Prefix — 3–5 lowercase letters/digits/hyphens. Must not contain `epona`, `dms`, `e365`, and must not start with `ep`.
- ACR password — obtain from your Epona contact.
- Existing resources — for every resource you are bringing yourself, confirm it meets the per-resource requirements below. Existing resources must live in the same resource group as the deployment.
- SQL Server admin password — if you bring an existing SQL database, have the SQL Server's admin password ready — the deployment needs it so the worker apps can authenticate to the server.
- RBAC — if you picked "Create by deployment" for role assignments, confirm the deploying principal has `User Access Administrator` (or `Owner`) on every existing resource. Otherwise, grant the roles from the Role assignments reference to the managed identity before deploying.
# UI walkthrough — step by step
# Basics
| Field | Description |
|---|---|
| Subscription | Target Azure subscription. |
| Resource group | Must already exist or be created during the deployment. Every existing resource you select later must live in this same resource group. |
| Region | Region for all new resources. Regions for AI Foundry are restricted — the UI will warn you if the selected region is unsupported. |
| Prefix | 3–5 lowercase characters, used as a prefix for every resource name created by the deployment. |
# Permissions
| Field | Description |
|---|---|
| Role assignments on existing resources | Create by deployment (requires User Access Administrator on each existing resource) or Pre-configured by customer (you have granted the roles to the managed identity yourself before deploying). See Role assignments reference. |
# Network
| Field | Description |
|---|---|
| Virtual network | Create by deployment or Select existing. When existing, the picker presents your existing VNet and asks you to pick both subnets (default subnet and Container Apps subnet). |
| Network accessibility | Only visible when VNet is existing. Public (default) or Internal (VNet only). Internal mode requires you to configure a private DNS zone post-deployment — see Post-deployment steps. |
# Identity
| Field | Description |
|---|---|
| Managed identity | Create by deployment or Select existing. Must be a user-assigned managed identity. |
# Storage & Secrets
| Field | Description |
|---|---|
| Storage Account | Create by deployment or Select existing. |
| Key Vault (application secrets) | Create by deployment or Select existing. |
| Key Vault (application settings) | Create by deployment or Select existing. |
# Monitoring
| Field | Description |
|---|---|
| Application Insights | Create by deployment or Select existing. Selecting existing also reuses the connected workspace. |
# Performance
| Field | Description |
|---|---|
| Performance profile | Basic (≤100 users), Standard (≤1,000 users). Premium is only available inside the Epona tenant. |
# Logging
| Field | Description |
|---|---|
| Enable logging to Epona | Enabled sends non-sensitive Application Insights telemetry to Epona support. |
# AI integration
Visible only when the region supports AI Foundry.
| Field | Description |
|---|---|
| Enable AI Foundry | Enable Ask Epona and related AI features. Deploys the AIServices account + models + project. |
| AI Foundry | When AI Foundry is enabled: Create by deployment or Select existing. |
# Filing suggestions
| Field | Description |
|---|---|
| Filing suggestions | Enabled deploys a SQL server + crawl database. Disabled skips them. |
| SQL database | Only visible when filing suggestions is enabled: Create by deployment or Select existing. Selecting existing also implies an existing SQL Server — the server is derived from the database you pick. |
| SQL Server admin password | Only visible when "Select existing" database is picked. Must match the administratorLoginPassword configured on the SQL Server so the container apps can connect. |
# Registry
| Field | Description |
|---|---|
| Registry password | Password for Epona's Azure Container Registry — obtain from Epona. |
# Per-resource requirements (for "Select existing")
For each resource you bring yourself, this section lists the exact configuration the deployment expects. If your existing resource is already configured by corporate policy (network ACLs, diagnostic settings, etc.), the deployment will not touch those settings — it is on you to ensure the resource remains reachable from the Container Apps subnet and usable by the managed identity.
# Virtual Network and subnets
Resource type: Microsoft.Network/virtualNetworks
Subnets you must provide: two.
Default subnet (service endpoints subnet):
- Minimum size: `/23` (512 IPs).
- Required service endpoints: `Microsoft.Storage`, `Microsoft.KeyVault`, `Microsoft.Sql`, `Microsoft.CognitiveServices`.
- Must not be delegated.
- Must not have conflicting NSG rules that block outbound traffic to Azure services.
Container Apps subnet:
- Minimum size: `/23` (512 IPs).
- Must be delegated to `Microsoft.App/environments`.
- Must not be shared with any other resources.
- Service endpoints for `Microsoft.Storage`, `Microsoft.KeyVault`, `Microsoft.Sql`, `Microsoft.CognitiveServices` are recommended.
NSG rules:
The deployment does not configure NSG rules when VNet is existing. You are responsible for allowing:
- HTTPS (TCP/443) inbound to the Container Apps managed environment static IP (output after the deployment).
- Outbound to Azure services used (Storage, Key Vault, SQL, Cognitive Services) — typically already allowed when service endpoints are in place.
Equivalent Bicep for a new subnet (for reference):
```bicep
// Default (service endpoints) subnet
{
  name: '<your-default-subnet>'
  properties: {
    addressPrefix: '10.0.2.0/23'
    serviceEndpoints: [
      { service: 'Microsoft.Storage' }
      { service: 'Microsoft.KeyVault' }
      { service: 'Microsoft.Sql' }
      { service: 'Microsoft.CognitiveServices' }
    ]
    privateLinkServiceNetworkPolicies: 'Enabled'
  }
}
// Container Apps subnet (dedicated, delegated)
{
  name: '<your-container-apps-subnet>'
  properties: {
    addressPrefix: '10.0.4.0/23'
    delegations: [
      {
        name: 'Microsoft.App.environments'
        properties: { serviceName: 'Microsoft.App/environments' }
      }
    ]
  }
}
```
# User-assigned Managed Identity
Resource type: Microsoft.ManagedIdentity/userAssignedIdentities
Requirements:
- Must be a user-assigned managed identity (not system-assigned).
- No specific properties to configure — the identity just needs to exist.
If "Pre-configured by customer" RBAC is selected, grant the identity the roles listed under Role assignments reference on every other existing resource you are reusing.
# Storage Account
Resource type: Microsoft.Storage/storageAccounts
Required properties:
- `kind`: `StorageV2`
- `sku.name`: `Standard_ZRS` (or equivalent or higher redundancy)
- `supportsHttpsTrafficOnly`: `true`
- `allowSharedKeyAccess`: `true` (the Dapr queue bindings authenticate to the storage account with a shared key)
- `allowBlobPublicAccess`: `false`
- `minimumTlsVersion`: `TLS1_2`
- `accessTier`: `Hot`
Network ACLs:
The deployment does not modify networkAcls on existing Storage Accounts. You must pre-configure network access so the Container Apps subnet can reach the account. Example:
```bicep
networkAcls: {
  defaultAction: 'Deny'
  bypass: 'AzureServices'
  virtualNetworkRules: [
    { id: '<default-subnet-id>', action: 'Allow' }
    { id: '<container-apps-subnet-id>', action: 'Allow' }
  ]
}
```
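A pre-deployment check for an existing Storage Account, added here as an example (not part of the Epona365 deployment itself): it compares the JSON that `az resource show --ids <storage-account-id>` prints against the required properties above and confirms that `networkAcls` admits both subnets. The subnet IDs and the sample account are constructed placeholders.

```python
"""Check an existing Storage Account against the Epona365 Advanced requirements:
required properties, ZRS-or-better SKU, and networkAcls Allow rules for both subnets.
Input is the ARM-shaped JSON of `az resource show --ids <id>` (has a `properties` object)."""
import json
import sys

# Assumption: placeholder IDs, replace with the two subnets you will select in the UI.
DEFAULT_SUBNET_ID = ("/subscriptions/<sub>/resourceGroups/<rg>/providers/"
                     "Microsoft.Network/virtualNetworks/<vnet>/subnets/<default-subnet>")
CONTAINER_APPS_SUBNET_ID = ("/subscriptions/<sub>/resourceGroups/<rg>/providers/"
                            "Microsoft.Network/virtualNetworks/<vnet>/subnets/<container-apps-subnet>")

# Dotted property paths and the values the requirements list demands.
REQUIRED = {
    "kind": "StorageV2",
    "properties.supportsHttpsTrafficOnly": True,
    "properties.allowSharedKeyAccess": True,  # Dapr queue bindings use a shared key
    "properties.allowBlobPublicAccess": False,
    "properties.minimumTlsVersion": "TLS1_2",
    "properties.accessTier": "Hot",
}
# Assumption: these SKUs count as "equivalent or higher redundancy" than Standard_ZRS.
ACCEPTED_SKUS = {"Standard_ZRS", "Standard_GZRS", "Standard_RAGZRS"}


def lookup(obj, dotted):
    """Walk a dotted path through nested dicts; None when any segment is absent."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def check_storage_account(account, subnet_ids=(DEFAULT_SUBNET_ID, CONTAINER_APPS_SUBNET_ID)):
    """Return a list of findings; an empty list means the account is usable as-is."""
    findings = []
    for path, expected in REQUIRED.items():
        actual = lookup(account, path)
        if actual != expected:
            findings.append(f"{path}: expected {expected!r}, got {actual!r}")
    sku = lookup(account, "sku.name")
    if sku not in ACCEPTED_SKUS:
        findings.append(f"sku.name: {sku!r} is below the required ZRS redundancy")
    acls = lookup(account, "properties.networkAcls") or {}
    if acls.get("defaultAction", "Allow") == "Deny":
        # Azure returns resource IDs with inconsistent casing; compare case-insensitively.
        allowed = {r.get("id", "").lower() for r in acls.get("virtualNetworkRules", [])
                   if r.get("action", "Allow") == "Allow"}
        for subnet_id in subnet_ids:
            if subnet_id.lower() not in allowed:
                findings.append(f"networkAcls: defaultAction is Deny and no Allow rule covers {subnet_id}")
    return findings


# Constructed sample: compliant except for public blob access and a missing subnet rule.
SAMPLE_ACCOUNT = {
    "name": "corpstorage01", "kind": "StorageV2", "sku": {"name": "Standard_GZRS"},
    "properties": {
        "supportsHttpsTrafficOnly": True, "allowSharedKeyAccess": True,
        "allowBlobPublicAccess": True, "minimumTlsVersion": "TLS1_2", "accessTier": "Hot",
        "networkAcls": {
            "defaultAction": "Deny", "bypass": "AzureServices",
            "virtualNetworkRules": [
                {"id": DEFAULT_SUBNET_ID.replace("resourceGroups", "resourcegroups"), "action": "Allow"}
            ],
        },
    },
}

if __name__ == "__main__":
    account = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ACCOUNT
    for finding in check_storage_account(account) or ["OK: no findings"]:
        print(finding)
```

Run it with the path of a saved `az resource show` JSON as the only argument; with no argument it checks the embedded sample and reports two findings.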
Child resources created by the deployment:
Regardless of whether the Storage Account is new or existing, the deployment creates the following child resources on the account. If they already exist the deployment is a no-op on them; if you pre-created them with the same names, you're fine.
- Blob container: `organization-settings`
- Queues (11): `user-jobs-high-priority`, `user-jobs-medium-priority`, `user-jobs-low-priority`, `ocr-jobs`, `crawl-jobs`, `delta-jobs`, `metadata-jobs-waiting`, `metadata-jobs-processing`, `tenant-jobs`
- Tables (4): `SiteAccess`, `UserJobs`, `UserStates`, `LegalGraphServices`
# Key Vault — application secrets
Resource type: Microsoft.KeyVault/vaults
Required properties:
- `sku.name`: `premium`
- `enableRbacAuthorization`: `true`
- `enableSoftDelete`: `true`
- `enablePurgeProtection`: `true` (production) or `false` (non-production).
- `tenantId`: your tenant ID.
Network ACLs:
Same principle as Storage — the deployment does not modify networkAcls on an existing Key Vault. Pre-configure to allow the Container Apps subnet:
```bicep
networkAcls: {
  defaultAction: 'Deny'
  bypass: 'AzureServices'
  virtualNetworkRules: [
    { id: '<default-subnet-id>' }
    { id: '<container-apps-subnet-id>' }
  ]
}
```
# Key Vault — application settings
Same requirements as Key Vault — application secrets. The deployment uses two separate Key Vaults: one holds application-internal secrets, the other holds admin-authored application settings. You must provide two distinct vaults.
# Application Insights and Log Analytics
Resource types: Microsoft.Insights/components and Microsoft.OperationalInsights/workspaces
Requirements:
- The Application Insights component must be of `kind` `web`.
- `IngestionMode`: `LogAnalytics` — i.e. it must be a workspace-based Application Insights.
- `WorkspaceResourceId` must reference an existing Log Analytics workspace. That workspace will be reused for the Container Apps managed environment.
Coupling: you cannot select Application Insights and Log Analytics independently. Picking existing Application Insights automatically reuses its connected workspace.
The deployment reads the connection string and workspace ID from the existing Application Insights resource. The deploying principal needs Reader on the Application Insights resource.
# SQL database
Only relevant when filing suggestions is enabled.
The UI exposes one choice — "Create by deployment" or "Select existing" for the SQL database. Selecting "existing" also implies an existing SQL Server: the server is derived from the database resource ID, so you only pick the database.
Resource type (server): Microsoft.Sql/servers
Requirements for the existing SQL Server (the parent of the database you picked):
- The server must be reachable from the Container Apps subnet — either via a public endpoint (with firewall allowances) or VNet service-endpoint rules.
- An `administratorLogin` + `administratorLoginPassword` must be configured. The login is read from the server; the password is supplied via the UI so the worker apps can authenticate to the server.
- TLS enforcement enabled (default on modern servers).
VNet rules: the deployment does not add VNet rules on an existing SQL Server. Pre-configure rules for both subnets:
```bicep
resource sqlServer 'Microsoft.Sql/servers@2025-02-01-preview' = {
  // ...
  resource defaultSubnetRule 'virtualNetworkRules' = {
    name: 'default-subnet-rule'
    properties: { virtualNetworkSubnetId: '<default-subnet-id>' }
  }
  resource containerAppsSubnetRule 'virtualNetworkRules' = {
    name: 'container-apps-subnet-rule'
    properties: { virtualNetworkSubnetId: '<container-apps-subnet-id>' }
  }
}
```
Resource type (database): Microsoft.Sql/servers/databases
Requirements for the existing crawl database:
- `sku.name`: `S1` (tier `Standard`) or equivalent / higher.
- `collation`: `SQL_Latin1_General_CP850_BIN2`.
> [!IMPORTANT]
> The UI only offers a SQL database picker — the SQL Server is inferred from the database you select. There is no separate option to pick "existing server + new database".
# AI Foundry (AIServices account)
Only relevant when AI Foundry is enabled.
Resource type: Microsoft.CognitiveServices/accounts
Required properties:
- `kind`: `AIServices`.
- `sku.name`: `S0`.
- `properties.allowProjectManagement`: `true`.
- `properties.customSubDomainName`: set to the account name.
- `properties.disableLocalAuth`: `true`.
- `properties.publicNetworkAccess`: `Disabled` (production) or `Enabled` (Epona test only).
Region availability: AI Foundry is only available in a subset of regions — pick the region from: australiaeast, eastus, eastus2, francecentral, norwayeast, southindia, swedencentral, uksouth, westus, westus3. For Ask Epona (Assistants API), the narrower list applies: eastus, eastus2, swedencentral, westus, westus3.
What the deployment adds on new or existing:
- Model deployments: `gpt-4o-mini` (200 capacity), `gpt-4o` (50 capacity).
- AI Foundry project: named `<prefix>-ep-ai-foundry-project` by default.
- Private DNS zone `privatelink.services.ai.azure.com`, linked to the VNet.
- Private endpoint to the AIServices account, in the default subnet.
If your existing AIServices account already has equivalent model deployments with the same names, Azure will refuse the second deployment. Remove the conflicting model deployments before selecting existing.
# Role assignments reference
If you selected Pre-configured by customer for role assignments, grant the managed identity these roles on every existing resource you are bringing. If you selected Create by deployment, you can skip this section; the deployment will create them.
| Resource | Role(s) |
|---|---|
| Storage Account | Storage Blob Data Owner; Storage Queue Data Message Sender; Storage Queue Data Reader; Storage Queue Data Message Processor; Storage Queue Data Contributor; Storage Table Data Contributor |
| Key Vault — application secrets | Key Vault Secrets Officer |
| Key Vault — application settings | Key Vault Secrets User |
| AI Foundry AIServices account | Azure AI User |
SQL Server: authentication uses the SQL Server admin login + the password you provide in the UI. No role assignments on the server are needed.
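A check for the "Pre-configured by customer" path, added here as an example (not part of the Epona365 deployment): it takes the JSON from `az role assignment list --assignee <principalId> --all` and reports, per existing resource, which roles from the table above the managed identity still lacks. Assignments at resource-group or subscription scope are inherited and count; control-plane roles such as Owner or Reader do not satisfy the data-plane roles. The resource IDs and the sample assignment list are constructed placeholders.

```python
"""Compare the managed identity's actual role assignments with the roles the
Role assignments reference requires on each existing resource.
Input: JSON of `az role assignment list --assignee <principalId> --all`."""
import json
import sys

# Roles from the Role assignments reference, keyed by the kind of existing resource.
REQUIRED_ROLES = {
    "storage": ["Storage Blob Data Owner", "Storage Queue Data Message Sender",
                "Storage Queue Data Reader", "Storage Queue Data Message Processor",
                "Storage Queue Data Contributor", "Storage Table Data Contributor"],
    "keyvault-secrets": ["Key Vault Secrets Officer"],
    "keyvault-settings": ["Key Vault Secrets User"],
    "ai-foundry": ["Azure AI User"],
}

# Assumption: placeholder resource IDs for the existing resources you bring yourself.
RG = "/subscriptions/<sub>/resourceGroups/<rg>"
EXISTING = {
    f"{RG}/providers/Microsoft.Storage/storageAccounts/corpstorage01": "storage",
    f"{RG}/providers/Microsoft.KeyVault/vaults/corp-kv-secrets": "keyvault-secrets",
    f"{RG}/providers/Microsoft.KeyVault/vaults/corp-kv-settings": "keyvault-settings",
    f"{RG}/providers/Microsoft.CognitiveServices/accounts/corp-ai": "ai-foundry",
}


def scope_covers(scope, resource_id):
    """An assignment at a parent scope (RG, subscription) is inherited by the resource."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def missing_roles(assignments, existing=EXISTING):
    """Map resource ID -> sorted list of required roles the identity does not hold."""
    missing = {}
    for resource_id, kind in existing.items():
        held = {a["roleDefinitionName"] for a in assignments
                if scope_covers(a["scope"], resource_id)}
        gaps = sorted(set(REQUIRED_ROLES[kind]) - held)
        if gaps:
            missing[resource_id] = gaps
    return missing


# Constructed sample output. Owner at RG scope and Reader on the settings vault are
# control-plane roles and do not satisfy any data-plane role in the table.
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Owner", "scope": RG},
    {"roleDefinitionName": "Storage Blob Data Owner",
     "scope": f"{RG}/providers/Microsoft.Storage/storageAccounts/corpstorage01"},
    {"roleDefinitionName": "Storage Queue Data Contributor", "scope": RG},  # inherited
    {"roleDefinitionName": "Key Vault Secrets Officer",
     "scope": f"{RG}/providers/Microsoft.KeyVault/vaults/corp-kv-secrets"},
    {"roleDefinitionName": "Reader",
     "scope": f"{RG}/providers/Microsoft.KeyVault/vaults/corp-kv-settings"},
]

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ASSIGNMENTS
    for resource_id, roles in missing_roles(data).items():
        print(f"{resource_id}\n  missing: {', '.join(roles)}")
```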
# Post-deployment steps
After a successful deployment, do the following:
- Retrieve outputs. The deployment exports `webFqdn`, `managedEnvironmentId`, and (when new VNet) the Container Apps static IP via the managed environment resource.
- Open HTTPS inbound. On the NSG protecting the Container Apps subnet, add a rule:
  - Name: `AllowHTTPS`
  - Priority: `110`
  - Direction: Inbound
  - Action: Allow
  - Protocol: TCP
  - Source: Internet (or your allowed ranges)
  - Destination: Container Apps static IP (from the managed environment)
  - Port: 443
- (Internal mode only.) Create a Private DNS Zone matching the Container Apps environment domain, link it to your VNet, and add a wildcard A record pointing to the environment's static IP.
- Verify the web application is reachable over HTTPS at the `webFqdn` output.
- Confirm queues and tables. Open the existing Storage Account and confirm the queues / tables listed above exist.
- Confirm RBAC. Check that the managed identity has the roles listed in Role assignments reference on every existing resource. If any are missing, grant them manually — the application will fail to start otherwise.
# Troubleshooting
Deployment fails with subnet delegation error (existing VNet).
The Container Apps subnet either has a conflicting delegation, is shared with other resources, or was previously used by a deleted managed environment. Use a dedicated, empty subnet delegated to Microsoft.App/environments.
Deployment fails with "resource not found" on an existing resource.
The most common cause is that the resource lives in a different resource group than the deployment — that is not supported on this offer. Either move the resource into the deployment's RG or recreate it there. Other causes: the resource ID the UI selected no longer exists, or the deploying principal doesn't have Reader on it.
Deployment fails creating a role assignment on an existing resource.
You selected "Create by deployment" for role assignments, but the deploying principal doesn't hold User Access Administrator/Owner on the existing resource. Either grant that permission or rerun the deployment with "Pre-configured by customer" after granting the roles manually.
Containers start but fail to read/write to Storage / Key Vault / SQL.
Either the managed identity is missing a role assignment on the existing resource, or the resource's networkAcls don't allow the Container Apps subnet. The deployment does not modify networkAcls on existing resources — fix this on your resource.
Web application is not reachable.
Check the NSG rule for HTTPS (port 443). Confirm the Container Apps managed environment static IP matches the destination in the rule. If internal mode is on, confirm the private DNS zone is set up.
AI Foundry model deployment fails with "AccountProvisioningStateInvalid".
A known Azure timing issue. Rerun the deployment after 5–10 minutes; the account will be in the Succeeded state and model deployments will proceed.
AI Foundry deployment fails with "model deployment already exists".
Your existing AIServices account already has a deployment named epona-gpt-mini or epona-gpt. Remove the conflict or pick a different account.