# Installation
This manual was updated 17 September 2025 using Epona365 Office version 25.1 (25.1.113)
# Introduction
This Modern Add-in (APP) deployment guide is written for Azure and M365 administrators with knowledge of PowerShell.
The documentation consists of four parts:
- Preparation and installation steps in the M365 tenant; setting up an Azure subscription, deploying Epona365 Office from the Azure private app store
- Architecture overview of the Self-Hosted Azure Containers to be deployed
- Deploying and configuring the APPs in the Office and Outlook environment
- Enabling and configuring optional APP components, such as AI filing predictions or OCR functions of the deployed Epona365 Office APP
Please contact the Epona helpdesk on helpdesk@epona.com for assistance with these deployment steps. You can only deploy Epona365 if you have shared your Azure Subscription ID with our helpdesk.
# Prerequisites for deployment
Before Epona365 Office can be deployed, please ensure that you are able to deploy Azure resources. The Epona365 Office APP deploys Azure infrastructure in a pay-per-use model. This means that when the APP functions are used, small micro services called Container Apps perform the document management and e-mail management functions. For this consumption of Azure resources, a payment subscription with Microsoft needs to be in place.
The first prerequisite is an Azure Subscription. You need to create an Azure Subscription in https://portal.azure.com and share the Subscription ID with Epona, so that we can open the Azure Marketplace Private Plan for your company. Please send the Subscription ID to helpdesk@epona.com. We will confirm the addition of your Subscription ID to the Private Audience of this Azure Private Plan. It sometimes takes one hour before that Private plan is available.
Please also check your Role in the Azure Subscription that you plan to use for deploying the Epona365 Office resources. Your minimum role assignment should be Contributor and User Access Administrator; preferably you are the Owner of the Azure Subscription.
The second prerequisite is the Azure Subscription Resource Providers. You need to have Microsoft.App and Microsoft.ContainerService registered as Resource Providers in your Azure Subscription for the deployment of Epona365 to work.
Filter for Microsoft.App and check the Registration status; if it is not registered, Register the Microsoft.App resource provider.
Filter on Microsoft.Container, check the Registration status of Microsoft.ContainerService and Register this resource provider.
The third prerequisite is sometimes difficult in larger organizations. After the Container deployment, the next step in the installation process is a one-time step to run a PowerShell script. This script assumes that the user running the script has access to the Azure Subscription and the resources deployed, and that this user is able to Create and Configure two Entra ID Registered Apps. In some organizations there is a separation between the Azure team and the Entra ID team; in those cases the PowerShell script cannot be deployed and manual deployment steps are required.
The fourth and last prerequisite is the use of PowerShell version 7.x or higher. Please also ensure that you run PowerShell from a Windows workstation; we have noticed that the Certificate download stage of our PowerShell script fails when using PowerShell on an Apple Mac.
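The four prerequisites above can be checked from the workstation before anything is deployed. The script below is an added pre-flight check, not part of the Epona manual or of Assert-Epona365Apps.ps1; it assumes the Az module is installed and takes your own Subscription ID as a parameter.

```powershell
#Requires -Version 7.0
#Requires -Modules Az.Accounts, Az.Resources
# Added pre-flight check for the Epona365 Office prerequisites (not part of the Epona manual or script).
# Run it from the Windows workstation that will later run Assert-Epona365Apps.ps1.
param(
    # The Azure Subscription ID you shared with helpdesk@epona.com (placeholder: fill in your own)
    [Parameter(Mandatory)] [string] $SubscriptionId
)

# Fourth prerequisite: a Windows workstation (the certificate download stage fails on macOS)
if (-not $IsWindows) {
    Write-Warning 'Not running on Windows: the certificate download stage of the Epona script fails on macOS.'
}

# First prerequisite: sign in to the subscription that will host the resources
Connect-AzAccount -Subscription $SubscriptionId | Out-Null
$ctx = Get-AzContext
Write-Host "Signed in as $($ctx.Account.Id) to subscription $($ctx.Subscription.Id)"

# Second prerequisite: Microsoft.App and Microsoft.ContainerService must be registered
foreach ($ns in 'Microsoft.App', 'Microsoft.ContainerService') {
    # One RegistrationState per resource type is returned; they are all the same for a namespace
    $state = @((Get-AzResourceProvider -ProviderNamespace $ns).RegistrationState)[0]
    if ($state -eq 'Registered') {
        Write-Host "$ns is Registered"
    } else {
        Write-Host "Registering $ns (current state: $state) ..."
        Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
    }
}

# Role check: Owner, or at least Contributor plus User Access Administrator, on the subscription scope.
# -ExpandPrincipalGroups also counts roles inherited through group membership.
$scope = "/subscriptions/$SubscriptionId"
$roles = @(Get-AzRoleAssignment -SignInName $ctx.Account.Id -Scope $scope -ExpandPrincipalGroups |
           Select-Object -ExpandProperty RoleDefinitionName)
$isOwner = $roles -contains 'Owner'
$hasPair = ($roles -contains 'Contributor') -and ($roles -contains 'User Access Administrator')
if ($isOwner -or $hasPair) {
    Write-Host "Role assignments OK: $($roles -join ', ')"
} else {
    Write-Warning "Insufficient roles (found: $($roles -join ', ')). Need Owner, or Contributor plus User Access Administrator."
}
```

Registration of a resource provider is asynchronous; rerun the script a few minutes later if a namespace still shows a state other than Registered.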
# Architecture overview
Azure Container Apps are small micro services that are instantiated when there is demand for the service. These apps scale out well and scale back to a stopped state when there is no activity, so with Azure Container Apps you consume a set of resources in an on-demand environment. The resources required for Epona365 are created automatically when you deploy a Private Plan from the Azure store and choose a Channel from the Epona365 offering. The Channel lets you define which version of the APP software and services you offer to your users. It also gives you the ability to revert to previous releases (channels) should something unplanned happen. When you deploy the Epona365 container apps, a number of services are created automatically. This chapter endeavours to describe the function of these services and their connections to the outside world.
Remark: some of the screenshots below might not reflect the resources that you see; this depends on the choices made during deployment and the version of the product deployed in your Azure environment.
Future deployments of Epona365 might contain new Azure resources to be used. We will never roll out new resources in a Channel. Channels will only be hotfixed if necessary (let’s hope not), and new Channels will provide new functions and, if required, also new resources to be used.
Resource | Type | Function | Connections |
---|---|---|---|
ep-app | Managed Identity | Authentication identity used to access the Epona365 resources in the VNET | |
ep-app-insights | Local Application Insights resource | Provides application insights into logs and telemetry, for checking resource health and usage | |
ep-crawl-app | Container App | Processes jobs from the crawl queue. The crawl processes are crawl matters, crawl matter and crawl documents | Uses the Managed Identity to connect to the epstorage Storage account, using secure transfer for REST API connections within the VNET. Uses Azure Key Vault (ep-kv) to cache access tokens. Accesses SharePoint using an application permission. |
ep-crawl-db | SQL database | Storage of the Filing Suggestions crawl data | |
ep-cognitive-services | Optional AI service | Provides pay-per-use Azure OpenAI functions to Epona365 Office and Web users | |
ep-delta-app | Container App | Processes jobs from the delta queue. The delta processes are: full delta at the tenant level checking all matters, quick delta checking new matters, and the check document delta job. Check document delta triggers the creation of new jobs | Uses the Managed Identity to connect to the epstorage Storage account, using secure transfer for REST API connections within the VNET. Uses Azure Key Vault (ep-kv) to cache access tokens. Accesses SharePoint and Graph using an application permission. |
ep-env | Container Apps Environment | Configures and defines the Dapr components, outlining the service connections of all Container Apps | |
ep-kv | Key vault | Key Vault that stores the access tokens. | |
ep-log-analytics | Logging resource | Storage resource for application logging | |
ep-metadata-app | Container App | The predict metadata job uses OpenAI to automatically predict document metadata on existing or new documents. | Uses the Managed Identity to connect to the epstorage Storage account, using secure transfer for REST API connections within the VNET. Uses Azure Key Vault (ep-kv) to cache access tokens. Accesses SharePoint using an application permission. ep-metadata-app also connects to Epona LegalGraph to send the jobs to OpenAI |
ep-nsg | Network Security Group | New resource from 25.1.105 onwards that defines Inbound and Outbound security rules, limiting network traffic to the allowed flows only | |
ep-ocr-app | Container App | Processes jobs from the crawl queue. The OCR processes are ocr matters, ocr matter and ocr documents | Uses the Managed Identity to connect to the epstorage Storage account, using secure transfer for REST API connections within the VNET. Uses Azure Key Vault (ep-kv) to cache access tokens. Accesses SharePoint through Graph using an application permission. |
ep-search-services | Optional Azure AI RAG search | Azure AI storage space for AI indexing of documents; stores document data | |
ep-user-jobs-app | Container App | There are three types of user jobs. High priority jobs are handled by ep-web; Low and Medium priority jobs are handled by ep-user-jobs-app | Accesses the ep-kv Key Vault to retrieve user tokens. Connects to the epstorage Azure Storage Account, and to SharePoint and Microsoft Graph using delegated permissions |
ep-settings | Key vault | Key vault that stores the settings of the registered Azure AD (Entra) APPs: the Client ID and certificate of the Azure AD Apps are saved here. | |
ep-sql-server | SQL server | Hosts the SQL database | |
ep-vnet | Virtual network | Virtual network defined for Epona365 internal traffic | |
ep-web | Container App | Serves the static web pages and scripts (the front-end web components). Provides the website for configuring Epona365. Provides the core Epona365 web API. Is responsible for High priority jobs. | Uses the Managed Identity to connect to the epstorage Storage account, using secure transfer for REST API connections within the VNET, to populate queues. Uses Azure Key Vault (ep-kv) to cache access tokens. Accesses SharePoint CSOM and Graph using delegated permissions. The web front end and API services are accessible from the Internet. Connections from clients use HTTPS; the Ingress proxy relays the inbound requests to the internal container HTTP port. |
epstorage | Storage account | Stores job queues and other temporary state data. | |
# Deploying the Epona365 Office resources in Azure
From the Azure subscription choose Resource groups and click Create to create a new resource group
Enter the Resource group name, here Epona365OfficeRG, choose the Region, here (Europe) West Europe, review the tags and Create the Resource group
Select the Resource group to start the deployment of Epona365 Office resources into that group
Click Create in the Resource group to be redirected to the Azure Marketplace
Under My Marketplace, click Private plans to review the private plans offered to this subscription. In the example below, no Epona365 Office private plan is available. This can happen when Epona has not yet received or processed the Azure Subscription ID that you are using for this deployment. The private plan in the Azure marketplace is only available to known Azure Subscription IDs. Please contact helpdesk@epona.com to request access to the Private plan.
The Azure Subscription ID can be found on the Overview page of the subscription
It could take up to one hour before a Private plan is available after updating the Azure marketplace with the supplied Subscription ID
Choose the Epona365 Private plan
Select the Version to deploy, here only 25.1 is available and click Create
# Create Epona365 25.1 Choices
Select the Subscription and Resource group, select the Region (preferably identical to the Azure Subscription region) and enter the Prefix for the resource names. This prefix is placed before the names of the resources that are to be created; the prefix is limited to 3 to 5 characters and can only include lower case letters and numbers. The prefix needs to be globally unique, so do not use ep365, as we have probably already taken this prefix.
- Click Next and select Basic or Standard performance parameters. Basic is suited for up to 100 users and Standard is suited for 500+ users. Choose Basic for small Proof of Concept deployments.
- Click Next and Enable or Disable Logging. This setting allows Epona to receive logging from your application with a 30 minute delay and helps us proactively contact you should an error occur. No information about documents or contents of documents is shared.
- Click Next and Enable or Disable Filing Suggestions. Filing Suggestions are not immediately active when you enable them; at this stage only the Azure resources needed to use Filing Suggestions are deployed. Filing Suggestions allow Epona365 Office to suggest a possible filing location based on e-mail metadata (To, From, Subject). This correlated filing requires a small database to store filing patterns.
- Click Next and Enable or Disable Search and Cognitive services. Cognitive services are Microsoft Azure Search and Cognitive service resources deployed to your Azure environment. This is a step to discuss with your Epona consultant, as it requires post-configuration steps. Enabling Cognitive services during the first deployment is not advised; the process is described separately.
Important: if you already deployed Search and Cognitive services in a previous deployment, realize that you have to manually Enable that choice again if you redeploy. The Azure Marketplace deployment is unaware of previous choices you have made. So check the services selected, use the same regions and choices, and check your deployment documentation for any other choices you previously made.
- Click Next and enter the password to retrieve new containers from the Azure Container Registry at Epona. This password will be sent to you when Epona has opened the Azure Marketplace Private plan for your Azure subscription.
- Click Next to Review the choices. Document the Prefix and Region used. If you redeploy the resources from the marketplace using the same combination of Region and Prefix, you will overwrite the current deployment. Should you choose a different Prefix or Region, then duplicate resources will be deployed.
The deployment is now in progress. The Azure resources are placed in the Resource group you have created. Microsoft will also create a separate resource group with a number of Epona365 Office related resources outside of the resource group you selected for the deployment.
It might take up to 45 minutes for all the resources to deploy initially. Please wait for this deployment to finish before proceeding.
Monitor the progress and outcome of the resource creation. The deployment should run without errors, but in some cases certain Azure resources could be unavailable in the selected Region, especially the Azure Search and Cognitive services. In that case we advise rerunning the deployment (click Create, select from the Marketplace, use the same Prefix and Region).
Remark: when you deploy an Azure Container Environment in a Resource group, an extra Resource group is created by Microsoft to manage the load balancer, the external IP address and the inbound traffic. This way Microsoft Azure is able to monitor the availability and warn you if containers are no longer available.
# /Setup installation steps from the ep-web container
The deployment of the containers and other resources to the Epona365OfficeRG resource group in the Azure Subscription is finished, but the containers cannot reach Microsoft 365 resources such as SharePoint Online or Graph unless an Entra ID APP is created that gives the containers, or the (delegated) users of the system, access to these resources. This process of creating two APPs with the right permissions is complex; therefore a PowerShell script can be used to create the APPs and connect the APPs to the containers. If your organisation does not allow PowerShell scripts to be run, then you can perform the manual steps outlined in the ep-web Container on the /setup page.
# Using Powershell to deploy the two Epona365 Office Entra ID apps
- Click on the Application URL (or Ingress) in the Overview page of the ep-web container
- The browser will open a new Tab and show the /portal page of the ep-web container. At this stage the containers (resources) are deployed, but there are no APPs with permissions into the Microsoft environment, hence the /portal will not yet be able to retrieve data. Therefore the first step is to replace /portal with /setup
- Choose step 1: Register Epona365 with the Microsoft identity platform (Entra ID), two choices are presented, using Powershell to setup the two Entra ID APPs or Manual steps
First the PowerShell method is documented. There are a number of preconditions to meet:
1. The user needs permissions to create two APPs in Entra
2. The user needs to consent to the API permissions defined for the two APPs in Entra
3. The user's workstation needs to run PowerShell 7 or above on a Windows platform (because of the certificate download phase)
4. The user's workstation needs the PowerShell Az module to run the PowerShell script provided
5. The public IPv4 address used by the workstation needs to be entered in the networking configuration of one of the resources
- Click on task 1.1, Download the powershell script Assert-Epona365Apps.ps1
- The download of a script file is possibly blocked by the Browser, for Edge click Keep to save the file to the default download location
- Right-click on the *.ps1 file and choose Properties, and Unblock the file if it is blocked because it was downloaded from an Internet location. Move the PS1 file to a temporary location so that it is easier to reach than the Download folder, which has spaces in the folder name.
Remark: a file stream that is still blocked will also block the PowerShell execution of the script
# Login to Azure using Powershell
- Visit the {prefix}-ep-web container and lookup the Application (Ingress) URL on the right top corner
By default you are redirected to the /portal page, but you need the Connection information from the /setup page, so replace /portal with /setup
Copy the Connect to Azure instruction under step 4, this instruction you can use to connect PowerShell 7 to the Azure subscription used on this Tenant
e.g. Connect-AzAccount -Subscription "ffd2cd94-647d-1234-a471-abcd1cb0655a" -Tenant "29619c40-02a5-1234-be03-abcd49dd99"
Login using the Azure credentials used deploying the Epona365 Office solution, this is usually an account that is the owner of the Azure subscription
Install the Az PowerShell module: Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
Remark: it might take up to 15 minutes before a Module is downloaded and applied. The Az module could also conflict with other modules running on your machine.
- Now that you have logged into Azure and have installed the Az module, the next step is to execute the PowerShell script. Before you execute the script, you need to be aware that:
  - The script will create two Entra ID APPs; does your username have permissions to create APPs?
  - The script will download and upload information to the VLAN-protected network of Epona365 Office from your workstation; you need to open the firewall to run a script from your workstation against the Epona365 Office environment
- Go to the Epona365Office Resource Group and select the {prefix}-ep-settings Keyvault
- Choose Objects, Networking and under the section Firewall, click Add your client IP address to allow your workstation to run Powershell against the Keyvault
How do you know your Public IP address? Visit a site like WhatsMyIP or https://ip.intermax.nl to retrieve your IPv4 address
Add the IPv4 address, and click Apply. It will take Azure a couple of minutes to process this request. Click Refresh to see if Azure placed /32 behind the address that you entered, this confirms that Azure has processed the change
Start the Powershell script using the instructions in step 1.5
Example: .\Assert-Epona365Apps.ps1 -Prefix "{prefix}" -ApplicationUrl "https://{prefix}-ep-web.kindfield-abc123zw.{region}.azurecontainerapps.io"
If the execution of the script is OK, the green text output in Powershell is visible and two remaining tasks are displayed in yellow
Remark: if the workstation running the PowerShell script has not been granted firewall access to the Epona365 Office {prefix}-ep-settings, you will see a firewall warning during the execution of the script
Warning: if you see an error during the Create a certificate phase of the Powershell script execution, this is most likely due to the Operating System you might be using. Powershell on an Apple Mac computer does not allow this powershell action of creating and downloading a certificate
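The firewall step above (adding the workstation address to {prefix}-ep-settings and waiting for the /32 rule) can be scripted and verified from the same PowerShell session. This is an added example, not Epona's own script; it assumes Connect-AzAccount has already been run against the right subscription, that the resource group is the one created earlier, and that you pass the IPv4 address you looked up.

```powershell
#Requires -Version 7.0
#Requires -Modules Az.Accounts, Az.KeyVault
# Added example (not Epona's script): add the workstation's public IPv4 address to the
# {prefix}-ep-settings Key Vault firewall and wait until Azure shows the /32 rule, so that
# Assert-Epona365Apps.ps1 can reach the vault. Assumes Connect-AzAccount has already been run.
param(
    [Parameter(Mandatory)] [string] $Prefix,                 # prefix chosen in the marketplace deployment
    [Parameter(Mandatory)] [string] $PublicIp,               # your IPv4 address, e.g. from https://ip.intermax.nl
    [string] $ResourceGroupName = 'Epona365OfficeRG',        # resource group used for the deployment
    [switch] $Remove                                         # remove the rule again after the script has run
)

if ($PublicIp -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { throw "Not an IPv4 address: $PublicIp" }
$vaultName = "$Prefix-ep-settings"
$range     = "$PublicIp/32"
$common    = @{ VaultName = $vaultName; ResourceGroupName = $ResourceGroupName }

function Test-VaultRule {
    # Azure may show the rule as x.x.x.x/32 or as the bare address; accept either
    $acl = (Get-AzKeyVault @common).NetworkAcls
    return [bool]($acl.IpAddressRanges | Where-Object { $_ -eq $range -or $_ -eq $PublicIp })
}

if ($Remove) {
    # Least privilege: the workstation only needs vault access while the setup script runs
    Remove-AzKeyVaultNetworkRule @common -IpAddressRange $range
    Write-Host "Removed $range from the $vaultName firewall"
    return
}

if (Test-VaultRule) {
    Write-Host "$range is already allowed on $vaultName"
} else {
    Add-AzKeyVaultNetworkRule @common -IpAddressRange $range
    # Azure needs a couple of minutes before the change is visible; poll for up to 3 minutes
    $ok = $false
    for ($i = 0; $i -lt 12 -and -not $ok; $i++) {
        Start-Sleep -Seconds 15
        $ok = Test-VaultRule
    }
    if ($ok) { Write-Host "Firewall rule active: $range" } else { Write-Warning 'Rule not visible yet; click Refresh in the portal later' }
}

# The allow-list only restricts anything when the vault denies other networks by default
$acl = (Get-AzKeyVault @common).NetworkAcls
if ($acl.DefaultAction -ne 'Deny') {
    Write-Warning "Default action on $vaultName is '$($acl.DefaultAction)': the vault accepts traffic from all networks."
}
```

Run it again with -Remove once Assert-Epona365Apps.ps1 has completed, so the workstation address does not stay on the vault firewall.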
# Grant consent
Two new Entra ID APPs have been added. The APPs have API-permissions, but these permissions are not active unless the Global Admin Consents the API permissions
- In the Azure portal, go to Entra ID, select App registrations (not Enterprise applications), filter on All applications
- There are two new Applications available, Epona365 api and Epona365 app. First consent the Epona365 api APP
- Click Manage, API permissions and Grant admin consent for {username of the global admin}
- Now visit Epona365 APP and repeat the steps
The Azure (container) resources will now have access to the Microsoft 365 resources. This can be verified by visiting the /portal page of the web container
- Go to the {prefix}-ep-web container, click on the Application URL and sign into the /portal page
# Resolving /portal login problems
If the Entra ID APPs have not been properly installed or no API permissions are assigned and granted, you will see the error below
Remark: if you redo a deployment and overwrite the Epona365 API and APP apps in Entra ID, then the Secret value in {prefix}-ep-settings is no longer aligned with the Application (Client) IDs of the newly created APPs. Visit https://{yourwebcontainerURL}/api/configuration to check the APP and API Application (client) IDs that are in use. If you change the Secret, then the web container needs to be restarted. Please also be aware that APP IDs are registered in Manifest files; update the Manifest files if you have replaced the Entra ID apps. The Entra ID APP relationship is registered in the {prefix}-ep-settings Key Vault, Secrets section.
You can create a New version of a secret and save the Application (client) ID in the Secret field
If you unhide the Secret, you are able to check whether the ID in ep-settings aligns with the Application (client) ID in Entra
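The alignment check described above can also be done from PowerShell. This is an added example, not part of the Epona manual: it reads the two client IDs from Entra ID and from the {prefix}-ep-settings vault and reports any mismatch. The secret names are placeholders (take the real ones from the Secrets section of the vault), and it assumes Connect-AzAccount has already been run.

```powershell
#Requires -Version 7.0
#Requires -Modules Az.Accounts, Az.Resources, Az.KeyVault
# Added example (not part of the Epona manual): verify that the Application (client) IDs stored in
# {prefix}-ep-settings match the "Epona365 api" and "Epona365 app" registrations in Entra ID, and
# optionally write a new secret version. The secret names are placeholders: take the real names
# from the Secrets section of the vault. Assumes Connect-AzAccount has already been run.
param(
    [Parameter(Mandatory)] [string] $Prefix,
    [string] $ApiSecretName = 'PLACEHOLDER-api-client-id',     # secret holding the Epona365 api client ID
    [string] $AppSecretName = 'PLACEHOLDER-app-client-id',     # secret holding the Epona365 app client ID
    [switch] $Fix                                              # write a new secret version on mismatch
)
$vaultName = "$Prefix-ep-settings"

function Get-EntraClientId([string] $DisplayName) {
    # A redeployment can leave more than one registration with the same name; refuse to guess
    $apps = @(Get-AzADApplication -DisplayName $DisplayName)
    if ($apps.Count -ne 1) { throw "Expected one app registration named '$DisplayName', found $($apps.Count)" }
    return $apps[0].AppId
}

$checks = @(
    @{ App = 'Epona365 api'; Secret = $ApiSecretName },
    @{ App = 'Epona365 app'; Secret = $AppSecretName }
)
$mismatch = $false
foreach ($c in $checks) {
    $entraId  = Get-EntraClientId $c.App
    $storedId = Get-AzKeyVaultSecret -VaultName $vaultName -Name $c.Secret -AsPlainText
    if ($storedId -eq $entraId) {
        Write-Host "$($c.App): ep-settings matches Entra client ID $entraId"
        continue
    }
    $mismatch = $true
    Write-Warning "$($c.App): ep-settings holds '$storedId' but Entra ID has '$entraId'"
    if ($Fix) {
        # Set-AzKeyVaultSecret creates a new version of the secret; older versions stay in the vault
        $secure = ConvertTo-SecureString -String $entraId -AsPlainText -Force
        Set-AzKeyVaultSecret -VaultName $vaultName -Name $c.Secret -SecretValue $secure | Out-Null
        Write-Host "Wrote a new version of $($c.Secret)"
    }
}
if ($mismatch -and $Fix) {
    Write-Host "Restart the $Prefix-ep-web container so it reads the new secrets, and update the manifest files with the new APP IDs."
}
if ($mismatch -and -not $Fix) { exit 1 }
```

Compare the result with https://{yourwebcontainerURL}/api/configuration, which shows the IDs the web container is actually using; a difference there after a fix means the container still needs its restart.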
# Setting the SharePoint URL
The Global Administrator is able to access the /setup and /portal page. You can configure a Non Global Admin security group consisting of a number of users to have access to the /portal. But by default only the Global Admin can reach the /portal
The SharePoint URL where Epona365 (DMSforLegal) is deployed needs to be defined. The /portal settings will be registered in that location. This means that the Global Admin needs access to the location where the Matters, My Matters and other Epona lists reside.
- Click on Step 2 in the /Setup page, choose Login to the portal and enter the URL of the Epona site collection that contains the management lists (Matters, etc)
- Click Save to save the URL and notice that the /portal now displays new functionalities.
More options in the /portal page are now visible, as the Epona365 Office solution is able to read the DMS Configuration list in the Epona Site Collection.
# Finishing /setup, deploy the Manifest files of Outlook and Office to Microsoft 365
The last steps in the deployment of Epona365 Office involve deploying the Manifest files to Microsoft 365. This is again a task that can only be performed by a Global Administrator or a role that is allowed to deploy apps in Microsoft 365. The Manifest files used by Epona are XML based. There will also be a JSON based manifest file soon that works for both Outlook and Office, but in this case we deploy two separate Manifest files, one for Outlook and the other one for Office.
Remark: it is advisable to ask Epona to update your Epona365 Office to a recent 'channel' or version of the environment. Versions above 25.1.107 offer Outlook SmartAlerts instead of a Send & File dialog. If you see the options below, then you are running an old version 25.1.39
- Use the Set-Epona365-Channel script to set the Epona365 Office environment to 25.1.108 or above.
Remark: there is separate documentation available on how to set Channels
Wait a few minutes and check if the /setup page now displays the SmartAlerts Outlook choice
Follow the instructions to push both the Outlook and the Office Manifest files to the right (AD) user group
Remark: do not choose Admin and required pushing of APPs, if there is a technical problem, you will not be able to remove APPs quickly enough.