# Installation
This manual was updated 25 June 2025 using Epona365 Office version 25.1 (25.1.39)
# Introduction
This Modern Add-in (APP) deployment guide is written for Azure and M365 administrators with knowledge of PowerShell.
The documentation consists of four parts:
- Preparation and installation steps in the M365 tenant: setting up an Azure subscription and deploying Epona365 Office from the Azure private app store
- Architecture overview of the Self-Hosted Azure Containers to be deployed
- Deploying and configuring the APPs in the Office and Outlook environment
- Enabling and configuring optional APP components, such as AI filing predictions or OCR functions of the deployed Epona365 Office APP
Please contact the Epona helpdesk at helpdesk@epona.com for assistance with these deployment steps. You can only deploy Epona365 if you have shared your Azure Subscription ID with our helpdesk.
# Prerequisites for deployment
Before Epona365 Office can be deployed, please ensure that you are able to deploy Azure resources. The Epona365 Office APP deploys Azure infrastructure in a pay-per-use model. This means that when the APP functions are used, small microservices called Container Apps perform the document management and e-mail management functions. For this consumption of Azure resources, a payment subscription with Microsoft needs to be in place.
The first prerequisite is an Azure Subscription. You need to create an Azure Subscription in https://portal.azure.com and share the Subscription ID with Epona, so that we can open the Azure Marketplace Private Plan for your company. Please send the Subscription ID to helpdesk@epona.com. We will confirm the addition of your Subscription ID to the Private Audience of this Azure Private Plan. It sometimes takes one hour before that Private Plan is available.
Please also check your Role in the Azure Subscription that you plan to use for deploying the Epona365 Office resources. Your minimum role assignment should be Contributor and User Access Administrator; preferably you are the Owner of the Azure Subscription.
The second prerequisite is the Azure Subscription Resource Providers. You need to have Microsoft.App and Microsoft.ContainerService registered as Resource Providers in your Azure Subscription for the deployment of Epona365 to work.
Filter for Microsoft.App and check the Registration status; if it is not registered, Register the Microsoft.App resource provider.
Filter on Microsoft.Container, check the Registration status of Microsoft.ContainerService and Register this resource provider.
The third prerequisite is sometimes difficult in larger organizations. After the Container deployment, the next step in the installation process is a one-time step to run a PowerShell script. This script assumes that the user running the script has access to the Azure Subscription and the resources deployed, and this user should be able to Create and Configure two Entra ID Registered Apps. In some organizations there is a separation between the Azure team and the Entra ID team; in those cases the PowerShell script cannot be used and manual deployment steps are required.
The fourth and last prerequisite is the use of PowerShell version 7.x or higher. Please also ensure that you run PowerShell from a Windows workstation; we have noticed that the Certificate download stage of our PowerShell script fails when using PowerShell on an Apple Mac.
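
The prerequisites above can be checked in one pass before starting the Marketplace deployment. The following preflight script is an added example, not part of the Epona tooling; it assumes the Az PowerShell modules are installed and that `Connect-AzAccount` has already been run with a user account. The `-Register` switch and the `Add-Check` helper are names chosen for this example.

```powershell
#Requires -Version 7.0
#Requires -Modules Az.Accounts, Az.Resources
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,  # the ID shared with the Epona helpdesk
    [switch] $Register                                # also register missing resource providers
)

# Assumption: Connect-AzAccount was already run with a user (not service principal) account.
$ctx    = Set-AzContext -Subscription $SubscriptionId -ErrorAction Stop
$scope  = "/subscriptions/$SubscriptionId"
$checks = [System.Collections.Generic.List[object]]::new()

function Add-Check([string] $Name, [bool] $Pass, [string] $Detail) {
    $checks.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# Prerequisite 1: Owner, or Contributor plus User Access Administrator, on the subscription.
# Roles inherited through group membership are not expanded by this query.
$roles = @(Get-AzRoleAssignment -SignInName $ctx.Account.Id -Scope $scope |
    Select-Object -ExpandProperty RoleDefinitionName -Unique)
$roleOk = ('Owner' -in $roles) -or
          (('Contributor' -in $roles) -and ('User Access Administrator' -in $roles))
Add-Check 'Role on subscription' $roleOk ($roles -join ', ')

# Prerequisite 2: both resource providers must report Registered.
foreach ($ns in 'Microsoft.App', 'Microsoft.ContainerService') {
    $states = @(Get-AzResourceProvider -ProviderNamespace $ns |
        Select-Object -ExpandProperty RegistrationState -Unique)
    $registered = ($states.Count -eq 1) -and ($states[0] -eq 'Registered')
    if (-not $registered -and $Register) {
        Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
        $states += 'registration requested, re-run to confirm'
    }
    Add-Check "Resource provider $ns" $registered ($states -join ', ')
}

# Prerequisite 3 (rights to create Entra ID app registrations) is a directory permission
# and cannot be read from the subscription; confirm it with your Entra ID team.

# Prerequisite 4: PowerShell 7.x on a Windows workstation.
$psOk = ($PSVersionTable.PSVersion.Major -ge 7) -and $IsWindows
Add-Check 'PowerShell 7.x on Windows' $psOk "$($PSVersionTable.PSVersion) on $($PSVersionTable.OS)"

$checks | Format-Table -AutoSize -Wrap
```

Any row with `Pass` set to `False` should be resolved before you start the deployment.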
# Architecture overview
Azure Container Apps are small microservices that you instantiate when there is demand for the service. These apps can scale well and return to a shutdown state when there is no activity. With Azure Container Apps you consume a set of resources in an on-demand environment. The resources required for Epona365 are created automatically when you deploy a Private Plan from the Azure store and choose a Channel from the Epona365 offering. The Channel lets you define which version of the APP software and services you offer to your users. It also lets you revert to previous releases (channels) should something unplanned happen. When you deploy the Epona365 Container Apps, a number of services are created automatically. This chapter describes the function of these services and their connections to the outside world.
Future deployments of Epona365 might contain new Azure resources to be used. We will never roll-out new resources in a Channel. Channels will only be hotfixed if necessary (let’s hope not) and new Channels will provide new functions and if required also new resources to be used.
Resource | Type | Function | Connections |
---|---|---|---|
ep-crawl-app | Container App | Processes jobs from the crawl queue. Crawl processes running are crawl matters, crawl matter and crawl documents | Use the Managed Identity to connect to the epstorage Storage account using Secure transfer for REST API connections within the VNET. Use Azure Key Vault (ep-kv) to cache access tokens. Access SharePoint using an application permission. |
ep-delta-app | Container App | Processes jobs from the delta queue. Crawl processes running are full delta at the tenant level checking all matters, quick delta checking new matters, check document delta job. Check document delta will trigger new jobs to be created | Use the Managed Identity to connect to the epstorage Storage account using Secure transfer for REST API connections within the VNET. Use Azure Key Vault (ep-kv) to cache access tokens. Access SharePoint and Graph using an application permission. |
ep-metadata-app | Container App | The predict metadata job uses OpenAI to auto predict document metadata on existing or new documents. | Use the Managed Identity to connect to the epstorage Storage account using Secure transfer for REST API connections within the VNET. Use Azure Key Vault (ep-kv) to cache access tokens. Access SharePoint using an application permission. ep-metadata-app also connects with Epona LegalGraph to send the jobs to OpenAI |
ep-ocr-app | Container App | processes jobs from the crawl queue. Crawl processes running are ocr matters, ocr matter and ocr documents | Use the Managed Identity to connect to the epstorage Storage account using Secure transfer for REST API connections within the VNET. Use Azure Key Vault (ep-kv) to cache access tokens. Access SharePoint through Graph using an application permission. |
ep-user-jobs-app | Container App | There are three types of user jobs. High priority jobs are handled by ep-web; Low and Medium priority jobs are handled by ep-user-jobs-app | Accesses user tokens in the ep-kv Key Vault. Connects to the epstorage Azure Storage Account, and to SharePoint and Microsoft Graph using delegated permissions |
ep-web | Container App | Services the static webpages and scripts, the front-end web components. Provides the website for configuring Epona365. Provides the core Epona365 web API. Is responsible for High priority jobs. | Use the Managed Identity to connect to the epstorage Storage account using Secure transfer for REST API connections within the VNET to populate queues. Use Azure Key Vault (ep-kv) to cache access tokens. Access SharePoint CSOM and Graph using delegated permission. The web front end and API services are accessible from the Internet. Connections from clients use HTTPS, the Ingress proxy relays the inbound requests to the internal container HTTP port. |
ep-env | Container Apps Environment | Configures and defines the Dapr components, outlining service connections of all Container Apps | |
ep-kv | Key vault | Key Vault saves the access tokens. | |
ep-settings | Key vault | Key vault to store the settings of the registered Azure AD (Entra) APPs. In this keyvault Client ID and certificate of the Azure AD Apps are saved. | |
ep-log-analytics | Log Analytics workspace | Storage of the container apps logs | |
ep-app | Managed Identity | Authentication information to access the Epona365 resources in the VNET | |
ep-crawl-db | SQL database | Storage of the crawl data | |
ep-sql-server | SQL server | Services the SQL database | |
epstorage | Storage account | Stores job queues, and other temporary state data. | |
ep-vnet | Virtual network | Defined virtual network for Epona365 internal traffic | |
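
According to the table, only ep-web is reachable from the Internet, and its clients connect over HTTPS. The audit below is an added example, not part of the Epona tooling, that reports the ingress settings of every Container App in the resource group after deployment. It assumes the resource group name used in this guide and that deployed app names end in the names from the table (the prefix comes first); `$PublicAppSuffix` is a parameter chosen for this example.

```powershell
#Requires -Version 7.0
#Requires -Modules Az.Resources
param(
    [string] $ResourceGroupName = 'Epona365OfficeRG',  # resource group name used in this guide
    [string] $PublicAppSuffix   = 'ep-web'             # assumption: names end in the table's names
)

# Read the raw ARM properties of every Container App in the resource group.
$apps = Get-AzResource -ResourceGroupName $ResourceGroupName `
    -ResourceType 'Microsoft.App/containerApps' -ExpandProperties

$report = foreach ($app in $apps) {
    $ingress  = $app.Properties.configuration.ingress   # $null when ingress is disabled
    $external = [bool] $ingress.external
    $insecure = [bool] $ingress.allowInsecure
    $expected = $app.Name.EndsWith($PublicAppSuffix)

    # Compare the live setting with what the architecture table describes.
    if ($external -and -not $expected) {
        $finding = 'public ingress on an app the table lists as internal'
    } elseif ($external -and $insecure) {
        $finding = 'public ingress also accepts plain HTTP'
    } elseif ($expected -and -not $external) {
        $finding = 'front end has no public ingress'
    } else {
        $finding = 'ok'
    }

    [pscustomobject]@{
        App           = $app.Name
        External      = $external
        AllowInsecure = $insecure
        Fqdn          = $ingress.fqdn
        Finding       = $finding
    }
}

$report | Sort-Object App | Format-Table -AutoSize -Wrap
```

Run it after each deployment or Channel change and treat any row whose `Finding` is not `ok` as a configuration drift to investigate.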
# Deploying the Epona365 Office resources in Azure
From the Azure subscription choose Resource groups and click Create to create a new resource group
Enter the Resource group name, here Epona365OfficeRG, choose the Region, here (Europe) West Europe, review the tags and Create the Resource group
Select the Resource group to start the deployment of Epona365 Office resources into that group
Click Create in the Resource group to be redirected to the Azure Marketplace
Under My Marketplace, click Private plans to review the private plans offered to this subscription. In the example below, no Epona365 Office private plan is available. This can happen when Epona has not yet received or processed the Azure Subscription ID that you are using for this deployment. The private plan in the Azure Marketplace is only available to known Azure Subscription IDs. Please contact helpdesk@epona.com to request access to the Private plan.
The Azure Subscription ID can be found on the Overview page of the subscription
It could take up to one hour before a Private plan is available after updating the Azure marketplace with the supplied Subscription ID
Choose the Epona365 Private plan
Select the Version to deploy, here only 25.1 is available and click Create
# Create Epona365 25.1 Choices
Select the Subscription and Resource group, select the Region (preferably identical to the Azure Subscription region) and enter the Prefix for the resource names. This prefix is placed before the names of the resources that are to be created. The prefix is limited to 3 to 5 characters and can only include lower case letters and numbers. The prefix needs to be globally unique, so do not use ep365, as we have probably already taken this prefix.
Click Next and Enable or Disable Logging. This setting allows Epona to receive logging from your application with a 30-minute delay and would help us proactively connect with you should an error occur. No information about documents or contents of documents is shared.
Click Next and Enable or Disable Filing Suggestions. Filing Suggestions are not immediately active should you enable them; in this stage the Azure resources needed to use Filing Suggestions are deployed. Filing Suggestions allow Epona365 Office to suggest a possible filing location based on e-mail metadata (To, From, Subject). This correlated filing requires a small database to store filing patterns.
Click Next and Enable or Disable Cognitive services. Cognitive services are Microsoft Azure Search and Cognitive service resources deployed to your Azure environment. Discuss this step with your Epona consultant, because it requires post-configuration steps. Enabling Cognitive services during the first deployment is not advised; the process is described separately.
Click Next to Review the choices. Document the Prefix and Region used. If you redeploy the resources from the marketplace using the same mix of Region and Prefix, you will be able to overwrite the current deployment. Should you choose a different Prefix or Region, then duplicate resources will be deployed.
The deployment is now in progress. The Azure resources are placed in the Resource group you have created. Microsoft will also create a separate resource group with a number of Epona365 Office related resources outside of the resource group you selected for the deployment.
It might take up to 45 minutes for all the resources to deploy initially. Please wait for this deployment to finish before proceeding.
Monitor the progress and outcome of the resource creation. The deployment should run without errors, but in some cases certain Azure resources could be unavailable in a selected Region, especially the Azure Search and Cognitive services. In that case we advise rerunning the deployment (click Create, select from the Marketplace, use the same Prefix and Region).
# /Setup installation steps from the ep-web container
The deployment of the containers and other resources to the Epona365OfficeRG resource group in the Azure Subscription is finished, but the containers cannot reach Microsoft 365 resources such as SharePoint Online or Graph until an Entra ID APP is created that gives the containers, or the (delegated) users of the system, access to these resources. Creating the two APPs with the right permissions is complex; therefore a PowerShell script can be used to create the APPs and connect the APPs to the containers.
There are three ways to approach this problem
- The user is Global Admin, and has permissions in Entra ID and in the Azure Subscription as Owner; PowerShell will be able to create the APPs and the connections
- The Azure Subscription owner does not have permissions to create Entra ID APPs and assign API permissions with Admin consent; manual configuration or Entra first
The