# Installation
This manual was updated on 15 April 2025 using Epona365 Office version 25.1.
# Introduction
This Modern Add-in (APP) deployment guide is written for Azure and M365 administrators with knowledge of PowerShell.
The documentation consists of four parts:
- Preparation and installation steps in the M365 tenant: setting up an Azure subscription and deploying Epona365 Office from the Azure private app store
- Architecture overview of the Self-Hosted Azure Containers to be deployed
- Deploying and configuring the APPs in the Office and Outlook environment
- Enabling and configuring optional APP components, such as AI filing predictions or OCR functions of the deployed Epona365 Office APP
Please contact the Epona helpdesk at helpdesk@epona.com for assistance with these deployment steps. You can only deploy Epona365 if you have shared your Azure Subscription ID with our helpdesk.
# Prerequisites for deployment
Before Epona365 Office can be deployed, please ensure that you are able to deploy Azure resources. The Epona365 Office APP deploys Azure infrastructure in a pay-per-use model. This means that when the APP functions are used, small microservices called Container Apps perform the document management and e-mail management functions. For this consumption of Azure resources, a payment subscription with Microsoft needs to be in place.
The first prerequisite is an Azure Subscription. You need to create an Azure Subscription in https://portal.azure.com and share the Subscription ID with Epona, so that we can open the Azure Marketplace Private Plan for your company. Please send the Subscription ID to helpdesk@epona.com. We will confirm the addition of your Subscription ID to the Private Audience of this Azure Private Plan. It sometimes takes one hour before that Private Plan is available.
Please also check your role in the Azure Subscription that you plan to use for deploying the Epona365 Office resources. Your minimum role assignment should be Contributor and User Access Administrator; preferably you are the Owner of the Azure Subscription.
The second prerequisite is the Azure Subscription Resource Providers. You need to have Microsoft.App and Microsoft.ContainerService registered as Resource Providers in your Azure Subscription for the deployment of Epona365 to work.
Filter for Microsoft.App and check the Registration status. If it is not registered, register the Microsoft.App resource provider.
Filter on Microsoft.Container, check the Registration status of Microsoft.ContainerService, and register this resource provider.
The third prerequisite is sometimes difficult in larger organizations. After the Container deployment, the next step in the installation process is a one-time step to run a PowerShell script. This script assumes that the user running the script has access to the Azure Subscription and the resources deployed, and this user should be able to create and configure two Entra ID Registered Apps. In some organizations there is a separation between the Azure team and the Entra ID team. In those cases the PowerShell script cannot be deployed and manual deployment steps are required.
The fourth and last prerequisite is the use of PowerShell version 7.x or higher. Please also ensure that you run PowerShell from a Windows workstation. We have noticed that the certificate download stage of our PowerShell script fails when using PowerShell on an Apple Mac.
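As an added example (not part of Epona's own tooling), the following PowerShell pre-flight script checks the role, resource provider and PowerShell prerequisites described above. It assumes the Az.Accounts and Az.Resources modules are installed, that `Connect-AzAccount` has already been run, and that the signed-in account ID resolves as a sign-in name; the parameters and messages are hypothetical. The third prerequisite (permission to create Entra ID app registrations) is not checked.

```powershell
# Added example: pre-flight check for the prerequisites in this guide.
# Assumes: Az.Accounts + Az.Resources installed, Connect-AzAccount already run.
# Parameters and messages are hypothetical, not Epona tooling.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,  # the ID you shared with Epona
    [switch] $Register                                # register missing providers
)
$findings = [System.Collections.Generic.List[string]]::new()

# Prerequisite 4: PowerShell 7.x or higher, run from Windows.
if ($PSVersionTable.PSVersion.Major -lt 7) {
    $findings.Add("PowerShell $($PSVersionTable.PSVersion) found; 7.x or higher is required.")
} elseif (-not $IsWindows) {
    $findings.Add('Not running on Windows; the guide reports certificate download failures on macOS.')
}

# Prerequisite 1: the subscription exists and is reachable with this login.
$ctx   = Set-AzContext -Subscription $SubscriptionId -ErrorAction Stop
$scope = "/subscriptions/$SubscriptionId"

# Role check: Owner, or Contributor plus User Access Administrator.
# Assignments scoped below the subscription (resource groups) do not count.
$roles = @(Get-AzRoleAssignment -SignInName $ctx.Account.Id -ExpandPrincipalGroups |
    Where-Object { -not $_.Scope.StartsWith("$scope/", [StringComparison]::OrdinalIgnoreCase) } |
    Select-Object -ExpandProperty RoleDefinitionName -Unique)
$sufficient = ($roles -contains 'Owner') -or
    (($roles -contains 'Contributor') -and ($roles -contains 'User Access Administrator'))
if (-not $sufficient) {
    $findings.Add("Roles found: '$($roles -join ', ')'. Need Owner, or Contributor and User Access Administrator.")
}

# Prerequisite 2: both resource providers must be registered.
foreach ($ns in 'Microsoft.App', 'Microsoft.ContainerService') {
    $state = (Get-AzResourceProvider -ProviderNamespace $ns | Select-Object -First 1).RegistrationState
    if ($state -eq 'Registered') { continue }
    if ($Register) {
        Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
        $findings.Add("$ns was '$state'; registration requested, re-run to confirm.")
    } else {
        $findings.Add("$ns is '$state'; register it or re-run with -Register.")
    }
}

if ($findings.Count -eq 0) { 'All checked prerequisites are met.' } else { $findings }
```

Without `-Register` the script only reads state, so it can be run by the deploying account before any change is made to the subscription.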
# Architecture overview
Azure Container Apps are small microservices that you instantiate when there is demand for the service. These apps scale well and return to a shutdown state when there is no activity. With Azure Container Apps you are consuming a set of resources in an on-demand environment. The resources required for Epona365 are created automatically when you deploy a Private Plan from the Azure store and choose a Channel from the Epona365 offering. The Channel gives you the ability to define which version of the APP software and services you are offering to your users. It also gives you the ability to revert to previous releases (channels) should something unplanned happen. When you deploy the Epona365 Container Apps, a number of services are created automatically. This chapter describes the function of these services and their connections to the outside world.
Future deployments of Epona365 might contain new Azure resources to be used. We will never roll out new resources in a Channel. Channels will only be hotfixed if necessary (let’s hope not), and new Channels will provide new functions and, if required, new resources to be used.
Resource | Type | Function | Connections |
---|---|---|---|
dms-crawl-app | Container App | Processes jobs from the crawl queue. Crawl processes running are crawl matters, crawl matter and crawl documents | Use the Managed Identity to connect to the dmsstorage Storage account using Secure transfer for REST API connections within the VNET. Use Azure Key Vault (dms-kv) to cache access tokens. Access SharePoint using an application permission. |
dms-delta-app | Container App | Processes jobs from the delta queue. Crawl processes running are full delta at the tenant level checking all matters, quick delta checking new matters, and the check document delta job. Check document delta will trigger new jobs to be created | Use the Managed Identity to connect to the dmsstorage Storage account using Secure transfer for REST API connections within the VNET. Use Azure Key Vault (dms-kv) to cache access tokens. Access SharePoint and Graph using an application permission. |
dms-metadata-app | Container App | The predict metadata job uses OpenAI to auto-predict document metadata on existing or new documents. | Use the Managed Identity to connect to the dmsstorage Storage account using Secure transfer for REST API connections within the VNET. Use Azure Key Vault (dms-kv) to cache access tokens. Access SharePoint using an application permission. dms-metadata-app also connects with Epona LegalGraph to send the jobs to OpenAI |
dms-ocr-app | Container App | Processes jobs from the crawl queue. Crawl processes running are ocr matters, ocr matter and ocr documents | Use the Managed Identity to connect to the dmsstorage Storage account using Secure transfer for REST API connections within the VNET. Use Azure Key Vault (dms-kv) to cache access tokens. Access SharePoint through Graph using an application permission. |
dms-suggestions-app | Container App | Provides Filing Suggestions to the Epona365 Outlook APP and the Epona DMSforLegal client | The dms-web-app receives filing prediction requests from DMSforLegal and Epona365 Outlook. The dms-web-app calls the dms-suggestions-app to provide the predictions. The dms-suggestions-app connects with the dmsstorage Storage account to query the machine-learning model |
dms-training-app | Container App | Creates the machine-learning model | Connects with the dmsstorage Azure Storage Account to save the model and the SQL database to read the training source data |
dms-user-jobs-app | Container App | There are three types of user jobs. High priority jobs are handled by the dms-web-app; Low and Medium priority jobs are handled by the dms-user-jobs-app | Accesses the dms-kv Key Vault to access user tokens. Connects to the dmsstorage Azure Storage Account, and connects to SharePoint and Microsoft Graph using delegated permissions |
dms-web-app | Container App | Services the static webpages and scripts, the front-end web components. Provides the website for configuring Epona365. Provides the core Epona365 web API. Is responsible for High priority jobs. | Use the Managed Identity to connect to the dmsstorage Storage account using Secure transfer for REST API connections within the VNET to populate queues. Use Azure Key Vault (dms-kv) to cache access tokens. Access SharePoint CSOM and Graph using delegated permission. The web front end and API services are accessible from the Internet. Connections from clients use HTTPS, the Ingress proxy relays the inbound requests to the internal container HTTP port. |
dms-env | Container Apps Environment | Configures and defines the Dapr components, outlining service connections of all Container Apps | |
dms-kv | Key vault | Key Vault saves the access tokens. | |
dms-settings | Key vault | Key vault to store the settings of the registered Azure AD (Entra) APPs. In this keyvault Client ID and certificate of the Azure AD Apps are saved. | |
dms-log-analytics | Log Analytics workspace | Storage of the container apps logs | |
dms-app | Managed Identity | Authentication information to access the Epona365 resources in the VNET | |
dms-crawl-db | SQL database | Storage of the crawl data to train the machine-learning model | |
dms-sql-server | SQL server | Services the SQL database | |
dmsstorage | Storage account | Stores job queues, and other temporary state data. | |
dms-vnet | Virtual network | Defined virtual network for Epona365 internal traffic | |
# Deploying the Epona365 Office resources in Azure
From the Azure subscription, choose Resource groups and click Create to create a new resource group.
Enter the Resource group name, here Epona365OfficeRG, choose the Region, here (Europe) West Europe, review the tags and Create the Resource group.
Select the Resource group to start the deployment of Epona365 Office resources into that group.
Click Create in the Resource group to be redirected to the Azure Marketplace.
Under My Marketplace, click Private plans to review the private plans offered to this subscription. In the example below, no Epona365 Office private plan is available. This can happen when Epona has not yet received or processed the Azure Subscription ID that you are using for this deployment. The private plan in the Azure Marketplace is only available to known Azure Subscription IDs. Please contact helpdesk@epona.com to request access to the Private plan.
The Azure Subscription ID can be found on the Overview page of the subscription.
It could take up to one hour before a Private plan is available after updating the Azure Marketplace with the supplied Subscription ID.