Configure Dragon Copilot (radiologists) in Microsoft Azure

Prerequisites

Step 1: Identify the PowerScribe One SSL certificate

  1. On your PowerScribe One app server, open Internet Information Services (IIS) Manager.
  2. In the navigation pane to the left, select Sites > Default Web Site.
  3. In the Actions pane, Edit Site section, select Bindings.
  4. Select the https (port 443) entry and select Edit.
  5. Copy the certificate name displayed under SSL certificate and save it. This certificate is the one you export in step 3.
  6. Select View.
  7. Copy the following information and save it: Issued to, Issued by, Valid from ... to. If there are multiple certificates with the same name, this information helps you find the correct certificate.

Step 2: Set permissions for the PowerScribe One SSL certificate

Enable the PowerScribe One Admin Portal to access the PowerScribe One SSL certificate:

  1. On your PowerScribe One app server, search for certlm.msc and open the app.
  2. Select Certificates – Local Computer > Personal > Certificates.
  3. Locate the PowerScribe One SSL certificate and make sure the details in the columns Issued To, Issued By, and Expiration date match the information you saved earlier.
  4. Select and hold (or right-click) the certificate, and then select All Tasks > Manage Private Keys.
  5. Make sure that the PSRadPortalAppPool user in the Group or user names list has read permissions.

If the PSRadPortalAppPool user isn't present in the Group or user names list:

  1. Select Add.
  2. Make sure you select your PowerScribe One app server location.
  3. Enter the object name IIS AppPool\PSRadPortalAppPool.
  4. Select Check Names. The object name is shortened to PSRadPortalAppPool.
  5. Select OK.
  6. Make sure that the PSRadPortalAppPool user has read permissions.

Step 3: Export the PowerScribe One SSL certificate

  1. On your PowerScribe One app server, search for certlm.msc and open the app.
  2. Select Certificates – Local Computer > Personal > Certificates.
  3. Locate the PowerScribe One SSL certificate and make sure the details in the columns Issued To, Issued By, and Expiration date match the information you saved earlier.
  4. Select and hold (or right-click) the certificate, and then select All Tasks > Export.
  5. The Certificate Export Wizard opens; select Next.
  6. On the Export Private Key page, select No, do not export the private key > Next.
  7. On the Export File Format page, select DER encoded binary X.509 (.CER) > Next.
  8. On the File to Export page, browse for the location where you want to save the certificate.
  9. On the Completing the Certificate Export Wizard page, review your settings, and then select Finish.
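
Steps 1 and 3 can be cross-checked from PowerShell on the app server. The following is an added example, not part of the Microsoft guide: it reads the certificate bound to https/443 on Default Web Site, exports it without the private key, and confirms that the exported file is DER encoded, has no private key, and is the same certificate. The output path is a hypothetical placeholder, and the WebAdministration module is assumed to be available on the IIS server.

```powershell
# Added example; $OutFile is a hypothetical path, not one from the guide.
Import-Module WebAdministration
$OutFile = Join-Path $env:TEMP 'powerscribe-one-ssl.cer'

# Step 1: read the certificate hash from the https/443 binding of Default Web Site.
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 |
    Select-Object -First 1
if (-not $binding -or -not $binding.certificateHash) {
    throw 'No certificate is bound to https/443 on Default Web Site.'
}

# Resolve the hash in Local Computer > Personal; fails if the certificate is elsewhere.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$($binding.certificateHash)" -ErrorAction Stop

# Several certificates can share a name; list them so the bound one is unambiguous.
$sameSubject = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Subject -eq $cert.Subject)
if ($sameSubject.Count -gt 1) {
    Write-Warning "$($sameSubject.Count) certificates share subject '$($cert.Subject)'."
    $sameSubject | Format-Table Thumbprint, Issuer, NotBefore, NotAfter | Out-Host
}

# Step 3: export the public certificate only, DER encoded (-Type CERT).
Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null

# Re-read the file and check what is about to leave the server.
$firstByte = [System.IO.File]::ReadAllBytes($OutFile)[0]
$exported  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($OutFile)
if ($firstByte -ne 0x30)      { throw 'File is not DER encoded.' }
if ($exported.HasPrivateKey)  { throw 'Export contains a private key.' }
if ($exported.Thumbprint -ne $cert.Thumbprint) {
    throw 'Exported file is a different certificate than the one bound in IIS.'
}

# Values to compare with the notes from Step 1 and the thumbprint listed after upload.
[pscustomobject]@{
    IssuedTo   = $exported.Subject
    IssuedBy   = $exported.Issuer
    ValidFrom  = $exported.NotBefore
    ValidTo    = $exported.NotAfter
    Thumbprint = $exported.Thumbprint
    File       = $OutFile
}
```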

Step 4: Provision the service principals

To provision the service principals in your Entra tenant, use one of the following options:

Run the PowerShell script provided by Microsoft

The PowerShell script provided by your Microsoft project team creates service principals in your Entra tenant. Running the script requires tenant administrator privileges.

  1. On any workstation that has access to your Entra tenant, open Windows PowerShell with elevated privileges.
  2. Run the following PowerShell commands and answer Y for each of them:
    • Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
    • Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser
    • Install-Module Microsoft.Graph -AllowClobber
  3. In Windows PowerShell, go to the folder that contains the PowerShell script and enter: .\Provision-ServicePrincipals.ps1.
  4. When prompted, enter your Entra tenant ID and press Enter.
  5. The Connecting to Microsoft Graph message box is displayed. When prompted, authenticate your account.

Manually provision the service principals by using Microsoft Graph

Prerequisites

  • You're signed into your Entra tenant with a role that can create service principals (for example, Global Administrator or Cloud Application Administrator).
  • You know which environment or tenant you're targeting.
  • In Graph Explorer, you consented to the permissions required to create and read service principals. For more information, see Consent to permissions.
  • You received the app IDs for Dragon Copilot (radiologists) from your Microsoft project team.

Provision the service principals in Graph Explorer

  1. Open Graph Explorer and sign in with an account from the Entra tenant that has a role that can create service principals.

  2. Ensure the directory shown in the profile menu is the correct Entra tenant.

  3. Set the HTTP request method to POST and enter https://graph.microsoft.com/v1.0/servicePrincipals as the request URL.

  4. On the Request Body tab, enter the following code, replacing <APP_ID> with the Dragon Copilot app ID you received:

    {
      "appId": "<APP_ID>"
    }
    
  5. On the Request Headers tab, make sure Content-Type is set to application/json.

  6. Select Run query. The service principal is created and the Response body shows the new service principal (including its ID and app ID).

Note

Perform steps 4-6 for each Dragon Copilot app ID.

Screenshot of Graph Explorer showing a POST request to the servicePrincipals endpoint with an app ID in the request body and the resulting service principal object in the response body.

Verify service principals

After creating the service principals, verify they exist in the Entra tenant in Graph Explorer or in Microsoft Azure.

In Graph Explorer:

  1. Set the HTTP request method to GET and enter https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq '<APP_ID>' as the request URL. Replace <APP_ID> with the Dragon Copilot app ID you want to verify.
  2. Select Run query. The response returns a service principal object for the specified app ID.

In the Microsoft Azure portal:

  1. Select Microsoft Entra ID.
  2. In the navigation pane to the left, select Manage > Enterprise applications.
  3. Filter by application ID or search by the Dragon Copilot app IDs.
  4. Confirm an enterprise app entry exists for each app ID.
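
The manual provisioning and verification steps can also be run as one loop with the Microsoft.Graph PowerShell module installed earlier. This is an added example, not the script provided by Microsoft: the tenant ID and app IDs are placeholders, and `Application.ReadWrite.All` is assumed as the delegated scope used to create service principals. It creates a service principal only when none exists for an app ID, so it is safe to rerun.

```powershell
# Added example; replace the placeholders with your tenant ID and the
# Dragon Copilot app IDs received from your Microsoft project team.
$TenantId = '<TENANT_ID>'
$AppIds   = @('<APP_ID_1>', '<APP_ID_2>')

# Assumed scope for creating and reading service principals.
Connect-MgGraph -TenantId $TenantId -Scopes 'Application.ReadWrite.All'

# Same check as step 2 in Graph Explorer: confirm the session is in the intended tenant.
if ((Get-MgContext).TenantId -ne $TenantId) {
    throw "Connected to tenant $((Get-MgContext).TenantId), expected $TenantId."
}

$results = foreach ($appId in $AppIds) {
    # Accept only GUIDs so nothing else ends up inside the $filter expression.
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($appId, [ref]$guid)) {
        throw "Not a valid app ID: $appId"
    }
    $id = $guid.ToString()

    # Equivalent of GET /servicePrincipals?$filter=appId eq '<APP_ID>'.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$id'"
    $created = $false
    if (-not $sp) {
        # Equivalent of POST /servicePrincipals with { "appId": "<APP_ID>" }.
        $sp = New-MgServicePrincipal -AppId $id
        $created = $true
    }

    [pscustomobject]@{
        AppId       = $sp.AppId
        ObjectId    = $sp.Id
        DisplayName = $sp.DisplayName
        Created     = $created
    }
}

# One row per app ID; Created shows which principals this run added.
$results | Format-Table -AutoSize

Disconnect-MgGraph | Out-Null
```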

Assign required access (if applicable)

Creating the service principal only registers the app in the Entra tenant. Depending on your deployment, you might also need to do the following steps:

  • Assign the app to users, groups, or service accounts.
  • Configure API permissions and grant administrator consent as required by the Dragon Copilot integration.
  • Follow your solution’s deployment guide for any additional role or permission assignments.

Step 5: Add the PowerScribe Services app in your Entra tenant

Important

Make sure you perform this step on the tenant where your users are registered.

Add the PowerScribe Services app, which is used for both Dragon Copilot and PowerScribe One Web Services API, in your Entra tenant:

  1. Go to the Microsoft Azure portal and select Microsoft Entra ID.
  2. Select Add > App registration.
  3. In the Name field, enter PowerScribe Services.
  4. In the Supported account types section, select the Single tenant option.
  5. Select Register.
  6. In the navigation pane to the left, select Manage > App registrations.
  7. Select the All applications tab and select PowerScribe Services in the list.
  8. In the navigation pane to the left, select Overview.
  9. Copy the Application (client) ID and Directory (tenant) ID values and save them; you'll need them later in the process.

Step 6: Upload the PowerScribe One SSL certificate

  1. Go to the Microsoft Azure portal and select Microsoft Entra ID.
  2. In the navigation pane to the left, select Manage > App registrations.
  3. Select the All applications tab and select PowerScribe Services in the list.
  4. In the navigation pane to the left, select Manage > Certificates and secrets.
  5. On the Certificates tab, select Upload certificate and browse for the PowerScribe One SSL certificate you exported earlier. When the upload is complete, the certificate is listed on the Certificates tab.
  6. Copy the Thumbprint and save it; you'll need it later in the process.

Step 7: Configure the PowerScribe Services app

Assign the required role to the PowerScribe Services app in your Entra tenant so it can access the Dragon Copilot connector server APIs:

  1. Go to the Microsoft Azure portal and select Microsoft Entra ID.
  2. In the navigation pane to the left, select Manage > App registrations.
  3. Select the All applications tab and select PowerScribe Services in the list.
  4. In the navigation pane to the left, select Manage > API permissions.
  5. Select Add a permission > APIs my organization uses.
  6. Search for and select HLS PowerScribeCloud CommonApi.
  7. Select Application permissions > ClinicalDataImport > Add permissions. The ClinicalDataImport API permissions are created.
  8. Select ClinicalDataImport > Grant admin consent to Tenant. Confirm your selection.

Step 8: Manage user access to Dragon Copilot

Assign Dragon Copilot access to users or groups:

  1. Go to the Microsoft Azure portal and select Microsoft Entra ID.
  2. In the navigation pane to the left, select Manage > Enterprise applications.
  3. Search for and select Dragon Copilot Services.
  4. Select Assign users and groups > Add user/group.
  5. On Add Assignment, select Users and groups, and then select the users or groups you want to give access to Dragon Copilot.
  6. Select Select a role > CompanionAllowList.
  7. Select Select > Assign.

The changes take effect the next time the user signs in to Dragon Copilot.

Remove Dragon Copilot access for users or groups:

  1. Go to the Microsoft Azure portal and select Microsoft Entra ID.
  2. In the navigation pane to the left, select Manage > Enterprise applications.
  3. Search for and select Dragon Copilot Services.
  4. Select Assign users and groups.
  5. Select the users or groups you want to remove access for and select Edit assignment.
  6. Select Select a role, and then deselect CompanionAllowList.
  7. Select Select > Assign.

Step 9: Provide information to Microsoft

Provide the following information to your Microsoft project team so they can install the Dragon Copilot connector on your PowerScribe One app server:

  • The database credentials to sign in to the PowerScribe One SQL database.
  • The Application (client) ID and Directory (tenant) ID values you saved earlier.
  • The location of the PowerScribe One SSL certificate you exported earlier.
