Megaphone Commons

{{last_updated_at}} by {{last_updated_by}}

# Microsoft Azure - Setup

## For the Client

Hi there!  If I've directed you to this page, the part that concerns you are the first three sections only.  It's a bit convoluted, so feel free to ask me if you run into trouble! -Jon

[**NOTE**: Most of Microsoft's pages break with an ad blocker enabled.]

### Get a Sponsorship

* [Go to the Nonprofit Microsoft Getting Started page](https://nonprofit.microsoft.com/en-us/getting-started).  Fill out the paperwork to be approved as a 501c3.  Approval can take 1 day or 3-4 weeks - I've seen both multiple times.

* Once approved, go to https://www.microsoft.com/en-us/nonprofits/azure to claim credits (or go directly to [Claiming Your Credits](https://nonprofit.microsoft.com/en-us/offers/azure).

* You'll know you're successful because you'll see a sponsorship listed on the [Sponsorship Page](https://www.microsoftazuresponsorships.com/Balance).

### Create a Subscription

* Check that you have credits in your sponsored account: https://www.microsoftazuresponsorships.com/Balance

* Visit the [Azure Portal](https://portal.azure.com).  

* Click the **Subscriptions** icon.

* Click the **Add** button.

* Add a subscription of type "Microsoft Azure Sponsorship" from the Azure portal. You will likely need to select **Show other subscription types** to see it.

 * **Note**: Even sponsored subscriptions require a credit card, make sure you have one available.

### Grant access to other users

Microsoft is now enforcing two-factor authentication, so you need to create a separate user for me as your web vendor.

**October 2025**

Starting in October, you must do these additional steps. If not, please start at the "Start Here" below.

* Using the search bar at the top, search for **Microsoft Entra ID**.

* Click **Manage**, then **Users** in the left-hand menu.

* On the toolbar near the top of the page, select **New User » Invite External User**.

* Add my email (jon@megaphonetech.com) and display name.

* Click **Review and Invite** at the bottom left of the page.

[Source](https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/add-change-subscription-administrator) for instructions

[START HERE if it's not October yet]

* Open the new subscription by clicking on it from the **Subscriptions** page.

* Click **Access Control (IAM)** in the left navigation bar.

* At the top, press **Add » Add role assignment**.

* On the *Role* tab, go to the **Privileged administrator roles** subtab. 

* Click **Owner** and press **Next**.

* On the *Members* tab, set *Assign Access* to **User, group, or service principal**, and click **Select Members**.

* In the *Search by name or email address* box, put the email of the new user and press **Select**. Press **Next**.

* On the *Conditions* tab, select **Allow user to assign all roles except privileged administrator roles Owner, UAA, RBAC (Recommended)**.

* Click **Review and Assign**, then click **Review and Assign** again.

At this point, they'll receive an email to either log in with an existing Microsoft account or to create a new one.

### On Renewals

You will need to renew every year.  Instructions for this are incomplete - but you should go to your [Azure portal](https://portal.azure.com) and click the **Subscriptions** button (see screenshot 1 below).  Find the subscription ID (screenshot 2) - it's a string of numbers and letters.  Then go to https://www.microsoftazuresponsorships.com/Balance and assign your new credits to the existing subscription.

If you did not do this in time, you should be able to open a support ticket with Microsoft to request a refund.

**Screenshot 1**

![Azure portal toolbar, "Subscriptions" is circled](Selection_2157.png)

**Screenshot 2**

![Azure portal Subscriptions screen, a red arrow points to the Subscription ID](Selection_2158.png)

## Technical Configuration

To set up a free account, you must:

* Get a Sponsorship (see above)

* Create a Subscription linked to the Sponsorship (see above)

* (Strongly recommended) Grant access to the subscription to other users.

* Create a Resource Group linked to the Subscription

* Create a Virtual Machine (and associated resources) linked to the Resource Group

### Create a resource group

* Select "Resource Groups" from the main Azure portal (left sidebar).

* Select **Create** and give it a name.

* Your subscription should be pre-selected since you only have the one.

* Click **Review and Create**, then **Create**.

### Create a virtual machine

* Click on your new resource group in the Azure Portal.

* Click **Create**.

* Search for the name of the image you want (e.g. `Debian 13 "Trixie`).

 * If you picked an image that shows an hourly cost, it's the wrong one.

* See the screenshots below for configuration of the "Basics" and "Disk" tabs.  The other tabs I keep with the defaults.  My standard VPS type is now `D2ps_v6`.

 * "D2" is general-purpose VM, we always select this.  "a" is AMD-series (old preference), "p" is ARM64, "d" is temp disk included (we don't need this), "s" supports premium SSD disks. v6 is the latest gen, always use the latest gen.

![Create a VM - Basics Tab](Selection_2678.png)

![Create a VM - Disks Tab](Selection_2679.png)

### Post-provisioning configuration

#### Get serial console working

Serial console is necessary for single-user mode, and troubleshooting if SSH fails.

It's normally working out of the box now.  Go to "Serial Console" in the VM left navigation.  If it doesn't work:

* Go to **Boot Diagnostics** in the VM's left nav.

* Click **Settings** at the top.

* Select **Enable with managed storage account**.

* Save.

Now Serial Console will work.

#### Modify Firewall Rules

* Click on your new virtual machine in the Azure portal.

* Click **Networking** in the side navigation.

* You should see your firewall settings.  They should look like the screenshot below, except they'll be missing the two items circled.

* Add the "allow_ping" and "Port_5665" rules to the *Inbound Port Rules* as shown in the screenshot.

![Firewall Rules](https://hq.megaphonetech.com/attachments/download/1772/Selection_999(012).png)

#### Add a swapfile

[Complete instructions are here](https://support.microsoft.com/en-us/help/4010058/how-to-add-a-swap-file-in-linux-azure-virtual-machines) but in short, add this to `/etc/waagent.conf` for an 8GB swapfile:

```

    ResourceDisk.Format=y

    ResourceDisk.EnableSwap=y

    ResourceDisk.SwapSizeMB=8192

```

Then run `service walinuxagent restart`.

## Post-deployment management

### Adding a new disk

Add a disk by going to the virtual machine and clicking "Disk", not by "Add Resource".  Then used the `parted` and `mkfs` commands from above.  Don't forget to modify `/etc/fstab`!