{{last_updated_at}} by {{last_updated_by}}

Microsoft Azure - Setup¶

For the Client¶

Hi there! If I've directed you to this page, the part that concerns you are the first three sections only. It's a bit convoluted, so feel free to ask me if you run into trouble! -Jon

[NOTE: Most of Microsoft's pages break with an ad blocker enabled.]

Get a Sponsorship¶

• Go to the Nonprofit Microsoft Getting Started page. Fill out the paperwork to be approved as a 501c3. Approval can take 1 day or 3-4 weeks - I've seen both multiple times.
• Once approved, go to https://www.microsoft.com/en-us/nonprofits/azure to claim credits (or go directly to Claiming Your Credits.
• You'll know you're successful because you'll see a sponsorship listed on the Sponsorship Page.

Create a Subscription¶

• Check that you have credits in your sponsored account: https://www.microsoftazuresponsorships.com/Balance
• Visit the Azure Portal.
  
• Click the Subscriptions icon.
• Click the Add button.
• Add a subscription of type "Microsoft Azure Sponsorship" from the Azure portal. You will likely need to select Show other subscription types to see it.
  • Note: Even sponsored subscriptions require a credit card, make sure you have one available.

Grant access to other users¶

Microsoft is now enforcing two-factor authentication, so you need to create a separate user for me as your web vendor.

October 2025
Starting in October, you must do these additional steps. If not, please start at the "Start Here" below.

• Using the search bar at the top, search for Microsoft Entra ID.
• Click Manage, then Users in the left-hand menu.
• On the toolbar near the top of the page, select New User » Invite External User.
• Add my email (jon@megaphonetech.com) and display name.
• Click Review and Invite at the bottom left of the page.

Source for instructions
[START HERE if it's not October yet]

• Open the new subscription by clicking on it from the Subscriptions page.
• Click Access Control (IAM) in the left navigation bar.
• At the top, press Add » Add role assignment.
• On the Role tab, go to the Privileged administrator roles subtab.
• Click Owner and press Next.
• On the Members tab, set Assign Access to User, group, or service principal, and click Select Members.
• In the Search by name or email address box, put the email of the new user and press Select. Press Next.
• On the Conditions tab, select Allow user to assign all roles except privileged administrator roles Owner, UAA, RBAC (Recommended).
• Click Review and Assign, then click Review and Assign again. At this point, they'll receive an email to either log in with an existing Microsoft account or to create a new one.

On Renewals¶

You will need to renew every year. Instructions for this are incomplete - but you should go to your Azure portal and click the Subscriptions button (see screenshot 1 below). Find the subscription ID (screenshot 2) - it's a string of numbers and letters. Then go to https://www.microsoftazuresponsorships.com/Balance and assign your new credits to the existing subscription.

If you did not do this in time, you should be able to open a support ticket with Microsoft to request a refund.

Screenshot 1

Screenshot 2

Technical Configuration¶

To set up a free account, you must:

• Get a Sponsorship (see above)
• Create a Subscription linked to the Sponsorship (see above)
• (Strongly recommended) Grant access to the subscription to other users.
• Create a Resource Group linked to the Subscription
• Create a Virtual Machine (and associated resources) linked to the Resource Group

Create a resource group¶

• Select "Resource Groups" from the main Azure portal (left sidebar).
• Select Create and give it a name.
• Your subscription should be pre-selected since you only have the one.
• Click Review and Create, then Create.

Create a virtual machine¶

• Click on your new resource group in the Azure Portal.
• Click Create.
• Search for the name of the image you want (e.g. Debian 13 "Trixie).
  • If you picked an image that shows an hourly cost, it's the wrong one.
• See the screenshots below for configuration of the "Basics" and "Disk" tabs. The other tabs I keep with the defaults. My standard VPS type is now D2ps_v6.
  • "D2" is general-purpose VM, we always select this. "a" is AMD-series (old preference), "p" is ARM64, "d" is temp disk included (we don't need this), "s" supports premium SSD disks. v6 is the latest gen, always use the latest gen.

Post-provisioning configuration¶

Get serial console working¶

Serial console is necessary for single-user mode, and troubleshooting if SSH fails.

It's normally working out of the box now. Go to "Serial Console" in the VM left navigation. If it doesn't work:

• Go to Boot Diagnostics in the VM's left nav.
• Click Settings at the top.
• Select Enable with managed storage account.
• Save.

Now Serial Console will work.

Modify Firewall Rules¶

• Click on your new virtual machine in the Azure portal.
• Click Networking in the side navigation.
• You should see your firewall settings. They should look like the screenshot below, except they'll be missing the two items circled.
• Add the "allow_ping" and "Port_5665" rules to the Inbound Port Rules as shown in the screenshot.

Add a swapfile¶

Complete instructions are here but in short, add this to /etc/waagent.conf for an 8GB swapfile:

    ResourceDisk.Format=y
    ResourceDisk.EnableSwap=y
    ResourceDisk.SwapSizeMB=8192

Then run service walinuxagent restart.