Admidio 5 Membership Management on Ubuntu 24.04 on Azure User Guide
Overview
Admidio is the open source membership management platform for clubs, associations and non profit organisations. It centres on a member database with freely definable profile fields, and adds groups and roles with granular permissions, events with participant registration, a document and file archive, announcements, photo albums, forums, messages and mailings, an inventory and category based reporting, all from one web interface. The cloudimg image ships Admidio 5 served by Apache and PHP 8.3 on a hardened, fully patched Ubuntu 24.04 LTS base, together with a bundled local MariaDB server so the appliance is complete and useful on its own. The installation wizard is pre completed and locked away, so the platform is ready the moment the instance boots. The bundled MariaDB listens only on the loopback interface (127.0.0.1:3306) and keeps its data on a dedicated Azure data disk. A unique administrator password is generated on the first boot of every VM. Backed by 24/7 cloudimg support.
What is included:
- Admidio 5 served by Apache with PHP 8.3, managed by systemd
- A bundled MariaDB server holding the Admidio database, already installed and ready
- The installation wizard pre completed and locked away, so no setup wizard is ever exposed
- A per VM administrator password generated on first boot and recorded in a root only file
- No shipped default login: the administrator password ships rotated to a discarded random and the real per VM password is set on first boot
- MariaDB bound to
127.0.0.1only, never exposed to the network - A dedicated Azure data disk carrying both the MariaDB database and Admidio's uploaded and generated files
- A base URL derived from the request, so the site answers correctly on the public IP, the private IP or any DNS name you point at it
apache2.serviceandmariadb.serviceas enabled systemd units- An unauthenticated
/healthzendpoint for Azure Load Balancer health probes - 24/7 cloudimg support
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a sensible starting point for a club or association; move up to Standard_D2s_v3 for larger memberships or heavy photo use. NSG inbound: allow 22/tcp from your management network, 80/tcp for the application and 443/tcp if you terminate TLS on the VM. The bundled MariaDB is never exposed: it listens on 127.0.0.1 only, so port 3306 stays off the network.
Step 1 - Deploy from the Azure Marketplace
In the Azure portal choose Create a resource, search for Admidio 5 Membership Management on Ubuntu 24.04 LTS by cloudimg, and select Create. Pick your subscription, resource group and region, choose the Standard_B2s size, select SSH public key authentication with the username azureuser, and allow inbound 22, 80 and 443. The image attaches its own 20 GiB data disk for your member database and files, so you do not need to add one.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name admidio \
--image <marketplace-image-urn> \
--size Standard_B2s \
--admin-username azureuser \
--generate-ssh-keys \
--public-ip-sku Standard
Then open ports 80 and 443:
az vm open-port --resource-group <your-rg> --name admidio --port 80,443
Step 3 - Confirm the services are running
SSH to the VM as azureuser and confirm Apache, MariaDB and the first boot service are all active. Note that MariaDB is bound to 127.0.0.1:3306 only, while Apache serves on port 80.
systemctl is-active apache2 mariadb admidio-firstboot
ss -tlnp | grep -E ':80 |:3306 ' | sed 's/ */ /g'

Step 4 - Retrieve the per VM administrator password
The first boot service generates an administrator password unique to your VM and writes it to a root only file. Read it over SSH:
sudo cat /root/admidio-credentials.txt

ADMIDIO_URL is the VM's own address as seen from inside the VM. Azure does not expose the public IP to the instance, so this is usually the private address. Browsing the public IP shown in the Azure portal works identically, because this image derives Admidio's base URL from the request rather than baking one in at build time.
Step 5 - Sign in
Browse to http://<vm-ip>/ and sign in with the username admin and the password from the credentials file.

After signing in you land on the Overview, which shows who is signed in, upcoming birthdays, the calendar, announcements, events and who is online, with the module list down the left and the administration section beneath it.

Step 6 - Set up your organisation
The image ships a starter organisation called My Organisation so the platform is usable immediately. Rename it and set your own details under Administration > Preferences > Organisation: the long name and short name, the administrator email address, your timezone and the default language. The same Preferences area is where you enable and configure the individual modules (events, photos, documents, forum, messages and the rest) and set the registration behaviour for new members.
Step 7 - Manage your members
Contacts is the member database. Use Create contact to add a member, Import contacts to bulk load from CSV, and Edit profile fields to define exactly which fields your organisation records. The list is searchable and sortable, and every change is tracked in the change history.

Step 8 - Organise groups and roles
Groups & roles is where Admidio decides who may see and do what. The image ships the standard Administrator, Association's board and Member roles. Create your own roles for committees, teams or age groups, assign members to them, and use Show permissions to review exactly which rights each role grants.

Step 9 - No known or default credentials
This image ships with no usable login. The administrator password baked at build time is rotated to a random value that is discarded and never recorded, and the first boot service sets a fresh password unique to your VM before Admidio serves a single request. The admin account is the only account that can sign in, and the check below confirms that the per VM password authenticates through the real Admidio login form while a blank password and common weak guesses are all rejected.
sudo mariadb --protocol=socket -uroot -N -e "SELECT CONCAT(usr_login_name,' (the only account that can sign in)') FROM admidio.adm_users WHERE usr_valid=1 AND usr_login_name IS NOT NULL"
sudo bash /usr/local/sbin/admidio-cred-roundtrip.sh

Change the administrator password to one of your own at My profile > Edit profile > Change password once you have signed in for the first time.
Step 10 - Verify the stack and where your data lives
Confirm the installed release, the health endpoint and the data disk layout. Both the MariaDB database and Admidio's adm_my_files tree (your uploads, generated files and the configuration) live on the dedicated data disk, bind mounted into place, so your data is kept off the operating system disk.
sudo mariadb --protocol=socket -uroot -N -e "SELECT CONCAT('Admidio ',com_version) FROM admidio.adm_components WHERE com_name_intern='CORE'"
curl -sI http://127.0.0.1/healthz | head -1
findmnt -no SOURCE,TARGET,FSTYPE,SIZE /data; findmnt -no SOURCE,TARGET /var/lib/mysql; findmnt -no SOURCE,TARGET /var/www/admidio/adm_my_files

Adding your own domain and TLS
Admidio derives its base URL from the request, so pointing a DNS name at the VM is all that is needed for links and emails to use that name. No configuration change is required. To terminate TLS on the VM itself, install a certificate with Certbot:
sudo apt-get update && sudo apt-get install -y certbot python3-certbot-apache
sudo certbot --apache -d admidio.your-domain.com
Certbot configures the Apache virtual host and renews automatically. Admidio switches its generated links to https:// on its own once requests arrive over TLS.
If you prefer to pin one fixed public URL instead of following the request, replace the cloudimg block at the end of /var/www/admidio/adm_my_files/config.php with a single line, for example $g_root_path = 'https://admidio.your-domain.com';.
Backing up
Everything that matters lives on the data disk: the MariaDB database and the adm_my_files tree. Snapshot the data disk for a complete point in time backup, or dump the database and archive the files tree:
sudo mariadb-dump --protocol=socket -uroot --single-transaction --routines admidio > /var/tmp/admidio-backup.sql
sudo tar -czf /var/tmp/admidio-files-backup.tar.gz -C /data/admidio adm_my_files
Security notes
- The administrator password is unique to every VM, generated on first boot into a
0600 root:rootfile. No default or shared login ships in the image. - The installation and update wizard is denied from the web (
/installreturns 403). To perform a major version upgrade, temporarily lift it withsudo a2disconf cloudimg-admidio-lockdown && sudo systemctl reload apache2, complete the upgrade, then re enable it. adm_my_files, which holdsconfig.phpand every upload, is denied from the web by Admidio's own shipped.htaccess, honoured because the virtual host setsAllowOverride All.- MariaDB listens on
127.0.0.1:3306only and is never reachable from the network. On box maintenance usessudo mariadbasroot@localhostover the unix socket, with no password. - The session cookie is host only, so it is scoped to exactly the address you browse to.
- Admidio locks an account for 15 minutes after repeated wrong passwords.
- The OS is fully patched at build time and unattended security upgrades stay enabled on your VM.
- Restrict
22/tcpto your management network, and put the site behind TLS before inviting members.
Trademark
Admidio is a trademark of its respective owner. cloudimg is not affiliated with or endorsed by the Admidio project. All product and company names are trademarks or registered trademarks of their respective holders.
Support
cloudimg provides 24/7 technical support for this image by email (support@cloudimg.co.uk) and live chat, with a one hour average response time for critical issues.