Why RMAD requires an Azure service principal when using Azure infrastructure during Forest Recovery (4382030)

Why RMAD requires an Azure service principal when using Azure infrastructure during Forest Recovery

When performing a Forest Recovery using RMAD with Clean-OS Azure infrastructure, RMAD automatically creates an Azure Application Registration with an associated service principal for authentication.

RMAD creates an Enterprise Application (Service Principal), is required because automated disaster recovery must run fully unattended. Interactive user accounts—even with sufficient permissions—are not reliable for automation due to:

• Short-lived user tokens
• Possible MFA or Conditional Access prompts
• Session expiration during long-running recovery operations

Azure best practices require a service principal for any non-interactive infrastructure automation.

The following roles are automatically assigned to service principal: -Owner role for the resource group where VMs are created -Contributor role for virtual network if the virtual network is located in the resource group different from the RG where VMs are created -Contributor role for virtual network gateway if the virtual network gateway is located in the resource group different from the RG where VMs are created -Contributor role for security group if the security group is located in the resource group different from the RG where VMs are created