Hi everyone. Starting with V12, Veeam Backup & Replication (VBR) supports multi-factor authentication (MFA) for additional user verification. When MFA is enabled, a one-time password (OTP) generated in a mobile authenticator application (like Microsoft Authenticator) is used as a second verification method. The main purpose of using MFA in addition to the standard authentication via username and password is to provide a more secure environment and protect user accounts from being compromised.

Requirements and Limitations for MFA

  • Only users with the Veeam Backup Administrator role can manage MFA.
  • User groups are not supported. You can enable MFA only for user accounts. This means that if any user group is configured to access the VBR console, that group must be removed before enabling MFA. MFA can only be enabled when only individual users are allowed to log in to the VBR console.
  • MFA is not supported for non-interactive connections, such as the REST API.
  • To avoid connection issues, you must disable MFA for the accounts used to run backup infrastructure components.

 

Enabling MFA

Enabling MFA is quite simple. Follow these steps:

  • Go to the main menu and click Users & Roles.

  • In the Security tab:
    • Add the users you want to allow to connect to the VBR console, and choose the proper role for each.
    • Make sure there isn’t any Group in the list. If there is any Group, MFA won’t be enabled.
    • Select the Enable multi-factor authentication (MFA) option, and then click OK.

  • If Configuration Backup is enabled without the Encryption option, it will be disabled for security purposes and you will get a message like the one in the image below. You must configure Encryption to enable Configuration Backup again.

 

Logging In to the VBR Console

Now that MFA is enabled, you can close the VBR Console and log in again to test the feature.

    • After you provide the username and password, you will be asked for a one-time password (OTP), which requires an authenticator app.
      • Open the authenticator app.
      • Register the VBR instance by scanning the QR code or entering the code provided, as you can see in the image below.
      • Click Next.
    • In the authenticator app, in my case Microsoft Authenticator, you will get an OTP.

    • Enter that OTP in the Confirmation code field as shown in the image below. Click Confirm to access the VBR console.

 

Disabling MFA for Service Accounts

As mentioned before, to avoid connection issues, you must disable MFA for the accounts used to run backup infrastructure components. To do this:

  • Go to the main menu and click Users & Roles.
  • In the Security tab, click Add.
  • Select the service account by clicking Browse.
  • Select the This is a service account (disables two-factor authentication) option.

The service account will then appear in the list of users, with MFA disabled for that account.