This is an archive version of the document. To get the most up-to-date information, see the current version.

Requesting Authorization

The Veeam Backup for Microsoft Azure REST API accepts several grant types to authenticate a Veeam Backup for Microsoft Azure user:

Password
MFA

You can configure single sign-on (SSO) settings in Veeam Backup for Microsoft Azure and retrieve user identities from your identity provider. To authenticate a user retrieved from the identity provider, the Veeam Backup for Microsoft Azure REST API uses single sign-on authorization. For more information on configuring SSO settings, see the Configuring SSO Settings section of the Veeam Backup for Microsoft Azure User Guide.

Using Password Grant Type

To obtain authorization tokens, a user sends the HTTP POST request to the /api/oauth2/token endpoint.

The request body must contain the grant_type parameter with the specified Password value and the credentials of a user created in Veeam Backup for Microsoft Azure. For more information on how to create users, see Users or the Veeam Backup for Microsoft Azure User Guide, section Managing Permissions.

A successfully completed operation returns the 200 response code. In the response body, Veeam Backup for Microsoft Azure returns an access token, its expiration time (in seconds) and a refresh token. The user inserts the access token in headers of further requests to the Veeam Backup for Microsoft Azure REST API. The refresh token must be saved locally.

To learn how to authorize your access using the Password grant type, see Example [Password]. Alternatively, you can use the Swagger UI.

Using MFA Grant Type

Note

MFA is disabled by default. To learn how to enable MFA, see Multi-Factor Authentication or the Veeam Backup for Microsoft Azure User Guide, section Managing Permissions.

If multi-factor authentication (MFA) is enabled for a user, the user must first obtain an mfa token, and then get authorization tokens.

To obtain an mfa token, the user sends the HTTP POST request to the api/oauth2/token endpoint. The request body must contain the grant_type parameter with the specified Password value and the credentials of the user.

A successfully completed operation returns the 200 response code. In the response body, Veeam Backup for Microsoft Azure returns an mfa token.

To obtain an access token and a refresh token, the user must send another HTTP POST request to the api/v3/token endpoint. The request body must contain the grant_type parameter with the specified Mfa value, the mfa token previously received from the authorization server, and the verification code generated by an authentication application on the trusted device.

To learn how to authorize your access using the MFA grant type, see Example [MFA]. Alternatively, you can use the Swagger UI.

Using Single Sign-On

To get authorization using single sign-on, a user must first send the HTTP POST request to the /api/v3/settings/saml2/idp/register endpoint. The request body must contain the content of the metadata file obtained from the identity provider.

A successfully completed operation returns the 200 response code.

To obtain metadata from your service provider, send the HTTP GET request to the /api/v3/settings/saml2/sp/metadata endpoint.

A successfully completed operation returns the 200 response code. In the response body, Veeam Backup for Microsoft Azure returns metadata file.

To obtain the SSO URL, a user sends the HTTP GET request to the /api/v3/settings/saml2/idp endpoint.

A successfully completed operation returns the 200 response code.In the response body, Veeam Backup for Microsoft Azure returns the entityId and loginUrl, that will be used to get an SSO URL and start SSO login process.

To start the SSO login process, send the HTTP GET request to the /api/v3/settings/saml2/idp/authenticate endpoint. Insert identity provider ID and login URL to the request body.

A successfully completed operation returns the 200 response code.In the response body, Veeam Backup for Microsoft Azure returns the redirect SSO URL.

5. To finish SSO settings configuration, a user must pass the service provider authentication settings to the identity provider. To obtain the settings, send the HTTP GET request to the /api/v3/settings/saml2/sp/metadata endpoint.

A successfully completed operation returns the 200 response code and a metadata file with the service provider authentication settings.

Alternatively, you can copy the service provider settings manually. To do that, send the HTTP GET request to the /api/v3/settings/saml2/sp/metadata endpoint. A successfully completed operation returns the 200 response code. In the response body, Veeam Backup for Microsoft Azure returns an ID of the identity provider and login URL.

Tip

If you want to sign and encrypt authentication requests sent from Veeam Backup for Microsoft Azure to the identity provider, you must select a certificate with a private key that will be used for encryption and signing:

Send the HTTP PUT request to the /api/v3/settings/saml2/sp/certificate endpoint.
In the request body insert the content of the certificate file and specify a password.
A successfully completed operation returns the 200 response code

Example [Password]

To obtain an access token and a refresh token, a user sends the HTTP POST request to the api/oauth2/token endpoint.

In the request body, the user specifies the following parameters:

grant_type — the Password value must be specified for this parameter.
Username and Password — credentials used to access the server; in this example, administrator and Password1 are used.

Request:

POST https://51.11.247.127/api/oauth2/token

Request Header:

Content-Type: application/x-www-form-urlencoded

Request Body:

Username=administrator&Password=Password1&grant_type=Password

The server sends a response in the following format.

Response:

200

Response Body:

{

"access_token": "eyJhbGciOiJSUzUxMiIsImtpZCI6IjUxOUMwRDlFMkRCRTcxQ0E5RkJBOTU3QkJBNENGNEJGMjBCMkM2QzMiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiIwY2QyMDU3Ni05MzEwLTQ5NGYtOGM4ZS01OWEwZjRmMDc1MmMiLCJuYW1laWQiOiI2ZjQyMzZjMi0xNjI2LTRjZmItOGVlYy00OTYxZTU3YTAyNDEiLCJ1bmlxdWVfbmFtZSI6ImFsZW5rYSIsInJvbGUiOiJQb3J0YWxBZG1pbiIsIm5iZiI6MTYzMzM1OTQ1OCwiZXhwIjoxNjMzMzYzMDU4LCJpYXQiOjE2MzMzNTk0NTgsImF1ZCI6ImFwaS9kZWZhdWx0LzVkMDRjMTc4LWVkYWItNDY0ZS1iNWI3LWRiOTZmOWM5YTk5YiJ9.AqDBc0QrXzcwxaIpAcw2XJsQqQPwDYiZvFoFgcbQc0zVqIfLezqb4hP0d9H-b63_vXGRFoUPJLu0dZxbEBL-i8SmP-QQGcGAWZ3uZdU0yWiH4OBPmXPjsnOlFHQN4uylLDuc_bjVCm9svUfW_eSeOLn7CRhMjHQmRv6C9ehEIyLNBThIiSa9_23Feg1DoqduDgN58XglGIxiia_yfJYcI-zbup2DQ3MTT6J3z7RxDBc2FkAC0IRPN5k2V8nOXfaGdWdNPQdkMn1NjAxXbBEguC1l5yPtBh55VMJpECmYDDMfE4GDjQYsm5Gv-LEG6iN26jTFgvo7dfSUzjT5FgpDxQ",

"token_type": "bearer",

"refresh_token": "eyJhbGciOiJSUzUxMiIsImtpZCI6IjUxOUMwRDlFMkRCRTcxQ0E5RkJBOTU3QkJBNENGNEJGMjBCMkM2QzMiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiIwY2QyMDU3Ni05MzEwLTQ5NGYtOGM4ZS01OWEwZjRmMDc1MmMiLCJuYW1laWQiOiI2ZjQyMzZjMi0xNjI2LTRjZmItOGVlYy00OTYxZTU3YTAyNDEiLCJ1bmlxdWVfbmFtZSI6ImFsZW5rYSIsInJvbGUiOiJQb3J0YWxBZG1pbiIsIm5iZiI6MTYzMzM1OTQ1OCwiZXhwIjoxNjM0NTY5MDU4LCJpYXQiOjE2MzMzNTk0NTgsImF1ZCI6ImF1dGgvcmVmcmVzaC85YTA0OWRmNi02ZWUxLTRjYzktOThiNy0wZWZkMDA1NjYwN2QifQ.4ff9xxC9Pdxbbj60P4PTCfPu0CuOW7jzvqy_nTON9c78YGgw23iTgxHekl4oGCHm480jkzPW7uXBI1ghCQUJ6t4qOCtuR5d755deNGpmew4lYGsRoyBfEMmKOoCsl56pK9_NwQo8I-BcSvRKL7X8FHRCrfaaI5kAxEiEZjyoHJpF3J3g8UIpsgpkXoLT9rG3jAvTkV2fcVIxZh7yNeEeEOmSks1G46z_1L__onrWsgreHd0g6OdA806L3--cVbFxm6G8qxC4Jem05aq3Mej7THSzcAdXlpVgWcdZgTyGpJjz5RXarR2eNgCNBPJEdXSJ5kLg_p6GqpFFEcsW9ptExg",

"expires_in": 3600,

".issued": "2021-10-04T14:57:38.1832163Z",

".expires": "2021-10-04T15:57:38.1791726Z",

"userId": "6f6356c2-1626-4cfb-8eec-4961e57a0241",

"username": "administrator",

"roleName": "PortalAdmin",

"userType": "Internal",

"latestNewsShown": true,

"mfa_enabled": false,

"shortLived": false

}

Example [MFA]

To access the REST API when MFA is enabled, a user must do the following:

To obtain an mfa token, the user sends the HTTP POST request to the api/oauth2/token endpoint.

In the request body, the user specifies the following parameters:

grant_type — the Password value must be specified for this parameter.
Username and Password — credentials used to access the server; in this example, administrator and Password1 are used.

Request:

POST https://51.11.247.127/api/oauth2/token

Request Body:

Username=administrator&Password=Password1&grant_type=Password

The server sends a response in the following format.

Response:

200

Response Body:

{

"token_type": "bearer",

"expires_in": 0,

".issued": "0001-01-01T00:00:00Z",

".expires": "0001-01-01T00:00:00Z",

"userId": "d5022b05-574f-494e-9414-797834d5d411",

"username": "administrator",

"roleName": "PortalOperator",

"userType": "Internal",

"latestNewsShown": true,

"mfa_enabled": true,

"mfa_token": "MDhDQjQ4RENDNEU1QzA1ODFFMTQxRUE0QTZGQTUyMzFDQzczMUQxRDFEREZGMzI1N0NFMjQxNzFFODRERjUxOQ==",

"shortLived": false

}

To obtain an access token and a refresh token, the user sends the HTTP POST request to the api/oauth2/token endpoint.

In the request body, the user specifies the following parameters:

grant_type — the Mfa value must be specified for this parameter.
mfa_token — the mfa token previously received from the authorization server.
mfa_code — the six-digit verification code generated on the trusted device.

Request:

POST https://51.11.247.127/api/oauth2/token

Request Body:

grant_type=Mfa&mfa_token=NkZFMzc4RjA4NzJCQzk1QjU3NTY1Mzc2RTU1MjVCODkzOThDQjdGODMzNDVDMEY0QUZGRTIzMjZFQTNDQ0QxRg==&mfa_code=346816

The server sends a response in the following format.

Response:

200

Response Body:

{

"access_token": "eyJhbGciOiJSUzUxMiIsImtpZCI6IjUxOUMwRDlFMkRCRTcxQ0E5RkJBOTU3QkJBNENGNEJGMjBCMkM2QzMiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiJmZTRhYjc1Yi1lOGNlLTQ2OTEtODFlNC02OGRhYzI2ZDZlODEiLCJuYW1laWQiOiJkNTAyMmIwNS01NzRmLTQ5NGUtOTQxNC03OTc4MzRkNWQ0MTEiLCJ1bmlxdWVfbmFtZSI6InBvcnRhbCIsInJvbGUiOiJQb3J0YWxPcGVyYXRvciIsIm5iZiI6MTYzMzM1OTcyNiwiZXhwIjoxNjMzMzYzMzI2LCJpYXQiOjE2MzMzNTk3MjYsImF1ZCI6ImFwaS9kZWZhdWx0LzVkMDRjMTc4LWVkYWItNDY0ZS1iNWI3LWRiOTZmOWM5YTk5YiJ9.3UlRQqTtxGtNaD6QE-tNORUJ3ILcQFjVmumX4HIESu-qxOMSKIqbvNPQQ102cT6g0qHg0l-hzvGK1tLAKhCu_UMge8-lWosMuwKrhyR-A7sDASAYQPDG-3oDqVqjUEaPfRKsVtMtGqsZdp6ngbszB1ELUNY1PUZ5PgwXpdDoACtytzdqktl5c8NnoQ6ZU44KpaGuB3d2EuK14EM91tAMvFFqV2q9fn9vQg1PRD7TDzvPagW3qRoxPyw61wxUc3U-TOzEBc-7nwRmrf10xqZSO6Vyg4JWmzBx4uAKqIzhpG_DJBnNrHtJrBxXwzUCFxuzt_NCWBJ41PH-FIuzyYHI-Q",

"token_type": "bearer",

"refresh_token": "eyJhbGciOiJSUzUxMiIsImtpZCI6IjUxOUMwRDlFMkRCRTcxQ0E5RkJBOTU3QkJBNENGNEJGMjBCMkM2QzMiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiJmZTRhYjc1Yi1lOGNlLTQ2OTEtODFlNC02OGRhYzI2ZDZlODEiLCJuYW1laWQiOiJkNTAyMmIwNS01NzRmLTQ5NGUtOTQxNC03OTc4MzRkNWQ0MTEiLCJ1bmlxdWVfbmFtZSI6InBvcnRhbCIsInJvbGUiOiJQb3J0YWxPcGVyYXRvciIsIm5iZiI6MTYzMzM1OTcyNiwiZXhwIjoxNjM0NTY5MzI2LCJpYXQiOjE2MzMzNTk3MjYsImF1ZCI6ImF1dGgvcmVmcmVzaC85YTA0OWRmNi02ZWUxLTRjYzktOThiNy0wZWZkMDA1NjYwN2QifQ.m28hKov6-XY-mMZRNrf453psNM-uL3jzcPXCnxth-B4uKq_7c_Sc03zelxpry9SJtJYcHc2lQMBfHelcUNN6azKF8I0pfNAGH_csYyoENZYoM4n2q441kBpamnAvEE5IKTFsIWlBu4ccHLS9UpZFEBr9X-0JOPlJ1MuNdyo8qtUP4hPKAT3llhHJZzOxTG6Uac4pCf82CgbCiHp5yCKNpzQ6KVCMPzlL94SdyB05EVlNmpZI4vwTmiryn-vXMpK6p7rGnqG2fSMCI1of8JwAqWZNtnuLdk2xKRas87ZHqWzv2q-4aRQP7ph0Fjfmk8WIk3ZlblRy-CvRr5PtB1ly3g",

"expires_in": 3600,

".issued": "2021-10-04T15:02:06.8846099Z",

".expires": "2021-10-04T16:02:06.8802955Z",

"userId": "d5022b05-574f-494e-9414-797834d5d411",

"username": "administrator",

"roleName": "PortalOperator",

"userType": "Internal",

"latestNewsShown": true,

"mfa_enabled": false,

"shortLived": false

}