Multi-Factor Authentication

Veeam Backup for Microsoft Azure multi-factor authentication (MFA) is based on the Time-based One-Time Password (TOTP) method. This method requires a user to install an application authentication on the trusted device. The authenticator application will generate temporary six-digit codes used to verify the user identity. Veeam Backup for Microsoft Azure supports Google Authenticator.

You can enable or disable MFA for a Veeam Backup for Microsoft Azure user using the REST API.

Enabling MFA

To enable MFA for a specific user, do the following:

  1. To obtain a secret key and a token, send the HTTP POST request to the /users/{id}/enableMfa endpoint.

In the request body, specify the recreate parameter. The parameter indicates whether you want to recreate the existing MFA secret key (true) or to enable MFA for the user (false). Specify the false value for the parameter.

Request:

POST https://51.11.247.127/api/v7/users/1423/enableMfa

 

Request Header:

Authorization: Bearer YSEoaL6H9EEyJpnrJ9WhLtzbrrBBYWqMQFDBQuLnp13qGQX6MjNfZ_wriPIRHQrbY-8dYtsWcRZQczIHVuSqbnVb00m-yOihPZZHQ48aP1VcgUtgnYTvtAO3WRJ1cJ8VaIXzsVYKIGrLa1Lm41LsjpMiiPZytkqIUUiphhlXn7Vm10xlTzQUe0TU3HmXK-KD2MiB6qBImaISkEjgCmyIsurSN2mHi1Qo8VlZadnhkBd3v6nD5GEb8Gh4Zw7YAv5klmrnM0iBu7xhev3hVMZvKHGXvGshI3gS24-hIWbSsBGarVnRLSiUzor6QExTGShSa7pIeJWsAtJXLF5a3oSUooUv_YMYe8d5iZEouUuirrw

 

Request Body:

{

 "recreate": "false"

}

A successfully completed operation returns the 200 response code. In the response body, Veeam Backup for Microsoft Azure returns the secret key, token, recovery scratch codes and the qrString link. The recovery codes must be saved locally.

Response:

200

Response Body:

{

 "userId": "administrator",

 "qrString": "otpauth://totp/administrator&40ip-172-31-71-115?secret=5XKNCVA54BPWQWCXLJZYLMIBD4&issuer=ip-172-31-71-115",

 "secretKey": "5XKNCVA54BPWQWCXLJZYLMIBD4",

 "scratchCodes": [

   "79529234",

   "99447341",

   "98474119",

   "94074142",

   "95269008"

 ],

 "token": "M0Q1OEMwOEQ5MTRFNzMwMzE5MTkzMUU5MDVCNjNENzREMTQ0MDYyRUJFNEE0QjI5MzEzNzVEMUE1QURFNzBENA=="

}

  1. Install Google Authenticator on the trusted device.
  2. Open Google Authenticator, create an account and enter the secret key manually.

Google Authenticator will generate a six-digit verification code.

Tip

You can use a QR code to create an account in the authenticator application:

  1. On another device, open a QR code generator in a web browser.
  2. In the QR code generator, insert the qrString link returned by Veeam Backup for Microsoft Azure. The QR code generator will display a QR code.
  3. On your trusted device, open Google Authenticator and choose the Scan barcode option.
  4. Scan the displayed QR code using the device camera.

Google Authenticator will automatically create an account and generate a six-digit verification code.

  1. To associate the authentication application with the authorization server, send the HTTP POST request to the /users/{id}/acceptMfa endpoint.

In the Authorization header — currently valid access token in the Bearer <access_token> format.

In the request body, specify the following parameters:

Request:

POST https://51.11.247.127/api/v7/users/1423/acceptMfa

 

Request Header:

 

Authorization: Bearer YSEoaL6H9EEyJpnrJ9WhLtzbrrBBYWqMQFDBQuLnp13qGQX6MjNfZ_wriPIRHQrbY-8dYtsWcRZQczIHVuSqbnVb00m-yOihPZZHQ48aP1VcgUtgnYTvtAO3WRJ1cJ8VaIXzsVYKIGrLa1Lm41LsjpMiiPZytkqIUUiphhlXn7Vm10xlTzQUe0TU3HmXK-KD2MiB6qBImaISkEjgCmyIsurSN2mHi1Qo8VlZadnhkBd3v6nD5GEb8Gh4Zw7YAv5klmrnM0iBu7xhev3hVMZvKHGXvGshI3gS24-hIWbSsBGarVnRLSiUzor6QExTGShSa7pIeJWsAtJXLF5a3oSUooUv_YMYe8d5iZEouUuirrw

 

Request Body:

{

 "code": "475112",

 "token": "M0Q1OEMwOEQ5MTRFNzMwMzE5MTkzMUU5MDVCNjNENzREMTQ0MDYyRUJFNEE0QjI5MzEzNzVEMUE1QURFNzBENA=="

}

A successfully completed operation returns the 204 response code.

Response:

204

Note

In case of losing access to the authenticator application:

  • To get authorization in Veeam Backup for Microsoft Azure, the user can use a recovery scratch code saved locally instead of a verification code. Each recovery code can be used only once.
  • To recreate the MFA secret key for a new device if the trusted device is lost or broken, repeat step 1 (specify the true value for the recreate parameter), and then repeat steps 2, 3 and 4.

Disabling MFA

To disable MFA for a specific user, send the HTTP POST request to the /users/{id}/disableMfa endpoint.

In the Authorization header specify the currently valid access token in the Bearer <access_token> format.

Request:

POST https://51.11.247.127/api/v7/users/1423/disableMfa

 

Request Header:

 

Authorization: Bearer YSEoaL6H9EEyJpnrJ9WhLtzbrrBBYWqMQFDBQuLnp13qGQX6MjNfZ_wriPIRHQrbY-8dYtsWcRZQczIHVuSqbnVb00m-yOihPZZHQ48aP1VcgUtgnYTvtAO3WRJ1cJ8VaIXzsVYKIGrLa1Lm41LsjpMiiPZytkqIUUiphhlXn7Vm10xlTzQUe0TU3HmXK-KD2MiB6qBImaISkEjgCmyIsurSN2mHi1Qo8VlZadnhkBd3v6nD5GEb8Gh4Zw7YAv5klmrnM0iBu7xhev3hVMZvKHGXvGshI3gS24-hIWbSsBGarVnRLSiUzor6QExTGShSa7pIeJWsAtJXLF5a3oSUooUv_YMYe8d5iZEouUuirrw

A successfully completed operation returns the 204 response code.

Response:

204