Multi-Factor Authentication
Veeam Backup for Microsoft Azure multi-factor authentication (MFA) is based on the Time-based One-Time Password (TOTP) method. This method requires a user to install an application authentication on the trusted device. The authenticator application will generate temporary six-digit codes used to verify the user identity. Veeam Backup for Microsoft Azure supports Google Authenticator.
You can enable or disable MFA for a Veeam Backup for Microsoft Azure user using the REST API.
To enable MFA for a specific user, do the following:
- To obtain a secret key and a token, send the HTTP POST request to the /users/{id}/enableMfa endpoint.
In the request body, specify the recreate parameter. The parameter indicates whether you want to recreate the existing MFA secret key (true) or to enable MFA for the user (false). Specify the false value for the parameter.
Request: POST https://51.11.247.127/api/v7/users/1423/enableMfa
Request Header: Authorization: Bearer YSEoaL6H9EEyJpnrJ9WhLtzbrrBBYWqMQFDBQuLnp13qGQX6MjNfZ_wriPIRHQrbY-8dYtsWcRZQczIHVuSqbnVb00m-yOihPZZHQ48aP1VcgUtgnYTvtAO3WRJ1cJ8VaIXzsVYKIGrLa1Lm41LsjpMiiPZytkqIUUiphhlXn7Vm10xlTzQUe0TU3HmXK-KD2MiB6qBImaISkEjgCmyIsurSN2mHi1Qo8VlZadnhkBd3v6nD5GEb8Gh4Zw7YAv5klmrnM0iBu7xhev3hVMZvKHGXvGshI3gS24-hIWbSsBGarVnRLSiUzor6QExTGShSa7pIeJWsAtJXLF5a3oSUooUv_YMYe8d5iZEouUuirrw
Request Body: { "recreate": "false" } |
A successfully completed operation returns the 200 response code. In the response body, Veeam Backup for Microsoft Azure returns the secret key, token, recovery scratch codes and the qrString link. The recovery codes must be saved locally.
Response: 200 Response Body: { "userId": "administrator", "qrString": "otpauth://totp/administrator&40ip-172-31-71-115?secret=5XKNCVA54BPWQWCXLJZYLMIBD4&issuer=ip-172-31-71-115", "secretKey": "5XKNCVA54BPWQWCXLJZYLMIBD4", "scratchCodes": [ "79529234", "99447341", "98474119", "94074142", "95269008" ], "token": "M0Q1OEMwOEQ5MTRFNzMwMzE5MTkzMUU5MDVCNjNENzREMTQ0MDYyRUJFNEE0QjI5MzEzNzVEMUE1QURFNzBENA==" } |
- Install Google Authenticator on the trusted device.
- Open Google Authenticator, create an account and enter the secret key manually.
Google Authenticator will generate a six-digit verification code.
Tip |
You can use a QR code to create an account in the authenticator application:
Google Authenticator will automatically create an account and generate a six-digit verification code. |
- To associate the authentication application with the authorization server, send the HTTP POST request to the /users/{id}/acceptMfa endpoint.
In the Authorization header — currently valid access token in the Bearer <access_token> format.
In the request body, specify the following parameters:
- code — the six-digit verification code generated by the authentication application on the trusted device.
- token — the token previously received from the authorization server.
Request: POST https://51.11.247.127/api/v7/users/1423/acceptMfa
Request Header:
Authorization: Bearer YSEoaL6H9EEyJpnrJ9WhLtzbrrBBYWqMQFDBQuLnp13qGQX6MjNfZ_wriPIRHQrbY-8dYtsWcRZQczIHVuSqbnVb00m-yOihPZZHQ48aP1VcgUtgnYTvtAO3WRJ1cJ8VaIXzsVYKIGrLa1Lm41LsjpMiiPZytkqIUUiphhlXn7Vm10xlTzQUe0TU3HmXK-KD2MiB6qBImaISkEjgCmyIsurSN2mHi1Qo8VlZadnhkBd3v6nD5GEb8Gh4Zw7YAv5klmrnM0iBu7xhev3hVMZvKHGXvGshI3gS24-hIWbSsBGarVnRLSiUzor6QExTGShSa7pIeJWsAtJXLF5a3oSUooUv_YMYe8d5iZEouUuirrw
Request Body: { "code": "475112", "token": "M0Q1OEMwOEQ5MTRFNzMwMzE5MTkzMUU5MDVCNjNENzREMTQ0MDYyRUJFNEE0QjI5MzEzNzVEMUE1QURFNzBENA==" } |
A successfully completed operation returns the 204 response code.
Response: 204 |
Note |
In case of losing access to the authenticator application:
|
To disable MFA for a specific user, send the HTTP POST request to the /users/{id}/disableMfa endpoint.
In the Authorization header specify the currently valid access token in the Bearer <access_token> format.
Request: POST https://51.11.247.127/api/v7/users/1423/disableMfa
Request Header:
Authorization: Bearer YSEoaL6H9EEyJpnrJ9WhLtzbrrBBYWqMQFDBQuLnp13qGQX6MjNfZ_wriPIRHQrbY-8dYtsWcRZQczIHVuSqbnVb00m-yOihPZZHQ48aP1VcgUtgnYTvtAO3WRJ1cJ8VaIXzsVYKIGrLa1Lm41LsjpMiiPZytkqIUUiphhlXn7Vm10xlTzQUe0TU3HmXK-KD2MiB6qBImaISkEjgCmyIsurSN2mHi1Qo8VlZadnhkBd3v6nD5GEb8Gh4Zw7YAv5klmrnM0iBu7xhev3hVMZvKHGXvGshI3gS24-hIWbSsBGarVnRLSiUzor6QExTGShSa7pIeJWsAtJXLF5a3oSUooUv_YMYe8d5iZEouUuirrw |
A successfully completed operation returns the 204 response code.
Response: 204 |