Enabling and Disabling Multi-Factoring Authentication
Veeam Recovery Orchestrator supports multi-factor authentication (MFA) for additional user verification, which allows Administrators to enable, disable and reset MFA for all users and user groups working with the Orchestrator UI. MFA in Veeam Recovery Orchestrator is based on the Time-based One-Time Password (TOTP) method that requires the user to verify their identity by providing a temporary six-digit code generated by an authentication application running on a trusted device.
To enable or disable MFA, do the following:
- Switch to the Administration page.
- Navigate to Scope Users.
- Click Enable MFA or Disable MFA. As a result, the statuses of all user accounts added to Orchestrator will change to Not configured or Disabled.
When a user logs in to the Orchestrator UI for the first time, they must do the following:
- Install a supported authentication application on a trusted device. Note that only Google Authenticator and Microsoft Authenticator are fully supported by Orchestrator.
- Scan the displayed QR code using the camera of the trusted device.
- Enter a verification code generated by the authentication application. Note that mobile push notifications are not supported — you can get a verification code only in the authentication application installed at step 1.
Important |
To avoid connection failures, make sure that the system time on the trusted device that you are using is synchronized with the system time on the machine where Orchestrator is installed. |
- Click Confirm. As a result, the status of the user account will change to Configured.
Tip |
As a workaround, the Administrator can add a new user to the user group in Windows settings of their workstation or domain controller. Since Windows settings are synchronized with the configuration database of the Orchestrator server, the new user will also be added to the user group in Orchestrator and then will become able to reset MFA for the Administrator and all other users. |