Veeam Backup and Replication MFA: The Simple Change that Stops Stolen Passwords
Why this guide exists
Backups are the last safety net. Attackers know this and go after the Veeam console early. Multi-Factor Authentication (MFA) means a stolen password is no longer enough on its own: the login also needs a one-time code from an authenticator app. Follow this guide to enable MFA in Veeam Backup & Replication v12 or later and cut the risk of an account takeover dramatically.
If you prefer us to set this up and add offsite, immutable protection, see Rismor Cloud Backup. Keep your local Veeam for speed. We handle the resilient offsite vault attackers cannot reach.
What you will get by the end
• MFA enforced for Veeam console logins (v12 and newer)
• A clean, repeatable setup flow with screenshots
• Answers to common “what if” questions before they arise
• A clear next step to add offsite, immutable protection
Want the done-for-you route with monthly restore drills? See how our Cloud Backup works.
1) Understand the risk and the fix
The risk without MFA
One leaked or phished password equals full console access. From there, an attacker can disable or delete jobs, remove repositories and delete restore points so that nothing is left to restore. Password-only logins are the weak link.
What MFA changes
Even with the right password, the attacker still needs the current 6-digit code from your phone, and that code changes every 30 seconds. No code, no entry. The console becomes significantly harder to breach.
2) Prerequisites (keeps setup smooth)
• Veeam Backup & Replication v12 or later
• Console access with a user in the Veeam Backup Administrator role
• Authenticator app (e.g. Microsoft Authenticator, Google Authenticator)
• List of named admin accounts that should log in (Veeam enforces MFA per user account; groups cannot enroll, and MFA cannot be enabled while a group still holds a role)
Question you would ask later: Can groups use MFA? No. Remove the groups, add the named users you want to enforce, then enable MFA.
3) Enable MFA in the Veeam console
Open Security settings
Launch the Veeam console as an administrator. Open the main menu (top-left) and choose Users and Roles; the MFA setting lives in that dialog.
Use named users (not the Administrators group)
Click Add first and add the named admin accounts that should log in, assigning Veeam Backup Administrator where needed. Then, if you see the local Administrators group listed (the installer grants it Veeam Backup Administrator by default), select it and click Remove. Adding before removing means you cannot lock yourself out of the console.
Turn on MFA
Tick Enable multi-factor authentication (MFA). Optionally tick Enable auto logoff after <n> minutes, which bounds how long an unattended, already-authenticated console session stays usable. Click OK. MFA is now enforced for the listed users.
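The three steps above, as an audit script. This is an added example in PowerShell, not Veeam's own code: it lists the current role assignments, flags group principals that must go before MFA can be enabled, and (with -Fix) adds any named admins from your list that are missing. It assumes the Veeam PowerShell module (Veeam.Backup.PowerShell) is installed on the backup server, that the objects returned by Get-VBRUserRoleAssignment expose Name and Role properties as they do in v12 (check with Get-Member if your version differs), and that $NamedAdmins holds your own accounts; the CORP\ names and the group-matching regex are placeholders for this example. Ticking the MFA box itself, and removing the group, stay in the console on purpose: remove the group only after a named admin has signed in successfully.

```powershell
# Added example, not Veeam's own code. Assumes the Veeam.Backup.PowerShell
# module is present on the backup server and that Get-VBRUserRoleAssignment
# returns objects with Name and Role properties (v12 behaviour; verify with
# Get-VBRUserRoleAssignment | Get-Member if your version differs).
param(
    # Placeholder accounts: replace with the named admins who should log in.
    [string[]]$NamedAdmins = @('CORP\bkp-alice', 'CORP\bkp-bob'),
    # Pass -Fix to add the missing named admins; without it the script only reports.
    [switch]$Fix
)

Import-Module Veeam.Backup.PowerShell -ErrorAction Stop
Connect-VBRServer -Server localhost   # run in an elevated session on the backup server

$assignments = @(Get-VBRUserRoleAssignment)

# Heuristic (an assumption for this example): principals that look like groups
# rather than single accounts. Extend the pattern for your own domain groups.
$groupPattern = '^(BUILTIN\\|NT AUTHORITY\\)|\\(Administrators|Domain Admins|Backup Operators)$'
$groups = @($assignments | Where-Object { $_.Name -match $groupPattern })

'Current Users and Roles assignments:'
$assignments | Format-Table Name, Role -AutoSize

if ($groups.Count -gt 0) {
    Write-Warning ('Group principals found; MFA cannot be enabled until they are removed: ' +
                   ($groups.Name -join ', '))
} else {
    'No group principals found.'
}

# Which of the wanted named admins already hold a role, and which do not.
$present = @($assignments | Where-Object { $_.Name -in $NamedAdmins })
$missing = @($NamedAdmins | Where-Object { $_ -notin $present.Name })

if ($missing.Count -gt 0) {
    Write-Warning ('Named admins not yet assigned a role: ' + ($missing -join ', '))
}

if ($Fix) {
    foreach ($acct in $missing) {
        Add-VBRUserRoleAssignment -User $acct -Role 'Veeam Backup Administrator'
        "Added $acct as Veeam Backup Administrator"
    }
    if ($groups.Count -gt 0) {
        # Group removal is deliberately left to the console: do it only after one
        # of the named admins has signed in, so the change cannot lock you out.
        'Next: sign in as a named admin, then remove the group(s) above in Users and Roles and tick Enable MFA.'
    }
}

Disconnect-VBRServer
```

Run it once without -Fix to see the report, then with -Fix after you have confirmed the list of named admins is complete. Re-run it after enabling MFA; the report should show only named accounts.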
4) User enrollment (first login with MFA)
Scan the QR code
Each user signs out and back in. After entering their username and password, Veeam shows a one-time QR code. In the authenticator app, add a new account and scan the code (or enter the key manually).
Confirm the 6-digit code
Enter the current 6-digit code from the authenticator into the Veeam prompt and submit. Enrollment is complete. From now on, every login is password first, code second.
5) Daily use (what changes)
Login flow
Open the console, type username and password, then enter the 6-digit code from your app. Codes are time-based (TOTP): each one is derived from the secret you scanned at enrollment plus the current 30-second window, so they rotate every 30 seconds and the app needs no internet connection; codes are generated on the device. The only thing the phone must have right is its clock. A device that is minutes off will produce codes Veeam rejects, so check the time before assuming enrollment is broken.
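How the code is produced, as an added PowerShell example. This is not the page's or Veeam's own code, and nothing you need to run to enroll: it implements the same time-based one-time password (TOTP, RFC 6238) that Microsoft Authenticator and Google Authenticator compute, which is also what the "enter the key manually" option in the enrollment step is feeding the app. It base32-decodes the secret, HMAC-SHA1s the current 30-second counter with it and keeps six digits. The secret in the block is the RFC 6238 reference key, used only so the built-in self-check has a known correct answer; it is unrelated to any real enrollment. Run it on any Windows machine with no network access and the code it prints will match an app enrolled with the same secret, which is the point: the only shared inputs are the secret and the clock.

```powershell
# Added example, not part of the original page or of Veeam. Computes a 6-digit
# TOTP (RFC 6238, HMAC-SHA1, 30-second step) from a base32 secret, offline.

function ConvertFrom-Base32 {
    # Decode an RFC 4648 base32 string (the format behind QR codes / manual keys).
    param([string]$Text)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = ''
    foreach ($c in $Text.ToUpper().Replace(' ', '').TrimEnd('=').ToCharArray()) {
        $idx = $alphabet.IndexOf($c)
        if ($idx -lt 0) { throw "Invalid base32 character '$c'" }
        $bits += [Convert]::ToString($idx, 2).PadLeft(5, '0')
    }
    $bytes = for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        [Convert]::ToByte($bits.Substring($i, 8), 2)
    }
    return [byte[]]$bytes
}

function Get-TotpCode {
    # Code for the 30-second window containing $UnixTime (default: now, UTC).
    param(
        [byte[]]$Key,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Step = 30,
        [int]$Digits = 6
    )
    $counter = [long][math]::Floor($UnixTime / $Step)
    # The HMAC message is the counter as an 8-byte big-endian integer.
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }
    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Key)
    $hash = $hmac.ComputeHash($msg)
    # Dynamic truncation: low nibble of the last byte picks a 4-byte window.
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $binary = (($hash[$offset] -band 0x7F) -shl 24) -bor
              (($hash[$offset + 1] -band 0xFF) -shl 16) -bor
              (($hash[$offset + 2] -band 0xFF) -shl 8) -bor
              ($hash[$offset + 3] -band 0xFF)
    return ($binary % [int][math]::Pow(10, $Digits)).ToString().PadLeft($Digits, '0')
}

# Self-check against RFC 6238 Appendix B (SHA-1 rows, 6 rightmost digits).
# This key is the RFC's public test value, not a real secret.
$rfcKey = ConvertFrom-Base32 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
if ((Get-TotpCode -Key $rfcKey -UnixTime 59) -ne '287082') { throw 'TOTP self-check failed (T=59)' }
if ((Get-TotpCode -Key $rfcKey -UnixTime 1111111109) -ne '081804') { throw 'TOTP self-check failed (T=1111111109)' }

# The same secret and the same clock give the same code, with no network involved.
$now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$remaining = 30 - ($now % 30)
"Code now: $(Get-TotpCode -Key $rfcKey -UnixTime $now) (rotates in $remaining s)"
"Previous window: $(Get-TotpCode -Key $rfcKey -UnixTime ($now - 30))"
```

Two practical consequences follow from the code: the secret is the whole game (anyone who copies it can mint valid codes, which is why a screenshot of the QR code is as sensitive as a password), and a phone whose clock drifts by more than a window or two will disagree with the server even though nothing is "broken".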
Who needs MFA codes
Only the interactive users you added in Users and Roles. Accounts used for PowerShell or REST API automation can be added with the Service account option, which exempts them from MFA; give those accounts strong, unique credentials and the narrowest role that works, because they are now the path around MFA. Keep human logins protected by MFA; keep automation predictable.
6) Frequently solved problems
I lost my phone
Ask a backup administrator to open Users and Roles, select your account and click Reset MFA. Next login, you will be prompted to re-enroll by scanning a new QR code. If your authenticator supports backup/restore, you can also recover your tokens there. Treat every reset as a privileged change: confirm the request out of band, since "I lost my phone" is also what an attacker with a stolen password would say.
We forgot to remove the Administrators group
Add the named admin accounts first, confirm one of them can log in, then remove the group. Veeam enforces MFA only for named user accounts, so a broad group left in place blocks MFA from being enabled and hands every member of local Administrators a console login. Removing it closes that unintended backdoor.
Will MFA slow people down?
It adds a single code at sign-in. Most admins find it adds seconds, not minutes. The trade is a major jump in security for a tiny habit change.
Can someone bypass MFA?
MFA protects authentication to the Veeam console, PowerShell and REST API, and nothing else. It does not protect a Windows logon or RDP session on the backup server itself, and an attacker who is already a local administrator there can stop services or reach the configuration database without ever seeing the MFA prompt. So: restrict who can log on to the backup server at all, treat service accounts (which skip MFA) as privileged secrets, use auto logoff so idle sessions expire, keep Veeam patched and the OS updated, and review role assignments regularly. MFA plus timely updates and role hygiene closes off the common attack paths.
7) Stronger together: MFA + immutable + offsite
MFA protects the door. Immutable and offsite backups protect the data if someone still gets in. Use a Linux Hardened Repository for local immutability and add an offsite, isolated copy so you can recover even if your site is compromised. That is where we come in.
We run Rismor Cloud Backup: immutable, snapshot-replicated backups in the UK, separate from your network. Even if attackers wipe local backups, your history survives. Simple pricing. Human support. Monthly restore drills available.
Appendix: quick reference
Checklist
• Identify named admin users
• Remove broad groups from Users and Roles
• Enable MFA and auto-logoff
• Enrol each user (scan QR, enter code)
• Test restore access with MFA in place
Good practice
• Patch Veeam and Windows regularly
• Review who has console access quarterly
• Pair MFA with immutable local storage and offsite copies
• Run evidence-based restore tests