I don’t believe VEM supports 2FA currently.  The VBR Console can be set up with 2FA, but VEM you need to use Roles for users.

See here - Configuring Accounts and Roles - Veeam Backup Enterprise Manager Guide

correct, VEM dosent support 2FA

but i want to do this with another solution or tools

VEM will not integrate with other tools is what I am saying.  You can do MFA/2FA for the server that has VEM/VBR on it and then do 2FA on VBR as well, but VEM is just roles as per the link I posted.

Hi @miriam1989, here is a comment from Fabian on this topic “If you have an external authentication solution with MFA capabilities, you can already integrate this with the enterprise manager over SAML”: https://forums.veeam.com/veeam-backup-replication-f2/no-mfa-on-enterprise-manager-t85588.html 

Ah yes, I am corrected and forgot about SAML in VEM.  Thanks for sharing that one @Iams3le 

Hi @miriam1989 -

As @Iams3le noted, you can configure MFA with a 3rd party ID Provider; it’s also noted in the User Guide:

https://helpcenter.veeam.com/docs/backup/vsphere/mfa.html?zoom_highlight=unsuccessful+login&ver=120#requirements-and-limitations

See the other section the above link references in the Guide on SAML:

https://helpcenter.veeam.com/docs/backup/em/veeam_backup_em_saml.html?ver=120

Hope this helps.

Just implemented SSO with SAML and MFA. Only issue is that normal login without SAML and MFA is still possible. Is there any way to prevent this?

I just learned in R&D forum that the standard login page can not be removed. For us this the final reason to get rid of BEM. I tried to establish it for our OS teams for restores. But functionality is so limited compared to console that they needed access there anywhere. Now without a way to force MFA its just dead. We don’t use end user self service.