I can’t answer this, but recently tried the MFA using the OTP generator in 1password for a login somewhere and man that thing is sweet.

Autofills the webpage - nice.

syncs between devices  - nice.

when my phone dies, gets lost or upgraded, just reinstall the app - nice.

As an MSP, when there is some sort of shared login, it’s kept in IT Glue’s virtual MFA.  Pretty slick.

For my own logins, I’ve been using Duo except I also use the Microsoft Authenticator which I’ve had to use in the past for some sites (Barracuda Cloud Control to start because it was unreliable at best with Duo), and the MS Authenticator does a better job of backing up and restoring 3rd party accounts.  I’m now transitioning my 3rd party accounts away from the Duo authenticator and only using it for the Duo managed accounts.  

To answer you question:

No, to my knowledge you cannot use the API with a MFA enabled account. (its not possible on VBR12 so i think it also applies to VSPC although its a totally separate authentication system.

I also did a reset for a admin user (on VSPC7) and that worked just fine.
Did you also create a Supportcase for this?

I haven’t but will need to.  It’s been a lower priority item though.

Hi @dloseke 

Just wrote a bit of code for you (couldnt find the one I created before for the previous VSPC version.
Its untested but should work:

## variables
$server = ''  #VSPC url
$port = '443'
$version = '3' 
$AuthToken = '' #API token with read/write

## api calls
$headers=@{}
$headers.Add("Content-Type", "application/json; charset=utf-8")
$headers.Add("Accept", "application/json")
$headers.Add("Authorization", "Bearer $($AuthToken)")


# first get all organizations
$page = 0
$objects = @()
$objects = do { 
    $endpoint = "organizations"
    #request page
    $request = Invoke-RestMethod -uri "https://$($server):$($port)/api/v$($version)/$($endpoint)?limit=100&offset=$page" -Method GET -headers $headers 

    #save results
    $request.data

    #go to next page
    $page += $request.meta.pagingInfo.count

    #wait (429)
    Start-Sleep -Milliseconds 1000 

} while ($request.meta.pagingInfo.offset -ne $request.meta.pagingInfo.total)

$providerinstance = $objects | Where-Object {$_.type -eq "provider"} 

# get all users
$page = 0
$objects = @()
$objects = do { 
    $endpoint = "users/logins"
    #request page
    $request = Invoke-RestMethod -uri "https://$($server):$($port)/api/v$($version)/$($endpoint)?limit=100&offset=$page" -Method GET -headers $headers 

    #save results
    $request.data

    #go to next page
    $page += $request.meta.pagingInfo.count

    #wait (429)
    Start-Sleep -Milliseconds 1000 

} while ($request.meta.pagingInfo.offset -ne $request.meta.pagingInfo.total)

# select users in provider company
$providerusers = $objects | ? {$_.companyid -eq $providerinstance.instanceUid} 
$providerusers | ft -AutoSize

# disable MFA
$useruuid = "uuid" # set uuid from previous step

#create payload
$body = @(@PSCustomObject]@{
        value = "replace"
        path  = 'mfaPolicyStatus'
        op    = 'disabled'
    }
)
$json_body = convertto-json -InputObject $body

#send patch request to disable MFA for user
$request = Invoke-RestMethod -uri "https://$($server):$($port)/api/v$($version)/users/$($useruuid)" -Method PATCH -headers $headers -body

## variables
$server = ''  #VSPC url
$port = '443'
$version = '3' 
$AuthToken = '' #API token with read/write

## api calls
$headers=@{}
$headers.Add("Content-Type", "application/json; charset=utf-8")
$headers.Add("Accept", "application/json")
$headers.Add("Authorization", "Bearer $($AuthToken)")


# first get all organizations
$page = 0
$objects = @()
$objects = do { 
    $endpoint = "organizations"
    #request page
    $request = Invoke-RestMethod -uri "https://$($server):$($port)/api/v$($version)/$($endpoint)?limit=100&offset=$page" -Method GET -headers $headers 

    #save results
    $request.data

    #go to next page
    $page += $request.meta.pagingInfo.count

    #wait (429)
    Start-Sleep -Milliseconds 1000 

} while ($request.meta.pagingInfo.offset -ne $request.meta.pagingInfo.total)

$providerinstance = $objects | Where-Object {$_.type -eq "provider"} 

# get all users
$page = 0
$objects = @()
$objects = do { 
    $endpoint = "users/logins"
    #request page
    $request = Invoke-RestMethod -uri "https://$($server):$($port)/api/v$($version)/$($endpoint)?limit=100&offset=$page" -Method GET -headers $headers 

    #save results
    $request.data

    #go to next page
    $page += $request.meta.pagingInfo.count

    #wait (429)
    Start-Sleep -Milliseconds 1000 

} while ($request.meta.pagingInfo.offset -ne $request.meta.pagingInfo.total)

# select users in provider company
$providerusers = $objects | ? {$_.companyid -eq $providerinstance.instanceUid} 
$providerusers | ft -AutoSize

# disable MFA
$useruuid = "uuid" # set uuid from previous step

#create payload
$body = @( PSCustomObject]@{
        value = "replace"
        path  = 'mfaPolicyStatus'
        op    = 'disabled'
    }
)
$json_body = convertto-json -InputObject $body

#send patch request to disable MFA for user
$request = Invoke-RestMethod -uri "https://$($server):$($port)/api/v$($version)/users/$($useruuid)" -Method PATCH -headers $headers -body

Thanks...I’ll check this out next chance I get!

Hi @dloseke ,

By accident I found the API reference for removing the MFA device that is attached to a user:

https://helpcenter.veeam.com/docs/vac/rest/mfa.html?ver=80

The link to the api reference doesn’t work but here is the correct one: https://helpcenter.veeam.com/docs/vac/rest/reference/vspc-rest.html?ver=80#tag/Accounts/operation/UpdateUserLogin

The fix for you should be: send a patch with the property "mfaPolicyStatus” on disabled.
So I think the script should work :-)

The datamodel for the payload for this endpoint: