Maintain control of your Microsoft 365 data
sdv
Influencer
Joined: Jan 09, 2018 8:12 am
Full Name: Stefan

Feature request VeeamO365: Security hardening - allow login only for listed accounts in users and roles

Post by sdv »

Hello Veeam,

Every 'local administrator' can use the VeeamO365 console even though the account is not configured or listed in users and roles or does not have MFA enabled.

To quote the documentation:
Built-in administrator accounts (Domain\Administrator and Machine\Administrator) always have full access to Veeam Backup for Microsoft 365, even if you exclude them from the Veeam Backup Administrator role. If you delete the Administrators group from the Veeam Backup Administrator role, the users who are added to this group will still have access to Veeam Backup for Microsoft 365.
Source: https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=80

To my surprise, the users and roles (+MFA) functionality in Veeam O365 V8 behaves differently from the one in the Veeam Backup & Replication console. When it was announced I was expecting the same behavior. In the latter you must list the user in users & roles, otherwise it gets an access denied regardless of whether the account is a local admin.

Will this functionality be added soon? --> Harden the users and roles, make it mandatory to be listed else access denied.
Mildur
Product Manager
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Feature request VeeamO365: Security hardening - allow login only for listed accounts in users and roles

Post by Mildur »

Hello Stefan

You can never limit a local administrator from performing harmful actions. Even in VBR, a local administrator can regain access. For example, using PsExec64.exe to start the console as LOCAL SYSTEM will grant full access to the backup server.
And every local admin will be able to do that as soon as they have RDP or local access to the backup server.

That's why we recommend working from a remote console instead of directly on the backup server. Only allow a few select trusted admins to log in to the backup server via RDP. For daily backup and restore tasks, use the remote console from a jump host.

However, I understand that having consistent behavior with VBR would make sense. I can't promise that we will change the behavior in VB365, but I will mention it to the team.

Best,
Fabian
Product Management Analyst @ Veeam Software
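The advice above boils down to a question you can actually check on the backup server: who is in the local Administrators group, who can log on through RDP, and does that set match the short list of trusted admins you intended? The script below is an added example for this thread, not Veeam's own tooling or anything from Veeam's documentation. It enumerates the local Administrators and Remote Desktop Users groups, exports the User Rights Assignment policy with secedit to see who holds the "Allow log on through Remote Desktop Services" right (SeRemoteInteractiveLogonRight), and flags every principal not on an allow-list. The $AllowedAdmins entries are constructed placeholders; replace them with the accounts you actually listed under Users and Roles.

```powershell
# Added example (not Veeam code): audit who can reach the backup server as a local
# administrator or via RDP, and flag anyone not on an explicit allow-list.
# Run in an elevated PowerShell session on the backup server.

# Assumption: these are the only accounts that should be able to log on to the server.
$AllowedAdmins = @(
    'CONTOSO\backup-admin1',   # placeholder, constructed for this example
    'CONTOSO\backup-admin2'    # placeholder, constructed for this example
)

function Get-LocalGroupAudit {
    param([string]$Group)
    # Get-LocalGroupMember lists direct members only. A nested domain group shows up as a
    # single entry of ObjectClass 'Group' and must be reviewed in AD separately.
    Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Source    = "Local group: $Group"
            Principal = $_.Name
            Class     = $_.ObjectClass
            SID       = $_.SID.Value
        }
    }
}

function Get-LogonRightHolders {
    param([string]$Right)
    # secedit exports the local security policy as an .inf file; the [Privilege Rights]
    # section carries lines such as:  SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    $cfg = Join-Path $env:TEMP ('rights_{0}.inf' -f [guid]::NewGuid())
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $cfg | Where-Object { $_ -match "^$Right\s*=" }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right held by nobody
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $id = $_.Trim().TrimStart('*')
        try {
            # Resolve the SID to DOMAIN\name; keep the raw SID if it no longer resolves
            ([System.Security.Principal.SecurityIdentifier]$id).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $id }
    }
}

$findings = New-Object System.Collections.Generic.List[object]

foreach ($group in 'Administrators', 'Remote Desktop Users') {
    foreach ($member in Get-LocalGroupAudit -Group $group) {
        if ($AllowedAdmins -notcontains $member.Principal) {
            $findings.Add($member)
        }
    }
}

foreach ($holder in Get-LogonRightHolders -Right 'SeRemoteInteractiveLogonRight') {
    if ($AllowedAdmins -notcontains $holder) {
        $findings.Add([pscustomobject]@{
            Source    = 'User right: SeRemoteInteractiveLogonRight'
            Principal = $holder
            Class     = 'Policy'
            SID       = ''
        })
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'Only allow-listed accounts hold local admin or RDP logon rights.'
} else {
    Write-Warning ('{0} principal(s) can reach this server but are not on the allow-list:' -f $findings.Count)
    $findings | Format-Table Source, Principal, Class, SID -AutoSize
}
```

On a default Windows Server build you will see BUILTIN\Administrators and BUILTIN\Remote Desktop Users reported as holders of SeRemoteInteractiveLogonRight, which is exactly the point Fabian makes: every member of the local Administrators group can RDP in and, once there, launch the console as LOCAL SYSTEM. Trimming the finding means either removing accounts from those groups or replacing the group in the user right with the specific admin accounts, then granting day-to-day operators the remote console from a jump host instead of a logon on the backup server itself.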
sdv
Influencer
Joined: Jan 09, 2018 8:12 am
Full Name: Stefan

Re: Feature request VeeamO365: Security hardening - allow login only for listed accounts in users and roles

Post by sdv »

Mildur wrote:
That's why we recommend working from a remote console instead of directly on the backup server. Only allow a few select trusted admins to log in to the backup server via RDP. For daily backup and restore tasks, use the remote console from a jump host.
And that is where the security differences lie compared to the original VBR remote console. Normally the newly created local administrator account would be blocked when the administrator is not listed in Veeam's (VBR) Users & Roles. However, in the Veeam O365 console, when that local administrator is not listed in users & roles it can still log in, using either the remote console or the local console; it does not matter.
Mildur wrote:
However, I understand that having consistent behavior with VBR would make sense. I can't promise that we will change the behavior in VB365, but I will mention it to the team.
+1