Overview
CU Boulder is taking steps to strengthen multi-factor authentication (MFA) protection in response to escalated global security threats. Starting on October 7, all students, faculty and staff will be enrolled in a strengthened Microsoft MFA policy and need to reauthenticate (i.e. log in again) for all sessions of Microsoft services and will be prompted for MFA. Learn more in the Microsoft multi-factor authentication changes news story. Later stages of the project will incorporate additional MFA policy changes, broaden the number of services protected by Microsoft MFA and move Duo MFA protected services to Microsoft MFA.
Timeline
MFA Expansion and Streamlining
More information about additional MFA policy changes, broadening the number of services protected by MFA and moving Duo MFA protected services to Microsoft MFA will be added here when available.
Microsoft MFA Validation
OIT enabled a new baseline MFA policy for CU Boulder users accessing Microsoft 365 products on October 7, 2025. This baseline policy initially forced all students, faculty and staff to reauthenticate (i.e. log in again) for all sessions of Microsoft services and be prompted for MFA. After the first time you reauthenticate you should not be prompted for MFA for Microsoft services again unless:
- You sign in on a new device or use a different browser
- You have not signed in for 90 days on the device
- Suspicious activity is detected
Find more details in the Microsoft multi-factor authentication changes news story.
Support
Visit the Duo MFA and Microsoft MFA pages for more information about each service, including additional frequently asked questions. If you need help with the MFA verification and enablement process, contact the IT Service Center at 303-735-4357 or oithelp@colorado.edu.
Frequently Asked Questions
What is MFA?
MFA is a foundational element in a security strategy. MFA helps protect you by adding an additional layer of security, making it harder for attackers to log in as if they were you. Your information is safer because thieves would need to steal both your password and your MFA option (e.g. phone or FIDO2 tokens).
What is changing on October 7, 2025?
On October 7, OIT will start enrolling all accounts that did not enroll using the MFA Management Tool into strengthened MFA protection for Microsoft services. You can learn more about enrolling with the MFA Management Tool in the Microsoft multi-factor authentication changes news story.
Once you are first enrolled, you will be required to reauthenticate for all Microsoft services using MFA. You should only need to do this once per device, or once per browsing session for web-based applications.
After the first time you reauthenticate you should not be prompted for MFA for Microsoft services again unless:
- You sign in on a new device or use a different browser
- You have not signed in for 90 days on the device
- Suspicious activity is detected
I didn’t verify my MFA was working before Oct. 7, 2025, and now I can’t sign in. What do I do?
You can still visit the MFA Management Tool to test your MFA methods. If they fail, you will be given an opportunity to set up new devices. Please read the Microsoft multi-factor authentication changes news story for more details.
If you need additional assistance, please contact the IT Service Center at 303-735-4357 or oithelp@colorado.edu.
I already enrolled in Microsoft MFA when it was first rolled out on campus. Why do I need to do this again?
We know that there have been many recent requests made of campus constituents to help secure our IT environment and that this is yet another request added to that long list. However, U.S. cybersecurity and intelligence agencies have recently issued a joint advisory warning of potential cyber-attacks from state-sponsored or affiliated threat actors. This new enrollment process will enable a stronger security policy to help protect against these heightened security risks.
What is the difference between Duo MFA and Microsoft MFA?
Duo MFA and Microsoft MFA work similarly to protect different services on our campus. Duo was first used on our campus for system administration and by those with privileged access to services or private networks. Duo MFA now also protects the MyCUInfo Portal, Buff Portal and other campus services. Microsoft MFA protects Microsoft 365 services such as OneDrive, Outlook and Teams. In later phases of the MFA Improvement Project, services protected by Duo will be moved to Microsoft MFA to streamline campus MFA services.
