Microsoft MFA Enrollment FAQ
What is changing on October 7?
On October 7, OIT will start enrolling all accounts into strengthened MFA protection for Microsoft services. We expect it will take about one week to enroll all accounts. Once you are enrolled, you will be required to reauthenticate for all Microsoft services using MFA. You should only need to do this once per device, or once per browsing session for web-based applications. After the first time you reauthenticate, you will be periodically prompted to reauthenticate using Microsoft MFA, especially when you log into Microsoft services with a browser.
I didn’t verify my MFA was working before October 7 and now I can’t sign in. What do I do?
You can still visit the MFA Management Tool to test your MFA methods. If they fail, you will be given an opportunity to set up new devices. If you need additional assistance, please contact the IT Service Center at 303-735-4357 or oithelp@colorado.edu.
Why did some Microsoft services stop working after I was enrolled in the strengthened MFA protection?
The Microsoft MFA enrollment process will log you out of all Microsoft services that are running at the time of enrollment. After enrolling, you will need to log back into Microsoft services such as Outlook, OneDrive, Office or Microsoft 365 apps, Teams, SharePoint and Power Apps. Here’s a complete list of Microsoft services that could be impacted.
How often will I be prompted for MFA?
After the first time you reauthenticate, you will be periodically prompted to reauthenticate using Microsoft MFA, especially when you log into Microsoft services with a web browser.
General FAQ
What is multi-factor authentication?
Multi-factor authentication (MFA) is a simple way to increase account security by requiring multiple forms of verification to prove your identity when signing into an application. This is generally something you know, like a password, and something you have, like a personal phone. Many institutions and applications require some form of MFA at login, especially when using a new device. Microsoft 365 multi-factor authentication will increase the protection on all Microsoft 365 services and applications, including desktop applications, email, Teams, OneDrive and SharePoint. For your convenience, your sign-in session on your regular devices will not often require you to log in or use multi-factor authentication, but it will protect your account if any suspicious login attempts are detected.
Why is CU Boulder using MFA?
One of our campus's largest attack vectors is through collaboration services, especially email accounts using older protocols. MFA adds an additional layer of security, making it harder for attackers to log in as if they were you. Your information is safer because thieves would need to steal both your password and your phone to access services protected by MFA. MFA has been shown to block 99.9 percent of compromised-credential attacks, which in turn will help to safeguard the university's data, finances, and reputation.
Am I required to use MFA?
Yes, everyone using CU Boulder's Microsoft 365 instance will be required to use MFA.
Why should I have to use my personal phone for this when CU Boulder doesn't pay for it?
Multi-factor authentication ensures that users are who they say they are by requiring that they provide two pieces of evidence to prove their identity. This is generally something you know, like a password, and something you have, like a personal phone. Since mobile phones are so ubiquitous and we seldom go anywhere without one, they are the most popular choice for multi-factor authentication. If using a mobile phone isn't an option for you, please contact the IT Service Center to discuss other options.
I have concerns about sharing my phone number with Microsoft. What happens with the information I share through MFA?
Neither CU Boulder nor Microsoft is permitted to use this information for marketing, tracking, or data mining purposes. We have contractual agreements with Microsoft that protect your personal information. Your phone number will only be used to validate that you are who you say you are when using the Microsoft 365 services. MFA is an additional security measure that is designed to protect your personal information.
Can I use YubiKeys or other FIDO2 tokens with MFA?
FIDO2 tokens are physical devices that provide a second factor during the multi-factor authentication process. They may be a good option if you are unable to use a mobile phone for MFA.
Please note that OIT cannot provide support for the use of FIDO2 tokens – it is your responsibility to purchase, configure, and keep track of your token. Before purchasing a token, it's recommended to review Microsoft's FIDO2 token requirements.
If you decide to use FIDO2 tokens, it is highly recommended to register a backup method, such as a phone, in addition to your token in case you misplace it. Learn how to edit backup methods for MFA at the beginning of our registering and using the authenticator app tutorial.
How often should I expect to be prompted to use MFA once registered?
To give campus users the right balance of security and ease of use, we've enabled a setting that takes into account many factors to determine if a login attempt is suspicious. If you mostly access Microsoft apps using the same devices and patterns, you should rarely, if ever, be prompted for MFA. However, if you frequently travel internationally, log in to your Microsoft apps and email during trips, or use public computers or kiosks, you could expect to be prompted more frequently due to risky-looking activities.
Where can I download the Authenticator app?
Use OIT's instructions for registering and using the authenticator app. You can download the Authenticator app directly from Microsoft's Authenticator App page.
I lost my phone and/or got a new device and am unable to authenticate.
If you're unable to log in or change your authentication information (see How can I update my phone number or change authentication preferences? below), please contact the IT Service Center at 303-735-4357 or oithelp@colorado.edu for assistance resetting MFA.
How can I update my phone number or change my authentication preferences?
There are several ways to update or change your authentication information:
- Log in to your Microsoft 365 account, then click security info settings.
- These steps are outlined in the Microsoft MFA - Find and Update Security Info tutorial.
- Visit Microsoft's additional security verification or change two-step verification and settings help pages for additional information.
I am an international student or will be traveling abroad. Which authentication method should I choose?
OIT recommends configuring the Microsoft Authenticator app in case your country code is not available; however, a comprehensive list of international calling codes will be available to select from when enrolling your device.
I lost or do not have access to the method(s) I set up for MFA. What do I do?
OIT recommends configuring multiple methods for MFA, so that if you lose or do not have access to one, you will have a backup method to authenticate with. If you have lost access to the only method you have configured, you will need to contact the IT Service Center via phone (303-735-4357) to request that your MFA be reset. You will be required to go through the first-time enrollment process for MFA again.