MFA Modernization Pilot: Participant Guide

⚠️ WARNING: This article is intended for participants in the MFA Modernization Pilot only. If you are not a pilot participant, the information in this article may not apply to you. Contact the IT Service Desk if you have questions about your current sign-in experience.

You have been enrolled in the MFA Modernization Pilot. This article covers everything you need to get started: an overview of MFA methods available to you, recommendations based on your device and situation, and how to get help during the pilot period.

Detailed Information

What Is the MFA Modernization Pilot?

UMS is transitioning to Microsoft Entra as our single sign-on (SSO) and multi-factor authentication (MFA) platform. As a pilot participant, you are among the first to register for and use the new Entra-based MFA experience. Your feedback will directly shape how UMS supports the broader community through this transition.

Before You Begin: Which Situation Applies to You?

This pilot includes two groups of participants. Find your situation below — it determines what you need to do before you start.

  • I do not currently use MFA for my UMS account. You will be setting up MFA for the first time. Follow the registration steps in Step 2 below to get started.
  • I already use Duo for MFA on my UMS account. You will set up a new Microsoft Entra MFA method alongside your existing Duo setup. During the pilot period, you will still have the option to use Duo when signing in, but you are strongly encouraged to use your new Entra method as much as possible.

About MFA Methods

INFO: For detailed information, please read: MFA Authentication Methods. Below is a brief overview.

There are two main types of MFA methods available in Microsoft Entra:

Passkeys

A passkey replaces your password with a secure key stored on your device. You verify your identity using your fingerprint, face recognition, or PIN — no password needed. Passkeys are the most secure option and are strongly recommended.

Passkeys come in two forms:

  • Device-bound: Stored on a specific device (such as a YubiKey or a Windows Hello-enabled PC). More secure, but only available on that one device.
  • Synced: Stored in a cloud account (such as iCloud Keychain or Google Password Manager) and available across all your devices signed in to that account. Easier to use day-to-day.

Microsoft Authenticator App (Push Notification)

The Microsoft Authenticator app sends a notification to your smartphone when you sign in. You approve the request by tapping a number on your screen. This is the minimum recommended option if you are unable to set up a passkey.


Step 1: What Should I Set Up?

INFO: For detailed information, review the Recommendations by device and user type section in the MFA Authentication Methods article. Below is a brief overview.

Registering a backup method is strongly recommended for everyone.

Not sure where to start? The Getting Started guide will walk you through your options:

Personal Devices (Phones, Tablets, Personal Computers)

Set up a passkey on every personal device you use regularly. Synced passkeys (iCloud Keychain, Google Password Manager) are the easiest to use day-to-day because they are available across all your devices automatically. A passkey in the Microsoft Authenticator app is the simplest to set up and is a great starting point.

At minimum, set up the Microsoft Authenticator app for push notifications as a backup.

WARNING: Never set up a passkey on a shared or lab computer — passkeys saved to a shared device could be used by anyone with access to it.

Lab or Shared Computers

Do not save a passkey to a lab or shared computer. Instead, use one of the following when signing in on a shared machine:

UMS-Managed Windows Devices

Windows Hello for Business (WHfB) is the recommended option. It uses your device's built-in security to create a device-bound passkey that signs you in automatically on your managed PC.

INFO: Windows Hello for Business requires a connection to UMS domain controllers to work. When using WHfB, you must be on campus and connected via Ethernet or the eduroam wireless network, or connected to the VPN if working remotely. Set up a backup method for situations where you are off-network or without VPN.

If you have a secondary UMS account (such as an admin account), you can also save a passkey for that account to Windows Hello for Business on your managed device.

UMS-Managed Mac Devices

Set up a synced passkey using iCloud Keychain. This stores your passkey in your Apple account and makes it available across all your Apple devices.

Remote Access

RDP (Remote Desktop Protocol) continues to use Duo MFA during the pilot period.


Step 2: Register Your Method

Browse all registration how-to guides for the full list of available options:


Step 3: Sign In with MFA

Once registered, use your new Entra MFA method when prompted during the pilot period.


Getting Help

Before reaching out, please check the pilot knowledge base — most common questions and errors are covered there.

Reporting Issues

Your feedback is a core part of the pilot. When you encounter a problem, please report it using the pilot feedback form.

MFA Modernization Pilot Feedback Form

If you run into a sign-in error, check the troubleshooting articles first — they cover the most frequently seen errors and what to do:

When reporting an MFA issue, include:

For urgent issues or questions, contact the project team via Google Chat in the MFA Modernization Pilot space or via email at sso-mfa-project-group@maine.edu.

INFO: Please avoid using the UMS:IT MFA Support chat space for pilot-related questions. Use the MFA Modernization Pilot chat space instead.

Environment

  • All UMS-connected applications and services
  • Microsoft Entra ID (MFA Modernization Pilot)
  • Microsoft Authenticator app (iOS and Android)
  • FIDO2 hardware security keys (e.g., YubiKey)
  • Windows Hello for Business (UMS-managed Windows devices)
  • Duo (remote access / VPN — not changing as part of this pilot)