Information – MFA on for new NHSmail users as default

Dear Local/Primary Local Administrator,

As you are aware, we are working towards Multi-Factor Authentication (MFA) being applied for all users across the NHSmail tenant to improve security, increase the protection of user and organisational data, and comply with the recently released national NHS England MFA policy.

In line with this and the NHSmail MFA roadmap, we would like to advise you that from 5th October 2023 all new user accounts will have MFA applied by default (excluding PODS users).

What will this mean for new users?

When a new user activates their account for the first time, they will need to:

  • Accept the AUP and set their account secret.
  • They will then be logged out and, upon next log-in, be prompted to register for MFA.
  • Once registered for MFA, their account will be secured and they will be prompted for MFA when logging into their NHSmail account.

Please note: Users will not be able to bypass the MFA registration. However, if deemed necessary, Local Administrators can disable MFA on new users on an account-by-account basis via the User Management page, and MFA can be disabled either before or after an account has registered for it. If MFA needs to be disabled before the MFA registration stage, the new user must have accepted the AUP and set their account secret first; a local risk-based assessment must be completed for each disablement. Local Administrators will need to work with their new users directly in these instances, as the user will be prompted to register for MFA at their next login.

What action do LAs need to take?
  • We advise that you update any local guidance for new starters to include MFA registration as part of setting up their NHSmail account.
  • Please note that Conditional Access MFA policies will be available shortly, and we will be sending further communications on this.
  • Keep an eye out for updated guidance on the support site.

Please note: New NHSmail accounts converted to Application Accounts will automatically have MFA removed as part of the conversion process.

Further information

To find out more about the MFA roadmap and upcoming changes, please join our fortnightly MFA webinars and review recordings of previous webinars.

Please also see MFA guidance on the support site.

Best wishes,

NHSmail Team
