Hendy Release – Content Summary

The NHSmail Portal release is named in honour of Ruth Hendy, Lead cancer nurse at University Hospitals Bristol and Weston NHS Foundation Trust, who was awarded a British Empire Medal (BEM) for her services to cancer patients.

Please find below a summary of the main content of the Hendy release which was deployed on 3rd April 2024. To view the full release notes for this release please see the PDF file at the end of this summary.

VN166 Functionality

• 80354: Assign Shared Channel Policies to Users via User Policies

As part of this PBI, PLAs and LAs will be able to assign shared channel permissions to users within their organisation.

This PBI will create a new section within user policies that will allow administrators to assign Teams Shared Channel permissions via a drop-down. This will provide all users within the selected policy with one of the following permission sets:

• NHSmail Invite and Join Only
• NHSmail Shared Channels Inviter Only
• NHSmail Join Externally Hosted Shared Channels
• NHSmail Shared Channel Inviter
• NHSmail All Shared Channel Features

Please note that only one set of permissions can be assigned to users.

If a Teams Shared Channel policy is removed from the user policy settings in Portal, all members will be reverted to the global default policy with no Shared Channel permissions.

• 80355: New Shared Channel Permissions Report

This PBI will introduce a new NHSmail admin report named “Shared Channels Permissions Report” which will be available to all admins* under the Admin Reports section of Portal. This report will be available through a downloadable CSV file generating including the following data columns:

• Organisation Name
• ODS Code
• User Policy Name
• User Email address
• User Display Name
• Shared Channel Policy

*All admin roles can be referenced in the following support site article: Roles-and-Permissions

Portal AD Functionality – Product Backlog Items

• 82612: MFA Temporary Exception – User Interface Button

As part of this PBI, a Multi-Factor Authentication (MFA) Temporary Exception workflow will be introduced. Within a 24-hour exception period, MFA will be removed from a user’s account and reapplied once the 24-hours has exceeded.

During the 24-hour period, the user will not be prompted for MFA when logging into the NHSmail Portal or associate O365 applications. After the 24-hour period has ended, the user will be prompted for MFA as normal at log in. This PBI will create a new button within the User Details page that will allow administrators to apply the 24-hour temporary exception to a user as required. Please note that the following accounts will be excluded from the temporary exception process:

• Accounts with admin permissions – all admin roles can be referenced in the following support site article: Roles-and-Permissions
• User accounts that have previously been marked as compromised and remediated.
• Accounts that are already within a temporary or long-term exception group.

All applications of the temporary exception process will be recorded in the audit record for administrators to review as needed.

This particular PBI will also introduce a new user interface button called: “MFA 24 hour exception” which will be showcased on the User Details page under the Action section. This button will be available to user accounts who don’t have an admin role, have been previously remediated if compromised and aren’t in the current temporary exception or long-term exception period.

• 84494: Remove Self-Service MFA Disablement Functionality

This PBI will remove the ‘Disable Azure MFA’ button and associated information box from the My Profile Self-Service page. The “Azure MFA Status” detail will remain to show the user’s current MFA status.

This will prevent end users controlling their MFA status and disabling it via te portal themselves; instead requiring admins to control the temporary disablement. The following admin roles can update users: Local Primary Admin, Local Admin, Local Helpdesk, Connector and O365 Licence Admin.

• 84498: Remove Disable Azure MFA and Disable Azure MFA for 48 Hours Button

This PBI will remove both the “Disable Azure MFA” and “Disable Azure MFA for 48 Hours” buttons from the User Detail page. It will also remove the Bulk Edit capability to “Disable Azure MFA”.

When an account has been remediated, the “Disable Azure MFA for 48 Hours” button will be removed and replaced by the new “MFA 24 hour exception” button.

This will be in a greyed-out state when MFA is switched ON for a user account

These changes will affect the following admin accounts that have permissions to update users: Local Primary Admin, Local Admin, Local Helpdesk, Connector and O365 Licence Admin.

• 72580: Allow Apostrophes in Microsoft Teams Display Name When Created via NHSmail Portal

As part of this PBI, we are introducing functionality to allow the apostrophe character in the Microsoft Teams Display Name upon creation. This enables the NHSmail application to follow the same standards set by Microsoft to allow apostrophes within Microsoft Teams Display Names. Before this change, admins couldn’t create Microsoft Teams via NHSmail with an apostrophe in the name.