The NHSmail security groups functionality gives Local Administrators the ability to create, manage and control Microsoft 365 static mail-enabled and non-mail-enabled security groups.
The target audience for this guidance is Local Administrators. If you are a user with questions about security groups, please contact your Local Administrator.
Please read the Introduction to NHSmail Security Groups article for Local Administrators before reading this article. For more information, you can also refer to the NHSmail Security Groups Frequently Asked Questions (FAQs) article for Local Administrators.
Introduction
Security groups are a Microsoft 365 feature used to group together users who require the same permissions. They are primarily used for granting access to Microsoft 365 resources such as SharePoint Online, OneDrive and PowerApps.
For NHSmail, two types of security groups are available for management via the NHSmail Portal: static mail-enabled security groups and static non-mail-enabled security groups. Local Administrators can manage these types of security groups via the NHSmail Portal.
The following table provides an overview of the Microsoft 365 service offerings that are compatible with static mail-enabled security groups, static non-mail-enabled security groups, or both.
Service Name / Type | Compatible with non-mail-enabled security groups? | Compatible with mail-enabled security groups? |
Teams | No | Yes |
Teams Shared Channels Policies | Yes (recommended) | Yes |
SharePoint Online | Yes (recommended) | Yes |
OneDrive | No | Yes |
PowerApps | Yes (recommended) | Yes |
PowerAutomate | Yes (recommended) | Yes |
Sway | Yes (recommended) | Yes |
Power BI | Yes (recommended) | Yes |
Power BI Tenant Settings | Yes (recommended) | Yes |
Power BI Capacity Admins | Yes (recommended) | Yes |
Application Access Policies | No | Yes |
Pre-Requisites
Primary Local Administrators (PLAs) and Local Administrators will be able to manage and control static mail-enabled and non-mail-enabled security groups. There are no additional licensing requirements or other requirements to be able to manage and control NHSmail security groups.
Joiners, Movers and Leavers
The following table provides an overview of the joiners, movers and leavers process for NHSmail security groups and the required actions for Local Administrators.
User Type | Action for Local Administrators |
Joiners | When an NHSmail user is marked as a new joiner, the user will not be automatically added to any of the new organisation’s security groups. Local Administrators must manually add new joiners into any security groups they have created via the Portal. |
Movers | When an NHSmail user is marked as a mover, the user will not be removed from their existing organisation’s security groups and they will not be added to any of the new organisation’s security groups. Local Administrators from the user’s original organisation must manually remove that user from any security groups they have created via the Portal. Local Administrators from the user’s new organisation must manually add that user into any security groups they have created via the Portal. |
Leavers | When an NHSmail user is marked as a leaver, the user will retain their membership of the security groups until the account is removed by the Local Administrator or until the account is removed from the tenant. Local Administrators can manually remove leavers from any security groups they have created via the Portal. If Local Administrators do not manually remove leavers from their security groups, the current standard account hygiene process will be followed, resulting in that user’s account eventually being removed from the security group. |
To support the management of the joiners, movers and leavers process, Local Administrators with the Guest Inviter role can use the Microsoft Entra Admin Centre (Azure AD) to check the security groups a user is a member of. For more information about reporting, please refer to the Reporting section in this article.
Creating new security groups
Local Administrators can create new security groups via the NHSmail Portal.
How to name a security group
A consistent naming format must be used when creating NHSmail security groups to allow groups to be easily identified and to ensure they are searchable in the NHSmail Portal. The following table provides an overview of the naming convention to be used. Please note that the prefix, identifier and email domain will be automatically added by the NHSmail Portal.
Security Group Type | Prefix* | Identifier* | Name | Email Domain* |
Mail-Enabled | ODS Code | msg | Name entered by Local Administrator | @nhs.net |
Non-Mail-Enabled | ODS Code | sg | Name entered by Local Administrator | N/A |
* Automatically added by the Portal
For example, the name of a mail-enabled security group could be: lsp01.msg.name@nhs.net
The name of a non-mail-enabled security group could be: lsp01.sg.name
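Because movers and leavers are not removed from security groups automatically, and because the naming convention puts the owning ODS code in every group name, a membership export can be checked against a user list to find memberships that need manual review. The following is an added example, not part of the NHSmail guidance or Portal. It assumes hypothetical CSV column names (group, member, email, ods, status) and ignores parent / child ODS code mapping.

```python
import csv
import io
import re

# Page convention: <ODS code>.<msg|sg>.<name>, plus @nhs.net for mail-enabled groups.
GROUP_RE = re.compile(r"^([a-z0-9]+)\.(msg|sg)\.([^@\s]+)(@nhs\.net)?$", re.IGNORECASE)

def parse_group(name):
    """Return (ods_code, mail_enabled) or None if the name breaks the convention."""
    m = GROUP_RE.match(name.strip())
    if not m:
        return None
    mail_enabled = m.group(2).lower() == "msg"
    if mail_enabled != bool(m.group(4)):  # msg needs the domain, sg must not have it
        return None
    return m.group(1).lower(), mail_enabled

def review_memberships(members_csv, users_csv):
    """Flag memberships the joiners/movers/leavers process leaves for manual clean-up."""
    users = {r["email"].lower(): r for r in csv.DictReader(io.StringIO(users_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(members_csv)):
        group, member = row["group"], row["member"].lower()
        parsed = parse_group(group)
        user = users.get(member)
        if parsed is None:
            findings.append((group, member, "group name breaks convention"))
        elif user is None:
            findings.append((group, member, "member not in user list"))
        elif user["status"] == "leaver":
            findings.append((group, member, "leaver still a member"))
        elif user["ods"].lower() != parsed[0]:
            findings.append((group, member, "possible mover: ODS differs from group prefix"))
    return findings

# Constructed sample data; column names are assumptions, not the Portal's export format.
MEMBERS = """group,member
lsp01.sg.finance,alice@nhs.net
lsp01.sg.finance,bob@nhs.net
lsp01.msg.wardteam@nhs.net,carol@nhs.net
lsp01.msg.wardteam,alice@nhs.net
"""
USERS = """email,ods,status
alice@nhs.net,lsp01,active
bob@nhs.net,xyz99,active
carol@nhs.net,lsp01,leaver
"""

if __name__ == "__main__":
    for finding in review_memberships(MEMBERS, USERS):
        print(*finding, sep=" | ")
```

A finding is a prompt for a Local Administrator to review the membership in the Portal, not proof that it is wrong.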
How to create a new mail-enabled security group
Download the guidance to create a new mail-enabled security group
How to create a new non-mail-enabled security group
Download the guidance to create a new non-mail-enabled security group
How to create a new mail-enabled security group for all users in an ODS code
Download the guidance to create a new mail-enabled security group for all users in an ODS code
Viewing security groups
Local Administrators can view security groups for organisations they have access to as per the existing parent / child ODS code mapping via the NHSmail Portal.
How to view a security group
Download the guidance to view a security group
Searching security groups
Local Administrators can search security groups for organisations they have access to as per the existing parent / child ODS code mapping via the NHSmail Portal.
How to search a security group
Download the guidance to search a security group
Editing security groups
Local Administrators can edit security groups for organisations they have access to as per the existing parent / child ODS code mapping via the NHSmail Portal.
How to edit a security group
Download the guidance to edit a security group
Updating the membership of security groups
Local Administrators can update the membership of security groups for organisations they have access to as per the existing parent / child ODS code mapping via the NHSmail Portal.
How to individually update the members of a security group (limited to 100 users at a time)
Download the guidance on how to individually update members
How to bulk update the members of a security group (limited to 500 users and including nesting other security groups)
Download the guidance on how to bulk update members
Exporting the members of security groups
Local Administrators can export a list of the members of security groups for organisations they have access to as per the existing parent / child ODS code mapping via the NHSmail Portal.
How to export a list of the members of a security group
Download the guidance on how to export a list of members
Raising an incident for security groups
Local Administrators can raise an incident related to security groups via the Raise an Incident form for the Portal on the Helpdesk Self-Service (HSS) platform.
Reporting for security groups
Local Administrators can use the NHSmail Portal Audit Logs to extract records related to creating, editing and updating security groups.
Download the guidance on how to access Audit reports
Local Administrators with the Guest Inviter role can also use the Microsoft Entra Admin Centre (Azure AD) to access additional reporting, such as checking the security groups a user is a member of.
Download the guidance on how to access other reports
Where can I find out more about NHSmail security groups?
For more information, please refer to the NHSmail Security Groups Frequently Asked Questions (FAQs) article for Local Administrators.
Last Reviewed Date | 14/09/2023 |