NHSmail Security Groups Frequently Asked Questions (FAQs)

The NHSmail security groups functionality provides Local Administrators the ability to create, manage and control Microsoft 365 static mail-enabled and non-mail-enabled security groups.

Please note:


Automated All Users dynamic non-mail-enabled security groups for all users in an ODS code already exist and are managed by a stand-alone process that is automated and sits outside of the NHSmail Portal. For more information, please refer to the Automated All Users Security Groups article. Only static mail-enabled and non-mail-enabled security groups created via the NHSmail Portal can be managed in the NHSmail Portal.

The target audience for this guidance is Local Administrators. If you are a user with questions about security groups, please contact your Local Administrator.

Please refer to the Introduction to NHSmail Security Groups article and the Managing NHSmail Security groups article for Local Administrators first, before reading this article.

Security Group Overview

What are security groups?

Security groups are a Microsoft 365 feature used to group together users who require the same permissions. They are primarily used for granting access to Microsoft 365 resources such as SharePoint Online, OneDrive and PowerApps.

What types of security groups are available for NHSmail organisations?

For NHSmail, Local Administrators can manage static mail-enabled security groups and static non-mail-enabled security groups via the NHSmail Portal. Dynamic security groups are not currently supported. Automated All Users dynamic non-mail-enabled security groups for all users in an ODS code already exist and are managed by a stand-alone process that is automated and sits outside of the NHSmail Portal. For more information, please refer to the Automated All Users Security Groups article.

What are the differences between mail-enabled and non-mail-enabled security groups?

Mail-enabled security groups are compatible with all Microsoft 365 service offerings, whereas non-mail-enabled security groups are not compatible with some offerings. Mail-enabled security groups also include the ability to send mail to all the members of the group, but for the purposes of NHSmail, mail-enabled security groups should not be used for mail purposes as the Distribution List functionality should be used instead. For a full overview of which Microsoft 365 service offerings are compatible with mail-enabled and non-mail-enabled security groups, please refer to the Introduction to NHSmail security groups article.

What type of security group should Local Administrators use?

For a full overview of which Microsoft 365 service offerings are compatible with mail-enabled and non-mail-enabled security groups, please refer to the Introduction to NHSmail Security Groups article. Where there is the option to use both groups, the recommendation is to use non-mail-enabled security groups as these are supported by most services.

What can Local Administrators do with NHSmail security groups?

Local Administrators can manage and control their security groups via the NHSmail Portal. Local Administrators can:

  • Create new security groups (including mail-enabled all-user security groups for a particular ODS code)
  • View their security groups
  • Edit their security groups
  • Search for security groups
  • Update the user membership of their security groups (both individually and in bulk)
  • Nest security groups within other security groups
  • Export the members of a security group
  • Access basic reporting for security groups

Security Group Management

What are the pre-requisites for managing NHSmail security groups?

Primary Local Administrators (PLAs) and Local Administrators will be able to manage and control static mail-enabled and non-mail-enabled security groups. There are no additional licensing or other requirements to be able to manage and control NHSmail security groups.

What is the process for managing joiners, movers and leavers for NHSmail security groups?

For an overview of the joiners, movers and leavers process for NHSmail security groups and the required actions for Local Administrators, please refer to the Managing NHSmail Security Groups article. This does not apply to Automated All Users dynamic non-mail-enabled security groups which are managed by a stand-alone process that sits outside of the NHSmail Portal.

Why have users marked as joiners / movers not been added / removed from my security group?

When an NHSmail user is marked as a new joiner, the user will not be automatically added to any of the new organisation’s security groups. Similarly, when an NHSmail user is marked as a mover, the user will not be removed from their existing organisation’s security groups and they will not be added to any of the new organisation’s security groups. For an overview of the joiners, movers and leavers process for NHSmail security groups and the required actions for Local Administrators, please refer to the Managing NHSmail Security Groups article.
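Because movers are not removed automatically, a periodic check of exported group membership against the organisation's current users shows who still holds access, including access inherited through nested groups. The following is an added example, not NHSmail tooling or code from this article; the CSV column names, group names and user roster are constructed assumptions, not the Portal's actual export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the column names and group names are assumptions,
# not the NHSmail Portal's actual export format.
MEMBERSHIP_CSV = """group,member,member_type
sg-example-finance,Alice.Smith@nhs.net,user
sg-example-finance,bob.jones@nhs.net,user
sg-example-sharepoint,sg-example-finance,group
sg-example-sharepoint,carol.lee@nhs.net,user
sg-example-finance,sg-example-sharepoint,group
"""
# Constructed roster of users currently in the organisation.
CURRENT_USERS = {"alice.smith@nhs.net", "carol.lee@nhs.net"}


def load_membership(csv_text):
    """Return {group: [(member, member_type), ...]} with lower-cased names."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups[row["group"].strip().lower()].append(
            (row["member"].strip().lower(), row["member_type"].strip().lower()))
    return groups


def effective_users(group, groups, seen=None):
    """Users reachable through a group, following each nested group once."""
    seen = set() if seen is None else seen
    if group in seen:  # guard against a loop in nested groups
        return set()
    seen.add(group)
    users = set()
    for member, kind in groups.get(group, []):
        if kind == "group":
            users |= effective_users(member, groups, seen)
        else:
            users.add(member)
    return users


def stale_access(groups, current_users):
    """Map each user not on the roster to the groups that still reach them."""
    current = {u.lower() for u in current_users}
    report = defaultdict(list)
    for group in sorted(groups):
        for user in effective_users(group, groups) - current:
            report[user].append(group)
    return dict(report)
```

Calling `stale_access(load_membership(MEMBERSHIP_CSV), CURRENT_USERS)` lists each user who is no longer on the roster together with every group, direct or nested, that still includes them.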

How should Local Administrators name their security groups?

For information on the naming format that should be used when creating NHSmail security groups, please refer to the Managing NHSmail Security Groups article.

How can Local Administrators create new security groups?

For information on how to create NHSmail security groups, please refer to the Managing NHSmail Security Groups article.

Why can Local Administrators only create mail-enabled security groups for all users in an ODS code?

Automated All Users dynamic non-mail-enabled security groups for all users in an ODS code already exist and are managed by a stand-alone process that is automated and sits outside of the NHSmail Portal. For more information, please refer to the Automated All Users Security Groups article. The required Local Administrator actions for joiners, movers and leavers apply to any all-user security groups created via the NHSmail Portal. For more information, please refer to the Joiners, Movers and Leavers section of this article.

How can Local Administrators view their security groups?

For information on how to view NHSmail security groups, please refer to the Managing NHSmail Security Groups article.

How can Local Administrators search for security groups?

When searching for security groups, please note that partial searches are not accepted. To search for individual security groups, it is recommended that Local Administrators use either the full display name, or the full email address if it is a mail-enabled security group. To search for security groups at organisation level, it is recommended that Local Administrators use the ODS code or the organisation name to search for all security groups in the organisation. Please note that only the first 500 security groups will be visible if more than that are present in the tenant. For further information on how to search for NHSmail security groups, please refer to the Managing NHSmail Security Groups article.

How can Local Administrators edit their security groups?

For information on how to edit NHSmail security groups, please refer to the Managing NHSmail Security Groups article.

How can Local Administrators update the membership of their security groups?

For information on how to update the membership of NHSmail security groups, both individually and in bulk, please refer to the Managing NHSmail Security Groups article.

Why have the membership details of my security group not yet updated?

When editing and updating security groups, updates can take up to 5 minutes to show in the NHSmail Portal whilst the sync completes. If the update does not show after this time, please re-try. Please note that for mail-enabled security groups for all users in an ODS code this may take more than 5 minutes, depending on the total number of users. If the problem persists, Local Administrators can raise an incident related to security groups via the Raise an Incident form for the Portal on the Helpdesk Self-Service (HSS) platform.

How can Local Administrators export the members of their security groups?

For information on how to export the members of NHSmail security groups, please refer to the Managing NHSmail Security Groups article.

How can Local Administrators raise incidents related to NHSmail security groups?

Local Administrators can raise an incident related to security groups via the Raise an Incident form for the Portal on the Helpdesk Self-Service (HSS) platform.

How can Local Administrators access basic reporting related to NHSmail security groups?

Local Administrators can use the NHSmail Portal Audit Logs to extract records related to creating, editing and updating security groups. Local Administrators can also use Azure AD to generate a report for their security groups and to check the security groups a user is a member of.

How will this affect the NHSmail Bring Your Own (BYO) Device Security Controls?

For the updated guidance on how Local Administrators can opt-in users for the BYO device security controls, please refer to the Bring Your Own Device Security Controls guidance article for Local Administrators.

How will this affect the management of static mail-enabled and non-mail-enabled security groups for use with Intune?

Intune Admins can now leverage both the NHSmail Portal and the Intune PowerApp for the creation of static security groups, as long as the correct naming format is used.

The creation of dynamic and device-based security groups will remain unchanged and managed via the Intune PowerApp.

All static security groups created by the Intune PowerApp will automatically appear in the NHSmail Portal with no manual naming convention steps required.

All static security groups created via the NHSmail Portal will be required to use the following specific Intune naming convention shown via the table below in order to appear within the PowerApp:

| Security Group Type | Prefix* | Identifier* | Intune identifier | Name | Email Domain* |
|---|---|---|---|---|---|
| Mail-Enabled | ODS Code | msg | Intune- | Name created by Local Administrator | @nhs.net |
| Non-Mail Enabled | ODS Code | sg | Intune- | Name created by Local Administrator | N/A |

* Automatically added by the Portal

Where can I find out more about NHSmail security groups?

For more information, please refer to the Introduction to NHSmail Security Groups article or the Managing NHSmail Security Groups article for Local Administrators.

Last Reviewed Date 14/09/2023
Updated on 14/09/2023
