The NHSmail team are currently working with Microsoft and other partners to establish a comprehensive onboarding assurance process to support the migration of local services to the NHS Shared tenant.
Several webinars have been held, where the NHSmail team and its partners have given an update on the work to support organisations wanting to migrate to the NHS shared tenant.
Links to the webinars and slides are below.
If you have any questions in relation to Microsoft Fastrack and tenant to tenant migrations, please contact the NHSmail team at feedback@nhs.net.
Guidance
The guidance for the currently approved tools for use to onboard to the Shared tenant, can be found below.
Guidance on how to use the SharePoint Migration Tool on the N365 Shared tenant
Guidance on how to use the Quest Content Matrix on the N365 Shared tenant
Guidance on how to use the Quest Essentials tool on the N365 Shared tenant
Managed migrations partnership capabilities
Migration enablement requests
The NHSmail team are aware of enhancements required to facilitate efficient onboarding of organisations and data into the National Office 365 tenant.
These enhancements allow for the bulk creation/change and decommissioning of SharePoint and Teams sites, removing the need to create these manually one by one through the NHSmail portal.
While these capabilities are being developed and released into the NHSmail portal we have agreed an interim process with Accenture.
Resources will be provided to run the bulk command listed below based on submissions by the requesting organisations.
These costs are not covered centrally and so will incur a charge. Please contact the Accenture Service Desk to scope up the required actions and provide a cost to complete on your behalf.
The capabilities that can be requested are detailed below.
1. Service account enablement
a. Automated creation of a service account, scoped to an ODS
2. NHS organisation O365 migration enablement
a. SharePoint Online
- Bulk SP site creation
- Bulk SP site deletion
- New SP site permission additions
- New SP site permission removals
- Existing SP site permission additions
- Existing SP site permission removals
b. Local Organisation Teams to NHSmail shared tenant Teams
- Bulk Team creation
- Bulk Team deletion
- New Team permission additions
- New Team permission removals
- Existing Team permission additions
- Existing Teams permission removals
c. Local Org OneDrive for Business to NHSmail shared tenant OneDrive for Business
- OneDrive for Business provisioning
- OneDrive for Business permission additions
This capability will deliver against the following source and target locations.
- Source locations
- On-premises:
- Exchange
- File shares
- Home directories
- SharePoint
- OneDrive for Business
- Trust owned tenant:
- Exchange Online
- SharePoint Online
- Teams
- OneDrive for Business
- Destinations in NHSmail
- Exchange Online
- SharePoint Online
- Teams
- OneDrive for Business
- On-premises:
This capability includes the following as part of any request for the above;
- Data validations – specifically ensuring that the destination locations are owned by the trust requesting the migration and are created in a format that is within the conventions and standards of the NHSmail platform
- Service accounts – ensuring their permissions are scoped to the organisations users as determined by the ODS construct used on the NHSmail platform
- Upload templates – standardised set of templates that an NHS organisation can submit through the self-service tool when requesting a function
- Output – standardised that detail the created outputs of the bulk operation (e.g. confirmation of SharePoint sites created, associated names, permissions assigned etc.)
If you have any questions, or want to request these capabilities, please contact the Accenture Service Desk or NHSmail.Development@accenture.com.
Onboarding capability
Accenture have an onboarding capability that is now live. The service will onboard the majority of Office 365 services. For further details on this service, please contact NHSmail.Development@accenture.com.
PST ingestion into NHSmail
Accenture have a service for PST ingestion. The service will complete a local onsite PST discovery and the importing of these identified files into users Online archive or primary mailbox. For further details on this service please contact: NHSmail.Development@accenture.com.
Onboarding FAQs
| 1 | What partners are approved for the FastTrack service? |
Partners can be found by registering at fasttrack.microsoft.com
|
| 2 | How does funding for FastTrack work? |
Funding for FastTrack is available to organisations, in collaboration with Microsoft, dependant on meeting the products in scope criteria.
|
| 3 | Will cross-tenant mailbox migration be possible? | Not as part of the FastTrack solution. For tenant-to-tenant migration, this can be discussed with either of the two organisations that are already able to do this (Accenture & BDS) or other organisations if they meet the requirements necessary for the shared tenant.
|
| 4 |
Are there any timescales in which FastTrack migrations need to be completed by?
|
There is no time limit. If your workload is compatible with FastTrack, then you can keep working on this. |
| 5 | Can I use FastTrack to migrate Local File Shares to shared tenant versions of SharePoint and OneDrive? |
Yes, FastTrack can migrate from local File Shares. More information on what data sources FastTrack can migrate from can be found at this link. If FastTrack isn’t possible, organisations can either run a self-migration or engage with a partner to assist with the migration. |
| 6 |
Is Microsoft Migration Manager tool a potential alternative to SharePoint Migration Tool?
|
This product is being used by the FastTrack process. Due to the permissions required, should an organisation not qualify for FastTrack, then it will not be available otherwise. |
| 7 |
Is there an option for OneDrive self-migration? |
The options for OneDrive self-migration are SharePoint Migration Tool, Quest Essentials Quest Content Matrix and BitTitan.
The SharePoint Migration Tool will allow you to migrate files from a designated storage.
Quest products will need to be installed by Quest, and then can be run by the local IT team.
|
| 8 | What is the shared tenant position on sharing sensitive information on SharePoint? | SharePoint is approved to hold sensitive data to “Official” sensitivity. If organisations are concerned– MFA can be set up on accounts via the portal – and users can also self-enrol.
Patient Identifiable Data (PID) should be stored in clinical systems and not in SharePoint. This should be part of the migration planning to ensure that this is the case.
Local organisations need to take a view in relation to their local policy and procedures, via local IG teams as necessary.
|
| 9 | What is your guidance with N365 OneDrive not being certified for PID, but shared drives often having PID in the files? | As with SharePoint, OneDrive is approved to “Official” sensitivity.
OneDrive should be used for personal documents, anything that is for teams or departments would need to be stored on SharePoint or Teams. |
| 10 | What file types are covered by the Quest products and are there any restrictions or advice on pre work needed? | The Quest products migrates all file types, apart from those which SharePoint does not permit, such as executables and databases.
Files with special characters will need to be renamed ahead of migration.
More information on the Quest products can be found at Essentials guidance and Quest Content Matrix.
|
| 11 | Does the migration process include labelling to support Data Loss Prevention (DLP)? | NHS Digital are working on a range of sensitivity labels along with the ability for organisations to request their own sensitivity labels and manual application of data classifications. This is so DLP policies can be assigned to those policies and have retention aligned to organisation’s requirements.
With the Quest tooling, you are also able to enrich the data on an ad hoc basis so where any additional fields can be created and migrated along with the data during the migration. It is not possible to accomplish this with the SharePoint Migration Tool. |
| 12 | Will it be possible for the FastTrack or migration partner to have access to admin permissions for the shared tenant? | Any migrations using tooling will need to be completed through specific permissions controlled by RBAC (Role-Based Access Control) controls which will be provided. Partners will not be given global admin or tenant wide permissions due to the security restrictions of the shared tenant. |
| 13 | Are there any architectural patterns for sharing nhs.net identities between the shared tenant Azure AD and an organisation’s own Azure subscription? | Yes, we have architectural designs for our products synchronising via TANSync.
Please see the TANSync overview guidance on the support site. |
| 14 | Is there a list of approved partners who can offer these tools? | At present only Accenture (working with BitTitan), BDS (working with Quest) are approved to work on the shared tenant. BitTitan is approved for use with self-migration.
Any new requests for tooling should be submitted by emailing feedback@nhs.net and requesting the Partner Assurance Requirements document to be sent to your organisation.
|
| 15 | How can an account with permission for migrations be requested? | NHS Digital have worked with the Accenture service desk, and a migration account with delegate permissions can be requested via the NHSmail service desk with appropriate authorisation.
|
