As part of the Azure B2B Guest Access service, a number of controls have been put in place to mitigate the risks associated with sharing data with users from external organisations. One of these controls is a guest access attestation process, whereby an external user with a guest account requires an NHSmail user (who is set up as an eligible guest inviter) to approve an extension to their access. External users, will require an approval for an extension after the first 30 days of being granted access and every subsequent 180 days. If an approval is not provided, access will be revoked.
If you are an Eligible Guest Inviter, you will be able to action a guest access extension request via the NHSmail Portal.
Approving or rejecting extension of guest access for external users
To approve or reject an extension request:
1. Click the secure link within the guest access extension email that the external user has shared with you and log into the NHSmail Portal using your nhs.net account
Note: If you are already logged in to the NHSmail Portal, go to step 2 after clicking on the secure link.
2. Select the Checkbox next to the request
3. Click Approve or Reject
- If the Guest User is unable to find their invitation and they are in a Pending Invite status, users with the Guest Inviter role can re-send the invitation, via the ‘Re-Send Guest Invite’ button located towards the top of the page when selecting a user(s).
- If the external user is granted an extension to their access, they will retain their permissions for 180 days. After this period, the process will be repeated and they will require another extension.
- If an external user is a member of an external federated group, they will be exempt from this process.
If the external user’s guest access request is rejected, their guest account will be removed immediately and they will lose all their permissions, i.e. they will not be able to access documents that they had access to previously. This action cannot be reversed, so if they need guest access again, they will need to be re-invited and data will need to be shared again.
| Last Reviewed Date | 09/12/2022 |
