Dear Primary/Local Administrator,
As you are aware we are working towards Multi-Factor Authentication (MFA) being applied for all users across the NHSmail shared tenant to improve security, increase the protection of user and organisational data, and comply with the recently released national NHS England MFA policy.
To support the MFA roll out, we would like to advise you that all new user accounts will have MFA applied by default from 5 October 2023 (excluding PODS users).
What will this mean for new users?
When a new user activates their account for the first time, they will need to:
- Accept the Acceptable Use Policy (AUP) and set their account secret
- They will be logged out and upon next log-in be prompted to register for MFA
- Once registered for MFA their account will be secured and they will be prompted for MFA when logging into their NHSmail account
Please note: Users will not be able to bypass the MFA registration, however Local Administrators (LAs) will be able to disable MFA, if necessary, via the user management Portal page and after the new user has accepted the AUP. Organisations should consider the cyber security implications of disabling MFA and record associated risks locally.
What action do LAs need to take?
- We advise that you update any local guidance for new starters to include MFA registration as part of setting up their NHSmail account
- Note – the Authenticator App is the preferred MFA option as it is the most secure
- Keep an eye out for updated guidance on the NHSmail support site
Please note: New NHSmail accounts converted to Application Accounts will automatically have MFA removed as part of the conversion process.
Further information
To find out more about the MFA roadmap and upcoming changes please join our fortnightly MFA webinars and watch previous recordings of the webinars.
Please also see MFA guidance on the NHSmail support site.
Best wishes,
The NHSmail team
