Local Administrators (LAs) can apply MFA Conditional Access to their organisation by creating a security group and adding their users into it. For more information on MFA CA, please see here.
Please note that this process has been reformed to use MFA CA and these users will be added into the MFA CA Standard Policy.
The interim process defined below has been created to allow Organisations to enable MFA in bulk for 50 users or more. Following the below steps will ensure that MFA is applied to the users provided in both the NHSmail tenant and via the Portal (to make sure they are visible via mailbox reports).
If an organisation is looking to enable MFA for a smaller number of users (50 or under), the quickest and most straightforward method is via the Admin tab on the NHSmail Portal. Select User Management, bulk select the users required using the checkbox next to each user, then click ‘bulk edit’. After this the user will be taken to a new screen and can select ‘Enable Azure MFA’.
1. Raising a ticket
Once you have validated your set of users, you will need to raise a ticket in the usual way via the NHSmail Helpdesk.
Please visit the NHSmail Helpdesk contact information pages. Incidents can also be raised using the Helpdesk Self-Service.
2. Providing the mandatory Minimum Dataset (MDS)
Regardless of how your ticket is raised, you must provide the below information to allow us to progress your request:
- A list of all mailboxes in-scope for MFA in the .csv format (this can be based on the Portal mailbox report).
The Organisation is responsible for data quality and for selecting the correct mailboxes to be MFA enabled. Only User accounts and Application accounts should be included, Shared Mailboxes are excluded from having MFA applied. Please also ensure that the list provided does not contain any accounts with a status of Deleted, Deleted Perm or Deleting.
How do I provide the email addresses for users who should be MFA enabled?
To provide the email addresses for all users who require MFA, you will need to download the mailbox report for the organisation that you are a Local Administrator for. Visit the NHSmail Portal > Reports > Admin Reports, then select Mailbox Report from the reports dropdown list and the Organisation you support from the target organisation dropdown.
Once the report is ready, copy the email addresses to a new worksheet and save is as a .csv file. All other data can be ignored and should be removed from the .csv if copied incorrectly.
3. Resolver Team Activities
Once your ticket has been submitted with the MDS information attached, the ticket will be assigned to the NHSmail Portal resolver team for action.
We aim to process your ticket within a 24-hour window wherever possible. However, please note, requests may be delayed if urgent priorities arise which must be addressed first. An example of this is where a High Severity Service Incident (HSSIs) occurs or an emergency release is in progress.
4. Ticket Resolution
Upon completion of the bulk MFA enablement activity, and validation that each user has successfully had MFA applied, the ticket will be returned to the Originator (the user who raised the original request) and will be given a Resolved status.
The ticket will remain in a Resolved state for 3 calendar days before being closed automatically. If you experience any issues within this window, please re-open the incident so that engineers can engage with you and fix any issues. Should you experience any issues beyond this time period, please raise a new incident, including the original Incident Reference, so that the relevant engineering team can investigate.
| Last Reviewed Date | 22/03/2024 |
