User Policy Management: Introduction


User policies enable LAs to manage O365 application access and settings for their users through the NHSmail Portal.

What to expect in this article:

  • Procuring Add-On or Top-Up Licences
  • How to Manage User Policies
  • Additional User Policy Information

Introduction to User Policy Management

As part of the NHSmail Refresh, one National User Policy has been created for every Organisation Data Service (ODS) code on the NHSmail platform. This National User Policy represents the default O365 configuration available under the national N365 E3 Restricted licence provision and will be the default policy all users are added to through the NHSmail Refresh programme. The National User Policy will show as – ODS National Policy in the NHSmail Portal.

LAs can also create additional policies for their organisation alongside the national policy and move users between them at their discretion (for their respective organisations). The default user policy will be configured as per the application settings outlined in the table below. It cannot be changed; however, LAs can create new user policies to provide access to applications that are turned off by default.

Once users are created, the system will automatically migrate the new account in most cases within an hour to Exchange Online, where they will be automatically added into the National User Policy for their organisation. If a new account is not migrated for an extended period of time (e.g. more than 24 hours) Local Administrators can raise a ticket with the NHSmail National Helpdesk to resolve.

Please visit the Platform sync timings guidance for further information.

Please note that some features are only available once a mailbox has been migrated to Exchange Online (Office 365).

Application Name                                       National User Policy Setting
Microsoft To Do                                        On
Microsoft Stream                                       On
Microsoft Shift / Staff Hub                            On
Microsoft PowerAutomate (Flow)                         On
Microsoft PowerApps                                    On
Microsoft Teams                                        On
Microsoft Planner                                      On
Microsoft OneDrive for Business and Office Online      On
Microsoft SharePoint Online                            On
Microsoft Exchange Online                              On
Microsoft Search                                       On
Microsoft Whiteboard                                   Off
Microsoft Forms                                        Off
Microsoft Sway                                         Off
Microsoft Yammer                                       Off

It is the responsibility of local organisations to enable or disable O365 functionality for their users subject to local risk appetite and Data Protection policies on offshoring. Information on data residency for O365 applications can be found here.

User Policy Management for your organisation

An organisation can have multiple user policies, alongside the standard National User Policy, with different settings applied to each policy. This allows organisations to create different user policies based on a variety of user needs.

For example, a Local Administrator can create a policy for users who need access to Microsoft Teams, OneDrive and SharePoint only, and a different policy for users who only need access to Microsoft Shifts. It is also possible to create a policy to require users to have multi-factor authentication enabled on their account.

Important Note

It is recommended that LAs do not enable MFA for their user base until they have completed their migration to Exchange Online. If MFA is enabled for on-premise users, they will be required to complete additional steps to establish connectivity to Exchange Online during the Refresh process. Further detailed MFA guidance can be found here.

Any additional policies will utilise the nationally provisioned O365 allocation for that organisation and its associated users. Organisations that have procured a top-up licence can use it as well as, or instead of, the national allocation to enable any additional capabilities.

Procuring add-on or top-up licences

Organisations can continue to procure add-on or top-up licences and onboard them to the NHSmail tenant, should they wish to access additional features or higher O365 licence types. Please visit the onboarding guide for detailed step by step instructions of how to do so.

Add-on or top-up licences procured and onboarded by an organisation can be managed the same way as standard user policies in the NHSmail Portal. These licences will appear automatically in the User Policy Management page once onboarded.

How to Manage User Policies

The following start guides aim to provide instruction on how to perform key tasks in user policy management:

Additional User Policy Information

There are some additional user policy features to be aware of; these are detailed below:

1. Default Policies: Organisations can update their default policy via a service request to the NHSmail helpdesk, and from December 2020 newly created accounts will be automatically added to this default policy.

Please note, once users are created, the system will automatically migrate the new account in most cases within an hour to Exchange Online, where they will be automatically added into the National User Policy for their organisation. Local Administrators can move users between this policy and the local default policy as required (this does not include pre-existing user policies set up by hybrid organisations).

To check what your default policy is, go to Admin, Organisations, Manage Organisations. Choose your organisation and select Policies. Your default policy will be shown as per the image below.

2. Joiners, Movers and Leavers:
  • Joiners: Will automatically be added to your organisation’s National User Policy (or Default policy if it has been changed). This will happen at the point of migration to Exchange Online through the NHSmail Refresh.
  • Movers: All users must be part of a user policy. There are two mechanisms to transfer users between user policies:
    • i. Via the User Policy Management page: adding a user to a new policy will automatically remove them from their old one.
    • ii. Via the User Management page: search for an individual user, select edit user policy property and hit transfer. This will take you to the page shown below where you can select a new user policy.
  • Leavers: When marking a user as a leaver there are a few additional considerations to make, such as whether the user needs to retain their OneDrive content. Please see further guidance on how to mark an NHSmail Office 365 user as a leaver.

3. Teams Recording: Will be enabled as default on all newly created user policies, in line with current settings on the platform. This can be manually disabled by Local Admins if required. Please see further guidance on Teams Call Recording, including instructions on how to setup, access and manage call recordings.

4. Policy Status: Users can only be assigned to one policy. To check a specific user’s policy, navigate to Admin, User Management and search for the user in question. You will see the user policy detail within the directory properties. This will show what policy the user is part of (if any).

Creating Microsoft Teams & SharePoint Collections

LAs can also create new Teams and SharePoint Collections through the NHSmail Portal. Specific guidance on how to perform these actions can be found via the links below:

Updated on 26/08/2021
