The NHSmail security groups functionality provides Local Administrators with the ability to create, manage and control Microsoft 365 static mail-enabled and non-mail-enabled security groups.
The target audience for this guidance is Local Administrators. If you are a user with questions about security groups, please contact your Local Administrator.
This article is intended to give an overview of the new NHSmail security groups functionality. For more information, please refer to the Managing NHSmail Security Groups article or the NHSmail Security Groups Frequently Asked Questions (FAQs) article for Local Administrators.
What are security groups?
Security groups are a Microsoft 365 feature used to group together users who require the same permissions. They are primarily used for granting access to Microsoft 365 resources such as SharePoint Online, OneDrive and PowerApps. For example, security groups can be used to configure SharePoint and OneDrive permissions, or they can be used for sharing PowerApps.
For NHSmail, two types of security groups are available for Local Administrators to manage via the NHSmail Portal: static mail-enabled security groups and static non-mail-enabled security groups.
What are mail-enabled and non-mail-enabled security groups?
Static mail-enabled and non-mail-enabled security groups perform similar functions, with two key differences:
- Static mail-enabled security groups are compatible with all Microsoft 365 service offerings, whereas static non-mail-enabled security groups are not compatible with some offerings. Full details are provided in the table below.
- Static mail-enabled security groups include the ability to send mail to all the members of the group, but for the purposes of NHSmail, Distribution Groups should be used to send mail to members of a group.
The following table provides an overview of the Microsoft 365 service offerings that are compatible with static mail-enabled security groups, static non-mail-enabled security groups, or both.
Service Name / Type | Compatible with non-mail-enabled security groups? | Compatible with mail-enabled security groups? |
Teams | No | Yes |
Teams Shared Channels Policies | Yes (recommended) | Yes |
SharePoint Online | Yes (recommended) | Yes |
OneDrive | No | Yes |
PowerApps | Yes (recommended) | Yes |
PowerAutomate | Yes (recommended) | Yes |
Sway | Yes (recommended) | Yes |
Power BI | Yes (recommended) | Yes |
Power BI Tenant Settings | Yes (recommended) | Yes |
Power BI Capacity Admins | Yes (recommended) | Yes |
Application Access Policies | No | Yes |
Why is this functionality important for NHSmail organisations?
Allowing Local Administrators to create and manage their own security groups gives them additional control over their local organisation’s security. It allows Local Administrators to better manage security risks by tailoring access policies and permissions to specific organisations and users.
What are the benefits?
- Reducing security risks and providing better security controls by allowing closer and immediate management of users and access permissions
- Giving Local Administrators the control and responsibility to organise and manage their users, providing a greater degree of organisational autonomy
- Enabling faster and easier roll-out of features and services across the tenant, accelerating future NHSmail enhancements and their adoption
How will the NHSmail security groups work?
Local Administrators can manage and control the security groups they create via the NHSmail Portal. This does not apply to automated all-users dynamic non-mail-enabled security groups, which are managed by a stand-alone process that sits outside of the NHSmail Portal.
Via the NHSmail Portal, Local Administrators can:
- Create new security groups (including mail-enabled all-user security groups for a particular ODS code)
- View their security groups
- Search for security groups
- Edit their security groups
- Update the user membership of their security groups (both individually and in bulk)
- Nest security groups within other security groups
- Export the members of a security group
- Access basic reporting for security groups
Once security groups are created, these can be used with various Microsoft 365 services as per their support model. For example, security groups can be used to share a Sway or PowerAutomate, or they can be used to limit the scope of different Power BI tenant level settings.
Where can I find out more about NHSmail security groups?
For more information, please refer to the Managing NHSmail Security Groups article or the NHSmail Security Groups Frequently Asked Questions (FAQs) article for Local Administrators.
Last Reviewed Date | 08/09/2023 |