User account hygiene changes – scheduled 1 December 2022
User accounts that are not pro-actively used or monitored present a security risk to the NHSmail platform. To enhance security, from 1 December 2022 we will be making account hygiene changes.
What does this mean?
Both the ‘active’ AND ‘inactive’ periods for unused accounts are being reduced from 90 to 30 days.
Please note: There is no change to application accounts, shared, resource mailbox hygiene or the forensic process.
Disabled accounts will also be classified as inactive whilst in a disabled state, they will remain on the platform for 18 months with no additional activity required.
New user accounts that have been set up but have not accepted the Acceptable Use Policy (AUP) or set security questions will be moved to inactive within 30 days from creation.
User accounts will not be permanently deleted on the 1 December as part of this change, based on their current activity status they will move from:
- Active to deleted if 60+ days of no activity
- Active to inactive if 30-60 days of no activity
- Inactive to deleted if 30+ days in inactive state
- Accounts that move to deleted state will then have 30 days to be restored, if required
New management lifecycle for user accounts
What do I need to do?
Please remind your users that at least one of the below must be completed every 30 days to keep an account active:
- Logging into the NHSmail portal
- Logging into an NHSmail shared tenant O365 application (e.g., Teams)
- Use of O365 applications (e.g., Outlook with cached credentials)
- Sending an email
Please ensure that this change is communicated to your respective HR/IT teams to ensure local processes are updated in line with this change.
The mailbox report ‘account status’ column updates weekly on a Sunday evening. You will be able to assess the status of mailboxes across your organisation following the change.
We would advise that you review deleted mailboxes within 30 days of 1 December to ensure any required restoration activity is undertaken.
More information
Further detail and guidance will be published in the NHSmail Data Retention and Information Management Policy and Types of Account Status support site page.
Best wishes,
The NHSmail Team
Last Reviewed Date | 28/11/2022 |