Coming soon: Multi-Factor Authentication (MFA) Conditional Access Policies
Dear Local/Primary Local Administrator,
As you are aware we are working towards Multi-Factor Authentication (MFA) being applied for all users across the NHSmail shared tenant to improve security, increase the protection of user and organisational data, and comply with the recently released national NHS England MFA policy.
To support this MFA roll out, a new process to enrol existing users for MFA will be available on the NHSmail platform from the week commencing 18 September 2023.
What is MFA Conditional Access (CA)?
MFA Conditional Access (CA) is the new strategic MFA solution made available by Microsoft. It is a feature of Azure AD that allows the definition of policies that require additional authentication methods before granting access to an application or service.
There will be two types of MFA CA Policies:
- MFA CA Standard Policy – users with this policy will have MFA enforced on their accounts and be prompted for MFA upon log-on
- MFA CA Named Locations Policy – users with this policy will also have MFA enforced on their accounts but will not be prompted for MFA upon logon if their devices are connected to a named location network
What action do Local Administrators (LAs) need to take?
- LAs can create security groups using the new Security Group Management solution that was deployed as part of the latest NHSmail Portal release on 7 September 2023
- Once the security group is created, it can be linked to an MFA CA policy using a Helpdesk Self-Service (HSS) form
- In addition to the above steps, organisations that want to use the MFA CA Named Location Policy will require HSCN connections or to submit their IP addresses via the HSS form for approval (subject to all prerequisites being met)
Per-User MFA & MFA CA Coexistence
There will be a period of coexistence between both MFA types, with a view to move solely to MFA CA in future. This means that some functions within the NHSmail Portal will work for Per-User MFA application, whilst others will work for MFA CA. Longer term we are working to align all functionality to MFA CA and phase out Per-User MFA.
Further information
To find out more about the MFA roadmap and upcoming changes please join our fortnightly MFA webinars and review previous recording of webinars.
Please also see MFA guidance on the NHSmail support site.
Best wishes,
NHSmail Team
| Last Reviewed Date | 29/09/2023 |
