Now available: Multi-Factor Authentication (MFA) Conditional Access Policies
Coming Soon: MFA for new users by default w/c 2 October
Dear Local/Primary Local Administrator,
As you are aware we are working towards Multi-Factor Authentication (MFA) being applied for all users across the NHSmail shared tenant to improve security, increase the protection of user and organisational data, and comply with the recently released national NHS England MFA policy.
To support this MFA roll out, a new process to enrol existing users for MFA is now available on the NHSmail platform.
What is MFA Conditional Access (CA)?
MFA Conditional Access (CA) is the new strategic MFA solution made available by Microsoft. It is a feature of Azure AD that allows the definition of policies that require additional authentication methods before granting access to an application or service.
There are two types of MFA CA Policies:
- MFA CA Standard Policy – users with this policy will have MFA enforced on their accounts and be prompted for MFA upon log-on
- MFA CA Named Locations Policy – users with this policy will also have MFA enforced on their accounts but will not be prompted for MFA upon logon if their devices are connected to a named location network
For full guidance on how to onboard to the Conditional Access Policies please see the MFA CA Policy Onboarding Guide.
What action do Local Administrators (LAs) need to take?
- Review the Conditional Access support site guidance and plan how this will fit in with your organisation’s plan to roll out MFA
- LAs can create security groups using the new Security Group Management solution that was deployed as part of the latest NHSmail Portal release on 7 September 2023
- Once the security group is created, it can be linked to an MFA CA policy using a Helpdesk Self-Service (HSS) form
- In addition to the above steps, organisations that want to use the MFA CA Named Location Policy will require HSCN connections or to submit their IP addresses via the HSS form for approval (subject to all prerequisites being met). Please see the Named Locations Registration Guide
Coming soon: MFA on for new NHSmail users as default
We would like to advise you that all new user accounts will have MFA applied by default the week commencing 2 October 2023 (excluding PODS users).
We will be communicating the exact date and further details shortly.
What action do LAs need to take?
- We recommend that you update any local guidance for new starters to include MFA registration as part of setting up their NHSmail account
Further information
To find out more about the MFA roadmap and upcoming changes please join our fortnightly MFA webinars and review previous recording of webinars.
Please also see MFA guidance on the NHSmail support site.
Best wishes,
NHSmail team
| Last Reviewed Date | 29/09/2023 |
