Local Administrator (LA) bulletin – 2nd October 2023

Please note this information is correct at the time of publishing.

Local Administrator (LA) bulletin – 2 October 2023

Dear Primary / Local Administrator,

To be actioned:

Coming soon: MFA for new NHSmail users as default

We would like to advise you that all new user accounts will have MFA applied by default from the 5 October 2023 (excluding PODS users) as part the Hague 2.0 portal release

What will this mean for new users?

When a new user activates their account for the first time, they will need to:

  • Accept the AUP and set their account secret
  • They will be logged out and upon next log-in they will be prompted to register for MFA
  • Once registered for MFA their account will be secured and they will be prompted for MFA when logging into their NHSmail account

Please note: Users will not be able to bypass the MFA registration, however, LAs will be able to disable MFA via the user management page if necessary. Organisations should consider the cyber security implications of disabling MFA and record associated risks locally.

What action do LAs need to take?

  • We advise that you update any local guidance for new starters to include MFA registration as part of setting up their NHSmail account

Please note: New NHSmail accounts converted to application accounts will automatically have MFA removed as part of the conversion process.

To find out more about the MFA roadmap and upcoming changes please join our fortnightly MFA webinars and review previous recording of webinars.

Please also see MFA guidance on the support site.

Live: Multi-Factor Authentication (MFA) Conditional Access Policies

A new process to enrol existing users for MFA is now available on the NHSmail platform.

What is MFA Conditional Access (CA)?

MFA Conditional Access (CA) is the new strategic MFA solution made available by Microsoft. It is a feature of Azure AD that allows the definition of policies that require additional authentication methods before granting access to an application or service.

There are two types of MFA CA Policies:

  • MFA CA Standard Policy –users with this policy will have MFA enforced on their accounts and be prompted for MFA upon log-on
  • MFA CA Named Locations Policy –users with this policy will also have MFA enforced on their accounts but will not be prompted for MFA upon logon if their devices are connected to a named location network

What action do Local Administrators (LAs) need to take?

  • LAs can create security groups using the new Security Group Management solution that was deployed as part of the latest NHSmail Portal release on 7 September 2023
  • Once the security group is created, it can be linked to an MFA CA policy using a Helpdesk Self-Service (HSS) form
  • In addition to the above steps, organisations that want to use the MFA CA Named Location Policy will require HSCN connections or to submit their IP addresses via the HSS form for approval (subject to all prerequisites being met)

Per-User MFA & MFA CA Coexistence

There will be a period of coexistence between both MFA types, with a view to move solely to MFA CA in future. This means that some functions within the NHSmail Portal will work for Per-User MFA application, whilst others will work for MFA CA. Longer term, we are working to align all functionality to MFA CA and phase out Per-User MFA.

Live: Security Group Management for NHSmail

The NHSmail security groups functionality provides Local Administrators the ability to create, manage and control Microsoft 365 static mail-enabled and non-mail-enabled security groups.

Security groups are a Microsoft 365 functionality that can be used to group users together that require the same permissions. They are primarily used for granting access to Microsoft 365 resources such as SharePoint Online, OneDrive and PowerApps. For example, security groups can be used to configure SharePoint and OneDrive permissions, or they can be used for sharing a PowerApps.

For NHSmail, two types of security groups are available for management via the NHSmail Portal: static mail-enabled security groups and static non-mail-enabled security groups. Local Administrators can manage static mail-enabled and non-mailenabled security groups via the NHSmail Portal.

Coming Soon: Teams shared channels

We are pleased to announce that during October 2023 we plan to release Teams shared channels.

Shared channels act as collaboration spaces in Microsoft Teams for colleagues inside and outside of NHSmail to chat and collaborate on documents. A shared channel functions like any other channel within a Teams site, so users can seamlessly chat, store, edit and collaborate on documents and files held within the shared channel.

To learn more about how Teams shared channels will work, please attend the LA Webinar on 6 October at 12.30.

Further information and guidance will also be published on the NHSmail support site in the coming weeks.

Office Script Files on unmanaged devices

Microsoft is implementing SharePoint and OneDrive conditional access policies for unmanaged devices for Office Scripts files. This means that users on unmanaged devices will have their access to Office Scripts functionality restricted based these policies.

When this will happen:

We will be turning enforcement on in late September 2023 and start rolling out an updated error message for Excel clients.


Users on unmanaged devices may start encountering errors if they attempt to use Office Scripts in Excel or Power Automate. In older versions of Excel, they will see the error: “We weren’t able to load your script. Please try again.” Eventually, this error message will be updated to: “Due to organizational policies, you can’t access this script from this untrusted device.”


We recommend organisations choose to enrol their users’ devices into an appropriate device management solution.

Further information:

Avatars for Microsoft Teams Minimum Hardware requirements – MC672518

Avatars for Microsoft Teams app is updating the minimum hardware requirements to access this feature. The new minimum hardware requirement is a two core CPU with 6GB RAM. Users will not be able to utilise this feature if their device does not meet the minimum hardware requirements.

Microsoft advise that the rollout for the hardware requirements is expected to be completed by end of September. Whilst no action is required by PLA/LA for the change, it is recommended that communications are shared with your colleagues where it is known that devices do not meet the minimum standards, to reduce impact on your IT support processes.

The NHSmail team will be communicating this through an Office 365 update (Company Communicator) message and updates to the NHSmail support site article.

Check out the MS Teams guide for further information on our NHSmail support site.

Personalise your M365 experience using Microsoft 365 themes

NHSmail has enabled Microsoft 365 themes which are designed to improve the user experience.

Users can now change from the default organisational theme and choose a different one to best suit their needs.

To find out more visit our NHSmail support page for changing themes in M365.

Asset Booker in Humber and North Yorkshire ICB

Read about Steve Waudby’s journey, a Primary Local Administrator (PLA) for the Integrated Care Board (ICB) and how he has implemented DigPacks asset booking solution across four regions reducing the need for staff overheads.

To read the story about Steve journey please visit the NHSmail support page: Efficient Facility Management through Desk Booking Apps in Humber and North Yorkshire ICB – NHSmail Support

NHSmail Collaboration Services Townhall recordings

The NHSmail Collaboration Services townhalls are held monthly for collaboration software licensing nominated contacts within your organisation.

The Townhall on 21 September recording is available on the NHSmail support site.

Best wishes,
The NHSmail team

Updated on 04/10/2023

Related Articles

Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact Support
back to top