Please note this information is correct at the time of publishing.
Local Administrator (LA) bulletin – 31 March 2023
Dear Local Administrator,
To be actioned:
Basic Authentication Deprecation
Microsoft and NHSmail are planning to disable Basic Authentication for Microsoft Exchange Online. The below table shows the protocols in scope of deprecation and the retirement dates. If you need additional information, please refer to NHSmail support pages about Basic Authentication Deprecation.
| Protocol | Retirement Date |
| Exchange ActiveSync (EAS) &
Remote Procedure Call (RPC) |
27 April 2023 (evening) |
| Exchange Web Services (EWS),
Post Office Protocol (POP), Internet Messaging Access Protocol (IMAP) & Remote Power Shell (RPS) |
25 May 2023 (evening) |
Organisations and NHSmail users with managed or personal mobile and desktop devices could have mail/calendar applications connected with Exchange Online using basic authentication to send and receive emails which are likely to be impacted by this change.
Organisations’ in-house and third-party backend applications that are currently integrated with Exchange Online using RPS, POP or IMAP are also likely to be impacted by this change.
When these protocols are disabled, any mobile application or desktop client using basic authentication will not be able to connect to Exchange Online to send and receive email messages.
We strongly advise organisations and users to proactively act and follow the guidance in this article to avoid any potential disruption.
The below table provides an overview of the impact and point out to the guidance that organisations and users can follow to update their mobile applications and desktop clients.
| Protocol | User Impact | Guidance |
| EAS, EWS, POP & IMAP | Users with personal mobile and desktop devices using mail/calendar applications | User Guidance |
| Organisations with managed desktops using Microsoft Office Outlook clients | Admin Guidance | |
| RPC | Organisations with managed desktops using Microsoft Office Outlook 2010 or later | Admin Guidance |
| POP, IMAP & RPS | Organisations using in-house or third-party backend applications | Admin Guidance (Will be available soon) |
Important reminder: Private vs. public settings in O365
Microsoft Teams, SharePoint, and OneDrive are Microsoft apps that should have their privacy settings reviewed.
Default privacy settings should always be set to private otherwise you risk sharing content with all users on the NHSmail shared tenant and is not restricted to your organisation.
Always use the private setting when working on patient, employee, or other sensitive documents holding personal information as required by the Acceptable User Policy (AUP), you are responsible for those to be adhered to.
Please look at the NHSmail instructions to find out how to check these settings for these applications.
Multifactor Authentication (MFA) update
We recently confirmed that the MFA programme of work planned for 30 June 2023 to enable all user accounts will now take a change of approach, based on your thoughts and feedback.
Starting on Monday 3 July our focus will be on enabling MFA for new users upon account creation (this process will be automated) also providing the ability for organisations to use trusted sites via conditional access and mandating that all accounts signing in from outside the UK have MFA enabled as standard.
From 3 July 2023 to March 2024, we will look to enhance our reporting to support organisations when implementing and tracking MFA activity, supporting organisations in their own adoption planning and rollout following our policy and supporting guidance.
PODS users are initially out of scope but will be included towards the end of the year and Application accounts are also out of scope until certificate-based authentication is live within Microsoft and the NHSmail platform.
We expect the platform to have adopted MFA by 29 March 2024 and we have created an MFA Adoption Toolkit – NHSmail Support to help with this process.
Organisations are still encouraged to proceed with any current plans and activities for rolling out MFA utilising the current guidance available on the NHSmail support site – Multi-Factor Authentication (MFA) – NHSmail Support
Local Administrator webinar date change
The Local Administrator (LA) webinars are held every fortnight on a Friday at 12.30-1.30pm to support our LA community. Due to the Easter break, the next webinar has been rescheduled to Thursday 6 April 2023.
Further information:
Exchange Online Archiving
Exchange online archiving is a solution that allows you to store emails outside of your primary mailbox. The solution offers 100GB of initial storage alongside your standard 4GB mailbox and can be accessed via Outlook desktop application or Outlook on the Web.
We recommend that organisations utilise the Online archiving feature. This will free up space within your mailbox and improve Outlook performance.
It’s user’s responsibility to ensure the mailbox data is archived regularly in accordance with the local archiving policy and that mailbox quota is not breached. Failure to manage your mailbox quota may result in being unable to send or receive email potentially compromising clinical safety.
NHSmail Bring Your Own Device (BYO) solution
New Bring Your Own Device security controls are now available to all NHSmail organisations, regardless of whether the organisation has onboarded to the NHSmail Intune service. The solution provides security controls for an organisation’s Bring Your Own (BYO) devices that access NHSmail Office 365 services and are not enrolled to the NHSmail Intune service.
The BYO device security controls come in the form of 10 conditional access policies. Organisations can select from a range of options to apply security controls and restrict access to NHSmail O365 services. Local Administrators (LAs) can opt-in or opt-out users in their organisation of different controls.
For more information, please visit the BYO device Overview article and Local Administrator Guidance for more in-depth information about the licence requirements, the security controls available and how to adopt the solution.
An overview and deep dive webinar was held last month and the recording is available on the NHSmail support pages.
Self-service password reset
NHSmail is introducing an enhanced self-service password reset function that will enable users to reset their passwords 24/7 without the need to contact their local IT or NHSmail helpdesks.
The replacement self-service password reset function will be made available mid-April to all NHSmail users. We will be communicating with Local Administrators (LAs) shortly and with all users once it is available to share guidance on how to register and make use of this service.
We will be providing an overview of the password reset service in the next Local Administrator (LA) webinar (currently planned for Thursday 6 April 12.30-1.30pm).
NHSmail Solution Store
The NHSmail Solution Store is now live for users on the central tenant. The Solution Store is a central repository for Power Platform solutions. This allows users to share and discover solutions to common issues within the digital health space and enable best practice nationally.
Currently there is no centralised location for the NHS community to share their solutions. The Store will be a one stop shop for users looking for a solution to an issue or requirement from their organisation and will aim to reduce duplication and enhance service provision. This will free up time for developers to work on other projects.
Users will have the ability to both upload solutions they have developed and download solutions they find on The Store to implement within their organisations. The Store will exist on Microsoft Teams, and users will need a Power App licence to access The Store. To check if you have a Power App licence, please contact your Local Administrator.
To access The Store, please visit the NHSmail Support Site page.
If you have any questions about the NHSmail Solution Store, please contact feedback@nhs.net
Microsoft Teams Phone System is Coming Soon!
The NHSmail service is proud to provide an exciting update on Microsoft Teams Phone System. As per the NHSmail roadmap, organisations will shortly be able to request to onboard to the NHSmail Phone System Service.
The NHSmail Teams Phone System Service is a central tenant telephony capability, supporting external calling to Public Switched Telephone Network (PSTN) numbers directly from a user’s Teams client using their nhs.net address.
A custom Power App front-end will deliver a host of telephony and reporting services facilitating the management and administration of the service by each organisation.
The service provides two Public Switched Telephone Network (PSTN) connection offerings.
- Calling Plans: Microsoft’s end-to-end all in the cloud voice solution
- Direct Routing: SBCs deployed and managed by NHS organisations that will allow for integration with existing on-prem PBXs
Onboarding to the service will be done in a phased manner with monthly onboarding slots available on a first come, first served basis.
Look out for Phone System updates and guidance being published on the Support Site from next week.
Organisations can also register to attend the Phone System Launch and Deep Dive Webinar on Monday 17 April to hear more and ask any questions.
Best wishes,
NHSmail Team
