Local Administrator Webinars

Application Account Conversion – new process
The recent Franklin-Jones release gave all Local Admins the ability to convert application accounts directly without the need for a HSS request. 

Please be aware that user accounts which belong to actual individuals should not be converted to application accounts. The NHSmail team will be doing regular checks on recently converted accounts to ensure that no accounts belonging to individual users have been converted in error. 

Example: 

john.doe@nhs.net should not be converted to an application account as this account belongs an individual and a new generically named account needs to be created to then be converted 

Delayed Email Delivery Issue – 18 July 2023  (INC37076937 – Delayed eMail Delivery – RESOLVED – NHSmail Support) 

Email delivery delay issue potentially triggered by two Microsoft service degradations: 

• https://support.nhs.net/2023/07/microsoft-365-alert-service-degradation-exchange-online-users-inbound-and-outbound-email-delivery-may-be-delayed-for-15-minutes-or-longer-in-exchange-online/ 
• https://support.nhs.net/2023/07/microsoft-365-alert-service-degradation-exchange-online-some-users-may-be-unable-to-send-exchange-online-email-messages/ 

Emails continued to be delivered throughout the incident, however, some users may have experienced delays in emails being received in the recipient’s mailbox.  

Detailed overview of incident and remediation provided by Accenture. 

GP Phone System Retirement (Information – GP Phone System Retirement – NHSmail Support)
As highlighted by the Digital Primary Care team in May, the central provision and availability for Teams Phone System for GPs to use for outbound called will cease on 31 July 2023 at the end of the grace period. 

From this point onwards, users at impacted organisations will be unable to make outbound calls to external PTSN numbers via the Teams client. This will not impact any organisations who have purchased and are using their own Teams Phone System licences. 

Please note that any NHSmail User Policies that were created as part of the central service roll out will be renamed to remove the Phone System suffix from the naming convention. After 31 July, LAs will then be able to edit or re-name these policies as required. 

O365 Updates – Ideas Welcome 

https://forms.office.com/e/LiBTKC8pcF 

You’ll all be familiar with the central O365 updates that appear in Teams to keep you all in the loop. We’re keen to source ideas for these updates from the LA community – if there are any specific topics you’d like 

REMINDER: SMTP on user accounts
Quick reminder that SMTP should not be enabled on standard user accounts. If you have an account which requires SMTP to be enabled, this needs to be converted to an application account prior to SMTP being enabled. 

SMTP on standard user accounts is being removed as part of a standard BAU background process and we recommend that LAs check their mailbox reports regularly to capture and proactively remediate any standard user accounts that have had SMTP enable in error.  

FastTrack Overview – Danish Mahmood 

• General Updates
• Live demo of the released Self-Service Password Reset
• Bring Your Own Device security controls and deep dive webinar reminder
• An update on converting user accounts to shared mailboxes
• O365 Company Communicator updates from Centre of Excellence Team
• Q&A time

•  This week LA bulletin covered developments on the new user account secret questions 

• Intune and MFA updates. In terms of numbers, there are 5k Intune devices enrolled and 180k accounts with MFA enabled. 

• The Franklin Jones release on Wednesday 5 July will give the ability for LA/PLA to convert user mailboxes to Application account – NHSmail Support 

• SMTP on user accounts will be withdrawn from user accounts on a regular basis; it is critical that this protocol is not re-added. 

• Discussion about Otter. Ai and similar tooling, local governance as to whether it should be used or not. 
• PODS team general update 
• Updates were done by the Technical Architects team 

• Update on the Microsoft contract and the participation agreement 

All User Comms – NHSmail Annual Survey 

Many of you will have already spotted, an all user comms was sent out yesterday to thank everyone for their participation in the NHSmail Annual Survey and share the key scores on the door with everyone.

Myself and the wider Service Management team would also like to pass on our personal thanks to everyone who took part. We appreciate you taking time out of your hectic schedules to do so and for continuing to collaborate with us year-round to continually improve the service. 

Infrastructure Upgrade 23-25 June
Information – Planned Infrastructure Upgrade (NHSmail Datacentre) – First Notice – NHSmail Support 

We will be completing an infrastructure upgrade next week starting at 7:00pm on Friday 23 June and completing on 25 June. During this period, all traffic will be actively routed via the active data centre to ensure there is no impact on end users. 

Any organisations that are using direct IP addresses rather than DNS to access the email gateways may potentially lose service during the upgrade and if you believe that this affects your organisation, we recommend using our standard DNS settings to prevent any loss of service. Guidance regarding the relay config – https://support.nhs.net/knowledge-base/relay-configuration/ 

Where switching to the standard DNS settings is not possible or you perceive that there could potentially be significant user impact resulting in a clinical risk, we would encourage you to contact the Helpdesk for further guidance.

We expect there to be no service impacts as mentioned earlier, but as ever I’d encourage you to review your service continuity plans. 

Trend/Junk Issue
INC36247960 – Legitimate Mail Being Directed to Junk Folder – RESOLVED – NHSmail Support 

This audience will also be aware of the issue we had last week around legitimately emails being falsely flagged as Junk mail and move to Junk Mail in error.

This issue has now been fully resolved and the Accenture team continue to work closely with our third-party security provider on this and any wider improvements that are required to prevent a recurrence. 

Pronouns Option in Teams 

As it is Pride Month this month, I am delighted to announce that the option to add your Pronouns to your profile in Teams will be available in the NHSmail tenant from the middle of next week. 

Adding your Pronouns to your Teams profile card will be entirely optional. However, I would like to encourage as many of you to do so as possible as it is a quite uncomplicated way that you can show your support for your LGBT colleagues across health & social care all year round. 

REMINDER: Public vs Private 

Reminder that in most cases Teams, SharePoint and Stream content should be set to Private rather than Public or visible to Everyone in my organisation. If content is set to be accessible by Everyone in my organisation, this will make the content viewable by every user on the NHSmail shared tenant which is unlikely to be appropriate in most cases.

As you will all be aware, we have the privacy notifications in place that are triggered when any Teams, SharePoint or Streams content is change from the default Private setting to Public and notifies both LAs and the content owners. However, we are still seeing quite a lot of the content that is being set to Public and then left as Public. It is the responsibility of LAs and content owners to review and act on any privacy notifications received.

To try and help organisations with this we will be sending out some additional comms in the near future to give organisations a better picture of their numbers in this space.

Current guidance: Private vs. public settings in O365 – NHSmail Support
Privacy monitoring: O365 Privacy Monitoring – NHSmail Support

 REMINDER: SMTP on user accounts 

Another quick reminder that SMTP should not be enabled on standard user accounts. If you have an account which requires SMTP to be enabled, this needs to be converted to an application account prior to SMTP being enabled.  

Accessibility Testing Volunteers – Portal Refresh – Last Chance! 

We still have a few places left for Accessibility testers for the Portal refresh project, but they are filling up quickly.

If anyone on this call would be interested in taking part in this, please contact Hafsa (hafsa.hersi1@nhs.net) directly to register. 

VN162 User Secret – New Users – presentation (see recording for full details) 

Findlay Release – 22 May 2023 – Findlay Release – Content Summary – NHSmail Support
The Findlay release was successfully deployed on Monday 22 May. This release was largely aimed at completing further preparatory work ahead of the platform-wide MFA changes that will start rolling out from July.

Couple of key items to note include:

• A bug fix to improve the MFA reporting in relation to the Authentication Type information that is present in the current report.
• A new onboarding flow for the M365 E5 licence to enabled organisations to onboard this licence type.
• Improvements to the telephone field to allow extension numbers to be added.

Basic Auth Deprecation

Thank you to all LAs for the work they have put in to prepare their organisations for the basic auth deprecation and remediate affected accounts as needed.

Portal Issue – LA functions
Details of the issue whereby an error message was being throw when LAs trying to undertake certain LA functions on 23 May.

INC35997807 – Portal Local Administrator Functions – RESOLVED – NHSmail Support

Relay issue – Delayed delivery –

Details of the email delivery delay issue also identified on 23 May impacting various external and internal domains.

INC36002954 – Delayed Email Delivery – RESOLVED – NHSmail Support

Public vs Private
Reminder that in the majority of cases Teams, SharePoint and Stream content should be set to Private rather than Public or visible to Everyone in my organisation. If content is set to be accessible by Everyone in my organisation, this will make the content viewable by every user on the NHSmail shared tenant which is unlikely to be appropriate in most cases.

As you will all be aware, we have the privacy notifications in place that are triggered when any Teams, SharePoint or Streams content is change from the default Private setting to Public and notifies both LAs and the content owners. However, we’re still seeing quite a lot of the content that is being set to Public and then left as Public. It is the responsibility of LAs and content owners to review and act on any privacy notifications received.

To try and help organisations with this we will be sending out some additional comms in the near future to give organisations a better picture of their numbers in this space.

• NHSmail Roadmap – NHSmail Support has been published with addition of Microsoft Defender for Endpoint slides
• Overview of the new elements of licence agreement for example: audio conferencing.
• Basic Authentication Deprecation – NHSmail Support progress update
• Conditional Access for the MFA progress update
• Accenture Team update

General updates:

• Basic Authentication presentation covers how users can register their applications to use OAuth 2.0; how users can configure their applications depends on the software they are using.
• Brief Service management updates: Multi-factor Authentication abroad update,
• A reminder that the Teams Rooms Licencing expiration date is July 1^st
• A reminder about the GP telephony deadline expired on 30 April 2023 and is now following a 30-day grace period
• Bulletins and communications – NHSmail Support – latest bulletin can be found here
• Latest LA bulletin is available on NHSmail support pages

Technical Architects updates:

• Roadmap now includes MDE changes and updated application approved/rejected
• Basic Auth deprecation updates for EAS/RPC
• GP Phone System decommissioning
• Security Groups work has begun; delivery is planned in 3-4 months.
• Self Service Password Reset – status – work in progress

Other information:

We will establish a page for events that are taking on in the NHSmail team. Various Deep Dive sessions are available on the NHSmail support pages and are listed below.

• Intune,
• Phone System Deep Dive
• Conditional Access Deep Dive for Bring Your Own Device
• Planning TanSync Deep Dive for June/July

Infrastructure Upgrade 21-23 April

Information – Planned Infrastructure Upgrade (NHSmail Datacentre) – Postponed – NHSmail Support

Updated note: this upgrade has since been postponed and new notifications will be added to the Announcements section of the NHSmail support site closer to the new dates.

Guidance regarding the relay config – https://support.nhs.net/knowledge-base/relay-configuration/

VN121B Release – 13 April 2023

The VN121B release was successfully deliver last week.

This release included a fix for the Multifactor Authentication (MFA) disablement bug mentioned on the previous session and after a period of monitoring post-release we can confirm that fix included in the release has resolved this issue.

The release also included a fix for the MFA status report issue we saw around the report timing out and not running for organisations. We have also been monitoring this since the release last week and can confirm that the timeout issue is resolved. We are aware that there are one or two tickets from organisations about this report, but these do not appear to be related to the timeout issue that the release fix was targeting and are being picked up separately

Portal Issue / Microsoft Global (SMB) Issue / Email Send Issue
We’ve had 3 key issues this week affecting the service, all of which are now fully resolved.

Further details on each can be found on the announcement links below:

• Portal Slowness:INC35358395 – Portal Slowness – RESOLVED – NHSmail Support
• Microsoft Global Issue (NHSmail impacts):
  INC35398047 – Shared Mailbox Access Issue – RESOLVED – NHSmail Support
• Intermittent email send issue to Microsoft email addresses:
  7016347354 – Issues Sending Mail to Microsoft Email Addresses – RESOLVED – NHSmail Support

Public vs Private

Reminder that in the majority of cases Teams, SharePoint and Stream content should be set to Private rather than Public or visible to Everyone in my organisation.

Current guidance: Private vs. public settings in O365 – NHSmail Support
Privacy monitoring: O365 Privacy Monitoring – NHSmail Support

MFA Update
Update: the NHSmail MFA policy has now been published: NHSmail MFA Policy – NHSmail Support

Next webinar – Basic Auth demo – 5 May 2023

We will also have a demo on the next webinar around the basic auth process that will cover the use of both in-house and third-party applications that need to register with Azure Active Directory ahead of the basic auth deprecation deadline in June

Infrastructure Upgrade (Hemel) 14 April – 15 April –

Information – Planned Infrastructure Upgrade (Hemel Datacentre) – First Notice – NHSmail Support
Work will begin at 19:00 on the Friday and similar to the recent Slough upgrade, there will be 3 notices to raise awareness on the support site beginning from Tuesday 11 April.

During the change window, all traffic will be re-routed to the active data centre to ensure there is zero-impact on NHSmail users.

Please note that any remote organisations that use direct IP addresses rather than DNS to access the email gateways my potentially lose service during the upgrade activity. If you believe that your organisation is using direct IPs for any system config, we would strongly advice that these are changed to use our standard DNS settings to prevent any loss of service. The following guidance shows how this change can be made: https://support.nhs.net/knowledge-base/relay-configuration/

If changing to use DNS is not possible and significant end user impact that could potentially result in clinical risk during the change window is identified, please contact the Helpdesk for further guidance.

Whilst we expect there to be zero impact to end user, we would advise that you ensure that your service continuity plans are reviewed in advance.

High-Send Solution Issue (30 March) – INC35069133 – High Send Authentication Errors – Monitoring – NHSmail Support
This issue is fully resolved and the high-send solution is operating as normal. Full details of the incident can be found on the Announcements page.

Portal Slowness Issue (4 April) – INC35148773 – Portal Slowness – RESOLVED – NHSmail Support
Intermittent Portal slowness issue affecting the User Management section. This appears to have been a transient issue and no further impacts have been seen since.

MFA issue
Issue identified whereby a small number of platform uses have had MFA disabled as the result of a bug. An interim solution is now in place that will run every 30 minutes during the working day to reapply MFA to any users who have been affected by this.

Please note that this only impact users who fit a specific set of criteria and have also had MFA enabled via either their LA or self-enrol. Users with role-based MFA or who have had MFA enforced by the compromised account process remain unaffected.

A high priority permanent fix is under development and will be released as soon as possible.

Telephony Deep Dive – Reminder
Reminder that the Telephony Deep Dive session will take place on 17 April.

Form to register interest – https://forms.office.com/Pages/ResponsePage.aspx?id=slTDN7CF9UeyIge0jXdO48nRfTTqG_pEn5qR_xNEMv5UQlhPRFpWQ1lFWTBNMzdGUDExMlA0UTlNRSQlQCN0PWcu

Basic Authentication Deprecation
Update provided by David Middleton

SSPR demo

Overview provided by Hector from the Accenture team.

TA Update

Reminder that the legacy alluser groups will be removed later in the year. Organisations should review all uses of these groups to ensure that the new version is being used.

Platform-wide MFA
Update provided by Jess Davenport.

Technical Update:

• Basic Authentication Depreciation reminder about upcoming changes
• Phone system launch and deep dive webinar planned for 17 April 2pm-3.30pm.

Centre of Excellence:

An overview of the NHSmail Solution Store – an app that aims to encourage collaboration and share best practice

Multi-factor Authentication (MFA):

INC34945419 – Multifactor Authentication (MFA) Prompt – RESOLVED – NHSmail Support

It has been confirmed that the issue has been caused by a recent update applied to a section of Microsoft infrastructure responsible for regulating user geo-location.

MFA report – looking to fix in early April and will exclude deleted permanent accounts

Angela Goody from NHS HERTFORDSHIRE AND WEST ESSEX ICB – produced a video on XLOOKUP, this demo is for the MFA report and mailbox report and how best to utilise them both – Thank you very much for your support.

The next LA webinar will be held on Thursday 6 April and will include an overview of the new Self Service Password Service.

Technical updates:

The dates for the retirement of the EAS and RPC, EWS, POP, IMAP, and RPS protocols and the implementation of Basic Authentication have changed.

Please refer to the Basic Authentication Deprecation guide on the NHSmail support sites if you’re interested in learning more about the implications for your organisation.

Telephony update

INC34485546 – Scan to E-mail Delivery Delay – CLOSED

After mail delays and discussions with our third-party supplier, we changed the configuration of Relay to improve peak processing stability and efficiency. These modifications have eliminated mail delays. We appreciate your patience and apologise for the inconvenience.

Fast track availability reminder:

Until June 30, 2023, the NHS will be able to take advantage of the Fast Track tool for migrating personal and shared data to OneDrive for Business and SharePoint Online. Please see NHSmail FastTrack File Share Migrations | Requirements – NHSmail Support for further information regarding this service.

Centre of Excellence:

Update on Power Platform Data Lost Prevention Policy changes which can be found on NHSmail support pages Power Platform Guidance – NHSmail Support

New features and improvements for the Asset Booking Tool implementation process are on the horizon. Information on how to do this can be found on the NHSmail support sites dedicated to the Desk Booking App.

Multi-factor Authentication (MFA) update:

An up-to-date explanation of the issues affecting the MFA report and the proposed iterative approach to fixing them by combining the data from the Mailbox Report and the MFA report is now available. For more info, check out NHSmail Support Pages about – MFA Status Report

To further ensure the satisfaction of LA Webinar attendees, MFA will be added as a regular agenda topic.

Other information:

NHSmail all user survey: Please thank everyone who helped spread the word; we got almost 58,000 answers; this is fantastic!

On March 21, 2023, we will be disabling Yammer’s public Storylines to reduce spam communications.

Service Updates:

Portal Access issue – 20 February – Resolved

INC34412483 – Portal Intermittently Inaccessible – RESOLVED – NHSmail Support

Intermittent Portal access issue occurred on Monday 20 February causing an error when users attempted to log in.

MS Bookings issue – 14 February – Resolved

INC34265287 – MS Bookings Admin Functions – RESOLVED – NHSmail Support

Issue with MS Bookings preventing users from adding or amending Bookings calendars within the NHSmail Portal.

Release updates:

Dickson release delivered on Thursday 2 March – Dickson Release – Content Summary – NHSmail Support

Key items:

• PnP update – functionality returned to the platform for use by LAs.
• My Approvals performance update – 58913
• Guest Inviter view update – 47507
• MAC email notification updates – 70222 / 70928

The service will be moving to a new release cadence post-Dickson that will see smaller releases being delivered on a shorter cycle to ensure we get new features out onto the platform sooner.

Service Reminders:

Old NHSmail Power Platform default environment decommissioning

Reminder that the old NHSmail Power Platform default environment has now been decommissioned in full.

Information – Power Platform Old Default Environment Decommissioning – NHSmail Support

NHSmail access from outside the UK

Also a reminder for anyone who wasn’t able to make the last webinar, that we have recently made changes to NHSmail access from outside the UK and recommend that organisations ensure that MFA has been enabled on accounts prior to users leaving the UK if NHSmail access is going to be required.

Information – NHSmail users working outside of the United Kingdom (UK) – NHSmail Support

NHSmail annual survey reminder

Final reminder from me that the NHSmail annual survey is now live for responses and will be open until Friday 10 March.

We’d like to encourage as many people to respond as possible as the more feedback we get from yourselves, the more we can improve the service to meet your needs.

https://survey.nhs.net/nhsmail-user-survey-2023/

Other Key Updates:

• MFA Update – platform-wide enforcement announced.
• REMINDER: BYOD Technical Deep Dive session (28 February) – Bring Your Own Device Security Controls | Overview and Deep Dive Webinar – NHSmail Support

Telephony capability overview

• Delivery delay issues  

Two issues with delayed delivery of emails either to or from external domains this week

The first issue occurred on Monday and only had intermittent impacts which were very minor. The issue was resolved quickly, and the queues completely cleared by close of play on the same day. 

Further information here: INC34183362 – NHSmail Delivery Delay – RESOLVED – NHSmail Support 

• The second issue occurred on Thursday and further details can be found here: INC34243035 – Mail Delivery Delay – RESOLVED – NHSmail Support 

• Old NHSmail Power Platform default environment decommissioning
  Information – Power Platform Old Default Environment Decommissioning – NHSmail SupportUpdate regarding the old NHSmail Power Platform environment which will be decommissioned from this week.This should have minimal to no impact on organisations as the new default environment with updated data residency in the UK has been in place since September 2022. Any specific PowerApp users who will be affected have been contacted via target comms over the last few weeks with details of any actions required. 

•  NHSmail access from outside the UK
  Information – NHSmail users working outside of the United Kingdom (UK) – NHSmail SupportPlease be aware that a change was implemented on Friday evening (10 February) that will require any users attempting to access the service from outside the UK to have MFA enabled on their accounts. 

• NHSmail annual survey – will go out this week for users to respond to.  

• Chatbot walkthrough & demo – Accenture team 

• Deskbooking App walkthrough – Centre of Excellence team

• Teams Delete Status Portal issue – resolved

On Tuesday of this week, we had a recurrence of Teams showing as deleted in the NHSmail portal, which has now been resolved.

Please take into account that the problem on Tuesday was only cosmetic, and there was no loss of Teams or Teams data at any point.

Full details – INC33938944 – Teams Group Status – UNDER MONITORING – NHSmail Support

• Microsoft O365 issue – resolved

Those on this call will also be aware that there was a global Microsoft issue this week that may have impacted your users’ access to O365 services.

This incident has been fully resolved and details can be reviewed on the support site:

Microsoft 365 Alert – Service Degradation – Microsoft 365 suite – Users may be unable to access multiple Microsoft 365 services – RESOLVED – NHSmail Support

• Portal slowness issue – resolved

On Wednesday morning, we experienced a brief intermittent issue that caused Portal slowness for some users.

This was quickly resolved with little disruption to the service.

Full information can be found on the Announcements page – INC33981101 – Portal Slowness – RESOLVED – NHSmail Support

• Multi-Factor Authentication (MFA) Number Matching

We enabled number matching for all users of the Microsoft Authenticator app on Thursday evening (25 January 2023).

This is to ensure the change is managed closely, prior to the enforced change by Microsoft starting 27 February 2023.

Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator.

When a user responds to an MFA push notification using the Authenticator app, they will be presented with a number. They need to type that number into the app to complete the approval.

We expect this change to have no negative impacts for users and any issues should be reported to the Helpdesk.

We have also updated our current guidance to reflect the new number matching capability and the guidance can be found here:

Getting Started with MFA – NHSmail Support

• NHSmail access from outside the United Kingdom (UK)

We would also recommend that MFA is applied to the accounts of any users who may have a valid need to access their NHSmail from outside the UK as permitted by your organisation’s own local policies before they leave the country.

We do not recommend that users access their account via non-corporate VPNs when outside of the UK as there is a risk that their access will be blocked.

In the near future, we will be enforcing MFA on any connections to the service made from outside the UK. Where MFA is not in place, the user will be unable to access their account or any other NHSmail services.

More details regarding timelines for when this will be enforced will be added to the Announcement page of the support site shortly.

• Accessibility: Teams Live Captions

Please note that function to turn on/off Live Captions in Teams has moved and now sits under Language & Speech within the extended settings menu.

• NHSmail survey

The NHSmail survey is due to go out in early February.

General update:

• All user survey – the questionnaire will be released shortly
• Accessibility: Sign Language View – available now in Microsoft Teams
• Information Governance – update on number matching on the authenticator app

Technical update:

• New roadmap published: NHSmail Roadmap – NHSmail Support
• MFA, which will shortly be implemented, is necessary for access from outside the UK.Planning to change the default behaviour for new accounts to require MFA by default, and you will need to delete it if doing so puts your organisation at clinical risk
• The projects for conditional access and the phone system have begun and are scheduled to be completed in the first quarter of 2023. Thank you to everyone who responded to the deep dive survey, and please feel free to join the deep dive sessions as soon as they are announced.
• Legacy Security group housekeeping – allusers moving to allusersgroup.
• MMA – Microsoft management agent – deprecation in MDE
• Azure will no longer accept connections from older versions of the Windows Log Analytics agent, also known as MMA that uses an older method for certificate handling. The affected versions are Windows 7 SP1, Windows 8.1, Windows Server 2008 R2 and Windows Server 2012 R2/2016. The new minimum supported MMA version is 10.20.18053.0 Expected: February 2023
• Office 2013 will reach end of Extended Support on April 11, 2023. MC482560 | December 10 – This is a reminder to post (MC357842, April 2022): Office 2013 end of support: Reduce your exposure to security risks by moving to a newer version of Office. Office 2013 will reach the end of Extended Support on April 11, 2023. This means Office 2013 will no longer receive security updates, bug fixes, technical support, or online technical content support after April 11, 2023.
• Additional guidance in CVE-2022-41099 for devices with WinRE. Devices with Windows Recovery Environment (WinRE) will need to update both Windows and WinRE to address security vulnerabilities in CVE-2022-41099. Installing the update normally into Windows will not address this security issue in WinRE. For guidance on how to address this issue in WinRE, please see CVE-2022-41099.