
Managing NHSmail Security Groups

The NHSmail security groups functionality provides Local Administrators the ability to create, manage and control Microsoft 365 static mail-enabled and non-mail-enabled security groups.

Please note:

Automated All Users dynamic non-mail-enabled security groups for all users in an ODS code already exist and are managed by a stand-alone process that is automated and sits outside of the NHSmail Portal. For more information, please refer to the Automated All Users Security Groups article. Only static mail-enabled and non-mail-enabled security groups created via the NHSmail Portal can be managed in the NHSmail Portal.

The target audience for this guidance is Local Administrators. If you are a user with questions about security groups, please contact your Local Administrator.

Please refer to the Introduction to NHSmail Security Groups article for Local Administrators first, before reading this article. For more information, you can also refer to the NHSmail Security Groups Frequently Asked Questions (FAQs) article for Local Administrators.


Security groups are a Microsoft 365 feature used to group together users who require the same permissions. They are primarily used for granting access to Microsoft 365 resources such as SharePoint Online, OneDrive and PowerApps.

For NHSmail, two types of security groups can be managed by Local Administrators via the NHSmail Portal: static mail-enabled security groups and static non-mail-enabled security groups.

The following table provides an overview of the Microsoft 365 service offerings that are compatible with static mail-enabled security groups, static non-mail-enabled security groups, or both.

Please note:

Where there is the option to use both groups, the recommendation is to use non-mail-enabled security groups as these are supported by most services.

| Service Name / Type | Compatible with non-mail-enabled security groups? | Compatible with mail-enabled security groups? |
|---|---|---|
| Teams | No | Yes |
| Teams Shared Channels Policies | Yes (recommended) | Yes |
| SharePoint Online | Yes (recommended) | Yes |
| OneDrive | No | Yes |
| PowerApps | Yes (recommended) | Yes |
| PowerAutomate | Yes (recommended) | Yes |
| Sway | Yes (recommended) | Yes |
| Power BI | Yes (recommended) | Yes |
| Power BI Tenant Settings | Yes (recommended) | Yes |
| Power BI Capacity Admins | No | No |
| Application Access Policies | No | Yes |

Please note:

Any security groups created via the Modern Authentication process will continue to be managed via the existing process, rather than via the NHSmail Portal. For more information, please refer to the Basic Authentication Deprecation Admin Guide article.


Primary Local Administrators (PLAs) and Local Administrators will be able to manage and control static mail-enabled and non-mail-enabled security groups. There are no additional licensing or other requirements to be able to manage and control NHSmail security groups.

Joiners, Movers and Leavers

The following table provides an overview of the joiners, movers and leavers process for NHSmail security groups and the required actions for Local Administrators.

| User Type | Action for Local Administrators |
|---|---|
| Joiners | When an NHSmail user is marked as a new joiner, the user will not be automatically added to any of the new organisation’s security groups. Local Administrators must manually add new joiners into any security groups they have created via the Portal. |
| Movers | When an NHSmail user is marked as a mover, the user will not be removed from their existing organisation’s security groups and they will not be added to any of the new organisation’s security groups. Local Administrators from the user’s original organisation must manually remove that user from any security groups they have created via the Portal. Local Administrators from the user’s new organisation must manually add that user into any security groups they have created via the Portal. |
| Leavers | When an NHSmail user is marked as a leaver, the user will retain their membership to the security groups until the account is removed by the Local Administrator or until the account is removed from the tenant. Local Administrators can manually remove leavers from any security groups they have created via the Portal. If Local Administrators do not manually remove leavers from their security groups, the current standard account hygiene process will be followed, resulting in that user’s account eventually being removed from the security group. |

Please note:

The actions above only apply to security groups created by Local Administrators via the NHSmail Portal. For any Automated All Users security groups there is a separate automated process for joiners and movers. Joiners and movers will be automatically added into any all-organisation ODS security groups as this process is automated and managed outside of the NHSmail Portal. For more information, please refer to the Automated All Users Security Groups article.

To support the management of the joiners, movers and leavers process, Local Administrators with the Guest Inviter role can use the Microsoft Entra Admin Centre (Azure AD) to check the security groups a user is a member of. For more information about reporting, please refer to the Reporting section in this article.

Creating new security groups

Local Administrators can create new security groups via the NHSmail Portal.

Please note:

As a default setting, to restrict modification of the groups outside the Portal, the NHSmail Portal Service Account will be configured as the owner for all static mail-enabled and non-mail-enabled security groups.

How to name a security group

A consistent naming format must be used when creating NHSmail security groups to allow groups to be easily identified and to ensure they are searchable in the NHSmail Portal. The following table provides an overview of the naming convention to be used. Please note that the prefix, identifier and email domain will be automatically added by the NHSmail Portal.

| Security Group Type | Prefix* | Identifier* | Name | Email Domain* |
|---|---|---|---|---|
| Mail-Enabled | ODS Code | msg | Name inputted by Local Administrator | @nhs.net |
| Non-Mail-Enabled | ODS Code | sg | Name inputted by Local Administrator | N/A |

* Automatically added by the Portal

For example, the name of a mail-enabled security group could be: lsp01.msg.name@nhs.net

The name of a non-mail-enabled security group could be: lsp01.sg.name
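The naming convention above and the joiners, movers and leavers rules can be combined into an offline membership review. This is an added example, not Portal code: the CSV column names and the sample data are constructed assumptions, and a member whose current ODS code differs from the group's prefix is flagged for review only.

```python
import csv
import io
import re

# Naming convention from the table above: <ods>.msg.<name>@nhs.net or <ods>.sg.<name>
GROUP_RE = re.compile(r"^(?P<ods>[a-z0-9]+)\.(?P<kind>msg|sg)\.(?P<name>[^@\s]+)(?P<domain>@nhs\.net)?$", re.I)

def parse_group(identifier):
    """Split a group name into ODS prefix, type and name; None if it breaks the
    convention (msg groups need @nhs.net, sg groups must not carry it)."""
    m = GROUP_RE.match(identifier.strip())
    if not m:
        return None
    kind = m["kind"].lower()
    if (kind == "msg") != bool(m["domain"]):
        return None
    return {"ods": m["ods"].lower(), "mail_enabled": kind == "msg", "name": m["name"]}

def review_memberships(members_csv, users_csv):
    """Return (group, member, reason) rows that a Local Administrator should review."""
    users = {r["email"].lower(): r for r in csv.DictReader(io.StringIO(users_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(members_csv)):
        group, member = row["group"], row["member"].lower()
        parsed = parse_group(group)
        user = users.get(member)
        if parsed is None:
            findings.append((group, member, "group name does not follow the convention"))
        elif user is None:  # e.g. a nested group or an account outside the user list
            findings.append((group, member, "member not in user list"))
        elif user["status"] == "leaver":
            findings.append((group, member, "leaver still a member"))
        elif user["ods"].lower() != parsed["ods"]:
            findings.append((group, member, "member now belongs to " + user["ods"]))
    return findings

# Constructed sample data; the column names are assumptions, not the Portal's export format.
MEMBERS = """group,member
lsp01.sg.finance,alice.a@nhs.net
lsp01.sg.finance,bob.b@nhs.net
lsp01.msg.wardteam@nhs.net,carol.c@nhs.net
lsp01.sg.finance@nhs.net,alice.a@nhs.net
"""
USERS = """email,ods,status
alice.a@nhs.net,lsp01,active
bob.b@nhs.net,lsp02,active
carol.c@nhs.net,lsp01,leaver
"""
if __name__ == "__main__":
    print(*review_memberships(MEMBERS, USERS), sep="\n")
```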

How to create a new mail-enabled security group

Download the guidance to create a new mail-enabled security group

How to create a new non-mail-enabled security group

Download the guidance to create a new non-mail-enabled security group

How to create a new mail-enabled security group for all users in an ODS code

Download the guidance to create a new mail-enabled security group for all users in an ODS code

Please note:

Automated All Users dynamic non-mail-enabled security groups for all users in an ODS code already exist and are managed by a stand-alone process that is automated and sits outside of the NHSmail Portal. For more information, please refer to the Automated All Users Security Groups article.

The required Local Administrator actions for joiners, movers and leavers apply to any all user security groups created via the NHSmail Portal. For more information, please refer to the Joiners, Movers and Leavers section of this article.

Viewing security groups

Local Administrators can view security groups for organisations they have access to as per the existing parent / child ODS code mapping via the NHSmail Portal.

How to view a security group

Download the guidance to view a security group

Searching security groups

Local Administrators can search security groups for organisations they have access to as per the existing parent / child ODS code mapping via the NHSmail Portal.

How to search a security group

Download the guidance to search a security group

Please note:

If a Primary Local Administrator (PLA) or a Local Administrator is responsible for managing over 200 organisations and performs a search based on just a display name or email address, they might not see the expected results as the search will be carried out based on the first 200 ODS codes (in alphabetical order). To get the expected result, Primary Local Administrators (PLAs) and Local Administrators must use additional filters such as ODS code or organisation name along with display name and/or email.

Editing security groups

Local Administrators can edit security groups for organisations they have access to as per the existing parent / child ODS code mapping via the NHSmail Portal.

How to edit a security group

Download the guidance to edit a security group

Updating the membership of security groups

Local Administrators can update the membership of security groups for organisations they have access to as per the existing parent / child ODS code mapping via the NHSmail Portal.

How to individually update the members of a security group (limited to 100 users at a time)

Download the guidance on how to individually update members

How to bulk update the members of a security group (limited to 500 users and including nesting other security groups)

Download the guidance on how to bulk update members

Please note:

It is recommended that security groups are not nested across more than one level to avoid functionality issues.

Exporting the members of security groups

Local Administrators can export a list of the members of security groups for organisations they have access to as per the existing parent / child ODS code mapping via the NHSmail Portal.

How to export a list of the members of a security group

Download the guidance on how to export a list of members

Raising an incident for security groups

Local Administrators can raise an incident related to security groups via the Raise an Incident form for the Portal on the Helpdesk Self-Service (HSS) platform.

Reporting for security groups

Local Administrators can use the NHSmail Portal Audit Logs to extract records related to creating, editing and updating security groups.

Download the guidance on how to access Audit reports

Local Administrators with the Guest Inviter role can also use the Microsoft Entra Admin Centre (Azure AD) to access additional reporting, such as checking the security groups a user is a member of.

Download the guidance on how to access other reports

Where can I find out more about NHSmail security groups?

For more information, please refer to the NHSmail Security Groups Frequently Asked Questions (FAQs) article for Local Administrators.

Last Reviewed Date 30/12/2024
Updated on 30/12/2024
