MFA Admin Frequently Asked Questions (FAQs)

Overview

What is Multi-Factor Authentication (MFA)?

Multi-factor authentication (MFA) is an effective control against a wide range of account compromise techniques, stopping simple attacks altogether and making it much more difficult for even sophisticated attackers to succeed. In addition to their email address and password, users will need to set up a second form of authentication, such as an authentication app on their mobile phone, text message or phone call. This second layer of security is designed to prevent anyone but them from accessing their account, even if they know their password.

How will exceptions work for the MFA mass rollout?

Please refer to guidance on Short and Long Term Exceptions here on the process and requirements to apply for exceptions. Further information related to the nationally enforced rollout will be confirmed closer to the time.

Is there a grace period when MFA is applied before it is enforced?

This depends on how MFA is applied, there is currently no grace period for Standard Conditional Access (CA) MFA. Named Location CA has a grace period of 14 days, during which the user can temporarily skip the registration process. After the 14-day grace period has passed, the user will not be able to login to their account until the MFA registration is completed.

Which MFA policy takes precedence when a user has more than one policy on their account??

For information on the order of precedence for MFA policies on a user account and the future changes to precedence, please see here.

How do I integrate Single Sign-On (SSO) with MFA?

You can request SSO via Entra ID on SSO web apps. The SSO request form here can be used to raise a request to the stores process. Further information on SSO can be found here.

What is the MFA acceptance criteria for the Acceptable Use Policy (AUP)?

Currently user accounts can be added to a Conditional Access MFA Policy (security group) before acceptance of the AUP.

Previously, user accounts could only be applied to a Per User policy after the acceptance of the AUP

Can NHS Smartcards be used as a core MFA method?

NHS Smartcards are not considered to be a “core” MFA option. Similar to FIDO2 tokens, they can be used as a workaround to by-pass MFA prompts once a core method has been set up on their account. They can only be used for web access and not with desktop applications.

What are the steps for a user to set up MFA?

The “Get Started with MFA” guide for users can be found here.

What are user’s options for MFA?

Users can choose between the Microsoft Authenticator app, text messages, or call. Users should be encouraged to register more than one authentication method to ensure they never lose access to their account, even if something happens to their device.

  • Authentication App: Download the Microsoft Authenticator app to your smartphone to verify your sign in or to get a verification code.
  • Text message: A text message (SMS) is sent to the mobile phone number registered containing a verification code.
  • Call: An automated voice call is made to the mobile phone number registered prompting the user to press # on their keypad.
  • Users should enable MFA using mobile app, text message or phone call in addition to using a FIDO2 Token or NHS smartcard for security purposes. If using a FIDO2 Token or NHS Smartcard in addition to another MFA option, users won’t be challenged for MFA. However NHS Smartcards only allow access to web applications and not desktop applications.

How is MFA applied on compromised accounts?

As part of the ongoing efforts to protect the NHSmail platform, multi-factor authentication (MFA) will now be enforced on all NHSmail accounts that are identified as compromised. Further information can be found here.

Mobile Phone Numbers and Devices

What if there are user issues related to unsupported authentication methods?

Local Administrators are expected to provide support for user issues related to currently unsupported authentication methods. Please refer to Setting up TOTP Software Tokens for guidance on authentication methods

What if I have problems with the Microsoft Authenticator app?

Please follow the guidance on How to Install Authenticator app and further guidance on steps for How to set up MFA on the Authenticator app.

If your Microsoft Authenticator app is not responding or you are not receiving a code, please ensure that your app is up to date and your device is connected to the internet and has a stable network connection. Your device would further need the permissions to send notifications to be turned on in your device settings.

If the issue persists, please try an alternative verification method such as a text message or phone call.

What if users don't want to use their personal mobile phone for MFA?

If users don’t have a corporate device, it is recommended that they use their personal device as this device is unique to them. This helps ensure their account can only be accessed by the person in possession of their phone. Even if someone has their log in details and password, they won’t be able to log into the NHSmail Portal or access their Microsoft Office 365 account without the user’s personal device.

If mobile devices are not allowed in the workplace, users are advised to contact their local admin to discuss alternatives, such as FIDO2 security tokens. This will be down to local organisation policy. For information about FIDO2, please visit this page. For NHS Smartcards please visit the NHS Care Identity Sign in Support site for more information.

Users are advised that using MFA on their personal device will ensure their account remains protected and will not result in the collection, storage or tracking of any personally identifiable data.

What if users are worried that MFA will allow data to be accessed on their personal phone or that their mobile numbers may be used if they register for SMS/ text authenticator methods?

The Microsoft Authenticator app does not collect or store any personally identifiable data. Keeping user’s NHSmail accounts secure will protect the organisation, their own personal data and patient data. Their personal mobile phone details are not used for any other purpose than protecting their account. Adding the Microsoft Authenticator app to their personal mobile phone is just a way of confirming who they are. Further information can be found here.

Set Up & Use

How would MFA work in secure units/ sterile environments?

If the core options of MFA are not suitable for these users, organisations can consider using:

Named Location Conditional Access MFA

NHS Smartcards

FIDO2 tokens

TOTP Software Tokens

If none of the above work arounds are viable, organisations can consider putting the user accounts into the exception process, once this process is in place.

Can users still self-enrol since Per User MFA has been deprecated?

Yes, users are still able to self-enrol for MFA. By self-registering, users will be added to the general Standard Conditional Access MFA policy. However, the function to self-disable MFA has now been removed.

How do I re-enrol a user for MFA?

To review/ download the steps for MFA re-enrolment, please click here and refer to Re-enrolling Per User and Conditional Access Multi-Factor Authentication for more information.

How can I reset MFA for a User?

1. Click Admin in the navigation bar at the top of the screen and select User Management from the drop down menu

selecting user management

2. Use the search box to find the account you wish to reset MFA settings for.

3. Click on the user’s Display Name to open the User Details page

Refer to the Searching for an Entry article for more information

MFA Enroll4. Click Re-enrol MFA in the Actions box

 

 

 

What applications / systems does MFA protect?

Multi-factor authentication (MFA) is currently being used to protect the NHSmail Portal and all Microsoft Office 365 (O365) applications including Outlook, Teams, OneNote, OneDrive and SharePoint.

What versions of Microsoft Office 365 (O365) applications are compatible with MFA?

The configuration requirements vary, depending on the Outlook version:

  • Outlook 2010 does not support MFA.
  • Outlook 2013 supports MFA but is not enabled by default. Instructions on how to enable this can be found here.
  • All versions of Outlook above 2016 support MFA by default.
Will users need to authenticate each time they log in to NHSmail?

Users will need to authenticate on each device and browser they log into. For desktop and mobile apps, users will be prompted to authenticate once and then will only be prompted again once a key account detail has changed, e.g. they have reset their password.

This will only differ in cases where a specific MFA licence has been assigned to a user by their local organisation, e.g. EMS E3 Intune or Azure AD Premium P1 (AADP1) Azure AD Premium P2 (AADP2) Conditional Access licences. In such cases, a change in the Conditional Access policy, such as a change in location of log-in, would result in a user getting prompted for MFA again.

What if a user gets locked out of their account (e.g. because they lost their authentication device)?

Users are advised to inform their local admin when they have misplaced their device and should be encouraged to register an alternative method of MFA for emergencies, such as an alternative mobile phone number or setting up the Microsoft Authenticator app on another device.

If a user has set up alternative authentication methods, they should be able to select “Sign in another way” when at the MFA prompt screen.

If a user is locked out of their account and cannot access it unless MFA is disabled, e.g. because they don’t have an alternative authentication method, please follow the instructions to apply for a short-term MFA exception for a user. The user should call the NHSmail Helpdesk when they replace their phone as they will have to re-enrol for MFA again.

What if a user has changed their mobile phone number?

Please direct users to update their MFA details here. On the ‘Security info’ page, they will need to click on change and edit this by adding in their new phone number. This number is independent of the mobile number listed in their NHSmail Portal profile.

Can users register a non-UK phone number as an authentication option?

No, only UK-based phone numbers are permissible for MFA. The use of mobile phone numbers registered outside of the UK is not permissible. Users are encouraged to check the number associated with their MFA details here. If this number is a non-UK based phone number, they should delete it and update the field with a UK-based phone number.

What if a user has a new mobile phone but kept the same number?

If a user has kept the same mobile number and their method of authentication is call or text message, they do not have to do anything. If they have selected the Microsoft Authenticator app as their preferred authentication option, they just need to download the app on their new mobile device and backup the details from their old mobile device. To set up Microsoft Authenticator on a new phone, users need to follow these steps:

  • Step 1: Open the Microsoft Authenticator app on old mobile
  • Step 2: Tap on the three-dotted icon and go to Settings
  • Step 3: Toggle Cloud backup or iCloud backup option
  • Step 4: Add a recovery account
  • Step 5: Open the Microsoft Authenticator app on the new mobile
  • Step 6: Tap on the begin recovery button
  • Step 7: Enter the credentials of the recovery account
  • Step 8: Reverify accounts to start using them.
How can I monitor adoption of MFA in my local organisation?

To monitor adoption of MFA in your local organisation you can generate a mailbox report for your organisation. To do this click “Reports” then “Admin Reports” on the NHS Portal. This will show you the accounts that have MFA enabled and the type of authentication method registered.

How can I enable Multi-Factor Authentication (MFA) for a large number of users simultaneously?

To set up MFA for multiple users concurrently please see Bulk Enablement of MFA.

MFA Conditional Access Policies

MFA CA Overview

What is a Conditional Access (CA) Policy?

Conditional Access policies at their simplest are ‘if-then’ statements; if a user wants to access a resource, then they must complete an action, and these are enforced after first-factor authentication (email address and+ password) is completed.

What is MFA CA policy for NHSmail?

MFA Conditional Access is the new strategic MFA solution made available by Microsoft – it is a feature of Azure AD that allows the definition of policies that require additional authentication methods before granting access to an application or service. In relation to the NHSmail platform, it works in the same way as per-user MFA – users enabled for it will be prompted to authenticate via a second factor when logging in.

What if I want to make use of Conditional Access MFA?

Further information regarding Conditional Access MFA policies can be found here.

What is a Named Location?

A named location is a virtual network environment or network location that is deemed secure, reliable by an organisation and meets certain criteria. This is established based on certain security measures and controls put in place by each organisation to ensure the integrity and confidentiality of data and resources within that location.

How many MFA CA Policies are available?

There are currently two Conditional Access policies available to enforce MFA and organisations will be able to use one or both policies.

  • Standard: This policy will enable MFA to the user account; MFA will be always prompted during the authentication flow.
  • Named Locations: This policy will enable MFA to the user account; MFA will not be prompted during the authentication flow if the user’s device is connected to any named locations (e.g., HSCN).
Can an organisation use both MFA CA policies?

Yes, an organisation can use both Standard and Named Locations policies. To do so, an organisation needs to submit the HSS onboarding request twice (one per policy).

Can I apply a policy just to a subset of users the organisation and what is the recommended user scope?

Yes, NHS England strongly recommends organisations to choose selected sub-set of users as their user scope.

Create a security group via NHSmail Portal before submitting an onboarding request via HSS form in Service Now.

MFA CA Onboarding

What are the steps for an organisation to start using an MFA CA policy?

Organisations are recommended to follow the below 4 step process to plan and use MFA CA policies:

  1. Review documentation and check pre-requisites
  2. Get the organisation ready
  3. Submit an onboarding request to link the security group to the chosen MFA CA policy
  4. Test and provide on-going maintenance
Where can an organisation find detailed information about the onboarding process?

MFA CA Policy Onboarding Guide sets out why this service is being introduced, how it works and additional information about the onboarding process.

How can an organisation submit an onboarding request?

Organisations can submit their onboarding requests via HSS form in ServiceNow. They are encouraged to read and digest the MFA CA Policy Onboarding Guide first.

Can organisations submit more than one onboarding request?

Organisations can submit up to two onboarding requests, one per each policy (Standard and Named Locations).

What is the recommended user scope?

NHS England strongly recommends organisations to choose a selected sub-set of users as their user scope.

Create a security group via NHSmail Portal before submitting an onboarding request via HSS form in Service Now.

What is the security group name that organisations need to provide as part of the onboarding process?

If the organisation chooses selected sub-set of users as their user scope, they are required to provide the security group Display Name, which can be found in the NHSmail Portal.

A security group display name usually starts with the organisation’s ODS code, followed by the letters “sg”, as per below example:

Display Name Example: X26.sg.MFA-CA-Std-Users

Can I change the name of a security group after the onboarding process request is submitted?

No, organisations must not change the name of their security groups.

Should an LA start adding users into an MFA CA Security Group before or after the onboarding request is completed?

Organisations are recommended to follow the below approach:

  1. Create a security group via NHSmail Portal
  2. Submit an onboarding request via HSS form
  3. Wait for an approvaland completedemail notification
  4. Execute a test using test accounts or a small number of users within their organisation
  5. Notify all impacted users
  6. Start adding users into the Security Group
How long does an onboarding request take to be completed?

Please note onboarding requests are expected to be processed between 1 to 3 working hours. Requestors will be notified over email when the onboarding process is approved and completed.

What can organisation do if they do not receive any notification of approval/completion?

Organisations can raise an incident with NHSmail helpdesk and ask for an update on the service request; organisations are required to provide the service request reference number (RITM).

Named Locations

How does Named Location Conditional Access MFA work?

MFA CA policy for Named Locations will enforce MFA to user accounts, this will result in the user experiencing MFA prompts every time an application or service requests the user to authenticate. However, if the user’s device is connected to a registered named location, the user will not experience MFA prompts during the authentication process.

Named Location Conditional Access MFA reduces MFA prompts in Office 365 applications only (portal.nhs.net is not supported). A user must always register an MFA authentication method to their account as an initial one-time activity. Please note that if the account is accessed outside the Named Location, the user will be prompted for MFA to complete authentication.

If an organisation has registered a network as a Named Location and the user’s device is connected to internet via this network, the user will not see MFA prompts when logging into Office 365 applications.

Please refer to the Named Locations Registration Guide for information on how to create or update a Named Location and see further Named Location MFA CA guidance here.

Notes:

  • NHSmail portal and SSO applications registered in ADFS will always prompt for MFA, regardless of where the user is connecting from or the MFA CA policy they are in.
  • Only O365 applications (Outlook, Teams, SharePoint, One Drive) work with MFA CA Named Locations policy, users will have to access to these apps using Microsoft URLs, for example:
  • HCSN/Secure Boundary networks have been registered as named locations by default. If the organisation uses these networks as internet providers (users’ internet traffic redirected via these networks), the organisation will not need to submit a request to register a named location. They will still need to submit a request to be onboarded into MFA CA Named Locations policy and have created a security group in the NHSmail portal to apply the policy to a subset of their users.
  • Organisations that are using their own internet providers (e.g. VM, BT, Sky, etc) and wish to have a registered named location, will need to submit a request following the guidance in this document.

Example 1:

  • An organisation has submitted a request to be onboarded into MFA CA Named Locations policy and has created a security group in the NHSmail portal to apply the policy to a subset of their users.
  • The organisation has not submitted a request for a named location to be registered, but user’s internet traffic in their premises is redirected via HSCN/Secure Boundary breakout.
  • A NHSmail user is added into the security group using the NHSmail Portal Security Groups functionality.
  • In the morning, the user is inside the organisation’s premises and connects their device to the NHSC/Secure Boundary network.
    • The user will not experience MFA prompts as their device is connected to a registered named location.
  • In the afternoon, the user heads home and connects their device to their home internet provider router.
    • The user will experience MFA prompts as the device is not connected to a registered named location.

Example 2:

  • Another organisation has submitted their own request to be onboarded into MFA CA Named Locations policy and has created their own security group in the NHSmail portal to apply the policy to a subset of users.
  • The organisation has not submitted a request for a named location to be registered, and they are using a 3rd party provider for their internet access (with dedicated IP addresses).
  • A NHSmail user is added into the security group using the NHSmail Portal Security Groups functionality.
  • In the morning, the user is inside the organisation’s premises and connects their device to their network.
    • The user will experience MFA prompts as the device is not connected to a registered named location.
  • In the afternoon, the user heads home and connect their device to their internet provider router.
    • The user will experience MFA prompts as the device is not connected to a registered named location.

Example 3:

  • The same organisation in example 2 has now submitted a request to register a named location, using the dedicated IP addresses their 3rd party provided has assigned to them.
  • After NHSE has reviewed the request, they have decided to approve it and the relevant support team has registered the IP addresses as a named location.
  • After this, the same user who has been added into their security group is already inside the organisation’s premises and has connected their device to the network.
  • The user will not experience MFA prompts as the device is now connected to a registered named location.
What are the steps for an organisation to register a Named Location?

Organisations must first follow the onboarding process for the Conditional Access Policy. If an organisation uses a Network other than HSCN / Secure Boundary they are then recommended to follow the below 4 step process to plan and use MFA CA policies:

  1. Review and meet criteria (including senior approval)
  2. Submit a registration request containing your IP address/ range
  3. Wait for NHS England approval
  4. Test and provide on-going maintenance
Where can an organisation find detailed information about the registration process?

MFA CA Policy Registration Guide provides detailed information for organisations that are looking to use MFA Conditional Access policies alongside Named Locations to enforce MFA to all or a subset of their users.

Does an organisation need to register a Named Location if they use HSCN/Secure Boundary as internet provider?

No, HSCN/Secure Boundary is a Named Location by default. The organisation will need to onboard the Conditional Access Named Location for their organisation so that those in the security group can use the named location policy even if the organisation uses HSCN.

How can an organisation submit a registration request?

Organisations can submit their registration requests via HSS form in ServiceNow. They are encouraged to read and digest the MFA CA Policy Registration Guide first.

Can organisations register more than one Named Location?

Yes, organisations can submit more than one request to register different named locations.

Can organisations register more than one IP address range in the same request?

Yes, local administrators can provide more than one IP address range using the specified field in the HSS form in ServiceNow, separating the values using a coma as per below example:

203.0.113.0/24,45.67.83.100/30,64.223.160.0/20

What are the criteria Named Locations must meet?

Named Locations criteria can be found in the MFA CA Policy Registration Guide.

What is a Senior Approval?

Organisations will be required to discuss the registration of a Named Location with a Senior Information Risk Owner (SIRO), Chief Technology Officer (CTO) or equivalent person in the organisation and obtain a written confirmation that they have reviewed and confirmed the organisation meets all criteria to register a named location.

How long does a registration for a Named Location request take to be completed?

Please note registration requests are expected to be processed between 5 to 10 working days. Requestors will be notified over email when the onboarding process is approved and completed.

What should organisations do if their request is rejected?

If a request to register a Named Location is rejected, local administrators are recommended to review the reasons for the rejection, take actions to address the issues, and submit a brand-new registration request using the HSS form.

Organisations that would like to contest the rejection can submit an escalation request via NHSmail Helpdesk.

More information can be found in the MFA CA Policy Registration Guide.

What risks do organisations need to consider when applying Named Location?

Information regarding risks and additional considerations for using MFA CA Named Locations can be found here.

Can compromised accounts or accounts with admin roles use Named Location CA MFA?

No, accounts with admin roles are always prompted for MFA. Please refer to further guidance on Named Location Conditional Access MFA here.

Compromised accounts will always have MFA enforced and cannot use Named Location Conditional Access MFA.

What could an organisation do if they have registered a Named Location, but their users are still being prompted for MFA?

If this is happening to a subset of users within the organisation’s premises, it is likely that this is due to their individual’s account set up. If this is the case, please check that:

  • The user was only added into the MFA CA Named Locations security group the organisation has created for this purpose.
  • The user may have Per User MFA enabled; there is a background process removing Per User MFA from user accounts that are added to the MFA CA Named Locations security group. Please allow up to 12 hours for this process to
  • The user does not have any administration roles on their account as this would mean they would always be prompted for MFA.

If this is happening to all users within the organisation’s premises, it is likely that the registration of the Named Location is taking time to replicate or was not registered successfully. If this is the case, please check that:

  • The public internet IP address ranges submitted as part of the registration process are correct.
  • The user’s internet traffic is being redirected via any of the public internet IP address ranges registered.

Managing MFA CA Policies

What is the user experience if both MFA CA Standard & MFA CA Named Locations policies are applied to a user?

If a user is in both the Standard and Named Location CA MFA policies, the Named Location policy will take precedence. Please see further guidance here.

Will administrators not be prompted for MFA if working from a registered named location?

No – all administrator roles, including Local Administrators (LAs) & ATP admins will always be prompted to authenticate. Named locations do not apply to administrator roles.

If a Local Administrator disables MFA from a user account, will the user still be prompted for MFA?

If a short or long-term MFA exception is granted and the user is enrolled for MFA CA, MFA will not be prompted when logging into NHSmail Portal or using O365 apps during the exception period.

If an organisation has user accounts with ’per-user’ MFA enabled, can they be moved into MFA CA Named Locations policy?

Yes, organisations can add existing user accounts with MFA enabled into the named locations security group they have created, and the policy will take effect in the following 8 hours.

Can organisations fully disable MFA for a user account?

Following the announcement of the NHS England MFA Policy, we recommend organisations not to fully remove MFA from users’ accounts to stay on track to meet the expected deadline. If an organisation must temporarily disable MFA, please apply for either a short term (24 hour) or long term (180 day) exception using the relevant process.

Additional Information

How will MFA work for a user mailbox being used as a shared mailbox?

User accounts used as shared mailboxes should be registered as an exception and go into an exception policy so they would not have MFA applied when it is turned on for all remaining accounts without MFA. Local administrators should make a list of those shared mailboxes and apply for a long-term exception. Please see further guidance here.

Later this year it will be possible to convert user accounts into genuine shared mailboxes. Once released, this will mean these accounts no longer need to go into an MFA exception policy.

How does MFA work for shared mailboxes?

Shared mailboxes, (i.e., when users access the shared mailbox from within their own mailbox without the need to enter a separate password) do not need MFA as they do not have passwords. Please see further guidance on shared mailboxes here.

What will happen when Per User is turned off to existing accounts?

User accounts will be moved from Per User MFA into MFA CA Standard using the central security group. Users’ experience will not be impacted.  Organisations using local security groups to roll out MFA with Standard Conditional Access should continue using local security groups until the enforcement is tenant wide.

What does the ADFS security group change mean?

Users logging into https://portal.nhs.net/ or single sign-on applications integrated with ADFS will always be required to complete MFA as part of the authentication process even if they are in a Named Location Conditional Access policy.

Where can I learn more about FIDO2?

For information about FIDO2, please visit this page.

Where can I provide feedback related to the MFA process?

For feedback, please contact us via Your Voice or Customer Service Portal – Customer Support 

Why are users who are MFA enrolled showing up as MFA Status Disabled in reporting?

It is likely that these users have registered for self-service password reset (SSPR) and therefore, the SSPR authentication method is shown in the MFA report. The users need enabling for MFA via the Portal or security groups and the same SSPR authentication method can then be used for MFA.

Last Reviewed Date 23/10/2024
Updated on 23/10/2024

Related Articles

Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact Support
back to top