MFA Admin Guide

Multi-Factor Authentication (MFA) helps protect users by making it much harder for someone else to sign in to their NHSmail account. It combines two different factors: something the user knows (their password) and something they have (a registered contact method or device, such as a phone, security key or smartcard).

MFA Enablement & Disablement

As a Local Administrator, you can enable and disable MFA for users via the Portal, either individually or in bulk. You can select the users to enable or disable by using the filters available through the column picker, for example by organisation, organisation unit or user policy. Please note that the bulk edit feature is currently limited to 50 users at a time; repeat it as many times as needed for larger cohorts of users.

Individual – Enablement / Disablement of MFA

Steps on how to enable and/or disable MFA for individual user accounts:

To review/download the steps for individual enablement, click here.

To review/download the steps for individual disablement, click here.

Bulk – Enablement / Disablement of MFA

Steps on how to enable and/or disable MFA for a group of user accounts:

To review/download the steps for bulk enablement and disablement, click here.

MFA Re-Enrolment

Steps on how to re-enrol user accounts for MFA:

To review/download the steps for MFA re-enrolment, click here.

MFA Adoption Toolkit

We have created a toolkit to support local admins and local organisations with their MFA rollout. Please visit this page for more information.

Top Tips and Frequently Asked Questions

Here are some answers to questions you may have about Multi-Factor Authentication (MFA).

Overview

What are the steps for a user to set up MFA?

The “Get Started with MFA” guide for users can be found here.

What are users' options for MFA?

Users can choose between the Microsoft Authenticator app, text messages, calls, or depending on the local organisation, a FIDO2 token or an NHS Smartcard. Users should be encouraged to register more than one authentication method to ensure they never lose access to their account, even if something happens to their device.

  • Authentication app: Download the Microsoft Authenticator app to your smartphone to approve a sign-in notification or to get a verification code.
  • Text message: A text message (SMS) containing a verification code is sent to the registered mobile phone number.
  • Call: An automated voice call is made to the registered mobile phone number, prompting the user to press # on their keypad.
  • FIDO2: Sign in with a supported FIDO2 security key; the keys available depend on the local organisation.
  • NHS smartcard: If you have an NHS Care Identity Smartcard, register it with NHSmail and use it as an alternative way to sign in to the NHSmail Portal and Office 365 web-based applications.

Users should register the mobile app, text message, phone call or a FIDO2 token in addition to an NHS smartcard, so that they still have a working method if the smartcard is unavailable. Users who sign in with their NHS Smartcard won't receive a separate MFA challenge, even if they also have another MFA method registered.

Set Up & Use

What applications / systems does MFA protect?

Multi-factor authentication (MFA) is currently being used to protect the NHSmail Portal and all Microsoft Office 365 (O365) applications including Outlook, Teams, OneNote, OneDrive and SharePoint.

What versions of Microsoft Office 365 (O365) applications are compatible with MFA?

The configuration requirements vary, depending on the Outlook version:

  • Outlook 2010 does not support MFA.
  • Outlook 2013 supports MFA (modern authentication), but it is not enabled by default. Instructions on how to enable this can be found here.
  • Outlook 2016 and later support MFA by default.
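The following is an added example, not taken from the NHSmail instructions linked above, showing the registry change that Microsoft documents for turning on modern authentication in Office 2013 so that Outlook 2013 can complete an MFA sign-in. It assumes an up-to-date Office 2013 installation and is run as the user whose Outlook profile needs fixing (both are assumptions stated here, not on the page).

```powershell
# Added example: enable modern authentication (ADAL) for Outlook 2013.
# Registry values as documented by Microsoft for Office 2013 (version 15.0);
# these are not the NHSmail-specific instructions linked on this page.
# Assumption: Office 2013 is fully patched, and this runs in the affected user's session.
$path = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'

if (-not (Test-Path $path)) {
    New-Item -Path $path -Force | Out-Null
}

# EnableADAL=1 switches Office 2013 to modern authentication;
# Version=1 selects the ADAL sign-in flow that supports MFA.
Set-ItemProperty -Path $path -Name 'EnableADAL' -Type DWord -Value 1
Set-ItemProperty -Path $path -Name 'Version'    -Type DWord -Value 1

# Check: both values must read back as 1. Restart Outlook afterwards so the
# next sign-in uses the modern authentication prompt (which is where MFA is asked for).
Get-ItemProperty -Path $path | Select-Object EnableADAL, Version
```

If either value reads back as anything other than 1, Outlook 2013 will keep using basic authentication and MFA sign-in will fail with a password prompt loop rather than an MFA challenge.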

Will users need to authenticate each time they log in to NHSmail?

Users will need to authenticate on each new device and browser they sign in from. For desktop and mobile apps, users are prompted to authenticate once and are only prompted again when a key account detail changes, e.g. after they reset their password.

This differs only where the local organisation has assigned the user a licence that supports Conditional Access, e.g. EMS E3 Intune, Azure AD Premium P1 (AADP1) or Azure AD Premium P2 (AADP2). In that case a sign-in that matches a Conditional Access condition, such as a sign-in from a new location, will prompt the user for MFA again.

What if a user gets locked out of their account (e.g. because they lost their authentication device)?

Users are advised to inform their local admin when they have misplaced their device and should be encouraged to register an alternative method of MFA for emergencies, such as an alternative mobile phone number or setting up the Microsoft Authenticator app on another device.

If a user has set up alternative authentication methods, they should be able to select “Sign in another way” when at the MFA prompt screen.

If a user is locked out and cannot regain access unless MFA is disabled, e.g. because they have no alternative authentication method, follow the instructions at the top of this page to disable MFA for that user. Confirm that the request genuinely comes from the user before doing so, as a "lost device" is an easy pretext for someone trying to get MFA removed from an account. Once the user has signed in and registered a new method, the local admin should re-enable MFA for the account.

What if a user has changed their mobile phone number?

Please direct users to update their MFA details here. On the ‘Security info’ page, they will need to click on change and edit this by adding in their new phone number. This number is independent of the mobile number listed in their NHSmail Portal profile.


Can users register a non-UK phone number as an authentication option?

No. Only UK-based phone numbers are permitted for MFA; the use of mobile phone numbers registered outside the UK is not permitted, as per this announcement. Users are encouraged to check the number associated with their MFA details here. If it is a non-UK number, they should delete it and replace it with a UK-based phone number.

What if a user has a new mobile phone but kept the same number?

If a user has kept the same mobile number and their authentication method is call or text message, they do not have to do anything. If they use the Microsoft Authenticator app as their preferred method, they need to install the app on the new phone and restore the backup taken from the old phone. To move Microsoft Authenticator to a new phone, users need to follow these steps:

  • Step 1: Open the Microsoft Authenticator app on the old phone
  • Step 2: Tap the three-dot icon and go to Settings
  • Step 3: Turn on the Cloud backup (Android) or iCloud backup (iPhone) option
  • Step 4: Add a recovery account
  • Step 5: Open the Microsoft Authenticator app on the new phone
  • Step 6: Tap the Begin recovery button
  • Step 7: Enter the credentials of the recovery account
  • Step 8: Re-verify the accounts to start using them.

Users should keep the old phone until the new one has been verified, and then remove the old device from their Security info page so that a stale registration is not left behind.

How can I monitor adoption of MFA in my local organisation?

To monitor adoption of MFA in your local organisation, generate a mailbox report for your organisation: in the NHSmail Portal, click "Reports" and then "Admin Reports". The report shows which accounts have MFA enabled and the type of authentication method registered.
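As an added example (not an NHSmail tool, and not code from this page), the script below shows how a local admin might summarise a downloaded report: adoption percentage per organisation unit, plus a follow-up list of users who have MFA enabled but only one method registered, since the page advises registering more than one. The column names (UserPrincipalName, OrganisationUnit, MfaEnabled, AuthenticationMethods) and the sample rows are constructed for illustration; map them to whatever columns the Admin Report actually contains.

```powershell
# Added example: summarise an MFA adoption export in PowerShell.
# ASSUMPTION: the CSV layout below is hypothetical; adjust the column names
# to match the real Admin Report. The sample rows are constructed, not real users.
$sampleCsv = @'
UserPrincipalName,OrganisationUnit,MfaEnabled,AuthenticationMethods
a.user@nhs.net,Pharmacy,TRUE,Microsoft Authenticator;SMS
b.user@nhs.net,Pharmacy,TRUE,SMS
c.user@nhs.net,Radiology,FALSE,
d.user@nhs.net,Radiology,TRUE,FIDO2
'@
$report = $sampleCsv | ConvertFrom-Csv
# For a real export, replace the two lines above with:
# $report = Import-Csv -Path '.\mfa-admin-report.csv'

# 1. Adoption by organisation unit: how many users, how many with MFA enabled, and the percentage.
$report | Group-Object OrganisationUnit | ForEach-Object {
    $enabled = @($_.Group | Where-Object { $_.MfaEnabled -eq 'TRUE' }).Count
    [pscustomobject]@{
        OrganisationUnit = $_.Name
        Users            = $_.Count
        MfaEnabled       = $enabled
        PercentEnabled   = [math]::Round(100 * $enabled / $_.Count, 1)
    }
} | Format-Table -AutoSize

# 2. Follow-up list: MFA is enabled but only one method is registered, so losing
#    that one device would lock the user out and force an MFA reset by the admin.
#    Methods are assumed to be ';'-separated in the export; empty entries are ignored.
$report |
    Where-Object { $_.MfaEnabled -eq 'TRUE' } |
    Where-Object { @($_.AuthenticationMethods -split ';' | Where-Object { $_ }).Count -lt 2 } |
    Select-Object UserPrincipalName, OrganisationUnit, AuthenticationMethods |
    Format-Table -AutoSize
```

With the constructed rows above, Pharmacy reports 100% enabled and Radiology 50%, and the follow-up list contains b.user (SMS only) and d.user (FIDO2 only). Re-running this after each bulk enablement batch gives a simple way to track the rollout and to target the "register more than one method" reminder at the users who most need it.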

User Advice

What if users don't want to use their personal mobile phone for MFA?

If users don't have a corporate device, it is recommended that they use their personal device, as this device is unique to them. This helps ensure their account can only be accessed by the person in possession of their phone: even if someone has their username and password, they won't be able to sign in to the NHSmail Portal or access their Microsoft Office 365 account without the user's personal device.

If mobile devices are not allowed in the workplace, users are advised to contact their local admin to discuss alternatives, such as FIDO2 security tokens or NHS Smartcards. This will be down to local organisation policy. For information about FIDO2, please visit this page. Please visit the NHS Care Identity Sign in Support site for more information.

Users are advised that using MFA on their personal device will ensure their account remains protected and will not result in the collection, storage or tracking of any personally identifiable data.

What if users are worried that MFA will allow data to be accessed on their personal phone?

The Microsoft Authenticator app does not collect or store any personally identifiable data. Keeping users' NHSmail accounts secure protects the organisation, their own personal data and patient data. Their personal mobile phone details are not used for any purpose other than protecting their account. Adding the Microsoft Authenticator app to their personal mobile phone is simply a way of confirming who they are. Further information can be found here.

How is MFA applied on compromised accounts?

As part of the ongoing efforts to protect the NHSmail platform, multi-factor authentication (MFA) will now be enforced by the NHSmail team on all NHSmail accounts that are identified as compromised. Further information can be found here.

What if I want to make use of Conditional Access MFA?

Information regarding the NHSmail Intune Service and specific licence requirements (e.g. EMS E3 Intune, AADP1 or AADP2 licences) can be found here.

Where can I learn more about FIDO2?

For information about FIDO2, please visit this page.

Additional Information

Where can I provide feedback related to the MFA process?

For feedback, please contact us via Your Voice or feedback@nhs.net 

Last Reviewed Date 28/11/2022
Updated on 28/11/2022
