MFA Admin Guide

Multi-Factor Authentication (MFA) helps protect users by making it more difficult for someone else to sign in to their NHSmail account. It combines two different factors: something the user knows (their password) and something they have (a registered contact method or device, such as a phone or an authenticator app).

MFA Enablement & Disablement

As a Local Administrator, you will be able to enable and disable MFA for users via the Portal, either individually or in bulk. You can select users to enable or disable MFA by using the filters available through the column picker, for example by organisation, organisation unit or user policy. Please note that the bulk edit feature is currently limited to 50 users at a time; repeat the bulk edit as many times as needed for larger cohorts of users.

To see the MFA statuses of users at your organisation, you can download the MFA Status report from the Admin Reports section in Portal. For an overview of the reports alongside the other available admin reports, please refer here.

The MFA Statuses that you will see on the MFA Status report are:

User Enabled – when a user enables MFA via the Self-Enrol Flow

User Disabled – when a user disables MFA via the Self-Enrol Flow

Admin Enabled – when a Local Admin enables MFA via User Management

Admin Disabled – when a Local Admin disables MFA via User Management

MFA Enforced ATP Group – the user has been added to an ATP role, which enables MFA for the user. This applies both when the user is granted the ATP Approver role through the DL and when they are added to an ATP group.

MFA Disabled ATP Group – the user has been removed from an ATP role, which disables MFA for the user. This applies both when the ATP Approver role is removed from the account and when the user is removed from an ATP group.

MFA Enforced Admin Role – the user has been given an admin role (Local Admin, Primary Local Admin, Global Admin, Global Helpdesk etc.), which enables MFA for the user.

MFA Disabled Admin Role – the admin role (Local Admin, Primary Local Admin, Global Admin, Global Helpdesk etc.) has been removed from the user account, which disables MFA for the user.

MFA Enforced Compromised – for a user whose account has been marked as compromised

The report also details Authentication Type used when signing in. The different types and their descriptions are outlined as follows:

OneWaySMS – A text message sent to the user

PhoneAppNotification – A notification is triggered to the user’s dedicated mobile application for authentication which will prompt for approval or rejection

PhoneAppOTP – A one-time unique passcode that will be displayed on the user’s dedicated application

TwoWayVoiceMobile – A mobile phone call where authentication will be granted upon the user entering a key

TwoWayVoiceAlternateMobile – A voice call to the user’s alternate registered mobile number, where authentication is granted upon the user entering a key

TwoWayVoiceOffice – A voice call to the user’s registered office phone, where authentication is granted upon the user entering a key

Individual – Enablement / Disablement of MFA

Steps on how to enable and/or disable MFA for individual user accounts:

To review/download the steps for individual enablement, click here.

To review/download the steps for individual disablement, click here.

Bulk – Enablement / Disablement of MFA

Steps on how to enable and/or disable MFA for a group of user accounts:

To review/download the steps for bulk enablement and disablement, click here.

For requests over 50 mailboxes, please see the interim process here.

MFA Re-Enrolment

Steps on how to re-enrol user accounts for MFA:

To review/download the steps for MFA re-enrolment, click here.

MFA Adoption Toolkit

We have created a toolkit to support local admins and local organisations with their MFA rollout. Please visit this page for more information.

Top Tips and Frequently Asked Questions

Here are some answers to questions you may have about Multi-Factor Authentication (MFA).

Overview

What are the steps for a user to set up MFA?

The “Get Started with MFA” guide for users can be found here.

What are user’s options for MFA?

Users can choose between the Microsoft Authenticator app, text messages, calls, or depending on the local organisation, a FIDO2 token or an NHS Smartcard. Users should be encouraged to register more than one authentication method to ensure they never lose access to their account, even if something happens to their device.

  • Authentication App: Download the Microsoft Authenticator app to your smartphone to verify your sign in or to get a verification code.
  • Text message: A text message (SMS) is sent to the mobile phone number registered containing a verification code.
  • Call: An automated voice call is made to the mobile phone number registered prompting the user to press # on their keypad.
  • FIDO2: Use FIDO2 for MFA to sign in with a choice of security keys available and supported.

Users who sign in with an NHS Smartcard will not be challenged for MFA, but they should still register a mobile app, text message, phone call or FIDO2 token as an MFA method so that the account remains protected when the smartcard is not used.

Set Up & Use

What applications / systems does MFA protect?

Multi-factor authentication (MFA) is currently being used to protect the NHSmail Portal and all Microsoft Office 365 (O365) applications including Outlook, Teams, OneNote, OneDrive and SharePoint.

What versions of Microsoft Office 365 (O365) applications are compatible with MFA?

The configuration requirements vary, depending on the Outlook version:

  • Outlook 2010 does not support MFA.
  • Outlook 2013 supports MFA (via modern authentication), but it is not enabled by default. Instructions on how to enable this can be found here.
  • Outlook 2016 and later support MFA by default.

Will users need to authenticate each time they log in to NHSmail?

Users will need to authenticate on each device and browser they log into. For desktop and mobile apps, users will be prompted to authenticate once and then will only be prompted again once a key account detail has changed, e.g. they have reset their password.

This will only differ in cases where a specific MFA licence has been assigned to a user by their local organisation, e.g. an EMS E3 Intune, Azure AD Premium P1 (AADP1) or Azure AD Premium P2 (AADP2) Conditional Access licence. In such cases, a sign-in that no longer satisfies the Conditional Access policy, such as a sign-in from a new location, would result in the user being prompted for MFA again.

What if a user gets locked out of their account (e.g. because they lost their authentication device)?

Users are advised to inform their local admin when they have misplaced their device and should be encouraged to register an alternative method of MFA for emergencies, such as an alternative mobile phone number or setting up the Microsoft Authenticator app on another device.

If a user has set up alternative authentication methods, they should be able to select “Sign in another way” when at the MFA prompt screen.

If a user is locked out of their account and cannot access it unless MFA is disabled, e.g. because they don’t have an alternative authentication method, verify the user’s identity through a channel other than their NHSmail account, then follow the instructions for individual disablement at the top of this page. Once disabled, MFA should be re-enabled for the account by the local admin as soon as the user has registered a new authentication method.

What if a user has changed their mobile phone number?

Please direct users to update their MFA details here. On the ‘Security info’ page, they will need to click on change and edit this by adding in their new phone number. This number is independent of the mobile number listed in their NHSmail Portal profile.

 

Can users register a non-UK phone number as an authentication option?

No, only UK-based phone numbers are permissible for MFA. The use of mobile phone numbers registered outside of the UK is not permissible, as per this announcement. Users are encouraged to check the number associated with their MFA details here. If this number is a non-UK based phone number, they should delete it and update the field with a UK-based phone number.

What if a user has a new mobile phone but kept the same number?

If a user has kept the same mobile number and their method of authentication is call or text message, they do not have to do anything. If they have selected the Microsoft Authenticator app as their preferred authentication option, they need to install the app on their new mobile device and restore the backup taken from their old mobile device. To set up Microsoft Authenticator on a new phone, users need to follow these steps:

  • Step 1: Open the Microsoft Authenticator app on the old mobile
  • Step 2: Tap on the three-dotted icon and go to Settings
  • Step 3: Toggle the Cloud backup (Android) or iCloud backup (iOS) option
  • Step 4: Add a recovery account
  • Step 5: Open the Microsoft Authenticator app on the new mobile
  • Step 6: Tap on the Begin recovery button
  • Step 7: Enter the credentials of the recovery account
  • Step 8: Re-verify the accounts to start using them.

Once the new device is working, users should remove the old device from their Security info so that a lost or resold phone can no longer approve sign-ins.

How can I monitor adoption of MFA in my local organisation?

To monitor adoption of MFA in your local organisation, download the MFA Status report for your organisation: in the NHSmail Portal, click “Reports” then “Admin Reports”. The report shows which accounts have MFA enabled and the type of authentication method registered.
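The MFA Status and Authentication Type values listed earlier on this page can be turned into a simple adoption check. The script below is an added example, not NHSmail tooling: it parses a downloaded MFA Status report, counts accounts by status, lists the accounts that are currently unprotected, and flags accounts whose registered method is SMS or voice (these are weaker than the app or FIDO2 because a phone number can be ported or SIM-swapped and a call or text gives the user no context about the sign-in). The column headers (Email, MFA Status, Authentication Type) and the sample rows are assumptions constructed for the example; adjust the header names to match your downloaded report.

```python
"""Triage a downloaded NHSmail MFA Status report.

Added example, not NHSmail's own tooling. The column names used below
(Email, MFA Status, Authentication Type) are an assumption about the
report layout, and SAMPLE_REPORT is constructed data for illustration.
"""
import csv
import io
from collections import Counter

# Constructed sample of what a downloaded MFA Status report might contain.
SAMPLE_REPORT = """Email,MFA Status,Authentication Type
a.admin@nhs.net,MFA Enforced Admin Role,PhoneAppNotification
b.user@nhs.net,User Enabled,OneWaySMS
c.user@nhs.net,Admin Disabled,
d.user@nhs.net,User Enabled,PhoneAppOTP
e.user@nhs.net,MFA Enforced Compromised,TwoWayVoiceMobile
f.user@nhs.net,User Disabled,
"""

# Status values documented on this page that mean MFA is not active.
DISABLED_STATUSES = {
    "User Disabled",
    "Admin Disabled",
    "MFA Disabled ATP Group",
    "MFA Disabled Admin Role",
}

# Telephony methods documented on this page. They are weaker than the
# Authenticator app or FIDO2 (SIM swap, number porting, no sign-in context).
PHONE_METHODS = {
    "OneWaySMS",
    "TwoWayVoiceMobile",
    "TwoWayVoiceAlternateMobile",
    "TwoWayVoiceOffice",
}


def parse_report(text):
    """Return the report rows as a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows):
    """Summarise adoption and list the accounts that need admin attention."""
    by_status = Counter(r["MFA Status"] for r in rows)
    not_protected = sorted(
        r["Email"] for r in rows if r["MFA Status"] in DISABLED_STATUSES
    )
    phone_default = sorted(
        r["Email"] for r in rows if r["Authentication Type"] in PHONE_METHODS
    )
    enabled = len(rows) - len(not_protected)
    return {
        "total": len(rows),
        "enabled": enabled,
        "adoption_pct": round(100.0 * enabled / len(rows), 1) if rows else 0.0,
        "by_status": dict(by_status),
        "not_protected": not_protected,
        "phone_default": phone_default,
    }


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    print(f"MFA adoption: {result['enabled']}/{result['total']} "
          f"({result['adoption_pct']}%)")
    for status, count in sorted(result["by_status"].items()):
        print(f"  {status}: {count}")
    print("Accounts without MFA:", ", ".join(result["not_protected"]))
    print("Accounts defaulting to SMS/voice:", ", ".join(result["phone_default"]))
```

To run it against a real export, replace SAMPLE_REPORT with the contents of the downloaded CSV (for example `triage(parse_report(open("mfa_status.csv").read()))`). The accounts in `not_protected` are candidates for admin enablement; the accounts in `phone_default` are worth nudging towards the Authenticator app or a FIDO2 token as part of the adoption toolkit work described below.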

User Advice

What if users don't want to use their personal mobile phone for MFA?

If users don’t have a corporate device, it is recommended that they use their personal device as this device is unique to them. This helps ensure their account can only be accessed by the person in possession of their phone. Even if someone has their log in details and password, they won’t be able to log into the NHSmail Portal or access their Microsoft Office 365 account without the user’s personal device. Users should deny any approval prompt they did not trigger themselves and report it to their local admin, as an unexpected prompt means someone else is using their password.

If mobile devices are not allowed in the workplace, users are advised to contact their local admin to discuss alternatives, such as FIDO2 security tokens. This will be down to local organisation policy. For information about FIDO2, please visit this page. Please visit the NHS Care Identity Sign in Support site for more information.

Users are advised that using MFA on their personal device will ensure their account remains protected and will not result in the collection, storage or tracking of any personally identifiable data.

What if users are worried that MFA will allow data to be accessed on their personal phone?

The Microsoft Authenticator app does not collect or store any personally identifiable data. Keeping users’ NHSmail accounts secure protects the organisation, their own personal data and patient data. Their personal mobile phone details are not used for any purpose other than protecting their account. Adding the Microsoft Authenticator app to their personal mobile phone is simply a way of confirming who they are. Further information can be found here.

How is MFA applied on compromised accounts?

As part of the ongoing efforts to protect the NHSmail platform, multi-factor authentication (MFA) will now be enforced by the NHSmail team on all NHSmail accounts that are identified as compromised. Further information can be found here.

What if I want to make use of Conditional Access MFA?

Information regarding the NHSmail Intune Service and specific licence requirements (e.g. EMS E3 Intune, AADP1 or AADP2 licences) can be found here.

Where can I learn more about FIDO2?

For information about FIDO2, please visit this page.

Additional Information

Where can I provide feedback related to the MFA process?

For feedback, please contact us via Your Voice or feedback@nhs.net 

Last Reviewed Date 16/03/2023
Updated on 16/03/2023
