A new process to enrol for Multi-Factor Authentication (MFA) is now available on the NHSmail platform. MFA Conditional Access is a feature of Azure AD that allows the definition of policies that require additional authentication methods before granting access to an application or service. In relation to the NHSmail platform, it will work in the same way as per-user MFA – users enabled for it will be prompted to authenticate via a second factor when logging in.
The target audience for this guidance is Local Administrators. If you are a user with questions about MFA, please contact a Local Administrator in your organisation.
Please refer to the MFA Conditional Access Service Overview article first, before reading this article.
MFA Conditional Access Overview
Multi-factor authentication (MFA) is an effective control against a wide range of account compromise techniques, stopping simple attacks altogether and making it much more difficult for even sophisticated attackers to succeed. In addition to their email address and password, users will need to set up a second form of authentication, such as an authentication app on their mobile phone, text message or phone call. This second layer of security is designed to prevent anyone but them from accessing their account, even if they know their password.
Conditional Access policies are, at their simplest, 'if-then' statements: if a user wants to access a resource, then they must complete an action. They are enforced after first-factor authentication (email address and password) has completed, so a policy never replaces the password check; it adds a condition on top of it.
MFA Conditional Access is the new strategic MFA solution made available by Microsoft. As described above, it is a feature of Azure AD that lets policies require additional authentication methods before access is granted to an application or service; on the NHSmail platform it behaves like per-user MFA from the user's point of view, with users in scope prompted for a second factor when logging in.
A Named Location is a network location, identified by its public internet IP address range, that an organisation has assessed as trusted and that meets the registration criteria set out in the MFA CA Policy Registration Guide. The assessment rests on the security measures and controls the organisation has put in place to protect the integrity and confidentiality of data and resources reachable from that location.
There are currently two Conditional Access policies available to enforce MFA and organisations will be able to use one or both policies.
- Standard: enables MFA for the user account; the user is prompted for a second factor on every authentication flow, regardless of where they connect from.
- Named Locations: enables MFA for the user account; the user is prompted for a second factor unless their device is connecting from a registered Named Location (e.g. HSCN), in which case the prompt is skipped.
An organisation can use both the Standard and the Named Locations policy. To do so, it submits the HSS onboarding request twice, once per policy, each request linking its own security group.
NHS England strongly recommends that organisations choose a selected sub-set of users as their user scope rather than all users. This gives local administrators the flexibility to add users to their own security groups and to remove them when a user needs MFA temporarily disabled, for example after losing their mobile phone.
MFA Conditional Access Onboarding
Organisations are recommended to follow the below 4 step process to plan and use MFA CA policies:
1. Review documentation and check pre-requisites
2. Get the organisation ready
3. Submit an onboarding request to link the security group to the chosen MFA CA policy
4. Test and provide on-going maintenance
The MFA CA Policy Onboarding Guide sets out why this service is being introduced, how it works and additional information about the onboarding process.
Organisations can submit up to two onboarding requests, one per each policy (Standard and Named Locations).
As noted above, NHS England strongly recommends a selected sub-set of users as the user scope, so that local administrators can add users to, and remove them from, their own security groups (for example when a user has lost their mobile phone and needs MFA temporarily disabled).
An organisation that chooses a selected sub-set of users as its user scope must provide the security group's Display Name in the onboarding request; the Display Name can be found in the NHSmail Portal.
A security group display name usually starts with the organisation’s ODS code, followed by the letters “sg”, as per below example:
Display Name Example: X26.sg.MFA-CA-Std-Users
Organisations must not change the name of their security groups after onboarding: the onboarding request links the policy to the group by the Display Name supplied in that request.
Organisations are recommended to follow the below approach:
1. Create a security group via NHSmail Portal
2. Submit an onboarding request via HSS form
3. Wait for an approval and completed email notification
4. Execute a test using test accounts or a small number of users within their organisation
5. Notify all impacted users
6. Start adding users into the Security Group
Onboarding requests are expected to be processed within 1 to 3 working hours. Requestors are notified by email when the onboarding request has been approved and completed.
To check progress on an onboarding request, organisations can raise an incident with the NHSmail helpdesk and ask for an update, quoting the service request reference number (RITM).
Named Locations Registration
Organisations must first complete the onboarding process for the Conditional Access policy. An organisation that uses a network other than HSCN / Secure Boundary is then recommended to follow the 4 step process below to register that network as a Named Location:
1. Review and meet criteria (including senior approval)
2. Submit a registration request containing your IP address/ range
3. Wait for NHS England approval
4. Test and provide on-going maintenance
The MFA CA Policy Registration Guide provides detailed information for organisations looking to use MFA Conditional Access policies alongside Named Locations to enforce MFA for all or a subset of their users.
Organisations connected via HSCN / Secure Boundary do not need to register it: HSCN / Secure Boundary is a Named Location by default. The organisation still needs to onboard the Named Locations Conditional Access policy so that users in its security group are covered by that policy.
Organisations can submit more than one registration request in order to register different Named Locations.
Local administrators can provide more than one IP address range in the specified field of the HSS form in ServiceNow, separating the values with a comma, as per the example below:
Named Locations criteria can be found in the MFA CA Policy Registration Guide.
If an organisation has registered a network as a Named Location and the user's device reaches the internet via that network, the user will not see MFA prompts when logging into Office 365 applications. The exemption follows the network, not the user: the same user on home broadband or mobile data, whose traffic does not egress via a registered range, will be prompted as normal.
Organisations will be required to discuss the registration of a Named Location with a Senior Information Risk Owner (SIRO), Chief Technology Officer (CTO) or equivalent person in the organisation and obtain a written confirmation that they have reviewed and confirmed the organisation meets all criteria to register a named location.
Registration requests are expected to be processed within 5 to 10 working days. Requestors are notified by email when the registration has been approved and completed.
If a request to register a Named Location is rejected, local administrators are recommended to review the reasons for the rejection, take actions to address the issues, and submit a brand-new registration request using the HSS form.
Organisations that would like to contest the rejection can submit an escalation request via NHSmail helpdesk.
More information can be found in the MFA CA Policy Registration Guide.
Managing MFA CA Policies
If a user is in both the Standard and the Named Locations security groups, the Standard policy takes precedence and the user will be prompted to authenticate even when working from a registered Named Location. Remove the user from one of the two MFA CA security groups the organisation created to avoid the duplication.
Named Locations do not apply to administrator roles: all administrator accounts, including Local Administrators and ATP admins, will always be prompted to authenticate.
If the user is enrolled for MFA CA, it is expected that MFA will be prompted when using O365 applications but not when logging into the NHSmail Portal. To fully disable MFA for the account, remove the user from the organisation's MFA security group.
Existing user accounts that already have MFA enabled can be added to the Named Locations security group the organisation has created; the policy takes effect within the following 8 hours.
Following the announcement of the NHS England MFA Policy, organisations are recommended not to fully remove MFA from users' accounts, so that they stay on track to meet the expected deadline. If an organisation must temporarily disable MFA for a user, confirm that MFA is disabled for the user in the NHSmail Portal and remove the user from any organisation MFA security group; both steps are needed to fully disable MFA for the account.
If users within the organisation's premises are still being prompted for MFA and this affects only a subset of users, the cause is most likely the individual account set-up. In that case, check that:
- The user was added only to the MFA CA Named Locations security group the organisation created for this purpose, and not also to the Standard group.
- The user was not enabled for MFA via the NHSmail Portal after being added to the MFA CA Named Locations security group. If they were, disable MFA for the user in the NHSmail Portal.
- The user does not hold any administrator role on their account, as administrator roles are always prompted for MFA.
If this affects all users within the organisation's premises, it is more likely that the Named Location registration is still replicating or was not registered successfully. In that case, check that:
- The public internet IP address ranges submitted in the registration request are correct.
- The users' internet traffic actually egresses via one of the registered public internet IP address ranges (traffic sent through a different breakout, VPN or proxy will arrive from an unregistered address and be prompted).
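To make the rules above concrete, the following Python policy simulator is an added example written for this page; it is not NHSmail or NHS England tooling. The group Display Names, the registered IP ranges and the User model are constructed for illustration (the ranges are RFC 5737 documentation addresses, not real HSCN ranges). It encodes the precedence rules from the Managing MFA CA Policies section (per-user Portal MFA, administrator roles, Standard before Named Locations), the Named Location IP check behind the troubleshooting steps above, and a validator for the comma-separated IP address/range field that rejects ranges with host bits set and private (RFC 1918, CGNAT, loopback, link-local) ranges, which can never match a device's public egress address.

```python
"""Simulator for the MFA CA decision rules described on this page.

Added example, not NHSmail/NHS England code. Group names, ranges and the
User model are constructed; ranges use RFC 5737 documentation addresses.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed: ranges an organisation might have registered as Named Locations.
REGISTERED_NAMED_LOCATIONS = {
    "HSCN / Secure Boundary": [ip_network("203.0.113.0/24")],
    "X26 head office": [ip_network("198.51.100.0/25"),
                        ip_network("198.51.100.200/29")],
}

# Constructed group Display Names in the <ODS>.sg.<purpose> convention.
STANDARD_GROUP = "X26.sg.MFA-CA-Std-Users"
NAMED_LOCATIONS_GROUP = "X26.sg.MFA-CA-NL-Users"

# Address space that can never be a public egress address (RFC 1918, loopback,
# link-local, CGNAT); ranges inside these are rejected at registration time.
NON_PUBLIC = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


@dataclass
class User:
    upn: str
    groups: frozenset = field(default_factory=frozenset)
    has_admin_role: bool = False      # LA, ATP admin, etc.
    portal_mfa_enabled: bool = False  # per-user MFA set in the NHSmail Portal


def parse_ip_ranges(field_value: str) -> list:
    """Parse the comma-separated IP address/range field from the HSS form.

    strict=True rejects ranges with host bits set (a typo such as
    198.51.100.5/24); non-public ranges are rejected because a device behind
    NAT presents its public egress address, not its LAN address.
    """
    ranges = []
    for token in field_value.split(","):
        token = token.strip()
        if not token:
            continue
        net = ip_network(token, strict=True)  # raises ValueError on bad input
        if any(net.version == blocked.version and net.subnet_of(blocked)
               for blocked in NON_PUBLIC):
            raise ValueError(f"{net} is not a public internet range")
        ranges.append(net)
    return ranges


def in_named_location(source_ip: str) -> Optional[str]:
    """Return the registered Named Location containing source_ip, or None."""
    addr = ip_address(source_ip)
    for name, ranges in REGISTERED_NAMED_LOCATIONS.items():
        if any(addr in net for net in ranges):
            return name
    return None


def mfa_prompt_expected(user: User, source_ip: str) -> tuple:
    """Apply the page's rules in precedence order; return (prompted, reason)."""
    # Per-user MFA set in the Portal is independent of CA and always prompts.
    if user.portal_mfa_enabled:
        return True, "per-user MFA is enabled in the NHSmail Portal"
    # Administrator roles are always prompted; Named Locations do not apply.
    if user.has_admin_role:
        return True, "administrator roles are always prompted"
    in_standard = STANDARD_GROUP in user.groups
    in_named = NAMED_LOCATIONS_GROUP in user.groups
    if not (in_standard or in_named):
        return False, "user is not in any MFA CA security group"
    # Standard takes precedence when a user is in both groups.
    if in_standard:
        dup = " (also in Named Locations group: remove one)" if in_named else ""
        return True, "Standard policy always prompts" + dup
    location = in_named_location(source_ip)
    if location is None:
        return True, f"{source_ip} is outside every registered Named Location"
    return False, f"{source_ip} is inside Named Location '{location}'"


if __name__ == "__main__":
    alice = User("alice@nhs.net", frozenset({NAMED_LOCATIONS_GROUP}))
    for ip in ("203.0.113.10", "192.0.2.5"):
        print(alice.upn, ip, mfa_prompt_expected(alice, ip))
    print(parse_ip_ranges("203.0.113.0/24, 198.51.100.0/25"))
```

Run it with a user's group memberships and the public IP reported by their browser to predict whether a prompt is expected; a mismatch between the prediction and what the user sees points at the replication or registration issues listed above rather than at the account set-up.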
Last Reviewed Date: 22/09/2023