MFA Admin Frequently Asked Questions (FAQs)

Overview

What is Multi-Factor Authentication (MFA)?

Multi-factor authentication (MFA) is an effective control against a wide range of account compromise techniques, stopping simple attacks altogether and making it much more difficult for even sophisticated attackers to succeed. In addition to their email address and password, users will need to set up a second form of authentication, such as an authentication app on their mobile phone, text message or phone call. This second layer of security is designed to prevent anyone but them from accessing their account, even if they know their password.

How will exceptions work for the MFA mass rollout?

Please refer to guidance on Short and Long Term Exceptions here on the process and requirements to apply for exceptions. Further information related to the nationally enforced rollout will be confirmed closer to the time.

Is there a grace period when MFA is applied before it is enforced?

This depends on how MFA is applied. There is currently no grace period for Standard Conditional Access (CA) MFA. Named Location CA has a grace period of 14 days, during which the user can temporarily skip the registration process. After the 14-day grace period has passed, the user will not be able to log in to their account until MFA registration is completed.

Which MFA policy takes precedence when a user has more than one policy on their account?

For information on the order of precedence for MFA policies on a user account and the future changes to precedence, please see here.

How do I integrate Single Sign-On (SSO) with MFA?

You can request SSO via Entra ID for SSO web apps. The SSO request form here can be used to raise a request through the stores process. Further information on SSO can be found here.

What is the MFA acceptance criteria for the Acceptable Use Policy (AUP)?

Currently, user accounts can be added to a Conditional Access MFA policy (security group) before acceptance of the AUP.

Previously, user accounts could only be added to a Per User policy after acceptance of the AUP.

Can NHS Smartcards be used as a core MFA method?

NHS Smartcards are not considered to be a “core” MFA option. Like FIDO2 tokens, they can be used in place of the MFA prompt once a core method has been set up on the account, so a user signing in with one is not challenged further. They can only be used for web access and not with desktop applications.

What are the steps for a user to set up MFA?

The “Get Started with MFA” guide for users can be found here.

What are user’s options for MFA?

Users can choose between the Microsoft Authenticator app, text messages, or call. Users should be encouraged to register more than one authentication method to ensure they never lose access to their account, even if something happens to their device.

  • Authentication App: Download the Microsoft Authenticator app to your smartphone to verify your sign in or to get a verification code.
  • Text message: A text message (SMS) is sent to the mobile phone number registered containing a verification code.
  • Call: An automated voice call is made to the mobile phone number registered prompting the user to press # on their keypad.
  • Users should register MFA using the mobile app, text message or phone call even if they also use a FIDO2 Token or NHS Smartcard. If a user signs in with a FIDO2 Token or NHS Smartcard and has another MFA option registered, they won’t be challenged for MFA. However, NHS Smartcards only allow access to web applications and not desktop applications.

How is MFA applied on compromised accounts?

As part of the ongoing efforts to protect the NHSmail platform, multi-factor authentication (MFA) will now be enforced on all NHSmail accounts that are identified as compromised. Further information can be found here.

Mobile Phone Numbers and Devices

What if there are user issues related to unsupported authentication methods?

Local Administrators are expected to provide support for user issues related to currently unsupported authentication methods. Please refer to Setting up TOTP Software Tokens for guidance on authentication methods.

What if I have problems with the Microsoft Authenticator app?

Please follow the guidance on How to Install Authenticator app and further guidance on steps for How to set up MFA on the Authenticator app.

If the Microsoft Authenticator app is not responding or you are not receiving a code, check that the app is up to date, that the device has a stable internet connection, and that notifications for the app are allowed in the device settings.

If the issue persists, please try an alternative verification method such as a text message or phone call.

What if users don't want to use their personal mobile phone for MFA?

If users don’t have a corporate device, it is recommended that they use their personal device as this device is unique to them. This helps ensure their account can only be accessed by the person in possession of their phone. Even if someone has their log in details and password, they won’t be able to log into the NHSmail Portal or access their Microsoft Office 365 account without the user’s personal device.

If mobile devices are not allowed in the workplace, users are advised to contact their local admin to discuss alternatives, such as FIDO2 security tokens. This will be down to local organisation policy. For information about FIDO2, please visit this page. For NHS Smartcards please visit the NHS Care Identity Sign in Support site for more information.

Users are advised that using MFA on their personal device helps keep their account protected and does not result in the collection, storage or tracking of any personally identifiable data.

What if users are worried that MFA will allow data to be accessed on their personal phone or that their mobile numbers may be used if they register for SMS/ text authenticator methods?

The Microsoft Authenticator app does not collect or store any personally identifiable data. Keeping users’ NHSmail accounts secure protects the organisation, their own personal data and patient data. Their personal mobile phone details are not used for any purpose other than protecting their account. Adding the Microsoft Authenticator app to their personal mobile phone is just a way of confirming who they are. Further information can be found here.

Set Up & Use

How would MFA work in secure units/ sterile environments?

If the core options of MFA are not suitable for these users, organisations can consider using:

  • Named Location Conditional Access MFA
  • NHS Smartcards
  • FIDO2 tokens
  • TOTP Software Tokens

If none of the above workarounds are viable, organisations can consider putting the user accounts into the exception process, once this process is in place.

Can users still self-enrol since Per User MFA has been deprecated?

Yes, users are still able to self-enrol for MFA. By self-registering, users will be added to the general Standard Conditional Access MFA policy. However, the function to self-disable MFA has now been removed.

How do I re-enrol a user for MFA?

To review/ download the steps for MFA re-enrolment, please click here and refer to Re-enrolling Per User and Conditional Access Multi-Factor Authentication for more information.

How can I reset MFA for a User?

1. Click Admin in the navigation bar at the top of the screen and select User Management from the drop-down menu.

2. Use the search box to find the account you wish to reset MFA settings for.

3. Click on the user’s Display Name to open the User Details page. Refer to the Searching for an Entry article for more information.

4. Click Re-enrol MFA in the Actions box.

What applications / systems does MFA protect?

Multi-factor authentication (MFA) is currently being used to protect the NHSmail Portal and all Microsoft Office 365 (O365) applications including Outlook, Teams, OneNote, OneDrive and SharePoint.

What versions of Microsoft Office 365 (O365) applications are compatible with MFA?

The configuration requirements vary, depending on the Outlook version:

  • Outlook 2010 does not support MFA.
  • Outlook 2013 supports MFA but it is not enabled by default. Instructions on how to enable it can be found here.
  • Outlook 2016 and later versions support MFA by default.

Will users need to authenticate each time they log in to NHSmail?

Users will need to authenticate on each device and browser they log into. For desktop and mobile apps, users will be prompted to authenticate once and then will only be prompted again once a key account detail has changed, e.g. they have reset their password.

This will only differ where a specific licence has been assigned to a user by their local organisation, e.g. EMS E3 Intune, or Azure AD Premium P1 (AADP1) or Azure AD Premium P2 (AADP2) Conditional Access licences. In such cases, a change in the conditions evaluated by the Conditional Access policy, such as a change in sign-in location, would result in the user being prompted for MFA again.

What if a user gets locked out of their account (e.g. because they lost their authentication device)?

Users are advised to inform their local admin when they have misplaced their device and should be encouraged to register an alternative method of MFA for emergencies, such as an alternative mobile phone number or setting up the Microsoft Authenticator app on another device.

If a user has set up alternative authentication methods, they should be able to select “Sign in another way” when at the MFA prompt screen.

If a user is locked out of their account and cannot access it unless MFA is disabled, e.g. because they don’t have an alternative authentication method, please follow the instructions to apply for a short-term MFA exception for the user. The user should call the NHSmail Helpdesk when they replace their phone, as they will have to re-enrol for MFA.

What if a user has changed their mobile phone number?

Please direct users to update their MFA details here. On the ‘Security info’ page, they will need to click on change and edit this by adding in their new phone number. This number is independent of the mobile number listed in their NHSmail Portal profile.

Can users register a non-UK phone number as an authentication option?

No, only UK-based phone numbers can be registered for MFA; mobile numbers registered outside the UK are not permitted. Users are encouraged to check the number associated with their MFA details here. If it is a non-UK number, they should delete it and replace it with a UK-based phone number.

What if a user has a new mobile phone but kept the same number?

If a user has kept the same mobile number and their method of authentication is call or text message, they do not have to do anything. If they have selected the Microsoft Authenticator app as their preferred authentication option, they need to install the app on the new device and restore the backup taken from the old device. To move Microsoft Authenticator to a new phone, users need to follow these steps:

  • Step 1: Open the Microsoft Authenticator app on the old mobile
  • Step 2: Tap the three-dotted icon and go to Settings
  • Step 3: Toggle the Cloud backup or iCloud backup option
  • Step 4: Add a recovery account
  • Step 5: Open the Microsoft Authenticator app on the new mobile
  • Step 6: Tap the Begin recovery button
  • Step 7: Enter the credentials of the recovery account
  • Step 8: Re-verify the accounts to start using them

Note that the backup must be taken while the old device is still available. If it is not, the user should sign in with an alternative registered method or ask their local administrator to re-enrol MFA for them (see How can I reset MFA for a User?).

How can I monitor adoption of MFA in my local organisation?

To monitor adoption of MFA in your local organisation you can generate a mailbox report for your organisation. To do this, click “Reports” then “Admin Reports” in the NHSmail Portal. This will show you the accounts that have MFA enabled and the type of authentication method registered.

How can I enable Multi-Factor Authentication (MFA) for a large number of users simultaneously?

To set up MFA for multiple users concurrently please see Bulk Enablement of MFA.

MFA Conditional Access Policies

MFA CA Overview

What is a Conditional Access (CA) Policy?

Conditional Access policies at their simplest are ‘if-then’ statements: if a user wants to access a resource, then they must complete an action. They are enforced after first-factor authentication (email address and password) is completed.

What is MFA CA policy for NHSmail?

MFA Conditional Access is the new strategic MFA solution made available by Microsoft – it is a feature of Azure AD that allows the definition of policies that require additional authentication methods before granting access to an application or service. In relation to the NHSmail platform, it works in the same way as per-user MFA – users enabled for it will be prompted to authenticate via a second factor when logging in.

What if I want to make use of Conditional Access MFA?

Further information regarding Conditional Access MFA policies can be found here.

What is a Named Location?

A named location is a network location, defined by the public IP address ranges the organisation’s internet traffic leaves from, that the organisation has assessed as secure and reliable and that meets NHS England’s registration criteria. The assessment is based on the security measures and controls each organisation has in place to protect the integrity and confidentiality of data and resources within that location.

How many MFA CA Policies are available?

There are currently two Conditional Access policies available to enforce MFA and organisations will be able to use one or both policies.

  • Standard: This policy will enable MFA on the user account; MFA will always be prompted during the authentication flow.
  • Named Locations: This policy will enable MFA on the user account; MFA will not be prompted during the authentication flow if the user’s device is connected from a registered named location (e.g., HSCN).

Can an organisation use both MFA CA policies?

Yes, an organisation can use both Standard and Named Locations policies. To do so, an organisation needs to submit the HSS onboarding request twice (one per policy).

Can I apply a policy just to a subset of users in the organisation, and what is the recommended user scope?

Yes. NHS England strongly recommends that organisations choose a selected subset of users as their user scope.

Create a security group via NHSmail Portal before submitting an onboarding request via HSS form in Service Now.

MFA CA Onboarding

What are the steps for an organisation to start using an MFA CA policy?

Organisations are recommended to follow the below 4 step process to plan and use MFA CA policies:

  1. Review documentation and check pre-requisites
  2. Get the organisation ready
  3. Submit an onboarding request to link the security group to the chosen MFA CA policy
  4. Test and provide on-going maintenance

Where can an organisation find detailed information about the onboarding process?

The MFA CA Policy Onboarding Guide sets out why this service is being introduced, how it works and additional information about the onboarding process.

How can an organisation submit an onboarding request?

Organisations can submit their onboarding requests via HSS form in ServiceNow. They are encouraged to read and digest the MFA CA Policy Onboarding Guide first.

Can organisations submit more than one onboarding request?

Organisations can submit up to two onboarding requests, one per each policy (Standard and Named Locations).

What is the recommended user scope?

NHS England strongly recommends that organisations choose a selected subset of users as their user scope.

Create a security group via NHSmail Portal before submitting an onboarding request via HSS form in Service Now.

What is the security group name that organisations need to provide as part of the onboarding process?

If the organisation chooses a selected subset of users as their user scope, they are required to provide the security group Display Name, which can be found in the NHSmail Portal.

A security group display name usually starts with the organisation’s ODS code, followed by the letters “sg”, as per below example:

Display Name Example: X26.sg.MFA-CA-Std-Users

Can I change the name of a security group after the onboarding process request is submitted?

No, organisations must not change the name of their security groups.

Should an LA start adding users into an MFA CA Security Group before or after the onboarding request is completed?

Organisations are recommended to follow the below approach:

  1. Create a security group via NHSmail Portal
  2. Submit an onboarding request via HSS form
  3. Wait for the approval and completion email notification
  4. Execute a test using test accounts or a small number of users within the organisation
  5. Notify all impacted users
  6. Start adding users into the Security Group

How long does an onboarding request take to be completed?

Please note onboarding requests are expected to be processed within 1 to 3 working hours. Requestors will be notified by email when the onboarding request is approved and completed.

What can organisation do if they do not receive any notification of approval/completion?

Organisations can raise an incident with NHSmail helpdesk and ask for an update on the service request; organisations are required to provide the service request reference number (RITM).

Named Locations

How does Named Location Conditional Access MFA work?

The MFA CA policy for Named Locations enforces MFA on user accounts, so users will see an MFA prompt every time an application or service asks them to authenticate. However, if the user’s device is connected from a registered named location, the user will not see MFA prompts during authentication.

Named Location Conditional Access MFA reduces MFA prompts in Office 365 applications only (portal.nhs.net is not supported). A user must always register an MFA authentication method to their account as an initial one-time activity. Please note that if the account is accessed outside the Named Location, the user will be prompted for MFA to complete authentication.

If an organisation has registered a network as a Named Location and the user’s device is connected to internet via this network, the user will not see MFA prompts when logging into Office 365 applications.

Please refer to the Named Locations Registration Guide for information on how to create or update a Named Location and see further Named Location MFA CA guidance here.

Notes:

  • The NHSmail Portal and SSO applications registered in ADFS will always prompt for MFA, regardless of where the user is connecting from or the MFA CA policy they are in.
  • Only O365 applications (Outlook, Teams, SharePoint, OneDrive) work with the MFA CA Named Locations policy; users will have to access these apps using Microsoft URLs, for example:
  • HSCN/Secure Boundary networks have been registered as named locations by default. If the organisation uses these networks as its internet provider (users’ internet traffic is routed via these networks), the organisation will not need to submit a request to register a named location. It will still need to submit a request to be onboarded onto the MFA CA Named Locations policy and to have created a security group in the NHSmail Portal to apply the policy to a subset of its users.
  • Organisations that use their own internet providers (e.g. VM, BT, Sky, etc.) and wish to have a registered named location will need to submit a request following the guidance in this document.

Example 1:

  • An organisation has submitted a request to be onboarded into MFA CA Named Locations policy and has created a security group in the NHSmail portal to apply the policy to a subset of their users.
  • The organisation has not submitted a request for a named location to be registered, but user’s internet traffic in their premises is redirected via HSCN/Secure Boundary breakout.
  • A NHSmail user is added into the security group using the NHSmail Portal Security Groups functionality.
  • In the morning, the user is inside the organisation’s premises and connects their device to the HSCN/Secure Boundary network.
    • The user will not experience MFA prompts as their device is connected to a registered named location.
  • In the afternoon, the user heads home and connects their device to their home internet provider router.
    • The user will experience MFA prompts as the device is not connected to a registered named location.

Example 2:

  • Another organisation has submitted their own request to be onboarded into MFA CA Named Locations policy and has created their own security group in the NHSmail portal to apply the policy to a subset of users.
  • The organisation has not submitted a request for a named location to be registered, and they are using a 3rd party provider for their internet access (with dedicated IP addresses).
  • A NHSmail user is added into the security group using the NHSmail Portal Security Groups functionality.
  • In the morning, the user is inside the organisation’s premises and connects their device to their network.
    • The user will experience MFA prompts as the device is not connected to a registered named location.
  • In the afternoon, the user heads home and connects their device to their internet provider router.
    • The user will experience MFA prompts as the device is not connected to a registered named location.

Example 3:

  • The same organisation in Example 2 has now submitted a request to register a named location, using the dedicated IP addresses their 3rd party provider has assigned to them.
  • After NHS England has reviewed and approved the request, the relevant support team has registered the IP addresses as a named location.
  • After this, the same user who has been added into the security group is inside the organisation’s premises and has connected their device to the network.
    • The user will not experience MFA prompts as the device is now connected to a registered named location.

What are the steps for an organisation to register a Named Location?

Organisations must first complete the onboarding process for the Conditional Access Named Locations policy. If an organisation uses a network other than HSCN / Secure Boundary, they are then recommended to follow the below 4 step process to register a Named Location:

  1. Review and meet the criteria (including senior approval)
  2. Submit a registration request containing your IP address/ range
  3. Wait for NHS England approval
  4. Test and provide on-going maintenance

Where can an organisation find detailed information about the registration process?

The MFA CA Policy Registration Guide provides detailed information for organisations that are looking to use MFA Conditional Access policies alongside Named Locations to enforce MFA for all or a subset of their users.

Does an organisation need to register a Named Location if they use HSCN/Secure Boundary as internet provider?

No, HSCN/Secure Boundary is a Named Location by default. The organisation still needs to be onboarded onto the Conditional Access Named Locations policy so that the users in its security group are covered by that policy, even though no registration request is needed for HSCN itself.

How can an organisation submit a registration request?

Organisations can submit their registration requests via HSS form in ServiceNow. They are encouraged to read and digest the MFA CA Policy Registration Guide first.

Can organisations register more than one Named Location?

Yes, organisations can submit more than one request to register different named locations.

Can organisations register more than one IP address range in the same request?

Yes, local administrators can provide more than one IP address range using the specified field in the HSS form in ServiceNow, separating the values with a comma as per the example below:

203.0.113.0/24,45.67.83.100/30,64.223.160.0/20
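A pre-submission check an LA can run over the comma-separated value before pasting it into the HSS form, written here as an added example (it is not part of the NHSmail tooling). It parses each entry as a CIDR range (a bare address is treated as a single host), rejects entries with host bits set or in non-public address space (RFC 1918, loopback, link-local, CGNAT and the RFC 5737 documentation ranges), and flags for review any range wider than /16 or overlapping an earlier entry; the /16 threshold is an assumed local sanity limit, not an NHS England rule. The sample input is constructed from the three example ranges above plus deliberately bad entries. Note that 203.0.113.0/24, used above purely as an illustration, is itself an RFC 5737 documentation range and so is rejected: a real submission must carry the organisation’s actual public range.

```python
"""Pre-submission check for the IP ranges an LA enters in the HSS
named-location registration form. Added example; FORM_FIELD is constructed
and the /16 width threshold is an assumed local sanity limit."""
from __future__ import annotations

import ipaddress
from typing import NamedTuple

# Assumed local threshold: anything wider than this gets flagged for review.
MAX_IPV4_WIDTH = 16

# Constructed form field: the page's three example ranges plus deliberately
# bad entries (private space, host bits set, a bare address, a whole /8).
FORM_FIELD = ("203.0.113.0/24,45.67.83.100/30,64.223.160.0/20,"
              "10.0.0.0/8, 192.168.1.5/24, 45.67.83.100, 64.0.0.0/8")


class RangeResult(NamedTuple):
    entry: str
    accepted: bool
    reason: str


def check_named_location_ranges(field: str) -> list[RangeResult]:
    """Validate a comma-separated list of CIDR ranges as typed into the form.

    Rejected: entries that do not parse, entries with host bits set
    (e.g. 192.168.1.5/24), and anything that is not globally routable
    (RFC 1918, loopback, link-local, CGNAT 100.64/10, RFC 5737 documentation
    ranges). Accepted entries are flagged, not rejected, if they are wider
    than /16 or overlap an earlier accepted entry.
    """
    results: list[RangeResult] = []
    accepted: list[ipaddress.IPv4Network | ipaddress.IPv6Network] = []
    for raw in field.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=True refuses host bits; a bare address becomes a /32 (or /128).
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            results.append(RangeResult(entry, False, f"invalid: {exc}"))
            continue
        if not net.is_global:
            results.append(RangeResult(
                entry, False, "not a public internet range (private/reserved/documentation)"))
            continue
        notes = []
        if net.version == 4 and net.prefixlen < MAX_IPV4_WIDTH:
            notes.append(f"wider than /{MAX_IPV4_WIDTH}; confirm the organisation really owns it")
        notes.extend(f"overlaps {other}" for other in accepted if net.overlaps(other))
        accepted.append(net)
        results.append(RangeResult(entry, True, "; ".join(notes) or "ok"))
    return results


def ready_to_submit(field: str) -> bool:
    """True only when every entry is accepted and none carries a review note."""
    return all(r.accepted and r.reason == "ok" for r in check_named_location_ranges(field))


if __name__ == "__main__":
    for r in check_named_location_ranges(FORM_FIELD):
        print(f"{'OK    ' if r.accepted else 'REJECT'} {r.entry:<18} {r.reason}")
    print("ready to submit:", ready_to_submit(FORM_FIELD))
```

Run it against the exact string you intend to paste; the registration is processed by hand over several working days (see below), so catching a mistyped octet or an internal range before submission saves a rejection cycle.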

What are the criteria Named Locations must meet?

Named Locations criteria can be found in the MFA CA Policy Registration Guide.

What is a Senior Approval?

Organisations will be required to discuss the registration of a Named Location with a Senior Information Risk Owner (SIRO), Chief Technology Officer (CTO) or equivalent person in the organisation and obtain a written confirmation that they have reviewed and confirmed the organisation meets all criteria to register a named location.

How long does a registration for a Named Location request take to be completed?

Please note registration requests are expected to be processed within 5 to 10 working days. Requestors will be notified by email when the registration request is approved and completed.

What should organisations do if their request is rejected?

If a request to register a Named Location is rejected, local administrators are recommended to review the reasons for the rejection, take actions to address the issues, and submit a brand-new registration request using the HSS form.

Organisations that would like to contest the rejection can submit an escalation request via NHSmail Helpdesk.

More information can be found in the MFA CA Policy Registration Guide.

What risks do organisations need to consider when applying Named Location?

Information regarding risks and additional considerations for using MFA CA Named Locations can be found here.

Can compromised accounts or accounts with admin roles use Named Location CA MFA?

No, accounts with admin roles are always prompted for MFA. Please refer to further guidance on Named Location Conditional Access MFA here.

Compromised accounts will always have MFA enforced and cannot use Named Location Conditional Access MFA.

What could an organisation do if they have registered a Named Location, but their users are still being prompted for MFA?

If this is happening to a subset of users within the organisation’s premises, it is likely due to the set-up of those individual accounts. If this is the case, please check that:

  • The user was only added into the MFA CA Named Locations security group the organisation has created for this purpose.
  • The user may have Per User MFA enabled; there is a background process removing Per User MFA from user accounts that are added to the MFA CA Named Locations security group. Please allow up to 12 hours for this process to
  • The user does not have any administration roles on their account as this would mean they would always be prompted for MFA.

If this is happening to all users within the organisation’s premises, it is likely that the registration of the Named Location is taking time to replicate or was not registered successfully. If this is the case, please check that:

  • The public internet IP address ranges submitted as part of the registration process are correct.
  • The user’s internet traffic is being redirected via any of the public internet IP address ranges registered.

Managing MFA CA Policies

What is the user experience if both MFA CA Standard & MFA CA Named Locations policies are applied to a user?

If a user is in both the Standard and Named Location CA MFA policies, the Named Location policy will take precedence. Please see further guidance here.

Will administrators not be prompted for MFA if working from a registered named location?

No – all administrator roles, including Local Administrators (LAs) & ATP admins will always be prompted to authenticate. Named locations do not apply to administrator roles.
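The decision rules spread across the Named Locations and Managing MFA CA Policies sections (Named Locations taking precedence over Standard, admin roles and compromised accounts always prompted, the NHSmail Portal and ADFS SSO apps always prompted, Named Locations honoured only by O365 apps, and an approved exception suppressing prompts) as a single worked model. This is an added example, not the tenant’s real Conditional Access configuration: the named location ranges are RFC 5737 documentation addresses standing in for HSCN/Secure Boundary and an organisation’s registered breakout, the account and application names are constructed, and the ordering between an approved exception and the compromised/admin overrides is an assumption where the FAQ is silent (the model lets the overrides win).

```python
"""Worked model of the NHSmail MFA CA decision rules described in this FAQ.

Constructed example: the named location ranges are RFC 5737 documentation
addresses standing in for HSCN/Secure Boundary and an organisation's
registered breakout; accounts and app names are invented.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Stand-in registered named locations (constructed, not real NHS ranges).
NAMED_LOCATIONS = {
    "HSCN/Secure Boundary (registered by default)": ["198.51.100.0/24"],
    "X26 registered 3rd-party breakout": ["192.0.2.0/24"],
}

# Only O365 apps honour the Named Locations policy; the NHSmail Portal and
# ADFS-integrated SSO apps always prompt.
O365_APPS = {"Outlook", "Teams", "SharePoint", "OneDrive", "OneNote"}
ALWAYS_PROMPT_APPS = {"NHSmail Portal", "ADFS SSO app"}


@dataclass
class Account:
    upn: str
    ca_policies: set = field(default_factory=set)   # subset of {"Standard", "NamedLocations"}
    admin_roles: set = field(default_factory=set)   # e.g. {"Local Administrator"}
    compromised: bool = False
    mfa_exception_active: bool = False              # approved short/long-term exception


def matching_named_location(source_ip: str) -> str | None:
    """Return the registered named location containing source_ip, if any."""
    addr = ipaddress.ip_address(source_ip)
    for name, ranges in NAMED_LOCATIONS.items():
        if any(addr in ipaddress.ip_network(cidr) for cidr in ranges):
            return name
    return None


def mfa_required(account: Account, app: str, source_ip: str) -> tuple[bool, str]:
    """Decide whether a fresh sign-in (no existing token on the device) is challenged.

    Ordering assumption: the FAQ says compromised accounts and admin roles are
    always prompted and that an approved exception suppresses prompts, but not
    which wins if they collide; this model lets the hard overrides win.
    """
    if account.compromised:
        return True, "compromised account: MFA always enforced"
    if account.admin_roles:
        return True, "admin role: always prompted, named locations do not apply"
    if account.mfa_exception_active:
        return False, "approved MFA exception: no prompt for the exception period"
    if app in ALWAYS_PROMPT_APPS:
        return True, f"{app} always prompts regardless of location or policy"
    if not account.ca_policies:
        return False, "no MFA CA policy applied to the account"
    # Named Locations takes precedence when both policies are applied.
    if "NamedLocations" in account.ca_policies:
        location = matching_named_location(source_ip) if app in O365_APPS else None
        if location:
            return False, f"inside registered named location: {location}"
        return True, "Named Locations policy: not inside a registered named location"
    return True, "Standard policy: always prompted"


if __name__ == "__main__":
    # Example 1 from the FAQ: Named Locations user on HSCN in the morning, at home later.
    user = Account("user@x26.nhs.uk", ca_policies={"NamedLocations"})
    for app, ip in [("Outlook", "198.51.100.10"), ("Outlook", "203.0.113.7"),
                    ("NHSmail Portal", "198.51.100.10")]:
        prompted, reason = mfa_required(user, app, ip)
        print(f"{user.upn} -> {app} from {ip}: {'MFA' if prompted else 'no MFA'} ({reason})")
```

The reason string is the useful part when triaging “why was this user prompted?” tickets: it mirrors the checklist in the troubleshooting answers above (wrong group, admin role, unregistered or mistyped range, non-O365 app), so the same ordering can be walked by hand against the sign-in log.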

If a Local Administrator disables MFA from a user account, will the user still be prompted for MFA?

If a short or long-term MFA exception is granted and the user is enrolled for MFA CA, MFA will not be prompted when logging into NHSmail Portal or using O365 apps during the exception period.

If an organisation has user accounts with ’per-user’ MFA enabled, can they be moved into MFA CA Named Locations policy?

Yes, organisations can add existing user accounts with MFA enabled into the named locations security group they have created, and the policy will take effect in the following 8 hours.

Can organisations fully disable MFA for a user account?

Following the announcement of the NHS England MFA Policy, we recommend organisations not to fully remove MFA from users’ accounts to stay on track to meet the expected deadline. If an organisation must temporarily disable MFA, please apply for either a short term (24 hour) or long term (180 day) exception using the relevant process.

Additional Information

How will MFA work for a user mailbox being used as a shared mailbox?

User accounts used as shared mailboxes should be registered as an exception and go into an exception policy so they would not have MFA applied when it is turned on for all remaining accounts without MFA. Local administrators should make a list of those shared mailboxes and apply for a long-term exception. Please see further guidance here.

Later this year it will be possible to convert user accounts into genuine shared mailboxes. Once released, this will mean these accounts no longer need to go into an MFA exception policy.

How does MFA work for shared mailboxes?

Shared mailboxes, (i.e., when users access the shared mailbox from within their own mailbox without the need to enter a separate password) do not need MFA as they do not have passwords. Please see further guidance on shared mailboxes here.

What will happen when Per User is turned off to existing accounts?

User accounts will be moved from Per User MFA into MFA CA Standard using the central security group. Users’ experience will not be impacted. Organisations using local security groups to roll out MFA with Standard Conditional Access should continue using local security groups until the enforcement is tenant wide.

What does the ADFS security group change mean?

Users logging into https://portal.nhs.net/ or single sign-on applications integrated with ADFS will always be required to complete MFA as part of the authentication process even if they are in a Named Location Conditional Access policy.

Where can I learn more about FIDO2?

For information about FIDO2, please visit this page.

Where can I provide feedback related to the MFA process?

For feedback, please contact us via Your Voice or feedback@nhs.net

Why are users who are MFA enrolled showing up as MFA Status Disabled in reporting?

It is likely that these users have registered for self-service password reset (SSPR) and therefore, the SSPR authentication method is shown in the MFA report. The users need enabling for MFA via the Portal or security groups and the same SSPR authentication method can then be used for MFA.

Last Reviewed Date 04/04/2024
Updated on 04/04/2024
