Multi-Factor Authentication Conditional Access Service Overview

A new process to enrol for Multi-Factor Authentication (MFA) is now available on the NHSmail platform. This article sets out why this was introduced and how it works.

What is Multi-Factor Authentication (MFA)?

Multi-factor authentication (MFA) is an effective control against a wide range of account compromise techniques, stopping simple attacks altogether and making it much more difficult for even sophisticated attackers to succeed. In addition to their email address and password, users will need to set up a second form of authentication, such as an authentication app on their mobile phone, text message or phone call. This second layer of security is designed to prevent anyone but them from accessing their account, even if they know their password.

Industry research suggests that MFA can prevent 99.9% of account compromise attacks, and MFA is widely considered by cyber security authorities globally to be one of the most important controls that any organisation can deploy.

What is a Conditional Access (CA) Policy?

At their simplest, Conditional Access policies are if-then statements: if a user wants to access a resource, then they must complete an action. The policies are enforced after first-factor authentication (email address and password) is completed.

What is the MFA CA policy for NHSmail?

MFA Conditional Access is the new strategic MFA solution made available by Microsoft – it is a feature of Entra ID that allows the definition of policies that require additional authentication methods before granting access to an application or service. In relation to the NHSmail platform, it works the same as MFA turned on per-user – users enabled for MFA CA are prompted to authenticate via a second factor when logging in.

What are the benefits for NHS organisations?

  • Strategically, all users on the NHSmail platform will require MFA by 30 June 2024. MFA CA will make it easier for organisations to roll out MFA across their organisation before MFA is enforced for all
  • Per-user MFA, which is currently available on the NHSmail platform, is due to be deprecated by Microsoft in September 2024
  • The provision of a process to enable MFA CA will start the journey towards enabling all accounts and transitioning away from the legacy per-user MFA solution

How does it work?

Local Administrators can enable MFA CA for a subset of their users using static security groups. Once a security group has been created, it needs to be linked (onboarded) to an MFA CA policy using a Helpdesk Self-Service (HSS) form. The form is available for Local Administrators to raise MFA CA onboarding requests. Using this form, organisations will be required to input details into fields specifying their required setup.

Important Note:

It is critical that you only use this process and enable MFA CA for users within your parent / child ODS hierarchy. The enablement for users outside your jurisdiction will likely result in disruption for your colleagues. All MFA CA requests made are fully auditable.

Within the form, two types of enrolment options are available:

  • MFA CA Standard – users with this policy will have MFA enforced on their accounts and be prompted for MFA upon logon.
  • MFA CA Named Locations – users with this policy will have MFA enforced on their accounts but will not be prompted for it upon logon if their devices are connected to a named location network; this is detailed further in the next section.

Local Administrators can follow the onboarding process guidance to plan and submit a request.

Named Locations

Named locations is a Microsoft feature that supports the use of networks that are deemed secure and reliable by an organisation. Users working from these locations will not be prompted for MFA authentication when accessing O365 applications via desktop or browser ( will always prompt for MFA).

As part of the HSS request process, organisations can request the creation of a named location by submitting the IP address ranges that they determine are suitable, based on the criteria set out below.

Important Note:

HSCN/Secure Boundary is a named location by default. If your organisation uses HSCN/Secure Boundary as an internet gateway, you do not have to submit a request to register a named location, but you will still need to onboard to the MFA CA Named Location Policy via the onboarding process.

Named Locations criteria (for non HSCN/Secure Boundary):

As part of a named location request, organisations must satisfy the below conditions:

  • IP ranges must be public and dedicated – private or shared ranges will be rejected
  • Network segmentation and secure access control must be in place – IP ranges should be appropriately segmented from other networks. Access control from the locations is required – both from a logon perspective and also physical access
  • Wi-Fi access – strong encryption with WPA2/3 authentication
  • Data Security and Protection Toolkit (DSPT) – organisations must have submitted it and been approved at either “Standards Met” or “Standards Exceeded” within the last year
  • Written approval from a Senior Information Risk Officer (SIRO), Chief Technology Officer or equivalent

As part of the named location request process, organisations will be prompted to confirm adherence to all pre-requisites and to share evidence to demonstrate compliance.

Please note: We recommend that you paste the pre-requisites into the approval email as explicit confirmation that they have all been reviewed/approved. The approver must be publicly verifiable in their role, for example via the organisation’s website or the ODS portal.
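
A pre-submission check for the first criterion above, as an added example that is not part of the original article or of NHSmail tooling: it flags IP ranges that are malformed or that fall in private or other special-purpose address space. The function names and sample ranges are assumptions (RFC 5737 documentation ranges stand in for an organisation's public ranges), and whether a range is dedicated cannot be derived from the address itself.

```python
import ipaddress

# Special-purpose blocks that can never be a public egress range.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this network"
    "10.0.0.0/8",       # RFC 1918 private
    "100.64.0.0/10",    # RFC 6598 shared (carrier-grade NAT) space
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.168.0.0/16",   # RFC 1918 private
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
    "fc00::/7",         # IPv6 unique local
    "fe80::/10",        # IPv6 link-local
)]


def check_range(cidr):
    """Return (ok, reason) for one CIDR string from a draft request."""
    try:
        # strict=True rejects entries with host bits set, e.g. x.x.x.7/24
        net = ipaddress.ip_network(cidr.strip(), strict=True)
    except ValueError as exc:
        return False, f"not a valid network: {exc}"
    for block in NON_PUBLIC:
        # A partial overlap is enough to reject: part of the range is non-public.
        if block.version == net.version and net.overlaps(block):
            return False, f"overlaps non-public block {block}"
    return True, "public address space"


def review(ranges):
    """Map each submitted range to its (ok, reason) result."""
    return {r: check_range(r) for r in ranges}


# Constructed sample input (hypothetical draft request, not real NHS ranges).
SAMPLE = ["203.0.113.0/24", "10.20.0.0/16", "100.72.0.0/16",
          "198.51.100.7/24", "172.0.0.0/11"]

if __name__ == "__main__":
    for cidr, (ok, reason) in review(SAMPLE).items():
        print(f"{'OK    ' if ok else 'REJECT'} {cidr:18} {reason}")
```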

Approval process:

Organisations requesting the creation of a named location will be required to provide evidence as outlined above; this will then be passed to NHS England for approval. A decision will be shared back through the ticket raised as part of the process.

Local Administrators can follow the named locations registration guidance to plan and submit a request.

On-going Management

Once the HSS request for MFA CA onboarding has been raised and completed, LAs will be able to manage membership directly through the NHSmail Portal Security Group interface. Example scenarios are included below:

  • Example 1: As part of the HSS request, you created a specific MFA CA security group. You will be able to navigate to the NHSmail Portal Security Group functionality to add/remove users when required. This will determine if MFA CA is added/removed from your users.
  • Example 2: As part of the HSS request, you enrolled your entire organisation. In this scenario, joiners, movers and leavers from your organisation will automatically be updated.

We recommend that all organisations use MFA CA Standard and apply it to only a subset of their users. Create a security group using a clear naming convention and track the users who have been added to this group. This should make it easy to identify which groups to add users to or remove users from.

It is also recommended that you use the MFA Status Report to determine who from your user base has Per-User MFA applied, before you begin the process to enrol for MFA CA.

MFA Precedence

The below image shows the order of precedence for MFA policies on a user account and the future changes to precedence; a user may have more than one policy on their account.

Per-User MFA & MFA CA Coexistence

During the ongoing transition of aligning all functionality towards MFA CA and the gradual phasing out of Per-User MFA, there will be a period of coexistence between both MFA types. This means that some functions within the NHSmail Portal will work for MFA CA, whilst others will work for both MFA CA and Per-User MFA. This is set out further in the below table.

Important Note:

Existing users with MFA enabled will have Per-User MFA enabled in Azure. There is no need to add users who are already MFA-enabled into an MFA CA Standard security group.

However, if the organisation adds the user into an MFA CA Named Locations security group, it can take up to 12 hours for Azure per-user MFA to be disabled.

NHSmail Portal Function | MFA Type
User Management – Enable Azure MFA | MFA CA
Reports – MFA Status Report | Per-User MFA and MFA CA
Security Groups – Add User* | MFA CA
Security Groups – Remove User* | MFA CA
Security Groups – Download Membership* | MFA CA

*For Security Groups set up for MFA CA through the HSS process

Last Reviewed Date 04/04/2024
Updated on 04/04/2024
