Multi-Factor Authentication Conditional Access Service Overview

A new process to enrol for Multi-Factor Authentication (MFA) is now available on the NHSmail platform. This article sets out why this was introduced and how it works.

What is Multi-Factor Authentication (MFA)?

Multi-factor authentication (MFA) is an effective control against a wide range of account compromise techniques, stopping simple attacks altogether and making it much more difficult for even sophisticated attackers to succeed. In addition to their email address and password, users will need to set up a second form of authentication, such as an authentication app on their mobile phone, text message or phone call. This second layer of security is designed to prevent anyone but them from accessing their account, even if they know their password.

Industry research suggests that MFA can prevent 99.9% of account compromise attacks, and MFA is widely considered by cyber security authorities globally to be one of the most important controls that any organisation can deploy.

What is a Conditional Access (CA) Policy?

At their simplest, Conditional Access policies are if-then statements: if a user wants to access a resource, then they must complete an action. These policies are enforced after first-factor authentication (email address and password) is completed.

What is MFA CA policy for NHSmail?

MFA Conditional Access is the new strategic MFA solution made available by Microsoft – it is a feature of Entra ID that allows the definition of policies that require additional authentication methods before granting access to an application or service. In relation to the NHSmail platform, it works the same as MFA turned on per-user – users enabled for MFA CA are prompted to authenticate via a second factor when logging in.

What are the benefits for NHS organisations?

  • Strategically, all users on the NHSmail platform will require MFA by 30 June 2024; MFA CA will make it easier for organisations to roll out MFA across their organisation prior to MFA being enforced for all
  • Per-user MFA, which is currently available on the NHSmail platform, is due to be deprecated by Microsoft in September 2024
  • The provision of a process to enable MFA CA will start the journey towards enabling all accounts and transitioning away from the legacy per-user MFA solution

How does it work?

Local Administrators can enable MFA CA for a subset of their users using static security groups. Once a security group has been created, it needs to be linked (onboarded) to an MFA CA policy using a Helpdesk Self-Service (HSS) form. The form is available for Local Administrators to raise MFA CA onboarding requests. Using this form, organisations will be required to input details into fields specifying their required setup.

Important Note:

It is critical that you only use this process and enable MFA CA for users within your parent / child ODS hierarchy. The enablement for users outside your jurisdiction will likely result in disruption for your colleagues. All MFA CA requests made are fully auditable.

Within the form, two types of enrolment options are available:

  • MFA CA Standard – users with this policy will have MFA enforced on their accounts and be prompted for MFA upon logon.
  • MFA CA Named Locations – users with this policy will have MFA enforced on their accounts but will not be prompted for it upon logon if their devices are connected to a named location network; this is detailed further in the next section.

Local Administrators can follow the onboarding process guidance to plan and submit a request.

Named Locations

Named locations is a Microsoft feature that supports the use of networks that are deemed secure and reliable by an organisation. Users working from these locations will not be prompted for MFA authentication when accessing O365 applications via desktop or browser ( will always prompt for MFA).

As part of the HSS request process, organisations can request the creation of a named location by submitting the IP address ranges that they determine are suitable, based on the criteria set out below.

Important Note:

HSCN/Secure Boundary is a named location by default. If your organisation uses HSCN/Secure Boundary as an internet gateway, you do not have to submit a request to register a named location but will still need to onboard to the MFA CA Named Location Policy via the onboarding process.

Named Locations criteria (for non HSCN/Secure Boundary):

As part of a named location request, organisations must satisfy the below conditions:

  1. Approval from the Senior Information Risk Owner (SIRO), Chief Technology Officer (CTO) or equivalent person in the organisation and written confirmation that they have reviewed and confirmed the organisation meets all criteria to register a named location. Specifically, we require them to verify the following pre-requisite criteria:
    • Organisation’s IP address ranges are used within the organisation’s premises only.
    • Organisation’s IP address ranges are UK public, dedicated or fully assigned to the organisation – shared IP addresses will be rejected.
    • A network segmentation architecture and strong security are also in place.
    • Organisation has completed an online Data Security and Protection toolkit self-assessment and meets the criteria for the current year (CY) or previous year (CY-1) with either Standards Met or Standards Exceeded.
    • The written confirmation can take the form of an email or Word document with the list of criteria above included, to demonstrate that the approver is aware of the criteria they are confirming. Please note the approver must also be publicly verifiable, for example via your organisation’s website.
  2. Additionally, a certificate or written confirmation from the organisation’s internet provider is required, confirming:
    • The list of IP address ranges provided to the organisation.
    • That the organisation’s IP address ranges are UK public, dedicated or fully assigned to the organisation.

Please note: We would recommend you paste the pre-requisites in the approval email as explicit confirmation they have all been reviewed/approved. The approver must be publicly verifiable in their role, for example via the organisation’s website or the ODS portal.

Approval process:

Organisations requesting the creation of a named location will be required to provide evidence as outlined above; this will then be passed to NHS England for approval. A decision will be shared back through the ticket raised as part of the process.

Local Administrators can follow the named locations registration guidance to plan and submit a request.
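
The following is an added example, not NHSmail or Microsoft code. It pre-checks a draft list of IP ranges against the parts of the criteria that can be tested offline (valid CIDR, not private or shared address space, no overlapping entries), then models the logon prompt for a Standard or Named Locations user on desktop or browser access. The function names and sample ranges are assumptions, and it does not verify UK location or assignment, which is what the internet provider's confirmation is for.

```python
import ipaddress

# RFC 1918 private space and RFC 6598 shared (carrier-grade NAT) space can
# never be "public, dedicated" addressing, so a draft range touching them fails.
NOT_PUBLIC_DEDICATED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def precheck_ranges(cidrs):
    """Return (accepted networks, {cidr: reason rejected}) for a draft request."""
    accepted, rejected = [], {}
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # host bits set -> error
        except ValueError:
            rejected[cidr] = "not a valid CIDR range"
        else:
            if any(net.overlaps(bad) for bad in NOT_PUBLIC_DEDICATED):
                rejected[cidr] = "private or shared address space"
            elif any(net.overlaps(prev) for prev in accepted):
                rejected[cidr] = "overlaps a range already listed"
            else:
                accepted.append(net)
    return accepted, rejected

def mfa_prompted(policy, source_ip, named_ranges):
    """Model the logon prompt for one user on desktop or browser access.

    policy is "standard", "named_locations" or None (not in an MFA CA group).
    """
    if policy is None:
        return False   # no MFA CA policy; other MFA settings are not modelled
    if policy == "standard":
        return True    # prompted regardless of network
    if policy == "named_locations":
        ip = ipaddress.ip_address(source_ip)
        return not any(ip in net for net in named_ranges)
    raise ValueError(f"unknown policy: {policy!r}")

# Constructed sample input: documentation (TEST-NET) ranges stand in for an
# organisation's real public ranges.
DRAFT = ["198.51.100.0/24", "203.0.113.0/25", "203.0.113.64/26",
         "192.168.10.0/24", "100.64.12.0/24", "192.0.2.10/24"]
ACCEPTED, REJECTED = precheck_ranges(DRAFT)

if __name__ == "__main__":
    for cidr, reason in REJECTED.items():
        print(f"reject {cidr}: {reason}")
    for ip in ("198.51.100.7", "203.0.113.200"):
        print(ip, "named_locations prompt:", mfa_prompted("named_locations", ip, ACCEPTED))
```

Every address inside an accepted range skips the MFA prompt for Named Locations users, so each range submitted widens the set of networks from which a password alone is enough.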

On-going Management

Once the HSS request for MFA CA onboarding has been raised and completed, LAs will be able to manage membership directly through the NHSmail Portal Security Group interface. Example scenarios are included below:

  • Example 1: As part of the HSS you created a specific MFA CA security group. You will be able to navigate to the NHSmail Portal Security Group functionality to add/remove users when required. This will determine if MFA CA is added/removed from your users.
  • Example 2: As part of the HSS you enrolled your entire organisation. In this scenario joiners, movers and leavers from your organisation will automatically be updated.

We recommend that all organisations use the MFA CA Standard and apply it to only a subset of their users. Create a security group using a clear naming convention and track those users who have been added into this group. This should allow for easy identification of the groups to add users to or remove users from.

It is also recommended that you use the MFA Status Report to determine who from your user base has Per-User MFA applied, before you begin the process to enrol for MFA CA.

MFA Precedence

The image below shows the order of precedence for MFA policies on a user account; a user may have more than one policy on their account.


All Users ODS Group

Important Note:

It is strongly recommended that organisations review and confirm the associated risks before raising a request to add the all users ODS group. The alternative is to use local security groups, which will give Local Administrators flexibility to roll out MFA enablement across their organisation. This would mitigate the possible clinical risk across their patient-facing staff and the impact on their local IT helpdesk.

Risks of Adding All Users ODS Group

Local Administrators must use the HSS form to add their all users ODS groups when their organisation has enabled MFA for most of their users and should internally discuss and accept the following risks before submitting a request:

    • All user accounts across the organisation will experience MFA prompts straight away once the allusergroup is linked to an MFA CA Policy, unless they have been placed in a Named Location security group and their internet traffic is being redirected via a registered IP address, HSCN or Secure Boundary network.
    • Users without a registered Azure MFA authentication method (Microsoft Authenticator app, phone call, text) will have a grace period of 7 days to register, after which they will be unable to access their account until this action is completed.
    • All users registered with the Standard MFA Policy will be prompted for MFA and all users in a Named Location Policy will be prompted if they log in outside of their registered IP address, HSCN or Secure Boundary networks.
    • Any user accounts being used by an application or backend system will be impacted; ensure these accounts are converted into an application account. Any user accounts being shared by multiple users via credential sharing will be impacted. If a shared mailbox is required, ensure a true shared mailbox is used. Alternatively, delegation of a user account can be given to other users, or an MFA Long Term Exception can be requested.
    • Users with accessibility needs or those working in restricted areas will also experience MFA prompts; LAs should identify these users and confirm they can use an Azure MFA authentication method; otherwise, request an MFA Long Term Exception.
    • User accounts accessing NHSmail services outside the UK will not be able to register for an Azure MFA authentication method unless an exception to do so is in place.

Process to Add All Users ODS Group

If the organisation is ready and accepts the risks associated with adding all users ODS group into an MFA CA National Policy, please use the existing MFA Conditional Access HSS form to submit a request using the steps below.

Step 1: Fill in the requestor details and select the type of request to be “Onboarding”.

Step 2: Select the MFA Conditional Access Policy your organisation wants to be onboarded into, either “Standard” or “Named Locations”.

Step 3: Select “All Users in my organisation” as who you want this MFA Conditional Access Policy to be applied to.

Step 4: Review the note shown on the screen, tick the confirmation boxes and click Submit.

Last Reviewed Date 30/05/2024
Updated on 30/05/2024
