Service Overview

A new process to enrol for Multi-Factor Authentication (MFA) is now available on the NHSmail platform. This article sets out why this is being introduced and how it will work.

What is Multi-Factor Authentication (MFA)?

Multi-factor authentication (MFA) is an effective control against a wide range of account compromise techniques, stopping simple attacks altogether and making it much more difficult for even sophisticated attackers to succeed. In addition to their email address and password, users will need to set up a second form of authentication, such as an authentication app on their mobile phone, text message or phone call. This second layer of security is designed to prevent anyone but them from accessing their account, even if they know their password.

Industry research suggests that MFA can prevent 99.9% of account compromise attacks, and MFA is widely considered by cyber security authorities globally to be one of the most important controls that any organisation can deploy.

What is a Conditional Access (CA) Policy?

Conditional Access policies at their simplest are if-then statements; if a user wants to access a resource, then they must complete an action, and these are enforced after first-factor authentication (email address and password) is completed.

What is MFA CA policy for NHSmail?

MFA Conditional Access is the new strategic MFA solution made available by Microsoft – it is a feature of Azure AD that allows the definition of policies that require additional authentication methods before granting access to an application or service. In relation to the NHSmail platform, it will work the same as MFA turned on per-user – users enabled for MFA CA will be prompted to authenticate via a second factor when logging in.

What are the benefits for NHS organisations?

  • Strategically all users on the NHSmail platform will require MFA by 30 June 2024, MFA CA will make it easier for organisations to roll out MFA across their organisation prior to MFA being enforced for all.
  • Per-user MFA, which is currently available on the NHSmail platform, is due to be deprecated by Microsoft in September 2024
  • The provision of a process to enable MFA CA will start the journey towards enabling all accounts and transitioning away from the legacy per-user MFA solution

How does it work?

A Helpdesk Self-Service (HSS) form is available for Local Administrators to raise MFA CA onboarding requests. Using this form, organisations will be required to input details into fields specifying their required setup.

Local Administrators will have the option to enable MFA CA for either:

  • A subset of their users – defined using the new Security Group Management solution that was deployed as part of the NHSmail Portal Hague release on Friday 08 September 2023.
  • All users in their entire organisation.
Important Note:

It is critical that you only use this process and enable MFA CA for users within your parent / child ODS hierarchy. The enablement for users outside your jurisdiction will likely result in disruption for your colleagues. All MFA CA requests made are fully auditable.

Within the form, two types of enrolment options are available:

  • MFA CA Standard – users with this policy will have MFA enforced on their accounts and be prompted for MFA upon logon.
  • MFA CA Named Locations – users with this policy will have MFA enforced on their accounts but will not be prompted for it upon logon if their devices are connected to a named location network, this is detailed further in the next section.

Local Administrators can follow the onboarding process guidance to plan and submit a request.

Named Locations

Named locations is a Microsoft feature that enables the definition of trusted IP ranges. Users working from these locations will not be prompted for MFA authentication.

As part of the HSS request process, organisations can request the creation of a named locations submitting their IP address ranges that they determine are suitable, based on the criteria set out below.

Important Note:

HSCN/Secure Boundary is a named location by default. If your organisation uses HSCN/Secure Boundary as an internet gateway, you do not have to submit a request to register a named location but will still need to onboard to the MFA CA Named Location Policy via the onboarding process

Named Locations criteria (for non HSCN/Secure Boundary):

As part of a named location request, organisations must satisfy the below conditions:

  • IP ranges must be public and dedicated – private or shared ranges will be rejected
  • Network segmentation and secure access control must be in place – IP ranges should be appropriately segmented from other networks. Access control from the locations is required – both from a logon perspective and also physical access
  • Wi-Fi access – strong encryption with WPA2/3 authentication
  • Data Security and Protection Toolkit (DSPT) – organisations must have submitted it and got   approved to either “Standards Met” or “Standards Exceeded” within the last year
  • A Senior Information Risk Officer (SIRO), Chief Technology Officer or equivalent written approval

Organisations will be prompted as part of the named location request process to confirm adherence to all pre-requisites as well as sharing evidence to demonstrate compliance.

Approval process:

Organisations requesting the creation of a named location will be required to provide evidence as outlined above, this will then be passed to NHS England for approval. A decision will be shared back through the ticket raised as part of the process.

Local Administrators can follow the named locations registration guidance to plan and submit a request.

On-going Management

Once the HSS request for MFA CA onboarding has been raised and completed, LAs will be able to manage membership directly through the NHSmail Portal Security Group interface. Example scenarios are included below:

  • Example 1: As part of the HSS you created a specific MFA CA security group. You will be able to navigate to the NHSmail Portal Security Group functionality to add/remove users when required. This will determine if MFA CA is added/removed from your users.
  • Example 2: As part of the HSS you enrolled your entire organisation. In this scenario joiners, movers and leavers from your organisation will automatically be updated.

We would recommend all organisations to use the MFA CA Standard and apply it to only a subset of your users. Create a security group using a clear naming convention and track those users who have been added into this group. This should allow for easy identification of groups to add/remove users from it.

It is also recommended that you use the MFA Status Report to determine who from your user base has Per-User MFA applied, before you begin the process to enrol for MFA CA.

Applications impacted by MFA CA Policies

MFA Conditional Access is firstly introduced to enforce MFA when users access Office 365 applications only. However, local administrators can enforce MFA when logging into NHSmail Portal or SSO applications by enabling the user via NHSmail Portal (per-user MFA).

Users with MFA enabled on

Users will experience MFA prompts when logging into

NHSmail Portal

(Per-User MFA) only

  • NHSmail Portal
  • Applications with NHSmail Single Sign On (SSO)
  • Office 365 apps (desktop and online)
    • Outlook
    • Teams
    • SharePoint
    • OneDrive, etc.

NHSmail Portal

(Per-User MFA)


MFA Conditional Access

  • NHSmail Portal
  • Applications with NHSmail Single Sign On (SSO)
  • Office 365 apps (desktop and online)
    • Outlook
    • Teams
    • SharePoint
    • OneDrive, etc.

MFA Conditional Access

  • Office 365 apps (desktop and online)
    • Outlook
    • Teams
    • SharePoint
    • OneDrive, etc.

Per-User MFA & MFA CA Coexistence

As the journey moving towards MFA CA begins, there will be a period of coexistence between both MFA types. This means that some functions within the NHSmail Portal will work for Per-User MFA application, whilst others will work for MFA CA. This is set out further in the below matrix. Longer term the roadmap is to align all functionality to MFA CA and phase out Per-User MFA.

Important Note:

Existing users with MFA enabled will have Per-User enabled in Azure. There is no need to add already MFA enabled users into a MFA CA Standard security group.

However, if the organisation adds the user into a MFA CA Named Locations security group, it can take up to 12 hours for Azure per-user MFA to be disabled.

NHSmail Portal Function MFA Type
User Management – Enable Azure MFA Per-User MFA
User Management – Disable Azure MFA Per-User MFA
Reports – MFA Status Report Per-User MFA
Security Groups – Add User* MFA CA
Security Groups – Remove User* MFA CA
Security Groups – Download Membership* MFA CA

*For Security Groups setup for MFA CA through the HSS process

Last Reviewed Date 22/09/2023
Updated on 22/09/2023

Related Articles

Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact Support
back to top