A new process to enrol for Multi-Factor Authentication (MFA) is now available on the NHSmail platform. This article sets out why this is being introduced and how it will work.
What is Multi-Factor Authentication (MFA)?
Multi-factor authentication (MFA) is an effective control against a wide range of account compromise techniques: it stops simple attacks such as password spraying and the reuse of leaked passwords outright, and it makes it much harder for even sophisticated attackers to succeed. In addition to their email address and password, users set up a second form of authentication, such as an authenticator app on their mobile phone, a text message or a phone call. This second factor is designed to prevent anyone else from accessing the account, even someone who knows the password. An authenticator app is the stronger choice of the three; text messages and phone calls are easier for an attacker to intercept or phish.
Industry research suggests that MFA can prevent 99.9% of account compromise attacks, and MFA is widely considered by cyber security authorities globally to be one of the most important controls that any organisation can deploy.
What is a Conditional Access (CA) Policy?
At its simplest, a Conditional Access policy is an if-then statement: if a user wants to access a resource, then they must complete an action (for example, MFA). Policies are evaluated only after first-factor authentication (email address and password) has succeeded, so they add a requirement on top of the password rather than replacing it.
What is MFA CA policy for NHSmail?
MFA Conditional Access is the strategic MFA solution now offered by Microsoft. It is a feature of Azure AD that lets policies be defined which require additional authentication methods before access is granted to an application or service. On the NHSmail platform it behaves, from the user's point of view, in the same way as per-user MFA: users in scope of an MFA CA policy are prompted for a second factor when they log in.
What are the benefits for NHS organisations?
- Strategically, all users on the NHSmail platform will require MFA by 30 June 2024; MFA CA will make it easier for organisations to roll out MFA across their organisation before MFA is enforced for all.
- Per-user MFA, which is currently available on the NHSmail platform, is due to be deprecated by Microsoft in September 2024.
- The provision of a process to enable MFA CA starts the journey towards enabling all accounts and transitioning away from the legacy per-user MFA solution.
How does it work?
A Helpdesk Self-Service (HSS) form is available for Local Administrators to raise MFA CA onboarding requests. In this form, organisations specify their required setup.
Local Administrators will have the option to enable MFA CA for either:
- A subset of their users – defined using the new Security Group Management solution that was deployed as part of the NHSmail Portal Hague release on Friday 08 September 2023.
- All users in their entire organisation.
Within the form, two types of enrolment options are available:
- MFA CA Standard – users with this policy have MFA enforced on their accounts and are prompted for MFA upon logon.
- MFA CA Named Locations – users with this policy have MFA enforced on their accounts but are not prompted for it upon logon when their device connects from a named location network; this is detailed further in the next section.
Local Administrators can follow the onboarding process guidance to plan and submit a request.
Named locations are a Microsoft Conditional Access feature for defining trusted IP ranges. Users signing in from these ranges are not prompted for MFA, which means the network itself is being treated as evidence of who the user is: anyone able to reach the internet through that range gets password-only access. The criteria below exist to make sure that trust is justified.
As part of the HSS request process, organisations can request the creation of a named location by submitting the IP address ranges they consider suitable, based on the criteria set out below.
Named Locations criteria (for non HSCN/Secure Boundary):
As part of a named location request, organisations must satisfy the below conditions:
- IP ranges must be public and dedicated to the organisation – private (for example RFC 1918) or shared ranges will be rejected
- Network segmentation and secure access control must be in place – IP ranges should be appropriately segmented from other networks, and access from the locations must be controlled, both at logon and physically
- Wi-Fi access – strong encryption with WPA2 or WPA3 authentication
- Data Security and Protection Toolkit (DSPT) – organisations must have submitted it and been assessed as either "Standards Met" or "Standards Exceeded" within the last year
- Written approval from a Senior Information Risk Owner (SIRO), Chief Technology Officer or equivalent
Organisations will be asked, as part of the named location request process, to confirm adherence to all prerequisites and to share evidence demonstrating compliance.
This evidence is passed to NHS England for approval, and the decision is shared back through the ticket raised as part of the process.
Local Administrators can follow the named locations registration guidance to plan and submit a request.
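The following is an added example, not NHSmail's own tooling or the HSS process: it models an MFA CA policy in the shape Microsoft Graph uses for Conditional Access policies and IP named locations, applies a local check mirroring the "public and dedicated" criterion above to candidate IP ranges, and simulates the resulting if-then decision for a few constructed sign-ins. The group and named-location object IDs, the sample IP ranges and the "NHSmailPortal" application label are placeholders, and the check only tests that a range is globally routable; the remaining criteria (segmentation, DSPT status, approval) are process evidence that code cannot verify.

```python
"""Added example, not NHSmail's own tooling: models an MFA Conditional Access
policy with a named-location exemption, checks candidate IP ranges against the
"public and dedicated" criterion, and simulates the resulting if-then decision.
The group and named-location IDs are placeholders, not real NHSmail objects."""
import ipaddress
from typing import Any, Dict, List, Optional

# Placeholder object IDs (assumed): in a real tenant these are returned by
# Microsoft Graph when the security group and the named location are created.
MFA_CA_GROUP_ID = "00000000-0000-0000-0000-00000000aaaa"
NAMED_LOCATION_ID = "00000000-0000-0000-0000-00000000bbbb"


def check_ip_ranges(candidates: List[str]) -> Dict[str, List[str]]:
    """Sort candidate ranges into those that are public (globally routable) and
    those a named-location request would reject: RFC 1918 private space, the
    shared CGNAT block 100.64.0.0/10, loopback, link-local, reserved, or simply
    malformed (including a prefix with host bits set)."""
    result: Dict[str, List[str]] = {"accepted": [], "rejected": []}
    for text in candidates:
        try:
            net = ipaddress.ip_network(text, strict=True)
        except ValueError:
            result["rejected"].append(text)
            continue
        # Both ends of the range must be globally routable. is_global is False
        # for private, shared (100.64/10), loopback, link-local and reserved space.
        if net.network_address.is_global and net.broadcast_address.is_global:
            result["accepted"].append(str(net))
        else:
            result["rejected"].append(text)
    return result


def named_location_body(display_name: str, cidrs: List[str]) -> Dict[str, Any]:
    """Request body for POST /identity/conditionalAccess/namedLocations, using
    the ipNamedLocation shape documented for Microsoft Graph."""
    ranges = []
    for cidr in cidrs:
        version = ipaddress.ip_network(cidr).version
        ranges.append({
            "@odata.type": "#microsoft.graph.iPv4CidrRange" if version == 4
            else "#microsoft.graph.iPv6CidrRange",
            "cidrAddress": cidr,
        })
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": True,
        "ipRanges": ranges,
    }


def mfa_policy_body(group_id: str, named_location_id: Optional[str]) -> Dict[str, Any]:
    """Request body for POST /identity/conditionalAccess/policies. With no named
    location this is the "MFA CA Standard" shape; with one it is the "MFA CA
    Named Locations" shape: MFA is still required, except from the trusted
    location. "Office365" is Microsoft's built-in app-group identifier."""
    conditions: Dict[str, Any] = {
        "users": {"includeGroups": [group_id]},
        "applications": {"includeApplications": ["Office365"]},
        "clientAppTypes": ["all"],
    }
    if named_location_id is not None:
        conditions["locations"] = {
            "includeLocations": ["All"],
            "excludeLocations": [named_location_id],
        }
    variant = "Named Locations" if named_location_id else "Standard"
    return {
        "displayName": "NHSmail MFA CA " + variant,
        "state": "enabled",
        "conditions": conditions,
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def mfa_required(policy: Dict[str, Any], user_groups: List[str], app: str,
                 source_ip: str, trusted_cidrs: List[str]) -> bool:
    """Local simulation of the if-then rule after a successful password logon:
    is this user prompted for a second factor? trusted_cidrs stands in for the
    named location that the policy's excludeLocations refers to."""
    cond = policy["conditions"]
    in_scope_user = bool(set(user_groups) & set(cond["users"]["includeGroups"]))
    in_scope_app = app in cond["applications"]["includeApplications"]
    if not (in_scope_user and in_scope_app):
        return False  # policy does not apply, so its grant control is not evaluated
    if "locations" in cond:
        addr = ipaddress.ip_address(source_ip)
        if any(addr in ipaddress.ip_network(c) for c in trusted_cidrs):
            return False  # sign-in from the trusted named location: no MFA prompt
    return "mfa" in policy["grantControls"]["builtInControls"]


if __name__ == "__main__":
    # Constructed sample input: one public range and three that must be rejected.
    print(check_ip_ranges(["62.30.0.0/24", "10.1.2.0/24", "100.64.0.0/10", "62.30.0.5/24"]))
    policy = mfa_policy_body(MFA_CA_GROUP_ID, NAMED_LOCATION_ID)
    print(mfa_required(policy, [MFA_CA_GROUP_ID], "Office365", "62.30.0.17", ["62.30.0.0/24"]))
```

Two points the simulation makes visible: a user outside the security group, or a sign-in to an application the policy does not cover, never reaches the grant control at all, which is exactly the "Office 365 applications only" scope described later on this page; and with the Standard variant the source address is ignored entirely, so the location exemption is the only thing that separates the two enrolment options.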
Once the HSS request for MFA CA onboarding has been raised and completed, LAs will be able to manage membership directly through the NHSmail Portal Security Group interface. Example scenarios are included below:
- Example 1: As part of the HSS you created a specific MFA CA security group. You can navigate to the NHSmail Portal Security Group functionality to add or remove users when required; adding a user applies MFA CA to them and removing a user lifts it.
- Example 2: As part of the HSS you enrolled your entire organisation. In this scenario, joiners, movers and leavers in your organisation are updated automatically.
We recommend that all organisations start with MFA CA Standard applied to a subset of their users. Create a security group with a clear naming convention and keep a record of the users added to it, so that the group to add users to or remove them from is easy to identify.
Before beginning the process to enrol for MFA CA, use the MFA Status Report to identify which of your users already have Per-User MFA applied.
Applications impacted by MFA CA Policies
MFA Conditional Access is initially introduced to enforce MFA only when users access Office 365 applications. Local administrators can additionally enforce MFA for logins to the NHSmail Portal or SSO applications by enabling per-user MFA for the user via the NHSmail Portal.
|Users with MFA enabled on||Users will experience MFA prompts when logging into|
|Per-User MFA only||NHSmail Portal, SSO applications and Office 365 applications|
|MFA Conditional Access only||Office 365 applications|
|Per-User MFA and MFA Conditional Access||NHSmail Portal, SSO applications and Office 365 applications|
Per-User MFA & MFA CA Coexistence
As the move towards MFA CA begins, there will be a period of coexistence between the two MFA types. This means that some functions within the NHSmail Portal apply to Per-User MFA, while others apply to MFA CA, as set out in the matrix below. Longer term, the roadmap is to align all functionality to MFA CA and phase out Per-User MFA.
|NHSmail Portal Function||MFA Type|
|User Management – Enable Azure MFA||Per-User MFA|
|User Management – Disable Azure MFA||Per-User MFA|
|Reports – MFA Status Report||Per-User MFA|
|Security Groups – Add User*||MFA CA|
|Security Groups – Remove User*||MFA CA|
|Security Groups – Download Membership*||MFA CA|
*For Security Groups setup for MFA CA through the HSS process
|Last Reviewed Date||22/09/2023|