Overview
A Multi-Factor Authentication (MFA) exceptions process has been implemented as part of the April 2024 Portal Hendy release. Local Administrators can now request an exception for users who are unable to use the traditional MFA methods.
MFA Exceptions Categories
The MFA exceptions process consists of two categories:
- Short Term exception – This process is built directly into the NHSmail Portal for a Local Administrator to provide a 24-hour MFA exception for a user. It replaces the previous 48-hour disablement functionality.
- Long Term exception – This process will take place outside the NHSmail Portal with the use of Microsoft Forms to request a 180-day exception for MFA prompts on the Portal and O365 apps. The option to submit an exception request for multiple users within the same form will also be available.
MFA Short Term Exception
Short Term Exception Overview
A Local Administrator can follow the steps below to apply a 24-hour exception to an NHSmail user account:
- Step 1: Sign in with your NHSmail admin account at https://portal.nhs.net to begin the exception process.
- Step 2: Select ‘Admin’ on the top menu and click on the ‘User Management’ drop down option.
- Step 3: Type the email address of the user account in the ‘Email’ field and click on the magnifying glass icon to start the search.
- Step 4: Locate the user account in the list displayed and click on their ‘Displayed Name’.
- Step 5: On the ‘User Details’ page, locate the ‘Action’ pane and click on the ‘MFA 24 hour exception’ button.
- Step 6: A confirmation message will appear on the screen, and the exception will be then applied to the account which can take up to 5 minutes to replicate.
MFA Short Term Exception Validity
The table below lists valid reasons for Local Administrators to provide a short-term MFA exception for a user account.
| Business Justification | Description | Additional Actions |
|---|---|---|
| Mobile phone stolen or lost | User has had their phone stolen or lost during the day | User to contact Helpdesk if their phone is stolen and when they have it replaced, as they will have to re-enrol for MFA |
| Mobile phone misplaced | User has misplaced their phone at work or left it at home | User to contact Helpdesk when they find or replace their phone, as they will have to re-enrol for MFA |
| User temporarily attending a location without mobile signal and/or internet connection | User is attending a place inside or outside their organisation premises and the location either does not allow mobile phones, or mobile signal is weak or unavailable | N/A |
| User having issues receiving Microsoft Azure MFA notification | User is having an issue with their mobile phone, or the Microsoft notification is not being sent/received | User will need to contact Helpdesk if the issue continues, as they may need to re-enrol for MFA |
| Other (under Local IT Helpdesk discretion) | Any other reason not documented above but under reasonable criteria to provide an exception | |
MFA Long Term Exception
Long Term Exception Overview
A Local Administrator can follow the steps below to request a 6-month (180-day) exception for NHSmail user accounts:
- Step 1: Download the user list Excel file template from here.
- Step 2: Open the Excel file template and complete the information below:
  - Type in the email address of the user in column A ‘EmailAddress’.
  - Select a business justification for each of the users using the drop-down menu in column B ‘BusinessJustification’.
Notes:
Only 250 users can be processed at a time.
When inserting new rows in the Excel file, ensure they are within the Excel table and that the drop-down menu in column B is present. Your request may be rejected if you do not use the column B reasons properly and type in a business reason instead.
- Step 3: Save the Excel file in a secure location.
- Step 4: Access the registration form and log in using your NHSmail admin credentials.
- Step 5: Type in the organisation ODS code without spaces or special characters.
- Step 6: Upload the Excel file with the list of users.
- Step 7: Confirm that:
  - Your organisation accepts the risk of requesting Long Term MFA exceptions for the requested users.
  - Your organisation has the approval to request an MFA Long Term Exception for the users provided in the uploaded file.
  - The Excel template provided was used for this request.
- Step 8: Click on Submit.
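A pre-submission check for the user list, added here as an example and not part of the NHSmail process or template: it applies the rules stated above (250-user limit, column A email addresses, column B values taken only from the drop-down) to a CSV export of the sheet. It assumes the sheet has been saved as CSV, that NHSmail addresses end in @nhs.net, and that the drop-down values match the wording of the long-term validity table below.

```python
import csv
import io
import re

# Assumption: the template drop-down uses the same wording as the validity table.
ALLOWED_JUSTIFICATIONS = {
    "User has accessibility requirement",
    "User works from a secure location where MFA is not possible",
    "MFA creates disproportionate clinical/ operational risk for user",
    "Account is a Shared User Account",
    "Other (under Local IT Helpdesk discretion)",
}
MAX_USERS = 250  # limit stated in the notes above
# Assumption: only nhs.net addresses exist in the NHSmail shared tenant.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@nhs\.net$")


def validate_user_list(csv_text):
    """Return a list of problems found; an empty list means the file passes."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames != ["EmailAddress", "BusinessJustification"]:
        return ["header must be exactly: EmailAddress,BusinessJustification"]
    rows = list(reader)
    problems = []
    if len(rows) > MAX_USERS:
        problems.append(f"{len(rows)} rows exceeds the {MAX_USERS}-user limit")
    seen = set()
    for n, row in enumerate(rows, start=2):  # row 1 of the sheet is the header
        email = (row["EmailAddress"] or "").strip().lower()
        justification = (row["BusinessJustification"] or "").strip()
        if not EMAIL_RE.match(email):
            problems.append(f"row {n}: '{email}' is not a valid nhs.net address")
        elif email in seen:
            problems.append(f"row {n}: duplicate entry for {email}")
        seen.add(email)
        if justification not in ALLOWED_JUSTIFICATIONS:
            # Free-typed reasons are a stated rejection cause.
            problems.append(f"row {n}: '{justification}' is not a drop-down value")
    return problems


# Constructed sample: one good row, then a typed-in reason, a duplicate, and a foreign address.
SAMPLE = """EmailAddress,BusinessJustification
jane.doe@nhs.net,User has accessibility requirement
john.smith@nhs.net,Shared mailbox for the ward
jane.doe@nhs.net,Account is a Shared User Account
someone@example.org,User has accessibility requirement
"""

if __name__ == "__main__":
    for problem in validate_user_list(SAMPLE):
        print(problem)
```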
This is an automated process; requests can take up to 8 hours to be processed. Once completed, the requestor will receive an email confirming whether the request was completed or rejected, with reasons given for any rejection.
The Local Administrator who raised the original request will be notified 6 weeks before a user exception is due to expire, and will receive a further final reminder 2 weeks before expiry. Local Administrators can raise a new exception once the first notification has been sent. Once the exception period has expired, users will experience MFA prompts again and will be returned to their original Conditional Access MFA policy group. If a user was not in a Conditional Access MFA policy previously, they will be added to the Standard Conditional Access policy after the exception period.
MFA Long Term Exception Validity
The table below lists the approved reasons for a long-term exception request to be accepted.
| Business Justification | Description |
|---|---|
| User has accessibility requirement | User unable to enrol for MFA due to lack of accessible authentication methods |
| User works from a secure location where MFA is not possible | User working from a secure location which does not have the capabilities to support MFA |
| MFA creates disproportionate clinical/ operational risk for user | Implementation of MFA presents a disproportionate clinical or operational risk for the user, hindering their workflow |
| Account is a Shared User Account | The account is unable to enrol for MFA as it is a Shared Account |
| Other (under Local IT Helpdesk discretion) | Any other reason not documented above but under reasonable criteria to provide an exception, for example mobile phone unavailable |
MFA Long Term Exception Rejections
The table below provides additional information on the most common reasons for rejection and suggested actions for Local Administrators.
| Rejection | Action |
|---|---|
| Request rejected due to an incorrect Excel file submitted | Local Administrator to submit a new request using the Excel template provided for this purpose |
| Request rejected and/or user account not granted an exception as requestor is not a Local Administrator of their organisation | Local Administrator to check: Then submit a new request. |
| User account not given an exception as account does not exist in the NHSmail shared tenant | Local Administrator to validate that the user email address submitted in the Excel file is correct and active. Then submit a new request. |
| User account not given an exception as account is not a user mailbox | Local Administrator to validate that the user email address submitted is correct and that it is a user mailbox. Please note distribution lists and other resources cannot be given an MFA exception. Then submit a new request. |
| User account not given an exception as user has Admin roles assigned | User accounts with Admin roles assigned cannot be given an MFA exception |
| User account not given an exception as user has been marked as compromised | User accounts previously marked as compromised cannot be given an MFA exception |
| User account not given an exception as user already has an exception in place | Local Administrators need to be within the 6-week window before the exception expires to submit a new request |
MFA Long Term Exception Removal
Local Administrators can follow the steps below to remove a long-term exception applied to an NHSmail user account. Organisations may want to remove a user from a long-term exception prematurely, i.e. before the full 180-day period has elapsed, for reasons such as the user now having access to an Azure MFA authentication method.
Step 1: A Local Administrator in the user’s organisation must perform the following validation checks before raising a request to remove their MFA long-term exception.
- Confirm the user’s account is active and the password hasn’t expired.
- Confirm the user belongs to their organisation.
- Confirm the user can now use an existing Azure MFA authentication method.
- Confirm the user has an Azure MFA authentication method set up on their account.
Step 2: Local Administrator to raise a request with NHSmail Helpdesk, providing a list of users who require their MFA long-term exceptions to be removed, including a reason to record in their audit log.
Step 3: Helpdesk will process the request and confirm back to the Local Administrator when the user has had the MFA exception removed.
Last Reviewed Date | 04/07/2024 |