This article provides an overview of the new licence offering and changes to the NHSmail Service, following the new NHS Collaboration licensing agreement between NHS England and Microsoft which came into effect in January 2024. This article will also provide an overview of the licence migration approach. The article covers:
NHSmail Licence Overview
In January 2024, the nationally provisioned O365 E3R (Restricted) licence was replaced as part of an improved agreement between NHS England and Microsoft.
The new licence offering is structured in the following way:
- NHSmail Standard Service, which consists of:
- M365 F3 FUSL Sub Per User (Without Windows & EMS except AADP)
- Azure Active Directory P2 K SU Azure Active Directory P1 K
- Exchange Online P2 SU Exchange Online Kiosk Per User
- Defender O365 F2 Sub Per User
- NHSmail Enhanced Service, which consists of:
- Microsoft 365 E3 Frontline Worker (Restricted – without M365 Apps for Enterprise)
- F5 Security & Compliance*
*Details of specific feature enablement’s will be shared via existing LA collaboration channels (Webinars, Bulletins)
NHSmail Enhanced Service
The NHSmail Enhanced Service is the collaboration and productivity service for healthcare workers, whilst also providing additional capabilities for those in NHS Trusts, Integrated Care Boards (ICBs), Commissioning Support Units (CSUs), the Arm’s Length Bodies (ALBs) and the Department for Health and Social Care users with NHS devices. This includes:
Device Management
- Control Over Devices: services to allow technical teams to provide better control over the devices you use for work, whether it’s a computer, tablet or smartphone. This means ensuring that only authorised devices can access and interact with our healthcare systems
- Security Policies: These policies dictate things like password requirements, encryption settings and other measures to make sure that devices are secure
Application Management
- Centralised App Deployment: This ensures that everyone in the organisation has access to the necessary and approved applications for their work, making it easier to maintain consistency across devices.
- Updates and Patching: Keeping applications up to date is crucial for security. NHSmail provides the services to help ensure that all applications are regularly updated with the latest security patches, reducing vulnerabilities and enhancing the overall security posture of the NHS.
Unified Endpoint Management:
- Simplified Management: NHSmail provides a unified approach to managing all types of devices, whether they are running Windows, macOS, iOS or Android. This simplifies the management process for technical teams, making it easier to ensure a consistent and secure experience across all devices.
Please note, to deliver this enhanced service, these users will benefit from 50 GB mailboxes and 1TB of OneDrive.
For a full feature overview for Enhanced Service Users please see the Feature Overview section.
NHSmail Standard Service
The NHSmail Standard Service is the collaboration and productivity service for healthcare workers including those organisations who indicated in the participation agreement that they were using their own tenant. Any organisation type not listed within with Enhanced Service ie NHS Trusts, Integrated Care Boards (ICBs), Commissioning Support Units (CSUs), the Arm’s Length Bodies (ALBs) and the Department for Health and Social Care users with NHS devices will continue to be provided the service that users are familiar with, including:
- Daily Productivity: your day-to-day work is streamlined with familiar and powerful online tools like Word, Excel, PowerPoint, and a 4GB Outlook mailbox. You can create and edit documents, spreadsheets, and presentations seamlessly.
- Smooth Communication: Instantly communicate with colleagues and service users using online meetings and chat with Teams. Plus use an email platform that helps you manage your inbox efficiently and integrates seamlessly with your calendar for scheduling and organising meetings.
- Anywhere Access: access your work from anywhere. Your files are stored securely in the cloud with 2GB OneDrive, making it easy to work on documents whether you’re in the clinic, in the community, or desk based.
For a full feature overview for Standard Service Users please see the Feature Overview section.
Licence Migration Approach
The licence migration approach from the existing Office 365 (E3R) offering to the NHSmail Standard Service and NHSmail Enhanced Service ensured minimal service impact to both Local Administrators and users, with no planned downtime.
Timeline
The migration will take place in early 2024. Communications will be sent to Local Administrators and relevant users ahead of this.
User Policy Management
The migration followed a 1:1 mapping as per the previous configuration in pre-existing user policies. Therefore, existing national and custom user policies remained, with users retaining their current user policy membership. Local Administrators continue to have the ability to create, edit and manage user policies in the same way via the Portal. This approach has ensured continuity and stability of user experience on the NHSmail Platform.
Portal Licence Naming Conventions
Now the licence migration has been completed, user policies appear under a different naming format within the portal. Please see the changes below for the national and custom policies:
| Current User Policies | Post Licence Migration | Example | |
| National Policy Name | ODS_NationalPolicy | ODS.Licence.NationalPolicy | LSP01_National will be replaced with LSP01.Licence.NationalPolicy |
| Custom Policy Name | ODS_PolicyName | ODS.Licence.Name | LSP01_PowerBI will be replaced with LSP01.Licence.PowerBI |
How to check which NHSmail Service profile has been assigned to my organisation
Local Administrators can follow the steps below to confirm their organisation’s NHSmail Service profile:
- Login to the NHSmail portal with your nhs.net credentials and visit Admin > User Policy Management
- Create a new policy by clicking on Add > Create User Policy
- Using the drop-down menu, select the organisation you wish to check
- Using the drop-down menu, view all base licences available to your organisation. In addition to top-up licences, this list will include one nationally provisioned licence type:
- If the available national licence reads ‘Organisation – National – Microsoft F3 – Date’, this means the organisation will receive the NHSmail Standard Service
- If the available national licence reads ‘Organisation – National – Microsoft E3 – Date’, the organisation will receive the NHSmail Enhanced Service
Top-up Licences
Organisations are able to procure add-on and top-up licences to top-up their base agreements, as needed, however as part of the improved national licensing agreement some licences are no longer required.
Following on from the agreement of the new licensing agreement, there may be scenarios whereby an add-on licence previously procured by an organisation is now centrally offered. It is the responsibility of the local organisation to engage their Cloud Solution Provider (CSP) directly to seek opportunities to either terminate the agreement or allow it to expire.
In these scenarios, the previous add-on licences have been replaced by the central provision. This means that there will be no additional admin overhead in moving user policies following the expiry of the add-ons.
For further information relating to top-up or add-on licenses, please see the Onboarding Guide for Local Administrators guidance.
NHSmail Standard Service – Top-up Licence Changes
From early 2024, the following top-up licences are centrally provided and are no longer be required for NHSmail Standard Service users:
- AAD P1 and AAD P2 (Entra ID P2) (Replaced with AAD P2 which is centrally provided)
- M365 Defender for Office P2 (Replaced with MDO F2)
Note: Once the AAD P2 (Entra P2) licences have expired, they will no longer be visible on the NHSmail portal and any existing configured users will have this licence removed.
NHSmail Standard Service organisations are not be able to uplift 10% of their user’s mailboxes to 50GB as part of the new licencing agreement. Instead, organisations can onboard their own BYO licences to uplift their user’s mailboxes, please see the Onboarding Guide for Local Administrators for steps. Alternatively, LAs can advise users to use their 100GB online archiving provision using the Exchange Online Archiving Guidance.
Changes with respect to the AAD P2 (Entra ID P2) add-on
There are several applications provided by the AAD P2 add-on licence which are covered under the Standard Service’s national licence offering. The following details what LAs can see and control on the portal, with respect to these applications.
National Policies
| Application | Application Toggle in Portal |
| Azure Active Directory Premium P1 (Entra ID P1) | No – Enabled by Default |
| Cloud App Security Discovery | No – Enabled by Default |
| Microsoft Azure Multi-Factor Authentication | No – Enabled by Default* |
| Azure Active Directory Premium P2 (Entra ID P2) | No – Enabled by Default |
Custom Policies with a locally procured base licence
| Application | Application Toggle in Portal |
| Azure Active Directory Premium P1 (Entra ID P1) | Yes |
| Cloud App Security Discovery | Yes |
| Microsoft Azure Multi-Factor Authentication | No – Enabled by Default* |
| Azure Active Directory Premium P2 (Entra ID P2) | Yes |
* Please note, the Multi-Factor Authentication (MFA) toggle will not appear within the NHSmail portal irrespective of licences assigned. For further guidance on MFA on the NHSmail platform, please see MFA Conditional Access – NHSmail Support.
Post migration, in instances where Standard Service organisations have user policies with AAD P2 assigned, the associated toggles no longer appear within the ‘add-on’ section of the portal as they are now mapped as part of the national base licence (and add-on) and included there. However, until locally procured AAD P2 licences expire they will still appear in the portal and can be selected, although, as outlined above, configuring any of the toggles that appear will not over-ride any that are ‘default enabled’ centrally.
Changes with respect to Enterprise Mobility + Security (EMS) add-ons
NHSmail Intune is not available for organisations using the NHSmail Standard Service, either through the central licensing offering, or through add-on or top up licenses.
NHSmail Enhanced Service – Top-up Licence Changes
The following top-up licences are no longer required for NHSmail Enhanced Service Users, as these are already covered under the uplifted national licensing:
- Office 365 E1: This is no longer needed as a top up for larger mailboxes, as under the new agreement users have received 50GB of storage. Enhanced Service Users with an E1 licence prior to the change have been upgraded to an M365 E3 licence type
- Enterprise Mobility & Security: This functionality is covered under the M365 E3 licence
- AAD P1 and AAD P2 (Entra ID P2): This has been replaced with F5 Security and compliance
- M365 Defender for Office P2: This is now replaced with F5 Security and Compliance
Changes with respect to the AAD P2 (Entra ID P2) add-on
There are several applications provided by the Azure Active Directory (AAD) P2 add-on licence which are centrally covered under the Enhanced Service’s national licence offering. The following details what LAs can control on the portal, with respect to these applications and any changes as a result of the licence migration.
National Policies
| Application | Application Toggle in Portal |
| Azure Active Directory Premium P1 (Entra ID P1) | No – Enabled by Default |
| Cloud App Security Discovery | No – Enabled by Default |
| Microsoft Azure Multi-Factor Authentication | No – Enabled by Default* |
| Azure Active Directory Premium P2 (Entra ID P2) | No – Enabled by Default (via F5 Security and Compliance) |
Custom Policies with the national M365 base licence
| Application | Application Toggle in Portal |
| Azure Active Directory Premium P1 (Entra ID P1) | Yes |
| Cloud App Security Discovery | Yes |
| Microsoft Azure Multi-Factor Authentication | No – Enabled by Default* |
| Azure Active Directory Premium P2 (Entra ID P2) | Yes (Also enabled as default via F5 Security and Compliance) |
* Please note, the Multi-Factor Authentication (MFA) toggle will not appear within the NHSmail portal irrespective of licences assigned. For further guidance on MFA on the NHSmail platform, please see MFA Conditional Access – NHSmail Support.
Custom Policies with a locally procured base licence
The locally procured base licence will determine which of the AAD P2 specific applications will be available. Therefore, it is important to determine which applications are offered by your organisation’s locally procured base licence first. If required, you may then need to purchase and apply your own AAD P2 add-on to experience the full functionality associated with AAD P2. Alternatively, organisations can switch to the nationally provisioned base licence offering.
The only exception is the Azure Active Directory Premium P2 (Entra ID P2) application which is now available to all Enhanced Service users via F5 Security & Compliance.
Enhanced Service organisations currently using a locally procured base licence and a AAD P2 top up are responsible for the onward management of the service post transition, following the expiry of their AAD P2 licences.
Where Enhanced Service organisations are using the National M365 E3 base licence (irrespective of whether it’s a national or custom policy) and have a AAD P2 add-on assigned, the associated toggles no longer appear within the ‘add-on’ section of the portal. This is because these applications are now mapped as part of the national base licence offering and thus, included there.
Additionally, until the locally procured AAD P2 licence has expired, it will still appear in the portal UI and can be selected. Although, as outlined above, configuring any of the toggles that do appear will not override any which are ‘default enabled’ centrally.
Changes with respect to Enterprise Mobility + Security (EMS) add-ons
In scenarios where the national M365 E3 licence serves as the base licence for a user policy, the Enterprise Mobility + Security (EMS) E3 and E5 add-on licences are not required. This is because the applications these licences provide are centrally covered under the Enhanced Service’s national licence offering. Therefore, the only EMS specific applications which can be controlled by LAs in the portal are Microsoft Intune and Azure Information Protection P1. These application toggles appear under the M365 E3 set of applications.
For custom user policies with a locally procured base licence, EMS E3 and EMS E5 continue to appear as add-on licences until they expire. These locally procured EMS licences can be selected, although, as outlined above, configuring any of the toggles that appear will not override any that are ‘default enabled’ centrally.
NHSmail Feature Overview
From January 2024, there has been some impact on the availability and management of applications under the new national licence agreement. This section outlines the features and applications available under the new offering.
The following tables provide a breakdown of these applications for both the NHSmail Standard Service and NHSmail Enhanced Service. They have been categorised as:
- ‘Manageable by LAs’ – Applications which can be managed by Local Administrators via the portal
- ‘Tenant Level Enabled’ – Applications which are switched on at tenant level but are not manageable through the portal by Local Administrators
NHSmail Standard Service
January 2024 onwards
* Microsoft Whiteboard – this can be managed via the portal by LAs and will be available to users due to changes in data hosting location to the UK
Phone System is available for Standard Service Users however require additional top-up licences as per the current process.
NHSmail Enhanced Service
January 2024 onwards
* Microsoft Whiteboard – this can be managed via the portal by LAs and is available to users due to changes in data hosting location to the UK
As part of the uplifted offering for NHSmail Enhanced Service users, the key restriction changes in their national licencing applications from E3R include the following:
- The Exchange Online mailboxes for all NHSmail Enhanced Service organisations have been uplifted to 50GB
- SharePoint storage has been uplifted to 10GB per user for those on the NHSmail Enhanced Service
In addition to increased storage, NHSmail Enhanced Service users have access to the following applications which can be managed by LAs in the portal:
- Intune – is available to NHSmail Enhanced Service users, pending onboarding for Intune services via HSS.
- Phone System – the current process which requires an additional top-up licence remains unchanged for both Standard Service and Enhanced Service users, following the migration
| Last Reviewed Date | 08/02/2024 |
