As part of the recent NHS England and Microsoft Collaboration licensing agreement, this article has been created for Local Administrators (LAs) and NHSmail users within Health and Care organisations, to provide information on frequently asked questions on NHSmail tenant licensing, including key queries associated with the agreement.
National Licences:
All users on the NHSmail platform will receive a nationally allocated licence. Licences have been allocated based on the user requirements of the organisation with two licence profiles provisioned. These are as follows (please see the below FAQs for more detail on the profile definitions):
- NHSmail Standard Service
- NHSmail Enhanced Service
The national licences associated with these user groups are as follows:
NHSmail Standard Service, which consists of:
- M365 F3 FUSL Sub Per User (Without Windows & EMS except AADP)
- Azure Active Directory P2 K SU Azure Active Directory P1 K
- Exchange Online P2 SU Exchange Online Kiosk Per User
- Defender O365 F2 Sub Per User
NHSmail Enhanced Service, which consists of:
- Microsoft 365 E3 Frontline Worker (Restricted – without M365 Apps for Enterprise)
- F5 Security & Compliance*
*Details of specific feature enablements will be shared via existing communications channels, for example Local Administrator collaboration channels.
For the national licences outlined above, LAs are not required to take any action to set them up as a national user policy has been created for every organisation as part of the licence migration. As part of the NHSmail service, users will automatically be added into their organisation’s default policy. For further information on NHSmail licences, please review the NHSmail M365 Licence Matrix.
The NHSmail Standard Service is the collaboration and productivity service for healthcare workers including those organisations who indicated in the Participation Agreement that they are using their own tenant. This service will continue to provide the service that users are familiar with. For more information please visit NHSmail Licence Overview and Migration Approach support site guidance.
The NHSmail Enhanced Service is the collaboration and productivity service for healthcare workers, whilst also providing additional capabilities for those in NHS Trusts, Integrated Care Boards (ICBs), Commissioning Support Units (CSUs), the Arm’s Length Bodies (ALBs) and the Department for Health and Social Care users with NHS devices. For more information please visit NHSmail Licence Overview and Migration Approach.
Local Administrators should follow the steps below to confirm their organisation’s service eligibility/categorisation:
- Log in to the NHSmail portal with your nhs.net credentials and visit Admin > User Policy Management
- Create a new policy by clicking on Add > Create User Policy
- Using the drop-down menu, select the organisation you wish to check
- Using the drop-down menu, view all base licences available to your organisation. In addition to top-up licences, this list will include one nationally provisioned licence type:
  - If the available national licence reads ‘Organisation – National – Microsoft F3 – Date’, this means the organisation will receive the NHSmail Standard Service
  - If the available national licence reads ‘Organisation – National – Microsoft E3 – Date’, the organisation will receive the NHSmail Enhanced Service
NHSmail Users should follow these steps:
- Log in to Microsoft 365 with your nhs.net credentials
- Select your icon in the top right corner of the window
- Select View account
- Select Subscriptions
- Here you should see the licence which has been assigned to your account:
  - If you have the Microsoft 365 F3 licence, this means you are on the NHSmail Standard Service
  - If you have the Microsoft 365 E3 licence, this means you are on the NHSmail Enhanced Service
  - If you have a different licence present, this means your organisation has provided you with a self-funded, local licence (as per the Bring Your Own Licence model).
The migration followed a 1:1 mapping as per the previous configuration in existing user policies. Therefore, previous national and custom user policies remain unchanged, except for a new policy naming convention (see below), with users retaining their existing user policy membership. For this scenario, LAs will have received separate communications on any notable policy changes.
The following naming conventions are used for custom and national policies:
User Policy | Naming Convention | Example |
National Policy Name | ODS.Licence.NationalPolicy | LSP01.Licence.National Policy |
Custom Policy Name | ODS.Licence.Name | LSP01.Licence.PowerBI |
Local Administrators will continue to have the ability to create, edit and manage user policies in the same way via the Portal. This approach will help ensure continuity and stability of user experience on the NHSmail Platform. For further information please see User Policy Management.
Licence Onboarding:
Organisations can purchase ‘top up’ licences from their Microsoft licence reseller. LAs must raise a service request with the NHSmail helpdesk, who will transfer the licences to the NHSmail M365 service.
Once completed, the licences will become available within the NHSmail Portal and LAs can then allocate them to their users. Further information is available in the Onboarding Guide for LAs.
Organisations may ‘top up’ the nationally provided NHSmail service. Please see NHSmail M365 Licence Matrix for a complete list of supported licences.
NHSmail Standard Service User Top-up Licence Changes:
From January 2024, the following top-up licences will no longer be required for Standard Service Users:
- AAD P1 and AAD P2 (Entra P2) – this has been centrally provided
- MDO Plan 2 – this has been replaced by MDO F2
Important Note:
Organisations using the NHSmail Standard Service that have onboarded onto Intune with Enterprise Mobility & Security E3 will require their own locally procured EMS licence. Once a local Enterprise Mobility & Security licence has been onboarded, LAs must assign the licence to a user policy and toggle-on Intune. For further guidance, please see Intune Overview.
NHSmail Enhanced Service Users Top-up Licence Changes
From January 2024, the following top-up licences will no longer be required for NHSmail Enhanced Service Users, as this should already be covered under the uplifted default licensing:
- Office 365 E1: This is no longer needed as a top-up for larger mailboxes, because under the new agreement users have received 50GB of storage. NHSmail users with an E1 licence have therefore been upgraded to an M365 E3 licence type
- Enterprise Mobility & Security: This functionality is now covered under the Microsoft 365 E3 (Restricted) licence
- AAD P1 and AAD P2 (Entra P2) – this has been replaced with F5 Security and compliance
- MDO Plan 2 – this has been replaced with F5 Security and Compliance
*Please note that in instances where a locally procured base licence has been applied, organisations may be required to apply their own AAD P2 add-on if they wish to experience all the applications AAD P2 offers. The locally procured base licence will determine whether this add-on is required. Alternatively, organisations can switch to the nationally provisioned base licence offering.
The AAD P2 add-on licence is not required for Enhanced Service organisations using a national base. This is because applications provided by this licence are centrally covered under the Enhanced Service’s national licence offering. The following details what LAs can control on the portal, with respect to these applications and any changes as a result of the January 2024 licence migration:
National Policies
Application | Application Toggle in Portal |
Azure Active Directory Premium P1 (Entra ID P1) | No – Enabled by Default |
Cloud App Security Discovery | No – Enabled by Default |
Microsoft Azure Multi-Factor Authentication | No – Enabled by Default* |
Azure Active Directory Premium P2 (Entra ID P2) | No – Enabled by Default (via F5 Security and Compliance) |
Custom Policies with the national M365 base licence
Application | Application Toggle in Portal |
Azure Active Directory Premium P1 (Entra ID P1) | Yes |
Cloud App Security Discovery | Yes |
Microsoft Azure Multi-Factor Authentication | No – Enabled by Default* |
Azure Active Directory Premium P2 (Entra ID P2) | Yes (Also enabled as default via F5 Security and Compliance) |
* Please note, the Multi-Factor Authentication (MFA) toggle will not appear within the NHSmail portal irrespective of licences assigned. For further guidance on MFA on the NHSmail platform, please see MFA Conditional Access – NHSmail Support.
Custom Policies with a locally procured base licence
The locally procured base licence will determine which of the AAD P2 specific applications will be available. Therefore, it is important to determine which applications are offered by your organisation’s locally procured base licence first. If required, you may then need to purchase and apply your own AAD P2 add-on to experience the full functionality associated with AAD P2.
The only exception is the Azure Active Directory Premium P2 (Entra ID P2) application which will be available to all Enhanced Service users via F5 Security & Compliance.
In scenarios where the national M365 E3 licence serves as the base licence for a user policy, the Enterprise Mobility + Security (EMS) E3 and E5 add-on licences are not required. This is because the applications these licences provide are centrally covered under the Enhanced Service’s national licence offering. Therefore, the only EMS specific applications which can be controlled by LAs in the portal are Microsoft Intune and Azure Information Protection P1. These application toggles appear under the M365 E3 set of applications.
For custom user policies with a locally procured base licence, EMS E3 and EMS E5 continue to appear as add-on licences until they expire.
Following the January 2024 licence migration, in instances where Enhanced Service organisations have user policies with EMS (E3 and E5) assigned, the associated toggles will no longer appear within the ‘add-on’ section of the portal, as they will be mapped as part of the national base licence and included there. However, until locally procured EMS licences expire, they will still appear in the portal and can be selected. As outlined above, configuring any of the toggles that appear will not override any that are ‘default enabled’ centrally.
National Policies and Custom Policies with the nationally provisioned M365 E3 base licence
As per the above scenarios, where Enhanced Service organisations have an AAD P2 add-on assigned, the associated toggles will no longer appear within the ‘add-on’ section of the portal. This is because these applications will be mapped as part of the national base licence offering and thus included there.
Additionally, until the locally procured AAD P2 licence has expired, it will still appear in the portal UI and can be selected. However, as outlined above, configuring any of the toggles that do appear will not override any which are ‘default enabled’ centrally.
Custom Policies with a locally procured base licence
The locally procured base licence will determine which of the AAD P2 specific applications will be available. Therefore, it is important to determine which applications are offered by your organisation’s locally procured BYOL base licence first. If required, you may then need to purchase and apply your own AAD P2 add-on to experience the full functionality associated with AAD P2.
The only exception is the Azure Active Directory Premium P2 (Entra ID P2) application which will be available to all Enhanced Service users via F5 Security & Compliance.
Therefore, any AAD P2 applications should still appear under the ‘Add-On’ section within the portal UI.
The AAD P2 add-on licence is not required for Standard Service organisations. This is because applications provided by this licence are centrally covered under the Standard Service’s national licence offering. The following details what LAs can control on the portal, with respect to these applications and any changes as a result of the January 2024 licence migration:
National Policies
Application | Application Toggle in Portal |
Azure Active Directory Premium P1 (Entra ID P1) | No – Enabled by Default |
Cloud App Security Discovery | No – Enabled by Default |
Microsoft Azure Multi-Factor Authentication | No – Enabled by Default* |
Azure Active Directory Premium P2 (Entra ID P2) | No – Enabled by Default |
Custom Policies with a locally procured base licence
Application | Application Toggle in Portal |
Azure Active Directory Premium P1 (Entra ID P1) | Yes |
Cloud App Security Discovery | Yes |
Microsoft Azure Multi-Factor Authentication | No – Enabled by Default* |
Azure Active Directory Premium P2 (Entra ID P2) | Yes |
Following the January 2024 licence migration, in instances where Standard Service organisations have user policies with AAD P2 assigned, the associated toggles will no longer appear within the ‘add-on’ section of the portal, as they will be mapped as part of the national base licence (and add-on) and included there. However, until locally procured AAD P2 licences expire, they will still appear in the portal and can be selected, although configuring any of the toggles that appear will not override any that are ‘default enabled’ centrally.
Following on from the agreement of the new Microsoft deal, there may be scenarios whereby an add-on licence previously procured by a local organisation is now centrally offered. It is the responsibility of the local organisation to engage their licensing reseller (LSP) directly to seek opportunities to true down or remove these licences from their agreement. This will need to be assessed on a case-by-case basis and is dependent on the agreement between the local organisation and LSP.
In these scenarios, the previous add-on licences will be replaced by the central provision. This means that there will be no additional admin overhead in moving user policies following the expiry of the add-ons.
For further information relating to top-up or add-on licences, please see NHSmail M365 Licence Matrix.
Feature Management
Organisations can onboard their own BYO (bring your own) licences to uplift their users’ mailboxes. Please see the Onboarding Guide for Local Administrators for steps. Alternatively, LAs can advise users to use their 100GB online archiving provision using the Exchange Online Archiving Guidance.
In scenarios where organisations choose to apply a locally procured licence to uplift user mailboxes, they must toggle on the Larger Mailbox feature via the relevant user policy. This feature enables members to benefit from the larger mailbox capacity provided by the licence. If not turned on, these users are provided with the standard mailbox size available under their organisation’s licence profile. Please note, the Larger Mailbox toggle is not available for national policies.
LAs should work with users to manage down their OneDrive should they reach the limit. In these scenarios, LAs should reach out to the NHSmail helpdesk for support.
LAs will not be able to edit features in a national policy. If different feature settings are required, a custom policy should be created. Please see User Policy Management guidance for more information.
LAs will be able to manage certain features for a custom policy where a toggle exists within the portal. Please note, when an ‘M365 Apps for Enterprise’ licence top-up is purchased, the associated features are not configurable through toggles by an LA. Please see User Policy Management guidance for more information.
For Enhanced Service Users:
Intune is available as part of the nationally provisioned M365 E3 Restricted licence for NHS Enhanced Service Users. LAs are required to toggle on Intune within their user policies, and must also onboard their organisation via the guidance located on the NHSmail support site – Intune Overview. Until they have completed the onboarding steps outlined, Intune will not be available.
For Standard Service Users:
Standard Service Users do not have access to Intune with their base licensing. To use Intune, the organisation must have onboarded their own Enterprise Mobility and Security (EMS) licence. An LA must then create a user policy assigning the EMS licence and toggle on Intune. Following this, they must then onboard their organisation to Intune via the guidance located on the NHSmail support site – Intune Overview.
LAs can manage features associated with the national licences within the NHSmail portal. However, there are some features which are turned on at tenant level and are not manageable by LAs. Alternatively, some services are not available.
All NHSmail Enhanced users have been assigned with an F5 Security and Compliance licence. Details regarding specific feature configuration and enablement will be shared with Local Administrators via the existing BAU channels (webinars, support site, release notes). These features will be prioritised in alignment with the NHSmail security roadmap.
Licence Administration & User Policy Management
Yes, the new licensing agreement, assigned to users from January 2024, ensures continuation in how the NHSmail Service is managed by LAs. Local Administrators can continue to manage both national and locally procured licences via user policies in the NHSmail portal. LAs can create user policies, edit them and add members, alongside managing features within a user policy. For more detail on managing user policies please visit User Policy Management guidance.
LAs will not be able to delete user policies from January 2024. If policies are no longer required LAs should look to rename and repurpose them in the first instance, otherwise contact the Service Desk for deletion.
LAs will be able to check for licensing errors within a user policy through the ‘Export Licensing Errors’ button.
LAs must first navigate to Admin > User Policy Management and select the policy they wish to check. Once in the user policy, LAs will be able to run the report via the ‘Export Licensing Errors’ button. LAs will then be emailed a CSV which contains the members assigned to the policy and the licensing status for each of them. In the instance where a member has a licensing error, LAs should reach out to the Service Desk via the licence HSS process for resolution. Please note, the ‘Export Licensing Errors’ functionality can only be used if there are members added to the user policy. For further information please see User Policy Management: Editing a policy.
Yes, if the LA has appropriate access rights.
LAs will not be able to edit the national licence for their organisation(s). Therefore, if an organisation is assigned either the Standard Service or Enhanced Service licence set this cannot be amended by an LA. Instead, from January 2024 LAs will be able to select which of their organisation’s policies is their default policy, whether custom or the national policy. This will be the policy that new joiners and movers are automatically assigned to.
Joiners, Movers, Leavers
Local Administrators can select either the national policy assigned to their organisation(s) or a custom policy to be the default policy for an organisation by raising a ticket to the Service Desk. It is therefore at the LA’s discretion to assign the default policy that best fits their organisation’s users. When a new joiner starts, they will be automatically assigned to the default policy for that organisation. For more information, please see User Policy Management guidance.
When an LA moves an NHSmail user from one organisation to another organisation, the user will be removed from their existing organisation’s user policy. At the same time, they will be added to the new organisation’s default user policy. After the move is completed, it will be the responsibility of the new organisation’s LA to add the moved account to an alternative user policy if required.
When an NHSmail user is marked as a leaver, the user will retain their membership of the user policy (custom or default organisation licensing group). The user will remain in the policy for 30 days from being marked as a leaver. Once this 30-day retention period has completed, the user will automatically be removed from the user policy.
Last Reviewed Date | 29/01/2024 |