Security groups are a Microsoft 365 functionality that can be used to group users together that require the same permissions. They are primarily used for granting access to Microsoft 365 resources such as SharePoint Online, OneDrive and PowerApps.

For NHSmail, Local Administrators can manage static mail-enabled security groups and static non-mail-enabled security groups via the NHSmail Portal. Dynamic security groups are not currently supported. Automated All Users dynamic non-mail-enabled security groups for all users in an ODS code already exist and are managed by a stand-alone process that is automated and sits outside of the NHSmail Portal. For more information, please refer to the Automated All Users Security Groups article.

Mail-enabled security groups are compatible with all Microsoft 365 service offerings, whereas non-mail-enabled security groups are not compatible with some offerings. Mail-enabled security groups also include the ability to send mail to all the members of the group, but for the purposes of NHSmail, mail-enabled security groups should not be used for mail purposes as the Distribution List functionality should be used instead. For a full overview of which Microsoft 365 service offerings are compatible with mail-enabled and non-mail-enabled security groups, please refer to the Introduction to NHSmail security groups article.

For a full overview of which Microsoft 365 service offerings are compatible with mail-enabled and non-mail-enabled security groups, please refer to the Introduction to NHSmail Security Groups article. Where there is the option to use both groups, the recommendation is to use non-mail-enabled security groups as these are supported by most services.

Local Administrators can manage and control their security groups via the NHSmail Portal. Local Administrators can:

• Create new security groups (including mail-enabled all-user security groups for a particular ODS code)
• View their security groups
• Edit their security groups
• Search for security groups
• Update the user membership of their security groups (both individually and in bulk)
• Nest security groups within other security groups
• Export the members of a security group
• Access basic reporting for security groups

Primary Local Administrators (PLAs) and Local Administrators will be able to manage and control static mail-enabled and non-mail-enabled security groups. There are no additional licensing requirement or other requirements to be able to manage and control NHSmail security groups.

For an overview of the joiners, movers and leavers process for NHSmail security groups and the required actions for Local Administrators, please refer to the Managing NHSmail Security Groups article. This does not apply to Automated All Users dynamic non-mail-enabled security groups which are managed by a stand-alone process that sits outside of the NHSmail Portal.

When an NHSmail user is marked as a new joiner, the user will not be automatically added to any of the new organisation’s security groups. Similarly, when an NHSmail user is marked as a mover, the user will not be removed from their existing organisation’s security groups and they will not be added to any of the new organisation’s security groups. For an overview of the joiners, movers and leavers process for NHSmail security groups and the required actions for Local Administrators, please refer to the Managing NHSmail Security Groups article.

For information on the naming format that should be used when creating NHSmail security groups, please refer to the Managing NHSmail Security Groups article.

For information on how to create NHSmail security groups, please refer to the Managing NHSmail Security Groups article.

Automated All Users dynamic non-mail-enabled security groups for all users in an ODS code already exist and are managed by a stand-alone process that is automated and sits outside of the NHSmail Portal. For more information, please refer to the Automated All Users Security Groups article. The required Local Administrator actions for joiners, movers and leavers apply to any all user security groups created via the NHSmail Portal. For more information, please refer to the Joiners, Movers and Leavers section of this article.

For information on how to view NHSmail security groups, please refer to the Managing NHSmail Security Groups article.

When searching for security groups, please note that partial searches are not accepted. To search for individual security groups, it is recommended that Local Administrators use either the full display name, or the full email address if it is a mail-enabled security group. To search for security groups at organisation level, it is recommended that Local Administrators use the ODS code or the organisation name to search for all security groups in the organisation. Please note that only the first 500 security groups will be visible if more than that are present in the tenant. For further information on how to search for NHSmail security groups, please refer to the Managing NHSmail Security Groups article.

For information on how to view NHSmail security groups, please refer to the Managing NHSmail Security Groups article.

For information on how to update the membership of NHSmail security groups, both individually and in bulk, please refer to the Managing NHSmail Security Groups article.

When editing and updating security groups, updates can take up to 5 minutes to show in the NHSmail Portal whilst the sync completes. If the update does not show after this time, please re-try. Please note that for mail-enabled security groups for all users in an ODS code this may take more than 5 minutes, depending on the total number of users. If the problem persists, Local Administrators can raise an incident related to security groups via the Raise an Incident form for the Portal on the Helpdesk Self-Service (HSS) platform.

For information on how to export the members of NHSmail security groups, please refer to the Managing NHSmail Security Groups article.

Local Administrators can raise an incident related to security groups via the Raise an Incident form for the Portal on the Helpdesk Self-Service (HSS) platform.

Local Administrators can use the NHSmail Portal Audit Logs to extract records related to creating, editing and updating security groups. Local Administrators can also use Azure AD to generate a report for their security groups and to check the security groups a user is a member of.

For the updated guidance on how Local Administrators can opt-in users for the BYO device security controls, please refer to the Bring Your Own Device Security Controls guidance article for Local Administrators.

Intune Admins can now leverage both the NHSmail Portal and the Intune PowerApp for the creation of static security groups, as long as the correct naming format is used.

The creation of dynamic and device-based security groups will remain unchanged and managed via the Intune PowerApp.

All static security groups created by the Intune PowerApp will automatically appear in the NHSmail Portal with no manual naming convention steps required.

All static security groups created via the NHSmail Portal will be required to use the following specific Intune naming convention shown via the table below in order to appear within the PowerApp:

* Automatically added by the Portal

For more information, please refer to the Introduction to NHSmail Security Groups article or the Managing NHSmail Security Groups article for Local Administrators.