The Refreshed NHSmail service will provide all NHSmail users in England with a nationally allocated O365 licence. Please visit the O365 Feature Introduction to see what applications and services are included as part of this provision.
Local Administrators (LAs) will now be able to manage these O365 services via the NHSmail Portal, through user policies and application toggles. This ‘Getting Started’ article will introduce all the basic functions of O365 management via the NHSmail Portal so you can begin to provision services for your users.
A full range of guidance materials can be found via the Local Administrator O365 Portal Guide.
For organisations that have previously procured and onboarded their own O365 licenses as part of the NHSmail Office 365 Hybrid Service. There are some process and interface changes to the NHSmail Portal O365 admin functions to be aware of. Please read the rest of this article to familiarise yourself with what these are.
Introduction to User Policy Management
User policies enable LAs to manage O365 application access and settings for their users through the NHSmail Portal. Step by step guidance on how to login, create, edit and amend policies can be found in the How to manage user policies section of this article.
As part of the NHSmail Refresh, one National User Policy has been created for every Organisation Data Service (ODS) code on the NHSmail platform. This National User Policy represents the default O365 configuration available under the national N365 E3 Restricted licence provision and will be the default policy all users are added to through the NHSmail Refresh programme. The National User Policy will show as – ODS National Policy in the NHSmail Portal.
LAs also have the ability to create additional policies for their organisation alongside the national policy and move users between them at their discretion (for their respective organisations). The default user policy will be configured as per the application settings outlined in the table below. It cannot be changed however; LAs can create new user policies to provide access to applications that are turned off by default.
Once users are migrated into Exchange Online they will automatically be added into the National User /default Policy for their organisation. Please note some features are only available once a mailbox has been migrated to Exchange online (Office 365).
| Application Name | National User Policy Setting |
| Microsoft To Do | On |
| Microsoft Stream | On |
| Microsoft Shift / Staff Hub | On |
| Microsoft PowerAutomate (Flow) | On |
| Microsoft PowerApps | On |
| Microsoft Teams | On |
| Microsoft Planner | On |
| Microsoft OneDrive for Business and Office Online | On |
| Microsoft SharePoint Online | On |
| Microsoft Exchange Online | On |
| Microsoft Search | On |
| Microsoft Whiteboard | Off |
| Microsoft Forms | Off |
| Microsoft Sway | Off |
| Microsoft Yammer | Off |
It is the responsibility of local organisation’s to enable or disable O365 functionality for their users subject to local risk appetite and Data Protection policies on offshoring. Information on data residency for O365 applications can be found here.
User Policy Management for your organisation
An organisation can have multiple user policies, alongside the standard National User Policy, with different settings applied to each policy. This allows organisations to create different user policies based on a variety of user needs.
For example, a Local Administrator can create a policy for users who need access to Microsoft Teams, OneDrive and SharePoint only, and a different policy for users who only need access to Microsoft Shifts. It is also possible to create a policy to require users to have multi factor authentication enabled on their account.
It is recommended that LAs do not enable MFA for their user base until they have completed their migration to Exchange Online. If MFA is enabled for on-premise users, they will be required to complete additional steps to establish connectivity to Exchange Online during the Refresh process. Further detailed MFA guidance can be found here.
Any additional policies will utilise the nationally provisioned O365 allocation for that organisation and its associated users. Organisations that have procured a top up licence can use those as well as or instead of these to enable any additional capabilities.
Procuring add-on or top-up licenses
Organisations can continue to procure add-on or top-up licenses and onboard them to the NHSmail tenant, should they wish to access additional features or higher O365 licence types. Please visit the onboarding guide for detailed step by step instructions of how to do so.
Add-on or top-up licenses procured and onboarded by an organisation, can be managed the same way as standard user policies in the NHSmail Portal. These licenses will appear automatically in the User Policy Management page once onboarded.
How to Manage User Policies
The following quick start guides aim to provide instruction on how to perform key tasks in user policy management:
- Creating a User Policy
- Editing/Updating a User Policy
Create a new User Policy
1. Log in to the NHSmail Portal using your nhs.net credentials (the Admin toolbar will only show for LAs)
2. Navigate to Admin > User Policy Management
3. In the User Policy List page, click on Add > Create User Policy
4. Select the organisation you want to create the policy for, name the new policy and add a description to it if required
Note: only the organisations you are a LA for will appear in the drop-down menu
5. Select a base licence from the drop-down menu and an add on Licence if required.
Note: The base licence will be what is provisioned to your organisation through the nationally allocated N365 Office 365 licence pool. If your organisation has also procured other licenses and onboarded them to the NHSmail central tenant (instructions above) – E.g. E3 or E5, these will also appear in the drop-down box. Examples of add on licence types include functionality like Dial-In Conferencing, Visio or Project. Again, these will only appear if directly procured by an organisation and onboarded.
The nationally allocated base licence (otherwise known as N365, E3 Restricted or E3R) will show as: ACCENTURE – LSP01 – National – Office 365 User – 30/04/2023.
6. You can then toggle on or off any applications as required for the new policy you are creating. Please refer to the O365 Feature Guidance article for more information on what each of the O365 applications does.
Any applications included in the base licence appear and can be controlled via toggles.
Add-on licenses must be applied to the policy via the drop-down menu – these will not appear as toggles. Multiple add-on licenses can be applied to the same policy via the drop down menu licence.
Apps for Enterprise: When applied as an add-on, all the different O365 applications included within this licence type will be enabled by default. These are included below and are not currently configurable through toggles:
- Forms (Plan 1)
- Office Web
- Office Desktop
- Sway
- OneDrive for Business (Plan 1)
- Whiteboard
Whiteboard, Forms, Sway host data outside of the UK and as mentioned above will be applied automatically through the Apps for Enterprise add-on. It is the local organisation’s responsibility to determine if it is appropriate to use these apps, subject to local risk appetite and Data Protection policies on offshoring.
Note: Visit this guide to find out about managing mailbox size quotas.
7. You can add members to the policy by selecting the Add button and searching for the user
Note: The Import button can be utilised to add users in bulk if required
8. Once selected, click Update and a green success pop up will appear at the top right corner of the screen to confirm the user has been added.
Handy Tips:
- User policy names are automatically prefixed with the (ODS) code of the organisation the user policy belongs to
- Duplicate names: A single organisation cannot have 2 user policies with the same name. However, 2 or more different organisations can use the same name for their policies
- The name must not be more than 35 characters and may contain letters, numbers and spaces. Special characters are not allowed
- The description must not be more than 250 characters and may contain letters, numbers and any special characters
- LAs can add a maximum of 5,000 mailboxes at a time to a policy through the bulk update process. If the policy is larger than 5,000, the bulk import process can be repeated
- The Teams Call Recording toggle will be enabled by default on all newly created User Policies. It can be turned off in the Applications Settings box
- If an LA disables all the User Policy application toggles, but applies the Apps for Enterprise add-on – the users within the policy will still have access to all the applications provided through Apps for Enterprise, including OneDrive
- Microsoft provide a grace period for SharePoint/OneDrive access. If LA’s disable the toggle for these applications in a user policy, there will be a period where users can continue to access the applications. LA’s can delete a user’s OneDrive content where appropriate and SharePoint Site Owners can actively remove access from Site Collections if needed
Creating a new user policy and adding users into it will automatically remove them from the National User Policy for that organisation – and as a result, they will lose the standard O365 configuration and be given access to whatever applications are enabled in the newly created custom policy.
Editing or updating a policy
- Navigate to User policy management following the steps above (Admin > User Policy Management)
- Search for the name of the policy that you would like to edit
- Edit the policy by updating the appropriate fields – i.e. name, description or base licence
- You can edit membership of the policy by selecting the Add button and searching for new users. If you want to add more users in bulk, click Import and fill in the excel sheet with the users you want to add. Import that excel sheet by selecting Upload.
- Click Update and a green success pop up will appear at the top right corner of the screen
Additional User Policy Information
There are some additional user policy features to be aware of, please find these detailed below:
1. Default Policies: Organisations can update their default policy via a service request to the NHSmail helpdesk, and from December 2020 newly created accounts will be automatically added to this default policy.
Please note, all users migrated to Exchange Online as part of the NHSmail Refresh will automatically be put into their organisation’s National User Policy, and Local Administrators can move users between this policy and the local default policy as required (this does not include pre-existing user policies set-up by Hybrid Organisations – users within these policies will not be affected by the migration process).
To check what your default policy is, go to Admin, Organisations, Manage Organisations. Choose your organisation and select Policies. Your default policy will be shown as per the image below
- Joiners, Movers and Leavers:
- Joiners: Will automatically be added to your organisation’s National User Policy (or Default policy if it has been changed). This will happen at the point of migration to Exchange Online through the NHSmail Refresh.
- Movers: All users must be part of a user policy. There are two mechanisms to transfer users between user policies;
i. Via the User Policy Management: adding a user to a new policy will automatically remove them from their old one
ii. Via the User Management Page: Search for an individual user, select edit user policy property and hit transfer. This will take you to the page shown below where you can select a new user policy
- Leavers: When marking a user as a leaver there are a few additional considerations to make – such as whether the user needs to retain their OneDrive content. Please see further guidance on how to mark an NHSmail Office 365 user as a leaver.
3. Teams Recording: Will be enabled as default on all newly created user policies, in line with current settings on the platform. This can be manually disabled by Local Admins if required. Please see further guidance on Teams Call Recording, including instructions on how to setup, access and manage call recordings.
4. Policy Status: Users can only be assigned to one policy. To check a specific user’s policy: navigate to Admin, User Management, search for the user in question, you will see the user policy detail within the directory properties. This will show what policy the user is part of (if any).
Creating Microsoft Teams & SharePoint Collections
LAs can also create new Teams and SharePoint Collections through the NHSmail Portal. Specific guidance on how to perform these actions can be found via the links below:
