Microsoft Online Services Licensing Guide
The NHSmail service allows health and care organisations to access O365 services using their existing NHSmail identity. The Service provides two nationally provisioned M365 licence types (M365 E3 for NHSmail Enhanced Users and M365 F3 for NHSmail Standard Users) but also offers a bring-your-own licence model, where organisations can locally procure Microsoft Online Service licences from re-sellers and onboard them to NHSmail.
For further information relating to the nationally provisioned licence types, please see the Licence Overview and Migration Approach guidance.
The NHSmail service allows organisations to subscribe and manage their O365 users via the existing NHSmail Portal. Local Administrators (LAs) can administer O365 services via the NHSmail Portal, including assigning licences, enabling applications and creating SharePoint sites.
This guide is for organisations that want to onboard their locally procured M365 licences to the NHSmail shared tenant, including those with pre-existing licences that they wish to transfer from another Office 365 tenant to the NHSmail shared tenant. Please visit the most appropriate section below for advice on:
O365 Licence True-Ups and Anniversaries
O365 Licence Transfers (into the tenant)
O365 Licence Transfers (out of the tenant)
Important information: Licence Agreement Renewals and Anniversaries
Organisations that are renewing a Microsoft Licence Agreement (typically every 3 years) or adding new products to an existing agreement will need to follow the standard onboarding process outlined in O365 Licence Onboarding section below. This will ensure the new licence subscriptions created by Microsoft as part of your renewal agreement are correctly assigned to your organisation in the NHSmail Portal.
Organisations that are performing a true up/down of an existing product that has been previously onboarded through one of the processes below do not need to act, as the update will flow through from Microsoft to the NHSmail Portal automatically. If it doesn’t reflect in the NHS Portal within 48 hours, please refer to the O365 Licence True-Ups and Anniversaries section.
If an Agreement Renewal or Anniversary true down results in the quantity of users within the associated User Policy being greater than the new licences onboarded, your policy will be in a position of overage and will need to be updated within 1 month to avoid users being moved to your organisations national policy. View the User Policy Management page for more information on how to move users to a new policy. If the same or more licences are available, then no action is required.
Supported Licence top ups
The following licence top ups are supported with NHSmail:
Add-on Licences:
- Exchange Online (Plan 2)
- Microsoft Teams Room Standard
- Power BI
-
- Power BI Free
- Power BI Pro
- Power BI Premium
- Power BI Premium (Per user)
-
- Project
-
- Project Plan 1
- Project Plan 3
- Project Plan 5
- Project Plan Essential
-
- Visio Online
-
- Microsoft Visio Plan 1
- Microsoft Visio Plan 2
-
- Power Apps
-
- Power Apps Per App
- Power Apps Per User
- Dataverse DB Storage
- Dataverse File Storage
-
- Power Automate
-
- Power Automate Per User
- Power Automate Per Flow
- Power Automate Attended RPA
- Microsoft 365 Apps for enterprise (User only)
-
- Power Apps
-
- Power Apps Per App
- Power Apps Per User
- Dataverse DB Storage
- Dataverse File Storage
-
- SharePoint
-
-
- SharePoint Online Storage
-
-
- Team Phone System and Calling Plan
-
-
- Microsoft Teams Phone System (MCOEV)
- 120 minute Domestic Calling Plan (MCOPSTN_5)
- 1200 minute Domestic Calling Plan (MCPPSTN_1)
- Domestic and International Calling Plan (MCOPSTN2)
- Microsoft Teams Phone with Calling Plan (country zone 1 – UK/Canada))
-
-
- Microsoft Teams Premium
- Microsoft Teams Premium (Intelligent Recap)
- Microsoft Teams Audio Conferencing
*These add on licences can be onboarded to the NHSmail central tenant and assigned in the portal. Please note that organisations must be onboarded to the NHSmail Intune service before the licences can be used for Intune. More information about the NHSmail Intune service is available here.
NHSmail Intune is not available for organisations using the NHSmail Standard Service, either through the central licensing offering, or through add-on or top up licenses.
For more details on the new national licensing agreement and organisation categorization, further information can be found at Licence Overview and Migration Approach guidance
NHSmail Enhanced Service Bring Your Own Licence (BYOL) Changes
From January 2024, the following BYOL licences will no longer be required for NHSmail Enhanced Service Organisations as functionality will be covered by centrally provided licences:
-
- Office 365 E1
- Enterprise Mobility + Security E3
- Enterprise Mobility + Security E5
- Microsoft Entra ID P1
- Microsoft Entra ID P2
- M365 Defender for Office P2
Users with the above licence types prior to January 2024 will be upgraded to the M365 E3 and F5 Security & Compliance licence types.
In the case of these procured licence types, it is the responsibility of the local organisation to engage their licensing reseller (known as LSP) directly to seek opportunities to true down or remove licences from their own agreement. This will need to be assessed on a case by-case basis and is dependent on the agreement between the local organisation and LSP.
In these scenarios, the previous top-up or add-on licences will be replaced by the central provision. This means that there will be no additional admin overhead in moving user policies following the expiry of the add-ons.
For further information, please see the NHSmail Licence Overview and Migration Approach guidance.
Changes with respect to the AAD P2 (Entra ID P2) add-on
There are several applications provided by the Microsoft Entra ID P2 add-on licence which are centrally covered under the Enhanced Service’s national licence offering. The following details what LAs can control on the portal, with respect to these applications and any changes as a result of the licence migration.
National Policies:
| Application | Application Toggle in Portal |
| Microsoft Entra ID P1 | No – Enabled by Default |
| Cloud App Security Discovery | No – Enabled by Default |
| Microsoft Azure Multi-Factor Authentication | No – Enabled by Default* |
| Microsoft Entra ID P2 | No – Enabled by Default (via F5 Security and Compliance) |
Custom Policies with the national M365 base licence:
| Application | Application Toggle in Portal |
| Microsoft Entra ID P1 | Yes |
| Cloud App Security Discovery | Yes |
| Microsoft Azure Multi-Factor Authentication | No – Enabled by Default* |
| Microsoft Entra ID P2 | Yes (Also enabled as default via F5 Security and Compliance) |
* Please note, the Multi-Factor Authentication (MFA) toggle will not appear within the NHSmail portal irrespective of licences assigned. For further guidance on MFA on the NHSmail platform, please see MFA Conditional Access – NHSmail Support.
Custom Policies with a locally procured base licence:
The locally procured base licence will determine which of the AAD P2 specific applications will be available. Therefore, it is important to determine which applications are offered by your organisation’s locally procured base licence first. If required, you may then need to purchase and apply your own AAD P2 add-on to experience the full functionality associated with AAD P2. Alternatively, organisations can switch to the nationally provisioned base licence offering.
The only exception is the Microsoft Entra ID P2 application which will be available to all Enhanced Service users via F5 Security & Compliance.
Enhanced Service organisations currently using a locally procured base licence and a AAD P2 top up are responsible for the onward management of the service post transition, following the expiry of their AAD P2 licences.
Where Enhanced Service organisations are using the national M365 E3 base licence (irrespective of whether it is a national or custom policy) and have a AAD P2 add-on assigned, the associated toggles will no longer appear within the ‘add-on’ section of the portal. This is because these applications will be mapped as part of the national base licence offering and thus, included there.
Additionally, until the locally procured AAD P2 licence has expired, it will still appear in the portal UI and can be selected. Although, as outlined above, configuring any of the toggles that do appear will not override any which are ‘default enabled’ centrally.
Changes with respect to Enterprise Mobility + Security (EMS) add-ons
In scenarios where the national M365 E3 licence serves as the base licence for a user policy, the Enterprise Mobility + Security (EMS) E3 and E5 add-on licences are not required. This is because the applications these licences provide are centrally covered under the Enhanced Service’s national licence offering. Therefore, the only EMS specific applications which can be controlled by LAs in the portal are Microsoft Intune and Azure Information Protection P1. These application toggles appear under the M365 E3 set of applications.
For custom user policies with a locally procured base licence, EMS E3 and EMS E5 continue to appear as add-on licences until they expire. These locally procured EMS licences can be selected, although, as outlined above, configuring any of the toggles that appear will not override any that are ‘default enabled’ centrally.
NHSmail Standard Service Bring Your Own Licence (BYOL) Changes
From January 2024, the following BYOL licences will no longer be required for NHSmail Standard Service Organisations as functionality will be covered by centrally provided licences:
-
- M365 Defender for Office P2 (Replaced with MDO F2)
- AAD P1 and AAD P2 (replaced with AAD P2 which will be centrally provided)
Changes with respect to the AAD P2 (Entra ID P2) add-on
There are several applications provided by the AAD P2 add-on licence which are covered under the Standard Service’s national licence offering. The following details what LAs can see and control on the portal, with respect to these applications.
National Policies
| Application | Application Toggle in Portal |
| Microsoft Entra ID P1 | No – Enabled by Default |
| Cloud App Security Discovery | No – Enabled by Default |
| Microsoft Azure Multi-Factor Authentication | No – Enabled by Default* |
| Microsoft Entra ID P2 | No – Enabled by Default |
Custom Policies with a locally procured base licence
| Application | Application Toggle in Portal |
| Microsoft Entra ID P1 | Yes |
| Cloud App Security Discovery | Yes |
| Microsoft Azure Multi-Factor Authentication | No – Enabled by Default* |
| Microsoft Entra ID P2 | Yes |
* Please note, the Multi-Factor Authentication (MFA) toggle will not appear within the NHSmail portal irrespective of licences assigned. For further guidance on MFA on the NHSmail platform, please see MFA Conditional Access – NHSmail Support.
Post migration, in instances where Standard Service organisations have user policies with AAD P2 assigned, the associated toggles will no longer appear within the ‘add-on’ section of the portal as they will be mapped as part of the national base licence (and add-on) and included there. However, until locally procured AAD P2 licences expire they will still appear in the portal and can be selected, although, as outlined above, configuring any of the toggles that appear will not over-ride any that are ‘default enabled’ centrally.
Changes with respect to Enterprise Mobility + Security (EMS) add-ons
Organisations using the NHSmail Standard Service that have onboarded onto Intune with Enterprise Mobility & Security E3 will require their own local EMS licence. Once a local Enterprise Mobility and Security licence has been onboarded, LAs must assign the licence to a user policy and toggle-on Intune. For further guidance, please see Intune Overview.
O365 Licence Onboarding
|
Organisation procures M365 licences. Upon purchase, the organisation will receive a licence activation email from Microsoft. NOTE: It is important not to click on any links in the activation email. This will be explained later on in this guide. |
The Local Administrator (LA) raises a NHSmail Helpdesk Self-Service licence onboarding request. The helpdesk uses the information provided in the request to enable licences in the NHSmail O365 Shared tenant | Licences will be available in the NHSmail Portal. LAs will be able to log into view licences, manage and assign users to applications, create teams, distribution lists, etc. |
IMPORTANT: It is not possible to split a single subscription across more than one Organisation, including Parent and Child Organisations. If a Parent Organisation needs to purchase a subscription on behalf of a Child Organisation, this is perfectly possible; however, the purchasing Organisation need to ensure they provide the details of the Child Organisation when populating the MDS in the onboarding form on the Helpdesk Self-Service Portal.
If a Parent and Child Organisation each need the same license type, two separate subscriptions will need to be purchased and allocated.
Step 1: Licensing and registration
M365 licences must be procured by NHS organisations directly from Microsoft or their licence re-seller.
M365 licences will not be available to procure nationally through NHSmail. Organisations are not required to procure Azure Active Directory (AD) licences to use the O365 service.
NHS organisations should not purchase CSP licenses from their reseller for use in the NHSmail Shared Tenant, this licence type cannot currently be onboarded to the portal.
For information on renewing an active licence view the steps outlined in the renewing your subscription section.
It is now possible to procure and onboard Apps for Enterprise licences. This is done through the same process outlined in this document. Once onboarded these licences will appear in the add-on section when attempting to create user policies.
The commercial relationship for provision of O365 services is between the NHS organisation and Microsoft via their licence agreement. The NHSmail service is providing access and management of the O365 tenant but not support of the underlying infrastructure or its service levels. Licences and their submission will be managed and serviced on a per organisation basis and cannot be split across multiple organisations.
Step 2: Submit licences to NHSmail
Once licences have been procured by an NHS organisation, the Online Services Manager (OSM) allocated on your Enterprise Agreement (EA) will receive an introductory activation email.
This email will come from msonlineservicesteam@email.microsoftonline.com with the subject ‘ACTION REQUIRED: Complete your profile to setup your services’. The email will look similar to the images below – with two options, to either ‘Sign In’ or ‘Sign Up.’
Note: The OSM MUST NOT click either link within the email, as this may allocate the licences to the organisation’s individual tenant and not the NHS tenant – this will incur delays.
If the link in the activation email is accidentally clicked, the licence will have to be transferred from the individual tenant to the NHSmail Shared Tenant. To do this, the steps in the Transfer existing licences section of this guide will need to be followed.
The OSM should then fill out to the NHSmail Helpdesk Self-Service licence onboarding request to onboard the licences. Please see the screenshot below on how to locate the form in the NHSmail Helpdesk Self-Service page:
You will need the information below ready for the request:
-
- Organisation name
- Organisation Data Services (ODS) code
- Enterprise agreement number or volume licensing agreement number
- Enterprise ID if the new subscription is replacing one that is expiring
- Licence expiry date
- Licence type and quantity
- If onboarding the below licences, specify which Power Platform environment they should be assigned to. If the environment has not been created yet, type “N/A”:
- Power Apps Per App Plan (add-on)
- Power Automate Per Flow (add-on)
- If onboarding a Microsoft Teams Room (add-on) licence, specify the Resource Mailbox
- Attach copies of the activation and/or confirmation email for all licences being onboarded
Once an onboarding service request has been raised, the NHSmail team will allocate licences to the NHSmail Shared Tenant service, making them visible in the NHSmail Portal.
When the process is complete, licences will be available to manage and allocate by LAs through the NHSmail Portal.
These licences will be securely held and managed in the central NHSmail Shared Tenant service until their expiry date. At which point the licences will either need to be renewed or a new subscription will need to be procured and onboarded through this process.
Note: Onboarding service requests may take up to a week to process. Transfer requests (outlined below)can take longer than this as they require action from Microsoft Volume Licence services which is outside the control of the NHSmail service.
If you have any issues with the process above, please raise an incident ticket via NHSmail Helpdesk Self-Service page, or email the NHSmail helpdesk (helpdesk@nhs.net) with the subject: ‘Onboarding Request Issue’.
Important Note: The process for onboarding Microsoft 365 Apps for Enterprise (Device Based) licences differs from the above. For guidance to support onboarding and management of Microsoft 365 Apps for Enterprise (Device Based) licences please navigate here.
Step 3: Allocate licences to users
Once the licences are active the allocated LA(s) will be able to assign specific O365 subscriptions (based on the type of licence procured) to groups of users, via the NHSmail Portal.
Detailed guidance on how to create licence profiles and enable O365 services is available within the Local Administrator O365 Portal Guide on the NHSmail support site.
Important Note: The process for assigning Microsoft 365 Apps for Enterprise (Device Based) licences differs from the above. For guidance to support onboarding and management of Microsoft 365 Apps for Enterprise (Device Based) licences please navigate here.
O365 Licence True Ups and Anniversaries
Should the need to amend any current active subscriptions arise (e.g. anniversary true-ups/downs), this can be done via a top-up request by contacting Microsoft or their licence re-seller. Unlike standard onboarding requests, once the top-up request has been made, the change should automatically apply to the existing subscription and will reflect in the NHS Portal within 48 hours.
If a top-up request has been made and it does not appear to have been applied within this timeframe, please raise a ticket with the NHSmail helpdesk (helpdesk@nhs.net) with the subject: ‘O365 Top-up Request’, including the information below.
-
- Organisation name
- Organisation Data Services (ODS) code
- Enterprise agreement number
- Licence type and quantity
- Licence expiry date
- Local Administrator(s) contact details (name and email)
This request will be received by the NHSmail O365 Shared Tenant provisioning team who will investigate. The service desk will then provide an update once the issue has been investigated.
These steps should only be taken if your Organisation has onboarded subscriptions previously and wish to use the same Enterprise Agreement Number. If a new subscription has been purchased or a different Agreement Number has been used to procure the licences, please follow the ‘O365 Licence Onboarding’ steps listed above.
O365 Licence Transfers (into the tenant)
This is relevant where your organisation has M365 licences in an existing local O365 tenant that you wish to transfer to the NHSmail Shared Tenant service.
There are two ways the licences can be transferred depending on how they are purchased:
-
- Volume Licensing Centre
- Microsoft Business Centre
If you are not sure where your licences are currently held, please contact your Microsoft licence reseller to confirm which process you need to follow.
Volume Licensing Centre Transfer
Step 1: Raising the request to transfer
To transfer licences, a request will need to be raised with Microsoft Volume Licensing
Services. This can be done by completing a request via the Microsoft website or by calling 0800 9179016 (Option 4, Option 1). When contacting by the web form, select ‘Open Licence’ on the drop-down options.
The Microsoft Volume Licensing team should respond to your request, asking for additional details about the transfer as follows:
-
- Agreement number: [available via your Microsoft Volume Licence Portal]
- All subscriptions moving to the new tenant: [licence type and quantity]
- Incorrect / current tenant domain: [current tenant domain licences reside in]
- Correct / destination tenant domain: [nhs.onmicrosoft.com]
- Reason the move is being requested: [mapped to incorrect tenant]
All information requested should be available through the Microsoft volume licensing portal. Ask your OSM to login to confirm any missing details.
Step 2: Approving the transfer
The Microsoft Volume Licensing team will request you provide administrator details for both the current and destination tenants, so a security check can be undertaken.
To complete this, please raise a ticket with the NHSmail helpdesk via helpdesk@nhs.net informing them of the transfer request, providing the below information and attaching the authorisation request from Microsoft Volume Licensing and using the email subject: O365 Shared Tenant Licence Transfer Request.
-
- Organisation name
- Organisation Data Services (ODS) code
- Enterprise agreement number
- Licence type and quantity
- Licence expiry date
- Local Administrator(s) contact details (name and email)
This request will be received by the NHSmail O365 Shared Tenant provisioning team who will provide administrator details to Microsoft Volume Licensing and approve the transfer.
Once both teams have approved the transfer, you should receive a confirmation email from the Microsoft Volume Licensing team confirming the transfer has completed. Please attach this to the email chain of your existing ticket and send to the NHSmail helpdesk who will set up your LA and ensure your licence allocation is ready and available for use in the NHSmail Portal.
Step 3: Allocate licences to users
Once the licences are active the allocated LA(s) will be able to assign specific O365 subscriptions (based on the type of licence procured) to groups of users, via the NHSmail Portal.
Detailed guidance on how to create licence profiles and enable O365 services is available within the Local Administrator O365 Portal Guide on the NHSmail support site.
Microsoft Business Centre Transfer
Step 1: Prerequisites to raise the transfer
When licences require a transfer through the Microsoft business centre, several steps need to be carried out before a ticket is raised with the NHSmail helpdesk.
The first step should be to ensure that the organisation’s purchasing account and all licences are disassociated with any domains they may be assigned to. This will have to be requested through Microsoft.
Once Microsoft have confirmed the disassociation of the licences, please invite the Office 365 Admin account (o365.admin@nhs.net) and provide the following admin roles for your purchasing account:
-
- Account Admin
- Agreement Admin
This can be done through the Business Centre Dashboard: go to the Account tab > Manage Access and invite the O365 Admin account.
Step 2: Requesting the transfer
Once the prerequisite steps have been completed, please raise a ticket with the NHSmail helpdesk via helpdesk@nhs.net informing them of the transfer request, providing the below information and attaching the confirmation request from Microsoft of the licence domain disassociation:
-
- Organisation name
- Organisation Data Services (ODS) code
- Enterprise agreement number
- Licence type and quantity
- Licence expiry date
This request will be received by the NHSmail O365 provisioning team who will be able to log into the o365.admin@nhs.net account and access the organisation’s purchasing account through the previously sent invite.
Here, the NHSmail O365 provisioning team will be able to associate the purchasing account to the NHSmail tenant domain, hence moving all licences under the purchasing account onto the NHSmail platform.
Step 3: Allocate licences to users
Once the licences are active the allocated LA(s) will be able to assign specific O365 subscriptions (based on the type of licence procured) to groups of users, via the NHSmail Portal.
Detailed guidance on how to create licence profiles and enable O365 services is available within the Local Administrator O365 Portal Guide on the NHSmail support site.
Transferring Licences (out of the tenant)
Should the situation arise where licences need to be transferred out of the NHSmail tenant and into and organisation’s own tenant, the LA should raise a ticket with the service desk with the following information:
-
- Enterprise agreement number
- Licence type and quantity
- Licence expiry date
- Destination tenant name (example.onmicrosoft.com)
- Destination tenant contact details (name and email)
Once raised with the service desk, the service team will raise a ticket with Microsoft to begin the process of moving the licences into the destination tenant. Microsoft may contact the destination tenant contact to authorise the transfer.
This process may take up to a week to fully complete.
| Last Reviewed Date | 10/03/2025 |
