Remediating Compromised Accounts

Remediating a compromised account is the reverse process, by which an account is no longer marked as compromised and is reverted to its prior state.

The remediation/re-enabling of an NHSmail account that has been, or is believed to have been, compromised should only occur once the following activities have been performed:

  • At least one password reset has been performed on the account from the point the account was identified as compromised

Note: Because a password reset takes place automatically during the mark as compromised process, this prerequisite step should already have been completed.

  • A malware scan of the user’s desktop/laptop computer and any mobile devices used to access the NHSmail account around the point in time that the account was identified as compromised.

Once the above two actions have been completed, the remediation process for the account can proceed, allowing the user to regain access to their account.

Importance of Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) provides an additional layer of security to your NHSmail account when signing in to NHSmail via a web browser. It achieves this by requiring you to provide two different forms of identity on sign-in: your NHSmail password and a contact method.

MFA will automatically be enabled if your account is marked as compromised. For security reasons, once it has been enabled, MFA can never be permanently disabled. This means MFA will remain enabled on your account, regardless of whether the account has been remediated. When MFA is enabled, users are added to the MFA Conditional Access Standard policy. The Named Location Conditional Access policy will not bypass MFA for accounts that have been compromised.

Once your account has been remediated, you will regain the ability to sign in to NHSmail with your username and new password. In addition to this, you will be required to authenticate your sign-on via a secondary method (for example, a security code will be sent to your mobile phone). This two-step verification will help keep your NHSmail account secure. As outlined in the Compromised Accounts guidance, users will have their mobile phone number associated with the account as an authentication method (MFA). This will require setting up again after the account has been remediated.

Use of Office Phones for Authentication

Verification of your sign-in can be completed via the Microsoft Authenticator app on your mobile device, a security code sent to your mobile device or a telephone call. The use of the office phone option is not recommended or supported by NHSmail. This option is available to users because Multi-Factor Authentication is an off-the-shelf feature that cannot be customised. The limitations observed when using this option are outlined here. The recommended option for verification is to use the Microsoft Authenticator app. Mobile phone numbers are stored for the sole purpose of supporting verification and will not be used for other purposes.

For further information relating to setting up MFA on your devices, please refer to: Multi-Factor Authentication (MFA) – NHSmail Support

How to Remediate a Compromised Account

1. On the ‘User Details’ page for the Compromised Account, click on the ‘Remediate Compromised Account’ button.



2. Once the dialog box has appeared, select ‘Confirm’ to proceed. If you do not wish for the account to be remediated, select ‘Cancel’. This will close the dialog box and the user account will remain compromised.


3. After selecting ‘Confirm’ on the dialog box, you will be directed to the ‘Reset Password’ page. On creating a new password for the user account, select ‘Update’. Please note, it will be your responsibility to share this password with the user.


4. After resetting the password for the account, if the remediation process has been successful, the following success notification will be displayed.

Remediated Account View

A remediated account can be identified from the following updates on the User Details page:



  • Addition of the following note within the Notes field:
    “Account had been identified as compromised but now remediated after local checks have been carried out on the DD-MM-YYYY.”
  • Presence of the “Mark as Compromised” button

Additionally, as part of the remediation process, the account will be re-enabled and reverted to its original status.

For example, if an account had been in an ‘Active (Leaver)’ state before it was marked as compromised, following the remediation process it will be reset to its prior status of ‘Active (Leaver)’.

Please also be aware that all mailbox rules will have been disabled when the account was marked as compromised; it is the user’s responsibility to validate any mailbox rules which are needed and re-enable them. This could include rebuilding Out of Office rules alongside the Out of Office message. If any Junk rules were previously configured, for example on a specific sender, these would have to be manually reinstated via Outlook or Outlook On The Web. Additionally, if the user previously gave delegate access to their Calendar, this would also need to be reinstated after remediation of the account.

Multi-Factor Authentication on a Remediated Account

For security reasons, following the remediation process, Multi-Factor Authentication will remain enabled on your account indefinitely.


Last Reviewed Date 22/02/2024
Updated on 22/02/2024
