The NHSmail user policy functionality provides Local Administrators with the ability to manage Microsoft Online Services application access and settings for their users. The target audience for this guidance is Local Administrators. If you are a user with questions about user policies, please contact your Local Administrator.
This article is intended to provide an overview of user policies, as well as cover the following:
- Procuring Add-On or Top-Up Licenses
- How to Manage User Policies
- Additional User Policy Information
Introduction to User Policy Management
User Policies enable organisations to assign Microsoft licences to their users, providing them with access to Microsoft Online Services applications. There are two main types of user policies: National and Custom.
As part of the NHSmail Refresh, one National User Policy was created for each Organisation Data Service (ODS) code on the NHSmail platform. This policy represents the default M365 configuration available under the national licence provisions. Under the current agreement with Microsoft, there are two nationally provisioned licence types:
- Microsoft 365 F3 – for NHSmail Standard Service organisations
- Microsoft 365 E3 – for NHSmail Enhanced Service organisations
For further information relating to the current, nationally provisioned licence offering, please see the Licence Migration Overview guidance.
Local Administrators can add users as members to their organisation’s national policy, providing them with access to applications as determined by the NHSmail Service.
In addition to a national policy, LAs can create and manage custom user policies for their respective organisation. In this way, LAs can control application access and settings for their users. Whilst the national policy assigns one of the two nationally provisioned licenses to users, custom policies allow LAs to choose which base licence they assign to their users. The base licence can either be one of the nationally provisioned licences or a locally procured top up licence. For further information on top up licenses, please see the Onboarding Guide for Local Administrators.
If the nationally provisioned licence is applied to a custom policy, the following applications are available for configuration by LAs:
- Microsoft Bookings
- Microsoft Exchange Online
- Microsoft Forms
- Microsoft OneDrive
- Microsoft Planner
- Microsoft Power Apps
- Microsoft Power Automate (Flow)
- Microsoft SharePoint Online
- Microsoft Staff Hub/Shifts
- Microsoft Stream
- Microsoft Sway
- Microsoft Teams
- Microsoft To Do
- Microsoft Whiteboard
- Microsoft Yammer
It is the responsibility of local organisations to enable or disable M365 functionality for their users subject to local risk appetite and Data Protection policies on offshoring. Information on data residency for M365 applications can be found here.
User Policy Management for your organisation
An organisation can have multiple user policies, alongside their National User Policy, with different settings applied to each. This allows organisations to create different user policies based on a variety of user needs. For example, a Local Administrator can create a policy for users who need access to Microsoft Teams, OneDrive and SharePoint only, and a different policy for users who only need access to Microsoft Shifts. All custom policies will utilise the nationally provisioned M365 allocation for that organisation and its associated users. Organisations that have procured a top up licence can use those as well as or instead of these to enable any additional capabilities.
Procuring add-on or top-up licences
Organisations can procure add-on or top-up licences and onboard them to the NHSmail tenant, should they wish to access additional features or higher Microsoft Online Services licence types. Please visit the Onboarding Guide for Local Administrators for detailed step by step instructions of how to do so.
Add-on or top-up licences procured and onboarded by an organisation, can be managed in the same way through user policies in the NHSmail Portal. These licences will appear automatically in the User Policy Management page once onboarded.
How to Manage User Policies
Visit the following start guides which aim to provide instructions on how to perform key tasks in user policy management:
Additional User Policy Information
There are some additional user policy features to be aware of, please find these detailed below:
1. Default Policies: Organisations can update their default policy via a service request to the NHSmail helpdesk. To check what your default policy is, go to Admin, Organisations, Manage Organisations. Choose your organisation and select Policies. Your default policy will be shown as per the image below.
Please note, once users are created, the system will automatically migrate the new account in most cases within an hour to Exchange Online, where they will be automatically added into the Default User Policy for their organisation.
2. Newly Created Users: Once users are created, the system will automatically migrate the new account within an hour to Exchange Online in most cases. At this point, they will be automatically added into their organisation’s default user policy.
Please note, if a new account has not migrated for an extended period of time (e.g. more than 24 hours), LAs can raise a ticket with the NHSmail National Helpdesk to resolve.
Please visit the O365: Platform Sync Timings guidance for further information. Please note, some features are only available once a mailbox has been migrated to Exchange Online (Office 365).
3. Joiners, Movers and Leavers:
- Joiners:When an NHSmail user is marked as a new joiner, they will automatically be added to your organisation’s Default User Policy. Following this, LAs will be able to move this user to an alternative, custom user policy associated to the organisation
- Movers: All users must be part of a user policy. Therefore, once a transfer has been initiated, the NHSmail mover will be removed as a member from the user policy associated with their old organisation. At the same time, they will be added as a member to their new organisation’s default policy. Following this transfer, it will be the responsibility of the LAs from the new organisation to add this user as a member to an alternative custom user policy if required. There are two mechanisms to transfer users between user policies;
- i. Via User Policy Management on the portal: adding a user to a new policy will automatically remove them from their old one.
- ii. Via the user’s User Management Page: Search for an individual user, select edit user policy property and hit transfer. This will take you to the page shown below where you can select a new user policy.
- Leavers: When marking a user as a leaver there are a few additional considerations to make – such as whether the user needs to retain their OneDrive content. From a user policy perspective, the user will initially retain their membership to their previously assigned user policy during the 30-day retention period. The retention period starts from the moment that the user is marked as a leaver. Once their account has passed through this period, it will be deleted and thus during this process, the user will be removed from the user policy they were assigned to. For further information on the leaver process, please see the User Policy Management: Marking an NHSmail Office 365 user as a Leaver guidance.
4. Teams Recording: Will be enabled as default on all newly created user policies, in line with current settings on the platform. This can be manually disabled by Local Admins if required. Please see further guidance on Teams Call Recording, including instructions on how to setup, access and manage call recordings.
5. Policy Status: Users can only be assigned to one policy. To check a specific user’s policy: navigate to Admin, User Management, search for the user in question, you will see the user policy detail within the directory properties. This will show what policy the user is part of (if any).
Creating Microsoft Teams & SharePoint Collections
LAs can also create new Teams and SharePoint Collections through the NHSmail Portal. Specific guidance on how to perform these actions can be found via the links below:
|Last Reviewed Date