nhsmail office 365 hybrid local administrator guide · office 365 hybrid service, the local...

NHSmail Office 365 Hybrid Local Administrator Guide

1

NHSmail Office 365 Hybrid Local Administrator Guide

Document Version ControlDocument Information

File Name: NHSmail Office 365 Hybrid Local Administrator Guide

Author(s): Accenture

Version: 2.0

Date Published 19/11/2019

2

Table of Contents

User Policy Management

............................................................................................................................................................................................. 3

Introduction to user policy

............................................................................................................................................................................................. 3

Creating a user policy

............................................................................................................................................................................................. 3

Adding members

............................................................................................................................................................................................. 8

Adding members via Import

............................................................................................................................................................................................. 10

Editing a user policy

............................................................................................................................................................................................. 14

Add-On Licence Types

............................................................................................................................................................................................. 16

Removing a user

............................................................................................................................................................................................. 17

Deleting a user policy

............................................................................................................................................................................................. 18

Microsoft Teams Management

............................................................................................................................................................................................. 20

Creating a team

............................................................................................................................................................................................. 20

Adding owners and members to the team

............................................................................................................................................................................................. 22

Permission levels in Teams

............................................................................................................................................................................................. 24

Editing teams

............................................................................................................................................................................................. 25

Removing a user

............................................................................................................................................................................................. 27

Microsoft Stream Management

............................................................................................................................................................................................. 28

Creating a Stream group

............................................................................................................................................................................................. 28

SharePoint Collection Management

............................................................................................................................................................................................. 29

Creating a SharePoint collection

............................................................................................................................................................................................. 29

Editing a SharePoint collection

............................................................................................................................................................................................. 32

Project Web App (PWA) Management

............................................................................................................................................................................................. 34

Creating a PWA

............................................................................................................................................................................................. 34

3

Yammer Management

............................................................................................................................................................................................. 37

Creating a Yammer Connected Group

............................................................................................................................................................................................. 37

Adding owners and members to the Yammer Connected Group

............................................................................................................................................................................................. 39

Eligible Guest Inviters Management

............................................................................................................................................................................................. 41

Introduction To Guest Inviter Management

............................................................................................................................................................................................. 41

Creating an Eligible Guest Inviters Group

............................................................................................................................................................................................. 41

Adding members

............................................................................................................................................................................................. 42

Editing an Eligible Guest Inviters Group

............................................................................................................................................................................................. 44

Adding members

............................................................................................................................................................................................. 45

Removing a user

............................................................................................................................................................................................. 45

Deleting Eligible Guest Inviter Group

............................................................................................................................................................................................. 46

External Organisations Access Management

............................................................................................................................................................................................. 47

Introduction To External Organisation Access Management

............................................................................................................................................................................................. 47

Creating a request to whitelist an External Organisation

............................................................................................................................................................................................. 47

Editing details of an External Organisation

............................................................................................................................................................................................. 50

External User Guest Access Management

............................................................................................................................................................................................. 52

Introduction to external user’s guest access

............................................................................................................................................................................................. 52

Approving or rejecting extension of guest access for external users

............................................................................................................................................................................................. 52

External Federated Groups Management

............................................................................................................................................................................................. 54

Introduction to federated groups for external organisations

............................................................................................................................................................................................. 54

Creating a request for an External Federated Group

............................................................................................................................................................................................. 54

Completing the External Federated Group Setup

............................................................................................................................................................................................. 56

4

User management

............................................................................................................................................................................................. 59

Marking an NHSmail Office 365 Hybrid user as a Leaver

............................................................................................................................................................................................. 59

Deleting a user’s data from OneDrive

............................................................................................................................................................................................. 60

5

User policies allow Local Administrators to apply groups of settings to defined groups

of users. An organisation can have multiple user policies with different settings

applied to each policy (and subsequently to users who are members of that policy).

Once the organisation has procured Microsoft Office 365 licences for the NHSmail

Office 365 Hybrid Service, the Local Administrator can set up different user policies

based on a variety of user needs. For example, a Local Administrator can define a user

policy for users who need access to Microsoft Teams and OneDrive and a different

user policy for users who need access to Microsoft Delve and StaffHub.

If you are a Local Administrator, you will be able to manage user policies via the

NHSmail Portal.

Office 365 Hybrid

FunctionsUser Policy Management

Introduction to user policy

Click Add in the top left of the screen and select Create User Policy. 2

To create a user policy:

Creating a user policy

Click Admin in the navigation bar at the top of the screen and select User Policy

Management from the drop down menu. 1

6

User Policy Management Office 365 Hybrid

Functions

Select the Owning Organisation to which the new policy will apply, from the drop

down menu. 3

Type in the Name of your new policy and a brief Description. 4

Handy Hint

User policy names are automatically prefixed with the Organisational Data Service

(ODS) code of the organisation the user policy belongs to.

• Duplicate names: A single organisation cannot have 2 user policies with the same name.

However, 2 or more different organisations can use the same name for their policies.

• The Name must not be more than 35 characters and may contain letters, numbers and

spaces. Special characters are not allowed.

• The Description must not be more than 250 characters and may contain letters, numbers

and any special characters.

Additional information

7

User Policy ManagementOffice 365 Hybrid

Functions

Adding members

Select Add. 1

Once you have selected the Owning Organisation, you can add members to the user

policy. Users can be added by using the Add or Import option.

To add users by using Add :

Warning

Users can only be assigned to one policy. A user will not appear in user search

results if they belong to another policy. To check a specific user’s policy; navigate to

Admin, User Management, search for the user in question, select Permissions and

finally User Policy. Here will show what policy the user is part of (if any).

8


Functions

Use the search box or Column Picker to search for the user you would like to add to

the policy.2

Tick the box to the left of the user’s name and click Select. 3

Handy Hint

To add members, you can use the same search criteria that is used throughout the

NHSmail Portal to look up users. This includes their name or nhs.net email address.

9


Functions

First download the MembersListSample.csv file and add the email address of the users

in the Email address column before uploading the new CSV file.

To download the CSV file:

Click on Import. 1

Click on MembersListSample.csv to download the sample file. 2

Adding members via Import

10


Functions

Note: The format of the CSV file is a single column with ‘Email Address’ as the header

row.

When you have found the CSV file, select the file and click Open. 5

Click on Browse. 4

Add the email address for each user to the MembersListSample.csv and save the

file to your computer.3

Click on Upload. 6

11


Functions

A message will be displayed to notify successful upload

Select a License Type from the drop-down menu.7

Select the Applications these users will have access to. Note Office Online can only

be enabled when SharePoint online is enabled. 8

Warning

Bulk upload of users will fail if one of the users in the CSV file belongs to another

policy.

12


• Users can only be assigned to one policy.

• If you need to add a user who is part of an existing user policy to a new one, you must first

remove them from the existing policy.

• A user will not appear in user search results if they belong to another policy.

• Users can only be added to a policy if they belong to the parent organisation (selected

from the drop-down list).

• Bulk upload of users will fail if one of the users in the CSV file belongs to another policy.

• If an organisation is already enabled on Office 365, with a licence assigned to an existing

user policy, adding new users to this policy automatically assigns the same applied licence

settings to users.

• If your user policy contains settings for Office 365, you will only be able to add members to

it if there are enough licences to assign to them. For example, if there are 20 licences you

will only be able to add 20 users.

• User policy names are automatically prefixed with the Organisational Data Service (ODS)

code of the organisation the user policy belongs to.


Functions

Once complete, select Create to finish setting up your new user policy. It will then be

added to the User Policy List. 9

Note: For any queries about licence allocation etc. please contact [email protected]

13

mailto:[email protected]

2Use the search box to find a user policy. The results of the search will be displayed on

the screen.


Functions

To edit a user policy:

Editing a user policy

The system will return results for any user policy which contains the text entered in the

search box.

Handy Hint

If you select the magnifying glass in the search box instead of typing in search

criteria, you will be shown all the user policies that are available to you as a Local

Administrator.

Click Admin in the navigation bar at the top of the screen and select User Policy

Management from the drop down menu. 1

14

Click on the name of the user policy you want to edit in the list.3


Functions

On the Edit User Policy screen, you can edit the specific settings associated with that

user policy such as Name, Description and Application Subscriptions the users will

have access to.

Note: You can turn on/turn off Teams Call Recording function using the toggle button

15


Functions

Additional standalone licence types are supported on the Hybrid platform and will be

available to allocate to users. If your organisation has procured additional standalone

licences, these will appear in the Office 365 Add-ons section of the same screen.

Add-On Licence Types

• User policies can include both O365 licences (F1, E1, E3 & E5) as well as additional

standalone licences as shown in the image above.

• Alternatively, user policies can be created with just standalone licence types.

• Another toggle option Teams Call Recording is available to configure from this page.

Users must have an O365 licence and both Teams/Stream enabled to turn this feature on.

• Users must accept Stream Acceptable Use Policy (AUP) to use the Team Call Recording

feature. Each user can do this by opening the Stream application (from portal.office.com),

clicking Upload a Video and then accepting the pop up message which will appear.

Additional Information

4Select the licences you would like to allocate e.g. Visio, Project, PowerApps Plan 2

etc. by turning on the toggles.

Note: You will be able to edit a user policy at any time. However, it will take 24 hours for

any changes you make to be applied.

16


Functions

Local Administrators can bulk import to add or remove members into a user policy. The

list imported will replace the current list of members. This can be done by using the

Import function. Refer to the steps in Adding members via import section for more

information.

Note: When a user policy list is imported, the members list is replaced exactly with the

contents of the uploaded file. So, to avoid losing the existing members of the user

policy, first export the members list and then add all the new members to the bottom of

the exported list. This process can also be followed to remove existing members of the

policy.

Click on red X to the left of the email address in the list of Members. 5

Click on Update. 6

To remove a user:

Removing a user

Follow the steps 1-3 in the Edit user policy section and select the users to be removed

under the Members box.

17


the screen.


Functions

1Click Admin in the navigation bar at the top of the screen and select User Policy

Management from the drop down menu.

To delete a user policy:

Deleting a user policy

The system will return results for any user policy which contains the text entered in the

search box.

Handy Hint


criteria, you will be shown all the user policies that are available to you as a Local

Administrator.

18

Click the User Policy Name to open the Edit User Policy page. 3


Functions

Scroll down to the Actions section and click the Delete button. 4

This will permanently remove the user policy including all its settings.

Note: Users will be signed out of all the applications which were part of the deleted user

policy. It may take an hour for the users to lose access to the applications.

19

Click Add.2


Click Admin in the navigation bar at the top of the screen and select Teams from the

drop down menu. 1

Office 365 Hybrid

Functions

Microsoft Teams is an effective way to collaborate with other team members by

communicating and sharing information, data, files etc.

Local Administrators will be able to create a Microsoft Team via the NHSmail Portal.

To create Teams:

Creating a team

20

Microsoft Teams ManagementOffice 365 Hybrid

Functions


• The Private setting means that only team owners can add members to the team.

• The Public setting allows anyone on NHSmail to join the team.

• The Name must not be more than 100 characters and may contain letters and numbers.

Special characters are not allowed.

• The Description must not be more than 250 characters and may contain letters and

numbers. Only () are allowed as special characters in the description field.

Type in the Name and select the Organisation from the drop down menu. 3

Select the Privacy settings (i.e. Private or Public) from the drop-down and add a

brief Description. 4

21


Adding owners and members to the team

Office 365 Hybrid

Functions

Click Add. 1

Type the user’s name into the search box. 2

Note: Add yourself as an owner or member by checking the box next to Add Myself.

To add owners and members:

After following the steps 1-4 in the Creating a team section, you can add owners and

members to the team.

Warning

A total of 100 owners can be added to a team (Public or Private) and a total of 999

members can be added by the owner to a team (Public or Private).

22


Functions


• A team must have at least one owner.

• Owners from different organisations can be added as an owner.

• A maximum of 2500 members can join a Public team.

Select the tick box to the left of the user’s name. 3

Click on Select. 4

Handy Hint

Multiple owners and users can be added by selecting the tick box to the left of the

user’s name.

Handy Hint

Use the Column Picker to narrow the results by, for example, status or organisation.

23


• Owners are able to join the team once a Local Administrator has created it.

• Once they have joined the team, owners can edit the name or description of the team and

remove members.

• The table below shows the difference in permissions between an owner and a member,

which you should use when adding users to a team via the NHSmail Portal.


Functions

*The owner has to add the team to the (client) MS Teams app once the team has been

created by the Local Administrator in the NHSmail Portal.

** These items can be turned off by an owner at a team level, in which case members

would not have access to that.

***After adding a member to a team, an owner can also promote a member to owner

status. It is also possible for an owner to demote their own status to a member.

Refer to MS Office Support for more information on teams and channels.

Permission levels in Teams

Team Owner Team Member

Add a team to the Teams app Yes* No

Leave team Yes Yes

Edit team name/description Yes No

Delete team Yes No

Add channel Yes Yes**

Edit channel name/description Yes Yes**

Delete channel Yes Yes**

Add members Yes*** No

Add tabs Yes Yes**

24

https://support.office.com/en-us/article/learn-about-teams-and-channels-5e4fd702-85f5-48d7-ae14-98821a1f90d3

Use the search box to search for a team by typing Display Name, Organisation,

Organisation Unit or Status and search results will be displayed. 2

Office 365 Hybrid

Functions

Click Admin in the navigation bar at the top of the screen and select Teams from the

drop down menu. 1

To edit teams:

Click the team’s Display Name to open the Edit Team page. 3


Functions

Editing teams

The system will return results for any team which contains the text entered in the

search box.

Handy Hint


criteria, you will be shown all the teams that are available to you as a Local

Administrator.

25

Edit Name, Privacy and Description as required.4

Office 365 Hybrid

Functions

The procedure for editing a team is very similar to creating a new team. All the

information of a team can be changed from the Edit Team page.

Click Update.5

To add more members, refer to the steps in Adding members section for more

information.


26

Office 365 Hybrid

Functions

Click Update to apply your new settings to the team. 2

Click on the red X next to the email address you want to remove from the team.1

To remove users from a team:


Removing a user

Follow the steps 1-3 in Editing teams section and select the users to be removed under

the Members box.

Alternatively, a user can be removed from a team using the ‘Permissions’ button

available in the User Details page (via User Management). For more information about

this function, please refer to the Viewing and removing membership guide.

27

https://support.nhs.net/knowledge-base/viewing-and-removing-membership/

Microsoft Stream ManagementOffice 365 Hybrid

Functions

Stream is a video service made available through O365. It can be used to securely

share and interact with video content across an organisation.

Local Administrators will be able to create Stream groups via the NHSmail Portal.

To create a Stream group:

Follow the same steps that are outlined in the Creating a Team section. This process

creates an O365 group which can also be used in Stream. Once completed, ask a group

member to navigate to Stream. The group you have created for them will appear under

the Discover drop down menu. Refer to MS Office Support for more information.

Creating a Stream group

• Users of Stream will need to accept the Acceptable Use Policy when attempting to upload

a video for the first time.

• Local Administrators are responsible for the management of Stream content.

• Note: For any organisation leavers, it is important for Local Administrators to be added as

the owner of their Stream content before they leave. Further information can be found in

the Marking an NHSmail Office 365 Hybrid user as a Leaver guide.


28

https://docs.microsoft.com/en-us/stream/overview

Click Add and select Create SharePoint Collection.2

SharePoint Collection Management

Click Admin in the navigation bar at the top of the screen and select SharePoint

from the drop down menu.1

Office 365 Hybrid

Functions

To create a SharePoint collection:

Creating a SharePoint collection

A SharePoint site collection is a way to hold content such as documents for a group of

users (e.g. a team, a department or project team).

29

SharePoint Collection ManagementOffice 365 Hybrid

Functions

Type in the SharePoint Collection Name, Description, SharePoint Collection

Address and select the Owning Organisation, Owner and the Quota3

Click Create.4

Refer to the steps in Adding members section for more information on how to add an

owner.

Handy Hint

There can be only one owner per SharePoint site.

Warning

An owner whose account is Locked or Disabled will not be able to carry out any work

until their account is unlocked or enabled.

30


Functions


SharePoint owner

The owner will have full administration rights over that specific SharePoint collection site for

the owning organisation. These rights will allow the owner to manage permissions, design the

SharePoint site etc.

A user can only be added as a SharePoint owner if the following conditions are met:

- The user belongs to the owning organisation of the SharePoint collection.

- The user has been assigned an Office 365 licence.

- The user has the SharePoint application enabled.

Please note: Users whose accounts are Inactive, Disabled or Locked can still be added as a

SharePoint owner. However, they will not be able to carry out any actions on the site until

their account has been activated, enabled or unlocked

Quota

• Refer to MS Office Support for more information on Quota.

• Each organisation will have a specific amount of SharePoint storage which they can assign

to their SharePoint collections. The Max Quota will be displayed on the screen to the user.

• When the user adds the Quota into the text field they must ensure that the value entered is

less than the Max Quota value. This will be the amount of SharePoint storage that is

assigned to that collection.

31

https://docs.microsoft.com/en-us/sharepoint/manage-site-collection-storage-limits


Functions

Type the SharePoint name in the search box in the top right of the page and click the

magnifying glass2


from the drop down menu1

To edit a SharePoint collection:

Editing a SharePoint collection

The system will return results for any SharePoint collection site which contains the text

entered in the search box

Handy Hint


criteria, you will be shown all the SharePoint collection sites that are available to you

as a Local Administrator.

32


Functions

On the Edit SharePoint Collection screen, edit the site settings as needed.4

Click the SharePoint collection’s Display Name to open the Edit SharePoint

Collection page 3

Click on Update6

To add owner, refer to the steps in Adding members section for more information

Click on Add to add an owner5

33

Click Add and select Create Project WebApp2

Project Web App (PWA) Management


from the drop down menu1

Office 365 Hybrid

Functions

To create a Project Web App:

Creating a PWA

A Project Web App is an online collection that can be used to house, edit and manage

project plans.

34

Project Web App ManagementOffice 365 Hybrid

Functions

Select the Organisation, Name, Description, Owner and the Web App Quota.

Based on the information added the Web App Address will automatically populate 3

Click Create4

Refer to the steps in Adding members section for more information on how to add an

owner

Handy Hint

There can be only one owner per Project Web App.

Warning

An owner whose account is Locked or Disabled will not be able to carry out any work

until their account is unlocked or enabled.

35

Project Web App ManagementOffice 365 Hybrid

Functions


PWA owner

The owner will have full admin rights over that specific PWA for the owning organisation.

These rights will allow the owner to manage permissions, design the PWA site, etc.

A user can only be added as a PWA owner if the following conditions are met:

- The user belongs to the owning organisation of the PWA

- The user has been assigned an Office 365 licence

- The user has the SharePoint application enabled

Please note: Users whose accounts are Inactive, Disabled or Locked can still be added as a

PWA owner. However, they will not be able to carry out any actions on the site until their

account has been activated, enabled or unlocked.

Quota

• PWAs will utilise the SharePoint storage available to each organisation.

• Each organisation will have a specific amount of SharePoint storage which they can assign

to their SharePoint collections. The Max Quota will be displayed on the screen to the user.

• When the user adds the Quota into the text field they must ensure that the value entered is

less than the Max Quota value. This will be the amount of PWA storage that is assigned to

that collection.

• Each project licence adds an additional 10GB of storage. When an organisation procures

project licences, this additional storage is automatically added into the quota.

Creating Projects

• Users must be licensed with a Project Online Professional or Project Premium licence to

create projects and access a PWA.

• Users can only create projects directly in a PWA. They will not be able to create projects

directly in portal.office.com by clicking the project tile.

• Please advise users to navigate to the PWA URL in order to create new projects.

PWA Limit

• Each organisation is limited to the creation of 25 PWA instances.

36

Click Add2

Yammer Management

Click Admin in the navigation bar at the top of the screen and select Yammer

Connected Groups from the drop down menu1

Office 365 Hybrid

Functions

Yammer is an effective way to collaborate with your team, as well as members of the

wider organisation.

Local Administrators will be able to create a Yammer Connected Group via the

NHSmail Portal.

To create a Yammer Connected Group:

Creating a Yammer Connected Group

37

Yammer ManagementOffice 365 Hybrid

Functions


• The Private setting means that only team owners can add members to the team.

• The Public setting allows anyone on NHSmail to join the team.

• The Name must not be more than 100 characters and may contain letters and numbers.

Special characters are not allowed.

• The Description must not be more than 250 characters and may contain letters, numbers

and any special characters.

Type in the Name and select the Owning Organisation from the drop down menu.

Select the Privacy settings (i.e. Private or Public) from the drop-down and add a

brief Description3

Warning

Please note that Yammer Connected Groups will take up to 30 minutes to appear in

Yammer and the NHSmail Portal.

38

Yammer Management

Adding owners and members to the Yammer Connected Group

Office 365 Hybrid

Functions

Click Add1

Type the user’s name into the search box and select the tick box to the left of the

user’s name. 2

Note: Add yourself as an owner or member by checking the box next to Add Myself.

To add owners and members:

After following the steps 1-3 in the Creating a Yammer Connected Group section, you

can add owners and members to the team.

Warning

A total of 100 owners can be added to a team (Public or Private) and a total of 999

members can be added to a team (Public or Private).

39

Yammer ManagementOffice 365 Hybrid

Functions


• Only Local Administrators can create Yammer Connected Groups.

• A Yammer Connected Group must have at least one owner.

• Users from different organisations can be added as an owner.

• A maximum of 2500 members can join a Public Yammer Connected Group.

Standard Yammer Groups

• Users can still create standard Yammer groups directly in the application.

• When an organisation onboards onto the O365 platform, automatically a standard Yammer

group will be created for all licensed users from that organisation.

• A regular task will run daily to automatically update the members of this group based on

the O365 licences allocated through User Policies.

Click on Select3

Handy Hint

Use the Column Picker to narrow the results by, for example status or organisation.

Note: Multiple owners and users can be added by selecting the tick box to the left of

the user’s name

40

Eligible Guest Inviter groups allow Local Administrators to apply guest inviter

permissions to a defined group of users. An organisation can only have one group.

The users that are members of these groups will be given the permissions in Azure AD

to invite external users as guests to the O365 Hybrid tenant. These users will also have

the permissions to approve guest access extensions for external users.

If you are a Local Administrator, you will be able to manage guest inviters via the

NHSmail Portal.

Office 365 Hybrid

FunctionsEligible Guest Inviters Management

Introduction To Guest Inviter Management

Click Add in the top left of the screen and select Eligible Guest Inviters2

To create a group:

Creating an Eligible Guest Inviters Group

Click Admin in the navigation bar at the top of the screen and select Manage

Eligible Guest Inviters from the drop down menu1

41

Eligible Guest Inviters ManagementOffice 365 Hybrid

Functions

Select the owning Organisation to which the new group will apply, from the drop

down menu3

Handy Hint

Eligible Guest Inviter group names are automatically prefixed with the Organisational

Data Service (ODS) code of the organisation the group belongs to.

Adding members

Once you have selected the Organisation, you can add members to the group. Users

can only be added by using the Import option at the time of creation of this group.

Follow the steps 1-6 in the Adding members via Import section for more information on

using Import function.

Select Request to finish creating your Eligible Guest Inviters group. It will then be

added to the Eligible Guest Inviters group list.7

42


Functions

• Users can only be added to a policy if they belong to the parent organisation (selected

from the drop-down list) or a child organisation.

• Bulk upload of users will fail if the status of one of the users in the CSV file is not active,

inactive, disable or locked.

• The maximum number of users that can be added to a group is 100,000.

• Eligible Guest Inviter group names are automatically prefixed with the Organisational Data

Service (ODS) code of the organisation the user policy belongs to.

Additional information: Adding members

43


the screen


Functions

To edit a group:

Editing an Eligible Guest Inviters Group

The system will return results for any eligible guest inviter group which contains the

text entered in the search box

Handy Hint


criteria, you will be shown all the eligible guest inviter groups that are available to you

as a Local Administrator

Click the Eligible Guest Inviter Group to open the Edit Eligible Guest Inviter

Group page3


Eligible Guest Inviters from the drop down menu1

44


Functions

Adding members

You can add members to the group, either by using the Add or Import option. Follow

the steps 1-6 in the Adding members via Import section to use the Import option. To

add users individually, follow the steps 1-3 in the Adding members section.

Local Administrators can bulk import to add or remove members into / from an eligible

guest inviter group. The list imported will replace the current list of members. This can

be done by using the Import function. Refer to the steps in Adding members via Import

section for more information.

Note: When an eligible guest inviter list is imported, the members list is replaced

exactly with the contents of the uploaded file. So, to avoid losing the existing members

of the group, first export the members list and then add all the new members to the

bottom of the exported list. This process can also be followed to remove existing

members of the group.

Click on red X to the left of the email address in the list of Members1

Click on Update2

To remove a user:

Removing a user

45


Functions

Deleting Eligible Guest Inviter Group

Warning

When a group is deleted, all the users will be removed as members of the group.

This means they will lose their guest inviter permissions so they will no longer be able

to invite external users as guests or approve guest access extension requests.

Click Delete1

To delete an Eligible Guest Inviter group, follow the steps 1-3 in Editing an Eligible

Guest Inviters Group section to search the group:

46

As part of the Azure B2B Guest Access service, controls have been put in place to

mitigate the risks associated with sharing data with external organisations. One of

these controls is an external organisation domain whitelisting. Essentially only

external users that are associated to external organisations which have been

whitelisted can be invited as guest users of the O365 Hybrid tenant.

If you are a Local Administrator, you will be able to request for a new external

organisation’s domain to be whitelisted via the NHSmail Portal only if the domain has

not been whitelisted already.

Office 365 Hybrid

FunctionsExternal Organisations Access

Management

Introduction To External Organisation Access Management

Click Add and select External Organisation Access Request2

To create a request:

Creating a request to whitelist an External Organisation


External Organisation Access from the drop down menu1

47

External Organisations Access

Management

Office 365 Hybrid

Functions

3Populate the request form with the details of the External Organisation that you would

like to be whitelisted

Note: The mandatory fields are those that have an asterisk after the description, e.g.

Primary Contact Email*

Handy Hint

The NHSmail Sponsor 1 will be pre-populated with the requestor’s name, however an

additional sponsor can be added using the Add button. It's recommended to have a

second sponsor who can approve the request in the absence of the first sponsor.

48


Management

Office 365 Hybrid

Functions

4 Click Submit to send the request for approval

Once the request is submitted, an automated email will be sent to the NHSmail Live

Service team, asking them to review and approve the request. Once they have made

their decision, you’ll receive an email confirming whether the request has been

approved or rejected.

If approved, the external organisation’s domain will be whitelisted within Azure AD,

meaning NHSmail users (who are configured as eligible guest inviters) will be able to

invite users from this external organisation as guests of the O365 hybrid tenant. If

rejected, please discuss the request with the NHSmail Live Service team

49




Management

Office 365 Hybrid

Functions

Editing details of an External Organisation


the screen

1Click Admin in the navigation bar at the top of the screen and select Manage

External Organisation Access from the drop down menu

To edit details of an external organisation:

The system will return results for any external organisation that contains the text

entered in the search box

Handy Hint


criteria, you will be shown all the external organisations.

1

Click the External Organisation to open the Edit External Organisation page3

50


Management

Office 365 Hybrid

Functions

Click Update to save the changes4

Warning

Only the NHSmail Sponsor or an NHSmail Global Administrator will be able to update

the details of an external organisation.

Handy Hint

You will be able to update all of the fields except for the Organisation Domain but

remember that all the mandatory fields will need to remain populated.

51

As part of the Azure B2B Guest Access service, a number of controls have been put in

place to mitigate the risks associated with sharing data with users from external

organisations. One of these controls is a guest access attestation process, whereby an

external user with a guest account requires an NHSmail user (who is set up as an

eligible guest inviter) to approve an extension to their access. External users, will

require an approval for an extension after the first 30 days of being granted access and

every subsequent 180 days. If an approval is not provided, access will be revoked.

If you are an Eligible Guest Inviter, you will be able to action a guest access extension

request via the NHSmail Portal.

1Click the secure link within the guest access extension email that the external user

has shared with you and log into the NHSmail Portal using your nhs.net account

Office 365 Hybrid

FunctionsExternal User Guest Access

Management

Introduction to external user’s guest access

Note: If you are already logged in to the NHSmail Portal, go to step 2 after clicking on

the secure link.

To approve or reject an extension request:

Approving or rejecting extension of guest access for external users

52

Click Approve or Reject3

External User Guest Access

Management

Office 365 Hybrid

Functions

2 Select the Checkbox next to the request

Guest account access extension request

Guest User 1 (ExtOrg1) [email protected]

Warning

If the external user’s guest access request is rejected, their guest account will be

removed immediately and they will lose all their permissions, i.e. they will not be able

to access documents that they had access to previously. This action cannot be

reversed, so if they need guest access again, they will need to be re-invited and data

will need to be shared again.

• If the external user is granted an extension to their access, they will retain their

permissions for 180 days. After this period, the process will be repeated and they will

require another extension.

• If an external user is a member of an external federated group, they will be exempt from

this process.


53

External Federated Groups will allow Local Administrators to dynamically manage

guest invitations for multiple external users, mitigating the need to invite them one by

one. Once an External Federated Group is set up a monthly scheduled task will

automate the process of sending guest invitation to all new members. If the external

organisation adds or removes users from the group, then these changes will be

reflected when the scheduled task occurs.

If you are a Local Administrator, you will be able to request for a new external

federated group to be provisioned via the NHSmail Portal.

Office 365 Hybrid

FunctionsExternal Federated Groups

Management

Introduction to federated groups for external organisations

Click Add in the top left of the screen and select Add Federated Group Import for

External Users2

To create a request:


External Federated Groups from the drop down menu

Creating a request for an External Federated Group

54

External Federated Groups

Management

Office 365 Hybrid

Functions

3Select the External Domain from the drop down menu and then populate the

External Organisation and Supporting Information fields

4 Click Submit to send the request for approval

An automated email will be sent to the NHSmail Live Service team, asking them to

review and approve the request. Once they have made their decision, you’ll receive an

email confirming whether the request has been approved or rejected.

If approved you can proceed to the next steps of the set up process. If rejected, please

discuss the request with the NHSmail Live Service team.

The External Domain drop down menu will be pre-populated with a list of external domains

that have been whitelisted. If you cannot see the domain you require, then you’ll need to raise

a request for an External Organisation to be whitelisted. Follow the steps detailed within the

Create a request to whitelist an External Organisation section.


55




Management

Office 365 Hybrid

Functions

Completing the External Federated Group Setup

2Use the search box to find a group. The results of the search will be displayed on the

screen


External Federated Groups from the drop down menu

Once you have completed the steps detailed within B2B Azure AD Federated Group set

up guide you’ll be able to update the details of an external federated group.

The system will return results for any external federated group which contains the text

entered in the search box.

Handy Hint


criteria, you will be shown all the external federated groups.

1

Click the External Federated Group to open the Edit Federated Group Import for

External Users page3

56


Management

Office 365 Hybrid

Functions

1Update the Azure AD Tenant Name, Group Name and Group ID fields within the

information provided by the external organisation4

5 Select 1. Initial Azure Federated Group set up completed and select Update

Note: Refer to the Azure Federated Groups Set up Guide for External Organisations for

more information about gathering the Azure Tenant and Group details.

57


Management

Office 365 Hybrid

Functions

The NHSmail helpdesk will complete the rest of group set up activities by:

• Acknowledging the B2B Portal service account invitation guest invitation

• Testing that the B2B Portal service account has the correct permissions to fetch the

members of the group

• Initiating the first group sync

You’ll receive an email notification once this completed.

Handy Hint

The colour of the Test Connection / Activate buttons will change to green in the

User Interface (UI) and the group status will change to Active, once they have been

actioned successfully.

• A task occurring on the first day of every month will be executed to fetch any new

members of the group and / or remove guest accounts for users that have been removed

as members. Please ensure any group updates are made prior to this otherwise you’ll

either need to wait for the next group sync or you can simply invite the external users as

guests via the normal method (i.e. using the native O365 guest invitation process).

• An email notification will be sent to the requesting Local Administrator each time the

monthly task completes. The last updated field within the User Interface (UI) will also be

updated to indicate when this task has been completed.


Warning

Once the external federated group has been successfully configured, you will not be

able to edit any of the details. If the group name changes, a new request will need to

be raised.

58

Office 365 Hybrid

Functions

When a user leaves one NHS organisation to move to another NHS organisation which

is also using NHSmail, their email account can be transferred. Instructions on how to

do this can be found in the Marking a user as a leaver guide.

Where the user is also enabled for NHSmail Office 365 Hybrid services as part of an

Office 365 User Policy, additional actions will be required to remove the associated

Office 365 licences and application access permissions. This action will happen

automatically at the point the user is marked as a leaver.

Prior to marking a user as a leaver, Local Administrators will need to consider whether

the user's OneDrive data should be deleted or retained. If retained, the data will be

accessible to the user should their account be licensed for the NHSmail Office 365

Hybrid Service at their new organisation.


• Local Administrators can view a user's Office 365 memberships within the NHSmail Portal‘s permissions page.

• Office 365 memberships can be removed via the NHSmail Portal‘s permissions page.

• A leaver’s existing Stream, Flow and PowerApps content will need to be managed manually by a Local Administrator. This can be done by asking the leaver to add a Local Administrator as an owner of any Stream content they have uploaded, as well as any Flows/PowerApps they have created. This must be done before marking the user as a leaver. Once the Local Administrator is the owner, they can determine the appropriate next steps i.e. deleting the content or transferring ownership to an appropriate colleague.

• If the leaver is the sponsor of an External Organisation, then ownership will need to be transferred manually beforehand. Follow the steps detailed within the Update details of an External Organisation section.

Marking an NHSmail Office 365 Hybrid user as a Leaver

User management


Warning

Accounts marked as a leaver will not be removed from Office 365 groups, SharePoint

site collections or Yammer groups.

59

https://support.nhs.net/knowledge-base/marking-a-user-as-a-leaver/

User managementOffice 365 Hybrid

Functions

A Local Administrator can remove OneDrive content for a user if the user has an Office

365 licence assigned to them.

Note: The following steps must be followed prior to marking a user as a leaver or

transferring them to another organisation.

Type the user’s name in the search box in the top right of the page and click the

magnifying glass to show search results2

Click Admin in the navigation bar at the top of the screen and select User

Management from the drop down menu 1

Click the user’s Display Name to open the User Details Page 3

Deleting a user’s data from OneDrive

From the User Details Page, select Delete OneDrive from the Actions box4

60

User managementOffice 365 Hybrid

Functions

Click Delete OneDrive to remove the user’s data 5

For more information on how to mark a user as a leaver, please refer to the Marking a user as a leaver guide.

For information on how to transfer a user mailbox to another organisation, please refer

to the Transferring a mailbox between organisations guide.

• If a Local Administrator decides to delete a leaver’s OneDrive for Business content, all

content will be sent to the OneDrive for Business preservation hold library. Any content

in the preservation hold library that was created or last edited more than 180 days ago will

be deleted automatically. Once deleted, content cannot be restored and organisations will

not be able to access it.

• Local Administrators should ask leavers to store any files required by other users on the

organisation's SharePoint site so that the information is still accessible following their

departure from the organisation.

• It is the responsibility of Local Administrators to refer to their internal organisation's data

retention policies.

A message will be displayed to notify successful deletion.


A message will appear for confirmation of the action

61

https://support.nhs.net/knowledge-base/marking-a-user-as-a-leaver/

https://support.nhs.net/knowledge-base/transferring-a-mailbox-between-organisations-and-multiple-accounts/

nhsmail office 365 hybrid local administrator guide · office 365 hybrid service, the local...

Documents