NHSmail Office 365 Hybrid Service Configuration Guide

May 2019

Version 1

Copyright © 2019 NHS Digital

Contents

1 Introduction 5

1.1 Target audience 5

1.2 Service background 5

2 Scope 5

2.1 Licences and applications 5

2.2 Service support 6

3 Onboarding 7

3.1 Joining the service 7

3.2 Leaver / joiner process 8

3.3 Licensing procurement 9

3.4 Transferring existing licences 9

3.5 Data migration from an existing O365 tenant 9

3.6 Microsoft FastTrack services 10

3.7 Ending NHSmail O365 Hybrid services 10

3.8 Technical pre-requisites 11

4 Application service information 12

4.1 Supported application summary 12

4.2 Azure Active Directory 13

4.3 SharePoint Online 15

4.4 OneDrive for Business 20

4.5 Microsoft Teams 21

4.6 Yammer enterprise 24

4.7 StaffHub 26

4.8 PowerBI 27

4.9 Delve 28

4.10 Planner 29

4.11 Office Online 29

4.12 Microsoft Forms 30

4.13 Sway 30

4.14 Office 365 Groups 31

4.15 Microsoft PowerApps 32

4.16 Microsoft Flow 32

4.17 Microsoft Stream 33


4.18 Microsoft Project Online 34

4.19 Microsoft Visio Online 34

4.20 Mobile applications 35

5 Azure B2B Guest Access 36

5.1 Domain Name Whitelisting 36

5.2 Guest User Invites 37

5.3 Azure Federated Group Import 38

5.4 Lifecycle Management 38

5.5 External sharing breakdown by application 40

6 Tenant Policy 41

6.1 Vanity domains 41

6.2 Office 365 release cycle policy 41

6.3 Third party applications 41

6.4 Tenant branding 41

6.5 Office 365 desktop applications 42

7 Compliance 43

7.1 Data Residency 43

7.2 Data retention and recovery 43

7.3 Label Policy 52

7.4 Data Loss Prevention 52

7.5 eDiscovery 55

7.6 General Data Protection Regulation (GDPR) 55

8 Reporting 56

8.1 Licence reports 56

8.2 Storage reports 56

8.3 Azure B2B reports 56

8.4 Other reports 56

8.5 Service health 56

9 Local organisation responsibilities 57

9.1 Local software and hardware 57

9.2 Local network and infrastructure 57

9.3 Adoption and training 57

9.4 Licence procurement 57

10 Un-supported services 58


11 Clinical Safety and Acceptable Use Policy 59

11.1 Clinical safety 59

11.2 Acceptable Use Policy 59

11.3 More information 59

12 NHSmail helpdesk 60


1 Introduction

1.1 Target audience

This document provides IT Managers and Local Administrators (LAs) with an outline of the NHSmail Office 365 Hybrid Service configuration for NHSmail.

Service configuration guides for other services will be available at the point of release.

1.2 Service background

The NHSmail service is the national secure collaboration service for health and care in England and Scotland and is currently used by over 1.5 million users and continues to grow.

To enable greater access to collaboration applications, the NHSmail service is now integrated with Microsoft Azure Active Directory (Azure AD) and Microsoft Office 365 (O365). Azure AD is a cloud-based directory that enables secure, cloud-based identity management for the NHSmail service. O365 is a subscription-based cloud productivity suite that includes services such as OneDrive for Business, SharePoint Online and Yammer.

The NHSmail service has been integrated with a dedicated Office 365 tenant for users across England. NHS organisations will be able to access the O365 services in a ‘bring your own licence’ model. Users provisioned with licences will access the NHSmail Office 365 Hybrid Service using their existing NHSmail username and password.

The NHSmail Portal has been developed to enable organisations to subscribe and manage their Office 365 licences. This includes, but is not limited to, the ability to assign licences, enable applications and create SharePoint sites.

Organisations consuming Office 365 services via the NHSmail Office 365 Hybrid Service will need to use NHSmail as their primary email service.

This document outlines the key functional and configuration details for each of the new services for NHS organisation administrators and IT managers.

Note: The NHSmail Office 365 Hybrid Service is currently not available for users in Scotland.

2 Scope

2.1 Licences and applications

Office 365 licences must be procured by NHS organisations directly from Microsoft or their Licence Reseller and will not be available to procure nationally through the NHSmail service.

Organisations are not required to procure Azure AD licences to consume the O365 service.

The following enterprise and standalone licence types are supported on the NHSmail Office 365 Hybrid Service:

Office 365 Enterprise F1

Office 365 Enterprise E1

Office 365 Enterprise E3

Office 365 Enterprise E5


Microsoft PowerApps Plan 1

Microsoft PowerApps Plan 2

Microsoft Flow Plan 1

Microsoft Flow Plan 2

Microsoft Stream Plan 1

Microsoft Stream Plan 2

Microsoft Visio Plan 1

Microsoft Visio Plan 2

Power BI (Free)

Power BI Pro

Power BI Premium

Microsoft Project Online Essential

Microsoft Project Online Professional

Microsoft Project Online Premium

Details of the applications supported within these licence types can be found in the Application Service Information section of this document.

Organisations will be required to raise a service request with the NHSmail helpdesk to onboard their licences to the NHSmail Office 365 Hybrid Service. Further information is available on onboarding within this document.

The commercial relationship for provision of O365 services is between the NHS organisations and Microsoft via their licence agreement. The NHSmail service is providing access and integration management of the NHSmail O365 tenant. The NHSmail service is not responsible for the Microsoft cloud infrastructure and Office 365 application service levels.

2.2 Service support

Helpdesk support for the NHSmail O365 Hybrid Service will be provided by the existing NHSmail helpdesk. Local organisations are expected to provide initial triage and troubleshooting support to their end users as per the existing NHSmail service. LAs will be able to raise tickets with the NHSmail helpdesk for faults relating to configuration within the NHSmail Office 365 tenant. Faults relating to Microsoft infrastructure and product issues will be raised directly with Microsoft.

Organisations wishing to use their Microsoft Premier Support should raise cases directly with Microsoft via the standard Premier Support channels. Where these cases require support from the NHSmail service, a ticket should be raised with the NHSmail helpdesk by the local organisation. The NHSmail service does not support submission of Microsoft Premier Support cases centrally on behalf of NHS organisations.

Further information is available in this document on local organisation responsibilities.


3 Onboarding

3.1 Joining the service

To join the NHSmail Office 365 Hybrid Service, users must have an existing NHSmail account and be using NHSmail as their primary email service. The process for joining the NHSmail Office 365 Hybrid Service can be broken down into four stages.

1. Procure Office 365 licences

2. Submit licences to NHSmail via the NHSmail helpdesk

3. Allocate licences to users within the NHSmail Portal

4. Enable users as guest inviters (optional)

Step 1: Procure O365 licences

Local organisations should procure Office 365 licences directly from Microsoft or their Licence Reseller who will issue the organisation with an email confirmation of their purchase. Licensing is not available centrally via the NHSmail service.

More information is available in this document on licensing procurement.

Step 2: Submit licences to NHSmail

Once your organisation has procured O365 licences you will receive an email from your Licence Reseller confirming the purchase. At this point your organisation’s LA should raise a service request with the NHSmail helpdesk where details of your subscription can be shared and the process for tenant allocation started. Details required in this request can be found in the Onboarding Guide for Local Administrators.

Once an onboarding service request has been raised, the NHSmail team will allocate your licences to the O365 tenant and make them visible in the self-service NHSmail Portal. Once this process is complete, licences will be available to manage and allocate by LAs through the NHSmail Portal. Your licences will be securely held and managed in the central NHSmail O365 tenant until their expiry.

Note: Licences and their submission will be managed and serviced on a per organisation basis and cannot be split across multiple organisations.

Step 3: Allocate licences to users by creating user policies

Once step 2 is completed, the organisation LAs will be able to log into the NHSmail Portal and navigate to the administration area for enabling services. Detailed guidance on how to create licence profiles and enable O365 services for users is available in the Hybrid Local Administrator guide.

Step 4: Enable users as guest inviters (optional)

Organisation LAs will be able to decide whether they would like to enable their NHSmail users as guest inviters so that they can collaborate with users from external organisations. They can configure NHSmail users as eligible guest inviters via the NHSmail Portal. Detailed guidance on this is available in the Hybrid Local Administrator guide.


3.2 Leaver / joiner process

The NHSmail service has a defined process for account leavers / joiners.

NHSmail accounts marked as ‘leavers’, that have an NHSmail O365 Hybrid licence assigned, require some additional steps to remove the O365 licence and define retention actions for organisation-owned content stored in the account’s OneDrive.

These additional steps are described below and should be owned by the licence-owning organisation’s LA:

1. Marking an O365 enabled account as a leaver will remove that account’s O365 licence straight away. The licence is returned to the organisation’s pool of available O365 licences and available for re-assignment.

2. Immediately following point 1 above, the LA will be prompted to decide whether the account’s OneDrive for Business data should be retained. This will be a binary Yes/No.

YES – All data will be deleted from the account’s OneDrive and the account’s recycle bin, ensuring it cannot be accessed by the account should it be joined and enabled with NHSmail O365 Hybrid at another organisation on NHSmail. Once data is deleted, it cannot be accessed by the user. However, data under retention can be recovered from the preservation hold library. Details on the OneDrive data retention policy are available within this document.

NO – No action taken, and the account’s OneDrive data remains in place should the account be re-licensed at a later date. While users are in a leaver state, permissions to OneDrive data can be delegated by the service team - this includes if the account is re-licensed for NHSmail O365 Hybrid services at a new organisation on NHSmail. If the account is not joined to a new organisation it will progress through the standard NHSmail account deletion process. Standard data retention policies will apply and are detailed in this document.

LAs can request leavers to delegate OneDrive access before they are marked as a leaver to avoid making a service request.

LAs can request leavers to delegate Microsoft Flows, PowerApps and Stream content ownership because content from these apps cannot be deleted automatically.

Leaver group memberships

Leaver accounts will not automatically be removed from O365 related groups. LAs can view an account’s O365 group and SharePoint site membership within the NHSmail Portal and remove as required. This process allows local control of group membership and enables users, where required, to maintain membership of collaborative groups / services where appropriate. For example, a user moving to a new organisation continues to require collaboration access in a regional Yammer group or Teams site. Instructions on how to do this can be found in the Hybrid Local Administrator guide.


3.3 Licensing procurement

There are two ways an organisation can procure Office 365 licences ahead of allocating to the NHSmail O365 Hybrid Service.

1. Microsoft Volume Licensing programmes are commonly used by large organisations and allow bespoke bulk purchasing of licences. These licences are purchased through a Microsoft Partner and can then be managed through Microsoft’s Volume Licensing Service Centre.

2. Directly from Microsoft via their enterprise subscription pages.

Following procurement, Microsoft will issue a subscription activation email confirming your purchase. See the onboarding section within this document for information on how to progress an onboarding request once you have reached this point.

3.4 Transferring existing licences

Organisations transferring licences already allocated to an existing O365 tenant should raise a service request with the NHSmail helpdesk. The NHSmail team will then raise a case with Microsoft to progress this transfer. The local organisation will also need to raise a case to Microsoft from their existing tenant requesting the transfer, as this is required by Microsoft as authority to transfer.

3.5 Data migration from an existing O365 tenant

Organisations with an existing O365 tenant that require data migration from that tenant to the NHSmail O365 Hybrid tenant should first consider the feasibility of a locally managed manual migration following their onboarding to the NHSmail O365 Hybrid Service. Feasibility will be dependent on several factors including volume of data, complexity and availability of local resource to support it.

Should an organisation already own O365 licences and have their own tenant, the process in the below diagram can be followed to migrate to the NHSmail Hybrid tenant. It is important for an organisation to fully understand the necessary pre-requisites (as highlighted in the Tenant to Tenant Migration guide) and the Functional Comparison guide, before starting the migration process.


[Diagram: migration from an existing O365 tenant to the NHSmail Hybrid tenant]

Understand migration approach & necessary pre-requisites

• Read Tenant to Tenant Migration Approach to understand requirements

• Understand the functional comparison between native Microsoft O365 tenants & the NHSmail Hybrid Platform

Determine local migration approach using Tenant to Tenant document as a guide

• Develop approach – including what data needs to be migrated, from which applications & how

• Create a deployment plan & timeline

Engage third-party supplier if required

• Engage any third parties needed for the migration

• Raise a ticket to the NHSmail helpdesk detailing administrator access requirements (as detailed in section 2.4.1)

Follow licence onboarding transfer process

• Formally raise a request with your Microsoft License Reseller & the NHSmail helpdesk to transfer your O365 licences

• This process is documented here

Migrate on an app by app basis

• Complete migration process & necessary testing to ensure data is accessible on the new tenant

• Phase out and eventually decommission the legacy tenant

Organisations who decide a locally managed manual migration is not appropriate should consider the use of Microsoft FastTrack services where applicable to support such a migration.

For some organisations, FastTrack may be available as part of their O365 licences. More information on the Microsoft FastTrack service and its use with the NHSmail O365 Hybrid Service is available in this document.

3.6 Microsoft FastTrack services

The NHSmail Hybrid Service supports and encourages the use of Microsoft FastTrack services where it is included in an organisation’s licence agreement with Microsoft. To progress a request to use FastTrack services to onboard to the NHSmail Hybrid Service please raise a request to the NHSmail helpdesk.

3.7 Ending NHSmail O365 Hybrid services

Ceasing NHSmail O365 Hybrid services for your organisation can occur via a request from your Local Administrator, with approval confirmation from the local organisation’s Chief Information Officer (CIO) to the NHSmail helpdesk, or through the expiry of your organisation’s Office 365 licences.


A request to the NHSmail helpdesk to remove hybrid services will trigger a licence transfer process. This process will require an organisation to submit details of their new tenant to the NHSmail helpdesk, so a licence transfer request can be submitted to Microsoft. The NHSmail service team will raise this request with Microsoft.

Expiry of O365 licences in the NHSmail O365 Hybrid Service will trigger an automatic removal of those licences. The NHSmail Portal tracks licence expiry dates and will issue an expiry notice to an organisation’s LA 30 days ahead of expiry.

Information on data retention policies is available in this document.

3.8 Technical pre-requisites

Network planning and performance

Using any Office 365 service is likely to increase the utilisation of an organisation’s internet links. It is key to determine that the amount of bandwidth available is enough to handle the estimated increase when Office 365 is live and in use by end users.

Microsoft provides guidance and tools for organisations on effective network planning and testing ahead of rolling out Office 365 services. These are available on Microsoft’s website and should be referred to by LAs ahead of enabling NHSmail O365 Hybrid services.

Office 365 URLs and IP address ranges

Office 365 requires connectivity to the internet. Microsoft defines a list of endpoints that must be reachable to ensure O365 service connectivity. This is a living list which Microsoft updates monthly, publishes via an RSS feed and details on its website.


4 Application service information

4.1 Supported application summary

The table below provides a summary of the available applications on the NHSmail Hybrid Service for each type of supported O365 licence.

Service name (E5 SKU / E3 SKU / E1 SKU / F1 SKU)

Microsoft Teams: Yes / Yes / Yes / Yes

Yammer Enterprise: Yes / Yes / Yes / Yes

Microsoft Forms: Yes / Yes / Yes / Yes

Microsoft StaffHub: Yes / Yes / Yes / Yes

Microsoft Sway: Yes / Yes / Yes / Yes

SharePoint Online (includes OneDrive for Business): Yes / Yes / Yes / Yes

Office Online – create and edit rights (cannot be assigned without SharePoint Online): Yes / Yes / Yes / Yes

Microsoft Planner: Yes / Yes / Yes / No

Microsoft Delve: Yes / Yes / Yes / Yes

Access to Office Applications from all major smart phones and iPads: Yes / Yes / Yes / Yes

Office Mobile Apps – Create/edit rights for online versions of core office apps: Yes / Yes / Yes / Yes

Office Pro Plus: Yes / Yes / No / No

Microsoft To Do: No / No / No / No

Power BI Pro: Yes / No / No / No

Flow for Office 365: Yes / Yes / Yes / Yes

PowerApps for Office 365: Yes / Yes / Yes / Yes

Microsoft Bookings: No / No / No / No

Microsoft Stream: Yes / Yes / Yes / Yes

In addition to the above licences, the following standalone licences are available and can be used individually or with any other SKU (E1, E3, E5 or F1).

Service name (Supported)

Microsoft PowerApps Plan 1: Yes

Microsoft PowerApps Plan 2: Yes

Microsoft Flow Plan 1: Yes

Microsoft Flow Plan 2: Yes

Microsoft Stream Plan 1: Yes

Microsoft Stream Plan 2: Yes

Microsoft Power BI Free: Yes

Microsoft Power BI Pro: Yes

Microsoft Power BI Premium: Yes

Microsoft Project Online Essential: Yes

Microsoft Project Online Professional: Yes

Microsoft Project Online Premium: Yes

Microsoft Visio Plan 1: Yes

Microsoft Visio Plan 2: Yes

Please note that Exchange email services and Skype for Business instant messaging and presence (IM&P) and audio and video conferencing (A&VC) services are provided as standard to organisations using the NHSmail O365 Hybrid Service.

For more information on the above, and to express interest in the NHSmail service offering additional Office 365 services, please contact the NHSmail helpdesk.

4.2 Azure Active Directory

4.2.1 Application description

Azure Active Directory (Azure AD) is Microsoft’s multi-tenant, cloud-based directory and identity management service. Every Office 365 tenant provides an Azure AD tenant that is used to manage cloud identities and enable access to cloud applications integrated with Azure AD, including Office 365 applications.

4.2.2 Features configuration

Azure AD supports Single Sign-On (SSO) through the NHSmail Portal to portal.office.com (not local device SSO).

• SSO enables access to NHSmail Office 365 Hybrid services following SSO to the NHSmail Portal.

Note: SSO will not allow user authentication against cloud-based services not integrated with NHSmail Azure AD (for example, local applications owned and managed by a local organisation).


Key Azure AD configuration items are given for information in the table below, highlighting the default NHSmail setting.

AAD config details / Setting / Comment

User Setting

Users can add gallery apps to their Access Panel: No. Users can add any app which supports password single sign-on to appear in their access panel, without an administrator needing to pre-integrate that application.

Users can only see Office 365 apps in the Office 365 portal: Yes. Users will only see Office 365 apps in their Office 365 portal.

Guest users’ permissions are limited: Yes. Guests do not have permission for certain directory tasks, such as enumerating users, groups or other directory resources, and cannot be assigned to administrative roles.

Restrict access to Azure AD administration portal: Yes. Restricts all non-administrators from accessing any Azure AD data in the administration portal.

Groups

Users can create security groups: No

Users who can manage security groups

Users can create Office 365 groups: Available for LAs to manage via the NHSmail Portal

Users who can manage Office 365 groups

User Setting

Users can consent to apps accessing company data on their behalf: No. Users are not able to consent to allow third party multi-tenant applications to access their user profile data in the NHS Directory.

Users can register applications: No. Users are not able to register custom-developed applications for use within the NHS Directory.

Members can invite: No. Only NHSmail service administrators can invite guests to the NHS Directory.

Guest can invite: No. Guests cannot invite other guests to collaborate with the NHSmail Hybrid tenant.

Groups

Self-service group management enabled: No. Self-service group management for users through the Access Panel is not enabled.

Enable "All Users" Group: No. The all users group in Azure Active Directory is disabled.

External Users Setting

Guest users’ permissions are limited: Yes. Yes means that guests do not have permission for certain directory tasks such as enumerating users, groups or other directory resources.

Admins and users in guest inviter role can invite: Yes. Yes means that admins and users with the ‘Guest Inviter’ role will be able to invite guests to the tenant; No means they will not.

Members can invite: No. No means that only administrators can invite guests to the NHS Directory.

Guest can invite: No. No means that guests cannot invite other guests to collaborate.

Allow invitations only to specified domains (most restrictive): Yes. Guest invitations can only be sent to whitelisted domains.
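The external collaboration rows above (members and guests cannot invite, admins and users in the Guest Inviter role can, and invitations go only to whitelisted domains) combine into a single authorisation decision. The Python model below is an added illustration, not NHSmail or Microsoft code; the role names, the settings object and the two whitelisted domains are assumptions, as is the exact-match rule for sub-domains.

```python
"""Model of the NHSmail Azure AD external collaboration settings listed in
section 4.2.2. Added illustration, not NHSmail or Microsoft code; role names,
the settings object and the whitelisted domains are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional, Tuple


class Role(Enum):
    ADMIN = "admin"
    GUEST_INVITER = "guest_inviter"  # NHSmail user enabled as a guest inviter via the Portal
    MEMBER = "member"                # ordinary NHSmail user
    GUEST = "guest"                  # external Azure B2B guest


@dataclass(frozen=True)
class ExternalCollaborationSettings:
    admins_and_inviters_can_invite: bool = True  # "Admins and users in guest inviter role can invite: Yes"
    members_can_invite: bool = False             # "Members can invite: No"
    guests_can_invite: bool = False              # "Guest can invite: No"
    allow_list_only: bool = True                 # "Allow invitations only to specified domains: Yes"
    allowed_domains: FrozenSet[str] = frozenset()


# Defaults as tabulated above; the two whitelist entries are constructed for the example.
NHSMAIL_DEFAULTS = ExternalCollaborationSettings(
    allowed_domains=frozenset({"partner.example", "council.example"}),
)


def domain_of(email: str) -> Optional[str]:
    """Domain part of an address, lower-cased; None if the address is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local or " " in domain:
        return None
    return domain.lower().rstrip(".")


def evaluate_invite(inviter_role: Role, invitee_email: str,
                    settings: ExternalCollaborationSettings = NHSMAIL_DEFAULTS) -> Tuple[bool, str]:
    """Decide whether a guest invitation attempt is permitted; returns (allowed, reason)."""
    # Step 1: is this role allowed to invite at all?
    if inviter_role in (Role.ADMIN, Role.GUEST_INVITER):
        if not settings.admins_and_inviters_can_invite:
            return False, "guest inviter role is disabled"
    elif inviter_role is Role.MEMBER and not settings.members_can_invite:
        return False, "members cannot invite guests"
    elif inviter_role is Role.GUEST and not settings.guests_can_invite:
        return False, "guests cannot invite other guests"

    # Step 2: is the invitee's domain whitelisted? Exact match only: a sub-domain of a
    # listed domain is treated as not listed (assumption; the guide does not say).
    domain = domain_of(invitee_email)
    if domain is None:
        return False, "malformed invitee address"
    if settings.allow_list_only and domain not in settings.allowed_domains:
        return False, "domain %s is not whitelisted" % domain
    return True, "invitation permitted"


def audit_invites(attempts: List[Tuple[Role, str]],
                  settings: ExternalCollaborationSettings = NHSMAIL_DEFAULTS) -> List[Tuple[Role, str, str]]:
    """Evaluate a batch of (role, email) attempts and return the denied ones with reasons."""
    denied = []
    for role, email in attempts:
        allowed, reason = evaluate_invite(role, email, settings)
        if not allowed:
            denied.append((role, email, reason))
    return denied


if __name__ == "__main__":
    for role, email, reason in audit_invites([
        (Role.GUEST_INVITER, "alice@partner.example"),  # permitted
        (Role.MEMBER, "alice@partner.example"),         # denied: members cannot invite
        (Role.ADMIN, "eve@other.example"),              # denied: domain not whitelisted
    ]):
        print(role.value, email, "->", reason)
```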

4.3 SharePoint Online

4.3.1 Application description

SharePoint Online is a cloud-based collaboration platform that can be used for document management, storage and collaboration.

SharePoint can enable sharing and collaboration across NHS organisations using the NHSmail O365 Hybrid Service, giving people a place to organise and collaborate on content and data in real time.

4.3.2 Configuration overview

The NHSmail Hybrid SharePoint Online application has been configured to allow LAs to create isolated parent site collections for use within their organisation.

LAs are able to use the NHSmail Portal to provision a new site collection, assign it a name, an administrator and storage quota. The NHSmail Portal will then configure this parent site collection for the given administrator to login to and configure for further use. Once provisioned, the standard site collection administration features are available for the site administrator to configure and customise directly within SharePoint. It is the responsibility of the site collection administrator to manage the site collection, including user access permissions, storage usage and any sub sites created (child sites).

The table below gives an overview of the tenant-wide configurations set for SharePoint Online in the NHSmail tenant.

Config details / Setting / Comment

Sharing

Allow users to invite and share with authenticated users: Enable. Direct sharing outside the NHSmail Hybrid tenant is allowed for only whitelisted domains. Invite and sharing to authenticated users using anonymous access links is disabled.

Prevent external users from sharing files, folders and sites that they don’t own: Enable

Direct links: Enable. Shared links are only valid for the specific person they were sent to.

Default link permissions (view or edit): View

External users must accept sharing invitations using the same account that the invitations were sent to: Enable

Site Pages

Let users create site collections: Managed via NHSmail Portal. Available for LAs to create and manage via the NHSmail Portal.

Let site collection administrators create sub sites: Enable

Site Pages: Enable. Users can create responsive Site pages.

Hide the subsite menu command: Enable (Hide). Hides the subsite create menu for basic users. Only Site Collection administrators can see this.

Custom Scripts

Prevent users from running custom script on personal sites: Prevent. This has been disabled on the NHSmail O365 Hybrid for security reasons.

Prevent users from running custom script on self-service created sites: Prevent. This has been disabled on the NHSmail O365 Hybrid for security reasons.

Preview Features

Enable Preview Features: Disable. This setting has been disabled so users do not view SharePoint Online preview features. Preview features have limited support in SharePoint Online and do not yet meet all service requirements.

Connected Services

Block SharePoint 2013 workflows: Enable

Mobile Push Notifications

Allow notifications: Allow. This feature allows users to get mobile push notifications for changes to their SharePoint content.

Comments on Site Pages

Enable comments on Site Pages: Disable. Enabling this feature adds a comment section to all site pages. Users who have access to the pages can leave comments.

Access Control

Control access based on network location and only allow access from specific IP address locations: Disabled. There is no restriction based on IP addresses configured.


4.3.3 Support features

The following sections highlight key supported features for the SharePoint Online service within the NHSmail O365 Hybrid Service.

4.3.3.1 Team Sites

A SharePoint Team Site is the default SharePoint template used when creating a site collection from the NHSmail Portal and other features.

4.3.3.2 Data Loss Prevention

Data Loss Prevention (DLP) is a feature used to discover and restrict sensitive data leaving the NHSmail tenant. DLP policies are set to review tenant data against specific criteria such as national insurance numbers or national health numbers and identify it. Standardised industry template DLP policies have been implemented on the NHSmail O365 Hybrid Service and are detailed in the DLP section of this document. SharePoint Online has been configured to respect these DLP policies.
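As an added example of the kind of detection such a DLP policy performs (not NHSmail’s policy definitions), the Python below scans constructed sample text for NHS numbers, validating each candidate with the modulus-11 check digit so that look-alike ten-digit strings are not flagged, and for UK National Insurance numbers in HMRC format.

```python
"""Detection logic for two identifiers the NHSmail DLP policies look for
(section 4.3.3.2): NHS numbers and UK National Insurance numbers.
Added example, not NHSmail's policy code; the sample text is constructed."""
import re
from typing import List, Tuple

# NHS number: 10 digits, usually written 3-3-4 with spaces or hyphens. The last
# digit is a modulus-11 check digit, so a checksum test removes most false positives.
_NHS_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{4})(?!\d)")

# National Insurance number (HMRC format): first letter excludes D, F, I, Q, U, V;
# second letter also excludes O; some prefixes are never issued; suffix is A-D.
_NI_CANDIDATE = re.compile(
    r"(?<![A-Z0-9])(?!BG|GB|NK|KN|TN|NT|ZZ)"
    r"[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z][ -]?\d{2}[ -]?\d{2}[ -]?\d{2}[ -]?[A-D](?![A-Z0-9])",
    re.IGNORECASE,
)


def nhs_number_is_valid(digits: str) -> bool:
    """Modulus-11 check: weights 10 down to 2 over the first nine digits."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:  # no valid NHS number produces this remainder
        return False
    return check == int(digits[9])


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (identifier_type, matched_text) for each sensitive identifier in a line."""
    findings = []
    for m in _NHS_CANDIDATE.finditer(line):
        if nhs_number_is_valid("".join(m.groups())):
            findings.append(("nhs_number", m.group(0)))
    for m in _NI_CANDIDATE.finditer(line):
        findings.append(("ni_number", m.group(0)))
    return findings


def scan_document(text: str) -> List[Tuple[int, str, str]]:
    """Scan a whole document; return (line_number, identifier_type, matched_text) tuples."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, value in scan_line(line):
            results.append((lineno, kind, value))
    return results


# Constructed sample content; the identifiers are well-known test values, not real records.
SAMPLE = """Referral note for patient, NHS number 943 476 5919, seen 03/05/2019.
Order reference 123 456 7890 is an invoice number, not an NHS number.
Payroll query: NI number QQ 12 34 56 C is not a valid prefix.
Staff record AB123456C attached for HR.
Phone 0300 311 2233 should not be flagged."""

if __name__ == "__main__":
    for lineno, kind, value in scan_document(SAMPLE):
        print("line %d: %s %r" % (lineno, kind, value))
```

Only line 1 (a checksum-valid NHS number) and line 4 (a well-formed NI number) are reported; the invoice reference, the phone number and the QQ-prefixed string are not.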

4.3.3.3 Large file support

SharePoint Online allows you to upload or download large files. The NHSmail O365 Hybrid Service allows a single maximum file-size limit of up to 15 GB per file. Files attached to list items can be up to 250 MB in size.

4.3.3.4 File name and path lengths

The maximum path limit in SharePoint Online has increased from 256 characters to 400 characters. The entire path, including the file name, can contain up to 400 characters.

4.3.3.5 Special character support in file names

Special characters such as &, ~, { and } are supported in file names, including names that contain a GUID, begin with a leading dot or are longer than 128 characters. Note: characters such as % and # cannot yet be used in file names.

4.3.3.6 Durable links

The durable links feature is enabled on the NHSmail O365 Hybrid Service. This feature allows users to rename a SharePoint document and move it to a different location within the site collection, and the links remain valid. This feature works with Office documents (Word, Excel, OneNote and PowerPoint) as well as PDF files. The below diagram shows how the process works.


4.3.4 Service limits

The below list highlights the service limits applicable on the NHSmail O365 Hybrid SharePoint Online service.

• Items and files - A list can have up to 30 million items and a library can have up to 30 million files and folders. Views can have up to 12 lookup columns. To learn more about other restrictions for viewing large lists, see Manage large lists and libraries in SharePoint. For information about characters that can't be used in file names, see Invalid file names and file types in OneDrive, OneDrive for Business and SharePoint.

• Subsites - Up to 2,000 per site collection.

• File path length - The total length of the URL, including the file name, can't exceed 400 characters. For example, the following is a typical URL path to a file stored in SharePoint: http://www.contoso.com/sites/marketing/documents/Shared%20Documents/Promotion/Holiday%202018.xlsx

• File size - Less than 15 GB per file. Files attached to list items can be up to 250 MB in size.

• Sync - For optimum performance, we recommend storing no more than 100,000 files in a single OneDrive or team site library. If you use the previous OneDrive for Business sync client (Groove.exe), the sync limit per library is 5,000 items.

• Versions - 50,000 major versions and 511 minor versions.

• SharePoint groups - A user can belong to 5,000 groups and each group can have up to 5,000 users. You can have up to 10,000 groups per site collection.

• Users - 2 million per site collection.
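The limits above are easier to check before a migration than after an upload fails. The PowerShell below is an added example, not NHS Digital's code: it walks a local folder, builds the %-encoded target URL for each file (the guide's own example URL shows spaces as %20, so the encoded length is the conservative measure), and reports files that would breach the 400-character URL limit, the 15 GB file limit or the file-name rules. The 400-character, 15 GB and % / # rules come from the guide; the remaining invalid characters, reserved names and blocked prefixes are Microsoft's published list at the time and should be re-checked against the current one. The local path and library URL are placeholders.

```powershell
# Added example (not NHS Digital's code): pre-flight check of a local folder
# against the SharePoint Online limits listed in this guide.

function Test-SpoMigrationPath {
    param(
        [Parameter(Mandatory)][string]$LocalRoot,     # folder to be migrated
        [Parameter(Mandatory)][string]$LibraryUrl,    # already-encoded target library URL
        [int]$MaxUrlLength = 400,                     # guide: 400 characters including file name
        [long]$MaxFileBytes = 15GB                    # guide: 15 GB per file
    )
    $root = (Resolve-Path -LiteralPath $LocalRoot).ProviderPath.TrimEnd('\', '/')
    # % and # are from the guide; the rest is Microsoft's list at the time (assumption: re-check).
    $invalidChars  = '["*:<>?/\\|%#]'
    $reservedNames = '^(CON|PRN|AUX|NUL|COM[0-9]|LPT[0-9]|desktop\.ini|\.lock)$'

    Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        $segments = $_.FullName.Substring($root.Length).TrimStart('\', '/') -split '[\\/]'
        $encoded  = ($segments | ForEach-Object { [uri]::EscapeDataString($_) }) -join '/'
        $url      = $LibraryUrl.TrimEnd('/') + '/' + $encoded
        $problems = @()
        foreach ($s in $segments) {
            if ($s -match $invalidChars)  { $problems += "invalid character in '$s'" }
            if ($s -match $reservedNames) { $problems += "reserved name '$s'" }
            if ($s -ne $s.Trim())         { $problems += "leading or trailing space in '$s'" }
            if ($s.StartsWith('~$') -or $s.StartsWith('_vti_')) { $problems += "blocked prefix in '$s'" }
        }
        if ($url.Length -gt $MaxUrlLength) {
            $problems += "encoded URL is $($url.Length) characters (limit $MaxUrlLength)"
        }
        if ($_.Length -gt $MaxFileBytes) {
            $problems += "file is $([math]::Round($_.Length / 1GB, 1)) GB (limit 15 GB)"
        }
        if ($problems.Count -gt 0) {
            [pscustomobject]@{ LocalPath = $_.FullName; TargetUrl = $url; Problems = ($problems -join '; ') }
        }
    }
}

# Placeholder values: neither the tenant nor the site URL is stated in the guide.
Test-SpoMigrationPath -LocalRoot 'C:\Migration\Marketing' `
    -LibraryUrl 'https://TENANT.sharepoint.com/sites/marketing/Shared%20Documents' |
    Format-Table -AutoSize -Wrap
```

Only files with at least one problem are emitted, so an empty result means the folder fits the documented limits. The 250 MB limit for list-item attachments is not covered because attachments are not files in a library.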

4.3.5 SharePoint third party applications

SharePoint Online supports third party application integration. The NHSmail O365 Hybrid Service manages a review process for these integrations to assess suitability of implementing on a nationally managed service. Some applications are not appropriate to integrate due to required permissions or licence requirements.

The below graphic provides some guidance on the principles used to assess third party application integration suitability. To request an application integration for SharePoint Online, please contact the NHSmail helpdesk.


4.3.6 Portal self-service capability

The NHSmail Portal provides self-service capability for LAs to manage the provisioning of SharePoint services. This includes the following:

➔ Create and edit capability for SharePoint Parent Site Collection

o Assigning a Site Collection name

o Assigning / updating a Site Collection administrator

o Assigning / updating a storage quota for the site collection

➔ Enable / disable SharePoint Online services for users / policies

➔ Downloadable SharePoint storage report

Guidance instructions on how to use the NHSmail Portal for NHSmail O365 Hybrid services are available in the NHSmail O365 Hybrid Local Administrator guide.

4.3.7 SharePoint storage

The quota from which an LA can allocate storage to the SharePoint Site Collections they create is calculated from the number of SharePoint user licences the organisation holds, and it increases or decreases as the number of purchased user licences changes. For each licensed user (E3, E5, F1, E1 and Project Online) the organisation is given an additional 10 GB of storage to allocate to its SharePoint Online site collections.

SharePoint Site Collection quotas cannot be exceeded once set. An organisation’s available storage can only become insufficient if its number of user licences reduces through non-renewal. In this scenario, LAs will be issued with appropriate communications and given 5 days’ notice to reduce their storage or purchase additional licences. If after 5 days the quota is still insufficient, all the organisation’s sites are set to read-only mode.

When creating a SharePoint Site Collection an LA will be able to see the amount of storage available to the organisation. This gives an indication of what quota can be given to a SharePoint Site Collection. Full guidance on allocating storage can be found in the SharePoint Collection Management section of the NHSmail O365 Hybrid Local Administrator guide.


4.4 OneDrive for Business

4.4.1 Application description

OneDrive for Business is personal online storage space in the cloud available from Office 365. Use it to store and protect your work files while accessing them across multiple devices.

Share your files with business colleagues as needed and collaborate on Office documents together in real time with the latest Office desktop, web and mobile apps. Sync files to your local computer using the OneDrive for Business sync client.

OneDrive for Business is included in SharePoint Online and the Enterprise Office 365 plans.

The OneDrive for Business application can be enabled for users through the NHSmail Portal.

4.4.2 Configuration overview

The OneDrive for Business application has been configured with standard policies and settings as follows:

Config Details Setting Comment

Sharing

Direct link sharing with specific people

Enabled The shared document will be accessible only by the people specified when the user creates the link.

File and folder default permission View Set to view as default however can be changed by user at the point of sharing.

Sharing with existing external users Enabled Sharing only available with users already in the NHS Directory.

File view information Enabled Display to owners the names of people who viewed their files.

Sync

Show the Sync button on the OneDrive website

Enabled The Sync button helps users install and set up the new OneDrive sync client.

Storage

Default storage in GB Enabled The default storage space for each user's OneDrive is 1 TB.

Days to retain files in OneDrive after a user account is marked for deletion

Enabled The default retention period in the NHSmail O365 Hybrid Tenant is 180 days. Please see the OneDrive data retention policies section of this document for more information.

Device Access

Allow access only from specific IP address locations

Disabled Specific IP addresses or IP address ranges will restrict users’ access to their OneDrive files. This policy has not been enabled on the NHSmail O365 Tenant.

Mobile application management settings

Disabled These settings are disabled as they require use of the Intune service which is not currently enabled on the NHSmail O365 Hybrid Service.

Notifications

Display device notification to users when OneDrive files are shared with them

Enabled Display device notification to users when OneDrive files are shared with them.

4.4.3 Limits and un-supported features

• To learn more about restrictions and limitations that apply to files and folders when using OneDrive for Business to sync SharePoint Online and OneDrive for Business libraries to a device, please see the Microsoft articles named below. OneDrive for Business is included in SharePoint Online. To learn about limitations such as file upload limits and site collection quotas, see SharePoint Online limits and Restrictions and limitations when you sync files and folders.

• Microsoft do not support storage of data other than an individual’s personal work files. System back-ups and departmental or organisational level data are not supported, nor is the assignment of a per-user licence to a bot, department or other non-human entity. SharePoint Online is recommended for these scenarios.

• External sharing is disabled for OneDrive for Business in the NHSmail tenant.

• The OneDrive for Business sync client will need to be supported by local trusts.

4.5 Microsoft Teams

4.5.1 Application description

Microsoft Teams provides a modern collaboration hub experience for today’s work-based teams. Microsoft Teams supports persistent and threaded chats to keep everyone engaged. Microsoft Teams allows integration with other O365 applications creating a single workspace for collaboration.

Microsoft Teams is included in the E1, E3 and E5 O365 enterprise licence plans.

LAs can create Team groups and enable the application through the NHSmail Portal.

4.5.2 Configuration overview

The Microsoft Teams application has been configured with standard policies and settings as follows:

Config Details

Setting Comment

General

Show organisational chart in personal profile

Disabled Shows the organisational chart icon in the user’s contact card which, when clicked, displays the detailed organisational chart. This feature is not currently supported by Microsoft in a hybrid deployment and has therefore been disabled.

Use Skype for Business for recipients who don't have Microsoft Teams

Disabled Teams conversations would automatically show up in Skype for Business for users who are not enabled for Teams. This interoperability is not supported in the hybrid deployment model.

Allow T-bot proactive help messages

Enabled T-bot will initiate a private chat session with users to help them use Teams.

Allow users to send email to channels

Disabled This feature has been disabled as domain restriction is not currently supported.

Application Connections

Forms Enabled The Microsoft Forms application allows users to create surveys, quizzes and polls.

OneNote Enabled OneNote notebooks can be used to collaborate on digital content and share it within the team.


Planner Enabled Planner allows teams to stay organised, assign tasks and keep track of progress.

Yammer Enabled The Yammer connector sends notifications about posts, announcements in Yammer groups, posts made by Yammer users.

Stream Enabled The Microsoft Stream app (to upload / view videos) is a default app in Teams, provided through the Teams app store, and there is no setting to disable it. To add a Stream tab to a channel to access / share videos, users must supply a valid Stream URL (direct video or channel).

Bing News Enabled Get the most relevant news on topics you care about.

Flow Enabled Automate time-consuming and repetitive tasks by integrating favourite apps and services with Microsoft Flow.

Images Enabled Search Bing for the image you need and share it directly in a channel or chat.

News Enabled Stay up to date on current events courtesy of Bing News. Find coverage of local, national and worldwide news, then share it in a channel.

Places Enabled Places lets you look up detailed info about different businesses, restaurants, venues and more. Find out the address, hours of operation or reviews for a business, then share them in a conversation.

PowerApps Enabled Help your team work smarter by creating apps that connect to the services and data they use most. Add those apps to your channel so your team can quickly find them.

PowerBI Enabled Add a Power BI report to your channel. You can even add multiple reports to the same tab. (Requires Power BI Pro)

SharePoint Enabled Add a SharePoint page from your associated team site by selecting a page from the list and clicking save. Your team will be able to view the page, but not edit.

SharePoint News

Enabled The SharePoint News connector sends notifications about new News posts in your site.

Stocks Enabled Get real-time stock quotes and share them in a conversation. Search by company name or stock symbol.

Team Foundation Server

Enabled The Team Foundation Server connector sends notifications about activities in your projects.

VSTS Enabled Plan better, code together and ship faster using Visual Studio Team Services (VSTS). Find work and collaborate better with your team.

Weather Enabled Find current weather reports for any city, zip code or location, then share them in a channel or chat.

Wikipedia Search

Enabled Leverage the power of the services your organisation uses directly within Teams. Do a quick search for a Wikipedia article and share it in a conversation.

Wunderlist Enabled The Wunderlist connector sends notifications about activities on your lists and tasks.

Allow External Applications

Enabled If an organisation wishes to utilise a third-party application that is not enabled by default, they will be able to follow a defined process to request this. This will involve raising a ticket to the helpdesk, which will be fed through to the NHS Digital Technical Design Authority (TDA) who will ultimately determine if the application request is suitable.

Team Calls

Allow ad-hoc channel meetup

Enabled

Allow screen sharing in calls

Enabled Specifies whether screen sharing is allowed in Teams calls.

Allow videos in calls

Enabled Specifies whether the use of video is allowed in Teams calls.

Allow private calling

Enabled Users can make private calls.

Messaging


Enable Giphy so users can add GIFs to conversations

Enabled Users can use animated pictures within the conversations.

Enable memes that users can edit and add to conversations

Disabled Users cannot use internet memes to make humorous posts.

Enable stickers that users can edit and add to conversation

Enabled Users can post images with editable text to get channel members’ attention.

Allow owners to delete all messages

Disabled Channel owners cannot remove all messages in a channel.

Allow users to edit their own messages

Enabled Users can edit their own messages.

Allow users to delete their own message

Enabled Users can delete their own messages.

Allow Users to Chat Privately

Enabled Users can engage in private chats that are visible only to the people in the chat, instead of everyone on the team.

Guest Access

Enabled External guests accounts added into NHSmail Hybrid Azure Active Directory can also be added as guests in Teams.
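The following is an added example, not code from the NHS Digital guide. It reads the live tenant and policy objects with the SharePoint Online Management Shell and the Microsoft Teams PowerShell module and compares them with the values documented in the SharePoint, OneDrive and Teams configuration tables above, so drift from the documented baseline shows up as a table rather than as an incident. The mapping from admin-centre labels to cmdlet property names, the admin-centre URL and the helper function are the editor's assumptions; settings the cmdlets do not expose (preview features, the Sync button, individual connectors) are not covered.

```powershell
# Added example (not NHS Digital's code): compare live SharePoint Online tenant
# and Teams policy objects with the values documented in this guide.
# Requires Connect-SPOService (SharePoint Online Management Shell) and
# Connect-MicrosoftTeams (Microsoft Teams PowerShell module) with admin rights.

function Compare-Baseline {
    param(
        [Parameter(Mandatory)][string]$Scope,
        [Parameter(Mandatory)]$Actual,               # object returned by a Get-* cmdlet
        [Parameter(Mandatory)][hashtable]$Expected   # property name -> documented value
    )
    foreach ($name in $Expected.Keys) {
        $live = $Actual.$name
        [pscustomobject]@{
            Scope    = $Scope
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $live
            Drift    = ("$live" -ne "$($Expected[$name])")   # string compare covers bool, int and enum
        }
    }
}

Connect-SPOService -Url 'https://TENANT-admin.sharepoint.com'   # placeholder; not stated in the guide
Connect-MicrosoftTeams | Out-Null

$results = @()

# SharePoint Online and OneDrive for Business tenant settings from the configuration tables
$results += Compare-Baseline -Scope 'SPO tenant' -Actual (Get-SPOTenant) -Expected @{
    CommentsOnSitePagesDisabled               = $true      # comments on site pages: disabled
    NotificationsInSharePointEnabled          = $true      # mobile push notifications: allowed
    IPAddressEnforcement                      = $false     # no IP-location access control
    DefaultSharingLinkType                    = 'Direct'   # links for specific people
    DefaultLinkPermission                     = 'View'     # view unless changed when sharing
    DisplayNamesOfFileViewers                 = $true      # owners see who viewed their files
    NotificationsInOneDriveForBusinessEnabled = $true      # notification when files are shared
    OneDriveStorageQuota                      = 1048576    # 1 TB, expressed in MB
    OrphanedPersonalSitesRetentionPeriod      = 180        # days retained after deletion
}

# Teams settings from the configuration table
$results += Compare-Baseline -Scope 'Teams messaging' -Actual (Get-CsTeamsMessagingPolicy -Identity Global) -Expected @{
    AllowGiphy              = $true
    AllowMemes              = $false
    AllowStickers           = $true
    AllowOwnerDeleteMessage = $false
    AllowUserEditMessage    = $true
    AllowUserDeleteMessage  = $true
    AllowUserChat           = $true
}
$results += Compare-Baseline -Scope 'Teams client' -Actual (Get-CsTeamsClientConfiguration -Identity Global) -Expected @{
    AllowEmailIntoChannel     = $false   # email to channels disabled
    AllowOrganizationTab      = $false   # organisational chart disabled
    AllowSkypeBusinessInterop = $false   # Skype for Business interop disabled
    AllowGuestUser            = $true    # guest access enabled
}
$results += Compare-Baseline -Scope 'Teams calling' -Actual (Get-CsTeamsCallingPolicy -Identity Global) -Expected @{
    AllowPrivateCalling = $true
}
$results += Compare-Baseline -Scope 'Teams apps' -Actual (Get-CsTeamsAppSetupPolicy -Identity Global) -Expected @{
    AllowSideLoading = $false            # sideloading disabled
}

$results | Sort-Object Drift -Descending | Format-Table Scope, Setting, Expected, Actual, Drift -AutoSize
$drift = @($results | Where-Object Drift)
if ($drift.Count -gt 0) { Write-Warning "$($drift.Count) setting(s) differ from the documented baseline" }
```

Scheduled from a runbook, this turns the guide into a checkable baseline: any row with Drift set to True is either an undocumented change to investigate or a change this document needs to catch up with.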

4.5.2.1 Teams Private Chat features

• Teams 1:1 Chat (private chat) can be used by users enabled with Teams licence.

• Teams 1:1 Calls (private audio / video calls) can be used by users enabled with Teams licence.

• Teams 1:1 private chat sessions can be extended to group chat by adding more users.

• Teams 1:1 private chat sessions can be extended to group audio / video call by adding more users.

• Desktop sharing can be used for 1:1 sessions and grouped sessions.

• 1:1 sessions are persistent across both Web client and desktop thin client.

4.5.2.2 Teams and Channels features

• Team owners and members (if allowed by owners) can create new channels within Teams client.

• Channels can be created and allowed apps (as listed below) can be added into the channels:

o Microsoft Forms

o OneNote

o Planner

o SharePoint

o Yammer

o Document, Excel, PowerPoint, Wiki, PDF, Power BI and Stream (these apps are available by default from Microsoft)

• Internal and External Connectors can be created for enabled applications.

• Ad-hoc meetings can be used within Channels for a group audio / video call.


• Teams recording can be used for ad-hoc group calls (LA enables recording per user through a policy, also requires Stream licence).

4.5.2.3 Teams with OneDrive and SharePoint Online

• SharePoint Online is required to share and store files in team conversations.

• OneDrive for Business is required to share and store files in private chats.

• If users are not assigned and enabled with SharePoint Online licences, they don't have OneDrive for Business storage in Office 365. File sharing will continue to work in Channels, but users are unable to share files in Chats without OneDrive for Business storage in Office 365.

4.5.3 Unsupported features

• The scheduling of Teams meetings on the NHSmail O365 Hybrid Service is not currently supported due to the hybrid deployment model in place.

• Organising and viewing meetings is not available in the web client or desktop thin client due to the hybrid deployment model in place.

• Currently, there is no option to change the profile picture in Teams. Teams profile pictures are populated from the Exchange Online profile picture, which is not available in the hybrid deployment, so the picture cannot be set from Teams.

• In the Teams client, the organisation chart feature is integrated with the Exchange Online mailbox. As all mailboxes are hosted in the on-premises Exchange 2013 environment, the organisation chart feature will not work.

• Teams Interoperability with On-Premises Skype for Business is not fully available from Microsoft at the current time due to the hybrid deployment model in place.

• Email integration with channels is disabled; therefore sending email to a channel’s email address is not available.

• Sideloading and outgoing webhooks are disabled.

4.6 Yammer enterprise

4.6.1 Application description

Yammer is a private enterprise social network application. Yammer enables collaboration and provides a platform for health care professionals to share ideas, experiences, resources and insights with each other across all NHS organisations. It is well suited to regional collaboration and to specialist groups within the NHS.

4.6.2 Configuration overview

Yammer has been configured with standard policies and settings as follows:

Config Details Setting Comment

General

Network name nhs.onmicrosoft.com

Email: [email protected] URL: https://www.yammer.com/nhs

Primary domain nhs.net

Other domains nhs.mail.onmicrosoft.com

nhs.onmicrosoft.com

Configuration


Require all users in your network to confirm their messages posted via email before posting.

Disabled

Allow people to upload and attach files in any format

Enabled Any number of files, images or both can be attached to any message or reply, with each file size limited to 5 GB. The maximum dimensions for images in Yammer are 7680 pixels wide and 4320 pixels high. You'll get an error if you try to upload an image that is wider or taller.

Third-party Applications Disabled Users cannot add or access third-party applications created using the Yammer API.

Organisation Chart Disabled The Yammer Organisation Chart is built from the reporting relationships that users add to their user profiles. It helps other users understand the management structure and company relationships of their co-workers.

Message Translation Disabled This feature gives users the option to translate messages from 33 available languages into the network’s default language.

Connected Groups Enabled Local Administrators can create Yammer connected groups via the NHSmail Portal

Usage Policy

Require users to accept policy during sign up and after any changes are made to the policy.

Enabled An acceptable use policy (AUP) prompt at first Yammer login requires users to read and agree to the NHSmail AUP. More information can be found at

https://portal.nhs.net/Home/AcceptablePolicy

External Networks

External Networks creation Only Admins

Require admin approval for tenant members to join other companies' external networks.

Enabled Requires users to request approval before they join external networks created by other organisations.

Security Setting

Enforced Office 365 identity. Block Office 365 users without Yammer licence

Enabled This setting means unlicensed users are unable to use their nhs.net work account to access Yammer Groups, including third-party Yammer groups.

Data Retention

Soft / Hard Delete policy Soft Delete Soft delete option set in NHSmail O365 tenant. Deleted data is not visible to users but can be accessed via NHSmail Service Request.

Design

Network logo, header, colour scheme and logo for Yammer emails

NHS logo and colour scheme

Logos are placed against a white background on all email notifications sent to your network.

Office 365 identity will be enforced in Yammer to allow single sign-on capability and authenticate first in Office 365 before users can log onto the Yammer network. This means users must be licensed on the NHSmail Hybrid platform to login to Yammer.

All Yammer features are supported in the NHSmail O365 Hybrid Service apart from the ones listed in the unsupported features section below.

4.6.3 Unsupported features

• Free Yammer is disabled. Users must be assigned an O365 licence to use the Yammer network.


• Creation or joining external groups is disabled.

• Existing Office 365 groups cannot be used as Connected Yammer groups.

• Third party applications are disabled.

4.7 StaffHub

4.7.1 Application description

StaffHub is an online application that provides schedule and task management capability for first-line workers. StaffHub makes it easy to create, publish and access schedules on the go, and allows workers to view and amend them through a simple mobile application.

4.7.2 Configuration overview

StaffHub has been configured with standard policies and settings as follows:

Config Details Setting Comment

General

Apply licence check Enabled Enforce that everyone has an Office 365 licence before using it. Only users with an assigned Office 365 Enterprise licence (F1, E1, E3, E5 or EDU) will be able to access Microsoft StaffHub.

Allow Microsoft StaffHub to create Office 365 accounts for my first-line workers

Disabled

Fields included in StaffHub teams; they will show during onboarding, team settings and usage reports

Required When a manager creates a new team, they are prompted to enter information about that team.

• All users must have a valid licence to access StaffHub (access without licence is disabled).

• All users can create Teams in StaffHub via web client. There is no desktop client for StaffHub.

• Existing Office 365 groups cannot be used as StaffHub Teams.

• Web app can be used to create StaffHub Teams, add / remove members, assign administration roles to team members, schedule shifts and assign to group members and share files.

StaffHub mobile app:

• Users are required to have an invitation (once added into a StaffHub Team) to complete sign-in on mobile devices. Invitations can be sent by email or to a mobile number via the StaffHub portal managed by the StaffHub Team owner.

• Users can have 1:1 chat with group (team) members only.

• Users can have 1:n chat with all members of the StaffHub Team.

4.7.3 Unsupported features

• Members of a Team in StaffHub will not be able to share files.

• Users cannot create StaffHub Teams via mobile app (iOS and Android).

• There is no option to change 1:1 chat with StaffHub Teams members.

• eDiscovery of StaffHub chat data is not available on the NHSmail O365 Hybrid Service.

• StaffHub on Windows Mobile is unsupported.


4.8 PowerBI

4.8.1 Application description

Power BI is a suite of business analytics tools that deliver insights throughout your organisation. Connect to hundreds of data sources, simplify data preparation, build dashboards and drive ad-hoc analysis. Power BI can be used to produce reports and publish them for people in your organisation to consume via the web or on mobile devices.

The NHSmail O365 Hybrid Service supports the PowerBI free application and PowerBI Pro application.

4.8.2 Configuration Overview

PowerBI has been configured with standard policies and settings as follows.

Config Details Setting Comment

Export & Sharing

Sharing content with external users Enabled Users can share PowerBI dashboards with users outside of the NHSmail O365 Hybrid Tenant.

Publish to web for the entire organisation Enabled Users can publish reports for viewing by anyone on the web, by request to the helpdesk. A report published to the web is reachable by anyone who has the link, without signing in, so this is only appropriate for data that is already public.

Export data policy Enabled All users can export data from a tile or visualisation.

Content Pack and App Setting

Publish content packs and apps to the entire organisation

Disabled Users are not able to publish content packs and apps to the entire NHSmail O365 Hybrid Tenant.

Integration Settings

Ask questions about data using Cortana Enabled Users can ask questions about their data using Cortana.

Use Analyse in Excel with on-premises datasets

Enabled Users can use Excel to view and interact with on-premises Power BI datasets.

Use ArcGIS Maps for Power BI - for the entire organisation

Enabled Users can use the ArcGIS Maps for PowerBI visualisation provided by Esri.

Use global search for Power BI (Preview) for the entire organisation

Disabled When enabled, users can search Power BI content through the Azure Search external search index.

Custom Visual Settings

Custom visuals Enabled Users can add, view, share and interact with custom visuals.

Interact with and share R visuals Enabled Users can interact with and share visuals created with R scripts.

Audit & Usage Settings


Create audit logs for internal activity auditing and compliance for the entire organisation

Enabled Users can use auditing to monitor actions taken in Power BI by other users.

Usage Metrics for Content Creators Enabled Users can see usage metrics for dashboards and reports they created.

Per-User data in usage metrics for content creators

Disabled If enabled, usage metrics for content creators would expose the display names and email addresses of the users who access content.

Data classification for dashboards Disabled

Users can tag dashboards with classifications indicating security levels. If enabled, custom policies would be required to allow users to tag.

Embed content in apps Disabled If enabled, users could embed Power BI dashboards and reports in SaaS applications.
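Because "Publish to web" is enabled tenant-wide and controlled only by the helpdesk request process, a practitioner will want to see what is actually public. The PowerShell below is an added example, not NHS Digital's code: it lists every artifact that has a public embed code through the Power BI admin REST API, pulls the matching audit events, and compares the public list with a constructed stand-in for the helpdesk's record of approved requests. The endpoint, its response fields and the PublishToWebReport activity name are Microsoft's; the approved-list format and the reconciliation logic are the editor's, and the approved ID is a placeholder.

```powershell
# Added example (not NHS Digital's code): reconcile what is publicly embedded
# from Power BI against the helpdesk's approved list.
# Requires the MicrosoftPowerBIMgmt module and a Power BI administrator account.

function Get-PublishedToWebArtifacts {
    # Pages through the admin API; each page carries continuationUri when more follow.
    $url = 'admin/widelySharedArtifacts/publishedToWeb'
    while ($url) {
        $page = Invoke-PowerBIRestMethod -Url $url -Method Get | ConvertFrom-Json
        foreach ($a in $page.ArtifactAccessEntities) {
            [pscustomobject]@{
                ArtifactId = $a.artifactId
                Name       = $a.displayName
                Type       = $a.artifactType
                SharedBy   = $a.sharer.emailAddress
            }
        }
        $url = $page.continuationUri
    }
}

function Get-PublishToWebEvents {
    # The activity log is kept for 30 days and each query must stay within one UTC day.
    param([int]$Days = 30)
    $nowUtc = (Get-Date).ToUniversalTime()
    for ($i = $Days; $i -ge 0; $i--) {
        $start = $nowUtc.Date.AddDays(-$i)
        $end   = $start.AddDays(1).AddSeconds(-1)
        if ($end -gt $nowUtc) { $end = $nowUtc }
        Get-PowerBIActivityEvent -StartDateTime $start.ToString('s') -EndDateTime $end.ToString('s') `
            -ActivityType PublishToWebReport -ResultType JsonObject |
            Select-Object CreationTime, UserId, ReportName, ReportId, WorkSpaceName
    }
}

Connect-PowerBIServiceAccount | Out-Null

# Constructed stand-in for the helpdesk's record of approved publish-to-web requests.
$approvedArtifactIds = @(
    '11111111-1111-1111-1111-111111111111'   # placeholder
)

$public = @(Get-PublishedToWebArtifacts)
"$($public.Count) artifact(s) currently published to the web"
$public | Where-Object { $_.ArtifactId -notin $approvedArtifactIds } | ForEach-Object {
    Write-Warning "Not on approved list: '$($_.Name)' ($($_.Type) $($_.ArtifactId)) published by $($_.SharedBy)"
}

# Who created embed codes recently, for the same reconciliation from the audit side.
Get-PublishToWebEvents -Days 30 | Sort-Object CreationTime | Format-Table -AutoSize
```

The admin endpoint reports the current state and the activity log reports who changed it; an artifact that appears in the first but has no approving ticket is the case the helpdesk process exists to prevent, and the audit event identifies the user to follow up with.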

4.8.3 Additional notes:

• Power BI Pro content can only be shared with Power BI Pro licensed users.

• Power BI free version is available to all NHSmail organisations.

4.8.4 Unsupported features

• Power BI embedded nodes Type A (Azure) are based on Azure Virtual Machines (VM – A1 – A6), therefore Type A nodes are not in scope of NHSmail Office 365 Hybrid tenant. NHSmail organisations with embedded nodes (VMs configured in Azure) cannot migrate / integrate their subscription to the NHSmail Office 365 Hybrid tenant.

4.9 Delve

4.9.1 Application description

Delve is a web-based collaboration tool which helps employees find and discover information relevant to them across all Microsoft Office 365 products by pulling content from applications such as OneDrive for Business, SharePoint and Yammer and presenting it in one place.

All users enabled for SharePoint Online will have access to Delve (delve.office.com) where they can see their Delve profile, profiles of others and content from SharePoint and OneDrive. Only content that a user has permissions to see will be visible to them in Delve. Delve never changes any permissions. Only the user can see their private documents.

By default, Delve profiles only present content that is available in the NHS Directory, unless the user adds additional profile information.

4.9.2 Supported features

• Files stored in OneDrive and SharePoint can be viewed and accessed via Delve board if a user already has access to them.

• Profile updates, including the profile picture, which then replicate to the OneDrive and SharePoint profiles.

4.9.3 Unsupported features

• Delve boards will not show email attachment content.


4.10 Planner

4.10.1 Application description

With Microsoft Planner you can create a plan, build a team, assign tasks and update status all in a few easy steps.

Planner is a visual online tool which can easily create plans, organise and assign tasks, share files, communicate with teams and provide insights on how everything is progressing within an easy-to-use application interface.

Once enabled, Planner access is managed through the Office 365 Group (Team) framework. The Planner web application shows the Office 365 Group (Team) and its members and allows tasks to be created and shared within the team. Creating Office 365 Groups (Teams) is managed via the NHSmail Portal by an organisation’s Local Administrator.

4.10.2 Supported features

• Plans can be accessed via Planner within the Teams application.

• Files added / shared via Planner can be accessed via SharePoint.

• Plans created via an existing Team group will not create a new Office 365 group.

• There are no notifications when members are added to a new Plan.

• There are no notifications when tasks are assigned to members or when tasks are due soon.

• There are no notifications when comments and / or files are added to tasks.

4.10.3 Unsupported features

• There is no desktop application; Planner can only be used via the web (through the waffle, the Office 365 app launcher) or the mobile app.

• The Members tab and Conversations tab are not supported, as these direct to Exchange Online, which is not available.

• Planner calendar cannot be added / integrated to Outlook calendar.

4.11 Office Online

4.11.1 Application description

Office Online is a browser accessed online office suite that allows users to create and edit files using Microsoft Office web apps: Word, Excel, PowerPoint and OneNote.

4.11.2 Supported features

The Office Online suite of applications is available on the NHSmail Office 365 Hybrid Service for licensed organisations and can be enabled for users by Local Administrators via the NHSmail Portal.

4.11.3 Unsupported features

There are some features within the Office Online suite which are not equivalent to the desktop application suite offered by Microsoft via Office ProPlus. More information on this can be found from Microsoft.

4.12 Microsoft Forms

4.12.1 Application description

Create surveys, quizzes and polls and easily see results as they come in with Microsoft Forms. When a quiz or form is created users can invite others to respond to it using any web browser and mobile device. As results are submitted, users can take advantage of the built-in analytics to evaluate responses from data, such as quiz results. Data can also be easily exported to Excel for additional analysis or grading.

4.12.2 Supported features

All features of Forms are enabled and supported. The below points should be considered when using Forms.

• The NHS logo will appear on the Forms main page; however, users can add a logo for each form they create.

• While viewing survey results, all external responses will be recorded as anonymous. The ‘Record Name’ option is only available if the form is shared with internal NHSmail users.

• While viewing results in the Excel spreadsheet, users will need to download the file to open it. It cannot be opened in Office Online.

• Each user can have up to 200 forms and each form can receive up to 50,000 responses.

• There is no option to perform eDiscovery on Forms data.

4.12.3 Unsupported features

• All current features are supported.

4.13 Sway

4.13.1 Application description

Microsoft Sway is an easy to use digital story-telling application, making it easy to create and share interactive reports, personal stories, presentations, newsletters and photo albums within minutes.

4.13.2 Supported features

• All features, including external sharing of Sway, are enabled and supported.

4.13.3 Unsupported features

• Sway currently doesn't support eDiscovery or DLP (Data Loss Prevention).

• Sway data is stored in Azure within data centres in the United States.

4.14 Office 365 Groups

4.14.1 Application description

Microsoft Office 365 Groups is the framework for team permissions and sharing that underpins many of the Office 365 applications.

Several Office 365 services require the ability to create Office 365 Groups for specific functions. Within the NHSmail Office 365 Hybrid Service, Office 365 Groups can be created by Local Administrators within the NHSmail Portal using the Create Team feature. More information on how to do this is available in the NHSmail O365 Hybrid Local Administrator guide.

The ability to control which users can create Office 365 Groups does not impact the ability of licensed users to participate in group activities, such as creating tasks in Planner. The ability to create groups within all Office 365 services, listed below, can be restricted through security groups. Once restricted, the ability to create groups in Office 365 services will be disabled.

4.14.2 Configuration overview

Columns: Application; Users can create an Office 365 Group on a standalone tenant; Users can create an Office 365 Group on the NHSmail Hybrid tenant; Comments.

• Microsoft Teams – Standalone tenant: Yes; NHSmail Hybrid tenant: No. To create a Team, users request this via their LA, who can create it within the NHSmail Portal. The Office 365 Group owner must sign into Teams and choose ‘Add new Office 365 group’, using the option to create a Team from an existing group. Once the owner has signed in, all members of the Office 365 group will be able to see that group as a Team in their Teams client. Non-owner users will not be able to create Teams from existing Office 365 groups. Only the Team owner (the Office 365 group owner) can add additional users to the Team; standard users will not see the “Add more people” option.

• Microsoft SharePoint Online – Standalone tenant: Yes; NHSmail Hybrid tenant: No. To create a Team Site (parent site collection), users will need to request that their LA creates it within the NHSmail Portal. Once a SharePoint site collection is created, it will also create an Office 365 group which can be used as a Team (by adding owner(s) and members).

• Microsoft Planner – Standalone tenant: Yes; NHSmail Hybrid tenant: No. To create a new Plan, a user will need to request that their LA creates a Team from within the NHSmail Portal. Users will be able to see and use plans for any existing Office 365 groups they are part of.

• Microsoft Yammer – Standalone tenant: Yes; NHSmail Hybrid tenant: No. Standard groups without Office 365 resources (connected groups) can be created. Office 365 connected groups are not available.

4.14.3 Unsupported features

• The NHSmail O365 Hybrid Service does not support viewing O365 Groups on the Outlook Web App, Outlook Desktop client or Outlook Groups Mobile App.

4.15 Microsoft PowerApps

4.15.1 Application Description

Microsoft PowerApps gives users the ability to create business apps that pull data from integrated Microsoft products and other cloud services. With a simple interface, it allows users without coding experience / knowledge to create business applications.

4.15.2 Supported Features

• PowerApps is included within all O365 licence types (E1, E3 & E5); users with the F1 licence type can consume applications, however they can’t create or publish applications (as per Microsoft standards).

• Standalone PowerApps subscriptions (Plan 1 & Plan 2) are supported on the hybrid platform. Plan 2 enables organisations to have their own local environments, access to the PowerApps Admin Portal and define their own Data Loss Prevention (DLP) policies. This level of access is not available through any other PowerApps licence type.

• The hybrid tenant DLP policy prevents PowerApps from connecting to data sources outside Office 365 and Dynamics 365. NHSmail users who wish to build applications that connect to external data sources (e.g. Salesforce) require a PowerApps Plan 2 (P2) licence.

• Users with PowerApps through O365 licences (F1, E1, E3 & E5) will have access to one central PowerApps environment shared across the Hybrid tenant. Resources will be shared in this environment, however PowerApps developed can’t be accessed by all environment members unless specifically shared by the creator.

4.15.3 Unsupported Features

• PowerApps email integration requires Exchange Online (as per Microsoft standards). The NHSmail Exchange platform is on-premise and therefore PowerApps integration with Exchange / Outlook (email automation) is not possible.

• PowerApps cannot be shared with external users (including Guest accounts). This is a Microsoft limitation.

4.16 Microsoft Flow

4.16.1 Application Description

Microsoft Flow is a service that helps users to create automated workflows between different apps and services to synchronise files, get notifications, collect data and more. It allows users to save time by turning repetitive tasks into multistep workflows.

4.16.2 Supported Features

• Office 365 licences (F1, E1, E3 & E5) are required to create and run Flows; two additional licence types can be procured and are supported on the hybrid tenant – Flow Plan 1 and Plan 2.

• Flow Plan 2 enables organisations to have their own local environments, access to the Flow Admin Portal and define their own Data Loss Prevention (DLP) policies. This level of access is not available through any other Flow licence type.

• The hybrid tenant DLP policy prevents Flows from connecting to data sources outside Office 365 and Dynamics 365. NHSmail users who wish to build Flows that connect to external data sources (e.g. Salesforce) require a Flow Plan 2 licence type.

• Flow storage and quota limits are determined by Microsoft on a per user basis; these are subject to change.

• A Flow can be shared by a user with individual users, cloud security groups, distribution groups, shared mailboxes or an entire organisation. Users are recommended to share with individual users, distribution groups and shared mailboxes. As security groups cannot be managed via the NHSmail Portal, users must avoid using security groups.

4.16.3 Unsupported Features

• Flow email integration requires Exchange Online (as per Microsoft standards). The NHSmail Exchange platform is on-premise and therefore Flow integration with Exchange / Outlook (email automation) is not possible.

• Flows cannot be shared with external users (including Guest accounts). This is a Microsoft limitation.

4.17 Microsoft Stream

4.17.1 Application Description

Microsoft Stream is an Enterprise Video service where NHSmail users can upload, view and share videos securely. Stream allows users to share recordings of meetings, presentations, training sessions or other videos that aid collaboration.

4.17.2 Supported Features

• Microsoft Stream is available through the standard Office 365 licence plans (F1, E1, E3 & E5); there are two additional standalone Stream plans (Plan 1 & Plan 2) that can be procured and are supported on the platform.

• Stream Groups can be created and managed by Local Administrators through the NHSmail Portal; normal users can create channels within their Stream Groups.

• Teams Call Recording (for group calls only) can also be managed by Local Administrators through the standard User Policy management page on the NHSmail Portal. Recorded calls will appear in a user’s Stream page. Users with an F1 licence cannot use the Teams call recording feature.

• Stream storage is allocated on a first come, first served basis. Every licence procured adds 0.5GB to the hybrid tenant quota, which can be accessed by all O365 enabled organisations.

• NHSmail users can control who they share videos with (groups, channels or people).

4.17.3 Unsupported Features

• Due to the nature of the multi-organisation hybrid tenant model, both Local Administrators and users are restricted from creating companywide channels.

• The Stream quotas and limitations are defined by Microsoft on a per tenant basis and cannot be managed on a per organisation level.

• There is no Stream recycle bin – deleted videos and groups cannot be restored.

4.18 Microsoft Project Online

4.18.1 Application Description

Project Online is a flexible online solution for project portfolio management (PPM) and everyday work. Delivered through Office 365, Project Online provides powerful project management capabilities for planning, prioritising and managing projects / portfolio investments.

4.18.2 Supported Features

• Microsoft offers Project Online in three plans – Project Online Essentials, Project Online Professional and Project Online Premium; all three licence types are supported on the hybrid platform.

• Local Administrators will be able to manage Project licence allocation through the NHSmail Portal.

• Local Administrators will be able to create Project Web Applications (PWA). Microsoft limit the number of PWAs per O365 tenant; each organisation is therefore capped at creating 25 PWA sites.

• Users cannot create projects directly via Project Online Web (https://project.microsoft.com/). To create projects, users are required to use a PWA instance (which can be created by LAs via the NHSmail Portal). Once a project is created, it can be accessed via Project Online Web (https://project.microsoft.com/).

• There is no limit on the number of Project Plans that can be created within each PWA.

• Each Project licence carries an additional 10GB of storage; the NHSmail Portal will automatically add this storage onto the quota available to the organisation that has procured the licences. This can also be used in SharePoint.

• Project Online Professional and Project Online Premium include the desktop client application. The option to download this will be available to appropriate users through the O365 tenant.

4.18.3 Unsupported Features

• All features of Project Online are enabled and supported.

4.19 Microsoft Visio Online

4.19.1 Application description

Visio Online is a flexible online solution for creating, editing, sharing and viewing Visio diagrams. Delivered through Office 365, Visio Online provides powerful capabilities for creating block diagrams, flowcharts, timelines, Specification and Description Language (SDL) diagrams and more.

4.19.2 Supported features

• Delivered through Office 365, Microsoft offers Visio Online in two plans – Visio Online Plan 1 and Plan 2. Both are supported on the hybrid platform.

• Visio Online Plan 2 includes the desktop application which will be available for download through the Office 365 portal.

• Users with an Office 365 licence (F1, E1, E3 & E5) can view diagrams created and shared through Visio Online. However, to create and edit Visio diagrams either Plan 1 or Plan 2 must be in place.

4.19.3 Unsupported features

• All features of Visio Online are enabled and supported.

4.20 Mobile applications

Microsoft publish several O365 applications on Windows Mobile, Android and iOS that can be installed on mobile devices, for example smart phones and tablets.

The NHSmail O365 Hybrid Service has no configuration that limits the use of mobile applications with Office 365 services. However, it does not provide application or device support for them, and it has no restriction or management policies in place for mobile devices. All support issues on mobile devices will need to be handled by local organisations.

More information on supported mobile platforms and operating systems is available on Microsoft’s website.

5 Azure B2B Guest Access

Azure business-to-business (B2B) collaboration allows organisations to securely share applications and services with guest users from other organisations, while maintaining control of their own corporate data. This is achieved via a simple invitation and redemption process which allows guests to use their own credentials to access the organisation's resources. In the context of the NHS, Azure B2B will allow NHSmail users to collaborate with external partners through the O365 suite of applications.

The NHSmail Azure B2B Guest Access Service will provide the following functionality:

• Domain Name Whitelisting
  o A list of whitelisted domains is maintained to control guest access
  o Local Administrators can request for new external organisations to be whitelisted via the NHSmail Portal

• Guest User Invites
  o Local Administrators can specify which users are eligible to invite guests
  o Eligible guest inviters can invite guests from whitelisted domains via O365 applications

• Azure Federated Group Import
  o Local Administrators can request for guests to be invited in bulk

• Lifecycle Management
  o Guests will require periodic access extensions from NHSmail users to maintain their access

5.1 Domain Name Whitelisting

External organisations will be managed by maintaining a list of permitted domain names which can be invited as guest accounts. A pre-agreed list of external organisations has been whitelisted as part of the service set up. Additional external organisations can be registered via the workflow below.

Local Administrators can view the list of whitelisted external organisations via the Manage External Organisations page within the NHSmail Portal. They can also make requests for domains to be whitelisted via the same page. The NHSmail Live Service team will assess and approve or reject the request.

! Important Note

Once an external organisation domain has been whitelisted, it will be whitelisted for the entire NHS Azure AD tenant. This will allow NHSmail users from any organisation to invite a user from this whitelisted external organisation as a guest user.

! Important Note

Azure B2B guest access is only intended to work with email addresses of third parties who have a business relationship with the NHS. Free consumer email domains (such as Gmail, Hotmail, etc.) will not be whitelisted as these are normally personal rather than business addresses.

5.2 Guest User Invites

Local Administrators can control which users are eligible to invite guest users via the Manage Eligible Guest Inviter page within the NHSmail Portal. They simply import a list of users from their organisation; these users are then given Guest Inviter permissions, which allow them to invite external users as guests via the O365 applications.

Once the guest is invited, a guest account will be provisioned on the Azure tenant. The guest user will receive an email invitation asking them to log into Microsoft Application Platform with a URL to the requested application (e.g. SharePoint document).

! Important Note

If the partner’s (guest user) organisation does not have an Azure Tenant, then an Azure Account will be created on the NHSmail Azure Tenant and the guest user will have to go through a one-time sign-up process.

The guest account requester will be responsible for coordinating with the individual application owners so that data can be shared with the guest account.

The below diagram illustrates the process of inviting a guest user to the platform for B2B collaboration.

If guest access is revoked all access permissions are also withdrawn and the guest will need to be invited again via the process detailed above, with access permissions reassigned.

! Important Note

Microsoft’s Azure AD Terms of Use will not be enabled within the O365 Hybrid for Guest accounts, as this feature requires additional licensing.

5.3 Azure Federated Group Import

For B2B guest access for up to ten external users, access will be granted via ad-hoc requests. Where access is required for more than ten users, the Azure Federated Group Import solution will be implemented to improve efficiency and security.

The Azure Federated Group Import solution is designed to replicate an external Azure Active Directory (AD) group into the NHSmail tenant, the membership of which is managed by the external organisation. This means you would simply require a one-time import of a group from an external organisation’s Azure AD tenant. As people join or leave the group in the external organisation their accounts would automatically be added and removed as guests in the NHSmail O365 Hybrid tenant.

NHSmail Local Administrators can request for an Azure Federated Group Import on behalf of an external organisation via the NHSmail Portal. Once the group import has been configured the NHSmail Portal will automate the process of sending guest invitations and revoking access (where required). This is illustrated by the diagram below.

5.4 Lifecycle Management

A number of lifecycle management processes have been implemented as part of the Azure B2B Guest Access Service as detailed below.

5.4.1 Guest Account Attestation

All guest accounts will have access to Azure AD / O365 for an initial period of 30 days. Following this, the guest user will be required to obtain approval from an NHSmail user to retain their access for another 180 days. The NHSmail user will have 10 days to approve the request or the access will be revoked. This process is repeated every 180 days. The diagram below illustrates the attestation process.

5.4.2 Inactive Guest Account Deletion Process

Guest account activity will be audited and if a guest has not logged into their account for more than 90 days their guest account will be removed from the NHSmail Azure tenant. An email will be sent to the guest user informing them of this.

! Important Note

Guest users will also be able to utilise the Azure AD self-service leaver process if they want to remove themselves.

5.4.3 Attestation of Azure AD Federated Group Imports

The NHSmail sponsors of each federated group will receive an email every 6 months to remind them that the group is still active and to ask them to request its removal if it is no longer needed.
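The whitelist, inviter-eligibility and guest lifecycle rules of sections 5.1, 5.2, 5.4.1 and 5.4.2, as an added Python model that is not part of this guide or of the NHSmail Portal. The domains, user names and dates are constructed sample data, and two points the text leaves open are marked as assumptions in the code: the 10-day approval window is taken to start when the current access period ends, and a guest who has never signed in is measured for inactivity from the invitation date.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple, Union

# Policy constants taken from sections 5.4.1 and 5.4.2 of the guide.
INITIAL_ACCESS_DAYS = 30      # initial access period after the invitation
EXTENSION_DAYS = 180          # each approved attestation grants another 180 days
APPROVAL_WINDOW_DAYS = 10     # the NHSmail sponsor has 10 days to approve
INACTIVITY_LIMIT_DAYS = 90    # no sign-in for more than 90 days -> account removed

# Constructed sample data (hypothetical names and domains, not real NHSmail data).
WHITELISTED_DOMAINS = {"partner-trust.example", "supplier.example"}
ELIGIBLE_INVITERS = {"alice.smith@nhs.net"}

DateLike = Union[date, str]


def to_date(value: DateLike) -> date:
    """Accept either a date or an ISO string such as '2019-05-25'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def invite_allowed(inviter: str, guest_email: str) -> Tuple[bool, str]:
    """Sections 5.1 and 5.2: only eligible inviters may invite, and only guests
    whose email domain is on the tenant-wide whitelist.

    The domain comparison is an exact, case-insensitive match on the part after
    the last '@'. Sub-domains or look-alike domains of a whitelisted organisation
    are rejected unless they have been whitelisted themselves.
    """
    if inviter.strip().lower() not in ELIGIBLE_INVITERS:
        return False, "inviter does not hold Guest Inviter permission"
    local_part, at, domain = guest_email.strip().rpartition("@")
    if not at or not local_part or not domain:
        return False, "malformed guest email address"
    if domain.lower() not in WHITELISTED_DOMAINS:
        return False, f"domain '{domain}' is not whitelisted"
    return True, "ok"


@dataclass
class GuestAccount:
    email: str
    invited_on: date
    approvals: int = 0                    # number of attestations approved so far
    last_sign_in: Optional[date] = None   # None means the guest has never signed in

    def access_expires(self) -> date:
        """End of the current access period: 30 days from the invitation, then
        180 days for every approved attestation (assumed to run consecutively)."""
        return (self.invited_on
                + timedelta(days=INITIAL_ACCESS_DAYS)
                + timedelta(days=EXTENSION_DAYS * self.approvals))


def guest_status(guest: GuestAccount, today: DateLike) -> str:
    """Classify a guest on a given day using the rules in 5.4.1 and 5.4.2.

    Returns one of: 'active', 'pending_attestation', 'revoked_inactive',
    'revoked_unattested'.
    """
    today = to_date(today)
    # 5.4.2: the inactivity rule is checked first; it applies even while the
    # current access period is still running. A guest who has never signed in
    # is measured from the invitation date (assumption, not stated in the guide).
    last_activity = guest.last_sign_in or guest.invited_on
    if (today - last_activity).days > INACTIVITY_LIMIT_DAYS:
        return "revoked_inactive"
    expires = guest.access_expires()
    if today <= expires:
        return "active"
    # 5.4.1: once the period has ended the sponsor has 10 days to approve; the
    # window is modelled as the 10 days following expiry (assumption).
    if (today - expires).days <= APPROVAL_WINDOW_DAYS:
        return "pending_attestation"
    return "revoked_unattested"


def approve_attestation(guest: GuestAccount, approved_on: DateLike) -> bool:
    """Record a sponsor approval. It is only accepted while the guest is still
    active or inside the 10-day approval window; a revoked guest must be
    re-invited (section 5.2) rather than re-approved."""
    if guest_status(guest, approved_on) in ("active", "pending_attestation"):
        guest.approvals += 1
        return True
    return False


if __name__ == "__main__":
    # Walk one constructed guest through the lifecycle.
    print("invite:", invite_allowed("alice.smith@nhs.net", "bob@partner-trust.example"))
    bob = GuestAccount("bob@partner-trust.example", date(2019, 5, 1),
                       last_sign_in=date(2019, 5, 20))
    for day in ("2019-05-25", "2019-06-05"):
        print(day, guest_status(bob, day))
    print("approved on 2019-06-05:", approve_attestation(bob, "2019-06-05"))
    print("2019-06-15", guest_status(bob, "2019-06-15"), "expires", bob.access_expires())
```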

5.5 External sharing breakdown by application

To maintain the integrity and security of the NHSmail Azure / O365 tenant it is key for Local Administrators and service management teams to know who is accessing content within the tenant.

As detailed above, the NHSmail service approach to external sharing is to allow sharing with an external user only where they already exist in the NHSmail Azure Directory as a known external / guest user. Sharing content and anonymous access links to external addresses is disabled in the NHSmail Azure tenant.

Once an external domain and user is added into the Azure AD as per the Azure B2B Guest Access process, users can use native Office 365 application sharing as shown below.

Columns: Office 365 Application; B2B Guest Access Possible; B2B Guest Access Enabled; Comments.

• Microsoft SharePoint – Possible: Yes; Enabled: Yes. SharePoint external sharing is enabled.

• Microsoft OneDrive for Business – Possible: Yes; Enabled: Yes. OneDrive for Business external sharing is enabled.

• Microsoft Teams – Possible: Yes; Enabled: Yes. External users in Azure AD can be added as guest users into Teams.

• Microsoft Power BI – Possible: Yes; Enabled: Yes. Power BI Pro and Premium users can share their dashboards / reports with an external user.

• Microsoft Planner – Possible: Yes; Enabled: Yes. Planner tasks can be shared (assigned) with external users.

• Microsoft Sway – Possible: No; Enabled: Yes. Microsoft Sway can be shared with external users without requiring a guest account in Azure Active Directory.

• Microsoft Forms – Possible: No; Enabled: Yes. Microsoft Forms can be shared with external users without requiring a guest account in Azure Active Directory.

• Microsoft PowerApps – Possible: No; Enabled: N/A. PowerApps cannot be shared with external users. This is a Microsoft limitation.

• Microsoft Flow – Possible: No; Enabled: N/A. Flow cannot be shared with external users. This is a Microsoft limitation.

• Microsoft Stream – Possible: No; Enabled: N/A. Stream videos cannot be shared with external users. This is a Microsoft limitation.

• Microsoft StaffHub – Possible: No; Enabled: N/A. StaffHub cannot be shared with external users. This is a Microsoft limitation.

• Microsoft Visio – Possible: Yes; Enabled: Yes. Visio diagrams in OneDrive can be shared as per the OneDrive external sharing policy.

• Microsoft Project Online – Possible: Yes; Enabled: Yes. Projects can be shared as per the SharePoint Online sharing policy. However, when sharing projects with external users, those users must have a Project Online licence to access and use shared Project Online functionality.

• Microsoft Yammer – Possible: No; Enabled: No. Yammer external collaboration is disabled.

6 Tenant Policy

The NHSmail Office 365 Hybrid tenant configuration has several key tenant-wide configurations that are based on centrally agreed technical decisions that consider national scalability, performance, regulatory compliance and information security of the tenant cloud environment. In the following sections, these key configurations for the tenant are highlighted and some detail provided.

6.1 Vanity domains

The NHSmail O365 Hybrid tenant domain is nhs.net only. Vanity domains are not available due to the complexity in managing multiple custom domains within a single tenant on a national service.

The NHSmail service does offer sub-domain branding for email to enable organisations to apply a level of local identity to their email addresses.

6.2 Office 365 release cycle policy

Microsoft are releasing updates to the Office 365 environment on a regular basis and the NHSmail O365 Hybrid tenant has been configured to support targeted release for selected users. With this option, individual targeted users can be first to see latest updates from Microsoft to the Office 365 environment.

To enable this feature, an organisation’s Local Administrator must submit a request to the NHSmail helpdesk on behalf of the users requiring this feature. It is recommended that organisations limit this feature enablement to users within their IT support community.

6.3 Third party applications

User and Local Administrator access to enable external integrated applications or third-party applications is not available. Currently this applies tenant-wide to mitigate the risk of users integrating an application that could introduce malicious content / behaviour that compromises the security of a national tenant.

6.4 Tenant branding

The NHSmail O365 Hybrid tenant is branded as a national tenant using the standard NHS and NHS Scotland logos at the top of users’ portal.office.com landing page. This logo is clickable and navigates to the NHSmail Portal homepage https://portal.nhs.net.

This branding is managed centrally as a tenant-wide setting that is not available for local organisations to customise.

The exception to this is a high contrast theme used for accessibility purposes. When a user switches to high contrast theme the branding mentioned above will be replaced with the standard contrast theme provided by Microsoft. There will be no logo and associated URL to access the NHSmail Portal.

6.5 Office 365 desktop applications

An E3 or E5 licence includes access to the Microsoft Office ProPlus Desktop applications (e.g. Outlook, Word, Excel) on up to five devices. The ability to download this software is a binary setting at the tenant-wide level. The NHSmail O365 Hybrid Service has enabled this for all organisations with E3 or E5 licences. However, LAs can disable ProPlus licences for individual users via the NHSmail Portal to restrict those users.

6.5.1 Office 2016 Deployment Tool

Organisations can use the Office 2016 Deployment Tool to deploy Office ProPlus to their device estate. The Office 2016 Deployment Tool can be used to both download and deploy Office and allows the required install configuration and customisation typical of enterprise deployments.

The Office 2016 Deployment Tool is compatible with standard deployment software, such as System Center Configuration Manager, for device application management. Once Office is downloaded and deployed, users must be connected to the internet to activate it (by signing in with their licensed O365 nhs.net account).

7 Compliance

7.1 Data Residency

Data Residency: The NHS Office 365 (O365) Hybrid tenant is located in the UK and is managed by Accenture – this means that any data stored within SharePoint, OneDrive or Teams will be stored in UK data centres; Exchange and Skype for Business data is stored within the NHSmail data centres in England. Some other Microsoft services do store data outside the UK; the key ones are:

• Azure AD – This stores account metadata (e.g. username, organisation, email address) for use with other Office 365 services. This data is stored within the EU and US.

• Yammer – This is hosted in the US.

Organisations with their own O365 tenant, independent of NHSmail and the hybrid service, will determine their own data residency principles. Specific information per application is available on Microsoft’s website and more general guidance is available on Office 365 compliance. The NHS Digital guidance on data off-shoring and cloud computing for health and social care organisations sets out the approved case for data residency in O365.

NHS organisations involved in this pilot will be required to agree the updated NHSmail service Acceptable Use Policy (AUP) via the NHSmail Portal, ahead of using O365 services. Organisations should also agree any local usage policies as appropriate ahead of onboarding, to ensure local Information Governance (IG) and Clinical Risk Management (CRM) practices are followed.

Access to Data Policy: Office 365 will follow the existing NHSmail data access and privacy policies, which are available on the NHSmail Portal help pages, specifically the Access to Data Policy. These policies follow the principle that user content will not be accessed by support staff unless required to resolve a support case your organisation has raised with us, based on a request under the Access to Data Policy, or where required for the security of the platform (e.g. anti-malware scanning).

7.2 Data retention and recovery

Retention policies in Microsoft Office 365 have been designed to manage content in two scenarios.

1. Retaining content so that it can’t be permanently deleted before the end of a set retention period.

2. Deleting content permanently at the end of the retention period.

When content is subject to a retention policy, users can continue to edit and work with the content as if nothing’s changed, because the content is retained in place in its original location. But if someone edits or deletes content that’s subject to the policy, a copy is saved to a secure location where it’s retained while the policy is in effect.

The NHSmail O365 Hybrid Service has a standard tenant-wide data retention policy of 180 days applied to OneDrive, SharePoint sites and Office 365 groups. This policy ensures a copy of user-deleted content is saved to a secure location for retention while the 180-day policy is in effect. Details of this policy configuration are in the table below:

Policy Name: NHS_Standard_180_Days_Policy (standard naming convention)

Description: NHSmail Standard 180 Days Retention Policy

Applies to content in these locations: OneDrive accounts, SharePoint sites, Office 365 groups. The retention policy is applied to all listed locations. Exchange mail and Exchange public folders can be excluded, as there will be no Exchange Online mailboxes or public folders.

Retention Period: Keep content for 180 days

Do you want us to delete it after this time? No. After the retention period there is no automatic deletion of content.

Retain or delete the content based on: When it was last modified. The retention period is counted from the date the content was last modified (for OneDrive and SharePoint).

Key retention principles:

• Content will be retained for 180 days from the time it was created or last edited. After the retention period, a deleted item cannot be restored and / or retrieved via eDiscovery.

• The retention policy applies to individual documents in OneDrive for Business, SharePoint Online sites / subsites and Office 365 groups. If a OneDrive, SharePoint site or Office 365 group is deleted, it must be restored first before performing any eDiscovery.

Note: If deleted sites or groups are not restored, content within them cannot be restored (eDiscovery search, hold and export), even if the content is still within the 180-day retention period set by the retention policy.

In Office 365, data retention and restore varies for each of the Office 365 applications. This section provides a per-application view on data retention, recovery and licensing limitations where relevant.

7.2.1 OneDrive for Business

OneDrive for Business offers the following options for restore, roll back and retention. These options exist side-by-side:

1. OneDrive for Business - Recycle Bin Restore


OneDrive for Business provides a user with a ‘site recycle bin’ (also called the first stage recycle bin) and a ‘site collection recycle bin’ (also called the second stage recycle bin). The user has access to both.

When a user deletes items from their OneDrive, they're sent to the site recycle bin (first stage recycle bin), where the user can restore them if they need to. When a user deletes items from a site recycle bin, they're sent to the site collection recycle bin (second stage recycle bin). The user can view and restore deleted items from the site collection recycle bin (second stage recycle bin) to their original locations.

Both first stage and second stage recycle bins share a default retention of 93 days which spans both recycle bins and is configured by Microsoft (i.e. content deleted from the first-stage bin after 20 days will be retained in the second-stage bin for a further 73 days). Within 93 days, deleted items can be restored by the user to their original location.

2. OneDrive for Business – Rollback

This feature allows end users to roll back changes (restore files and folders) to any point in time during the last 30 days. The 30-day duration is configured by Microsoft and cannot be changed. This restore can help users roll back content if they suspect their files have been compromised, deleted, overwritten, corrupted or infected by malware. However, note the following when performing a rollback:

• An undo operation will be performed on all actions that occurred on both files and folders from the date selected for restore. If there have been any new changes (added new files or edited existing files) since the rollback date, all of that content will be sent to the recycle bin.

• If there were any files in the recycle bin at the date and time selected for rollback and those files have been deleted from the recycle bin, OneDrive restore (rollback) will not restore those files.

Note: When a user deletes content from the site recycle bin it goes to the site collection recycle bin. Deleted OneDrive for Business files can’t be rolled back (restored) after they’ve been removed from the site collection recycle bin — either by manual delete or by emptying the recycle bin.

3. OneDrive for Business - Retention

When an account with OneDrive for Business is marked for deletion (following the NHSmail 30-day leaver process), OneDrive for Business files will be retained for 180 days.

However, if as part of the leaver and joiner process in this document, a Local Administrator decides to delete a leaver’s OneDrive for Business content, all content will be sent to the OneDrive for Business preservation hold library. Any content in the preservation hold library that was created or last edited >180 days ago will be deleted automatically. Once deleted, content cannot be restored.

Example scenario - User A creates a new item today

The below worked example shows the above policies in action.

1. User A creates a new item today.

2. As per the NHSmail Retention Policy, the new item is retained for 180 days.

3. If the newly created item is edited by User A or any other user (if shared by User A), its retention will start again for 180 days.

4. If the newly created item is deleted, it will be sent to the site recycle bin (first stage) and can be restored by the user within 93 days.

5. During the 93 days, if the user purges the deleted item from the first stage recycle bin, it will be sent to the second stage recycle bin and will remain there for the remainder of the 93 days. The duration of 93 days is shared between the first stage and second stage recycle bins.

6. If User A purges deleted content from both the first stage and second stage recycle bins:

o it can be recovered if it is covered by the retention policy of 180 days from the day it was created or last edited;

o it cannot be recovered if it is older than 180 days since it was created or last edited.


7.2.2 SharePoint Online

SharePoint Online provides multiple recovery options for different items. SharePoint Online has two roles from which to recover items.

1. As a user, from the site recycle bin.

2. As a Site Collection administrator, from the site collection recycle bin.

Microsoft SharePoint Online offers site recycle bin (also called the first stage recycle bin) and site collection recycle bin (also called the second stage recycle bin). The following table shows details of what each role can access:

Item Name                         Site Recycle Bin (First Stage Recycle Bin)   Site Collection Recycle Bin (Second Stage Recycle Bin)

Documents                         Yes                                          Yes

Web Designer Gallery              Yes                                          Yes

Apps (lists or libraries)         Yes                                          Yes

Subsite                           No                                           Yes

Content Types and Site Columns    No                                           No

Site Collection                   No                                           No

Alerts                            No                                           No

Permissions                       No                                           No

Service Application settings      No                                           No

1. Site Collection Recovery

Recovery of site collections is managed at the tenant administrator level and is therefore available via the NHSmail hybrid support team through the NHSmail helpdesk.

Note: The total retention period set by Microsoft for SharePoint sites is 93 days.

2. Subsite Recovery

A SharePoint online site owner can delete a SharePoint subsite. Once a SharePoint online subsite is deleted, it is sent to the SharePoint Online site collection recycle bin (second stage).

The default retention period to restore the SharePoint subsite from the SharePoint Online site collection recycle bin is 93 days and it cannot be changed. Subsites are retained for 93 days from the time the user deletes them from their original location. They stay in the site collection recycle bin the entire time, unless deleted or unless the second stage recycle bin is emptied or exceeds its storage quota and starts purging its oldest items.

Note:

o The site recycle bin storage counts against site collection storage quota.

o When a site or subsite is deleted, the retention and recovery policies at the site / subsite level apply to the data within it, i.e. they supersede the various retention timelines for specific data / content set out here. Therefore, once a SharePoint site / subsite has been in a deleted state for the full retention period of 93 days, its content cannot be searched and restored using Office 365 eDiscovery or the retention process.


3. SharePoint Data Recovery

When a user deletes items from a SharePoint Online site, they're sent to the site recycle bin (first stage recycle bin), where the user can restore them if they need to. When a user deletes items from a site recycle bin, they're sent to the site collection recycle bin (second stage recycle bin). Only the SharePoint Online site owner can view and restore deleted items from the site collection recycle bin to their original locations.

Both first stage and second stage recycle bins share a default retention of 93 days configured by Microsoft. Within 93 days, deleted items can be restored by the user (or by the site owner, if in the second stage recycle bin) to their original location. After 93 days, data will no longer be available to recover unless it is within the retention period of 180 days since it was created or last edited.

The deleted content from both the first stage and second stage recycle bins resides in the preservation hold library (as per retention policy of 180 days since created or last edited). If the content has already passed the retention period, it cannot be recovered from the preservation hold library. A request to the NHSmail helpdesk must be submitted to restore the content.

Example scenario - User A deletes a file from the SharePoint site or subsite

The below worked example shows the above policies in action.

1. User A deletes a file from the SharePoint site or subsite.

2. The deleted file is moved from the site to the first stage recycle bin.

3. If it’s the first ever deleted file in the SharePoint site or OneDrive for Business, a preservation hold library will be created (automatic process) to hold deleted items. Once the preservation hold library is created, eDiscovery can be performed to retrieve content from the recycle bin.

4. User A deletes the same file from the first stage recycle bin to move it to the second stage recycle bin. The preservation hold library will hold the deleted file. eDiscovery can be performed to retrieve content from the recycle bin.

5. User A deletes the same file from the second stage recycle bin. Once deleted, the user will not be able to perform any further action. The preservation hold library will hold the file and this can be retrieved by the eDiscovery process.
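The OneDrive worked example in 7.2.1 and the SharePoint worked example above combine three independent clocks: the 93-day recycle bin window, the 180-day retention clock that runs from creation or last edit, and the 93-day window for a deleted site, subsite or group. The following Python model is an added example, not part of this guide or of the NHSmail service, that encodes those rules so the recovery route still open for a deleted item can be checked; the Item field names, route labels and sample dates are constructed for the example.

```python
"""Decision model for the recovery rules described in section 7.2 (added example).

Constants are taken from the guide: a 93-day window shared by the first- and
second-stage recycle bins, a 180-day tenant retention policy counted from the
item's creation or last edit, and a 93-day window after a site, subsite or
Office 365 group is deleted, beyond which nothing inside it can be recovered.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RECYCLE_BIN_DAYS = 93          # shared by first- and second-stage bins
RETENTION_DAYS = 180           # NHS_Standard_180_Days_Policy
DELETED_CONTAINER_DAYS = 93    # deleted site / subsite / Office 365 group

# Route labels are constructed for this example.
ROUTE_NOT_DELETED = "not deleted: each edit restarts the 180-day clock"
ROUTE_RECYCLE_BIN = "recycle bin: user self-service restore"
ROUTE_EDISCOVERY = "eDiscovery via NHSmail helpdesk (preservation hold library)"
ROUTE_RESTORE_CONTAINER = "restore the deleted site / group first, then recover the item"


@dataclass
class Item:
    created: date
    last_edited: date
    deleted: Optional[date] = None            # removed from its original location
    purged_from_bins: bool = False            # removed from both recycle bins
    container_deleted: Optional[date] = None  # parent site / group deletion date


def retention_expiry(item: Item) -> date:
    """Last day a copy exists under the retention policy: 180 days from the
    later of creation and last edit (an edit restarts the clock)."""
    return max(item.created, item.last_edited) + timedelta(days=RETENTION_DAYS)


def recovery_route(item: Item, today: date) -> str:
    """Name the recovery route still open on `today`, or say why none is."""
    # A deleted site / subsite / group supersedes the item-level timelines:
    # the container must be restored first, and only within its own window.
    if item.container_deleted is not None:
        limit = item.container_deleted + timedelta(days=DELETED_CONTAINER_DAYS)
        if today <= limit:
            return ROUTE_RESTORE_CONTAINER
        return "unrecoverable: container past its 93-day window"
    if item.deleted is None:
        return ROUTE_NOT_DELETED
    # First- and second-stage bins: 93 days from deletion, unless the user has
    # already purged the item from both bins.
    if not item.purged_from_bins:
        if today <= item.deleted + timedelta(days=RECYCLE_BIN_DAYS):
            return ROUTE_RECYCLE_BIN
    # Preservation hold library: only while the 180-day retention clock,
    # counted from creation / last edit rather than from deletion, is running.
    if today <= retention_expiry(item):
        return ROUTE_EDISCOVERY
    return "unrecoverable: past recycle bin window and retention period"


def recovery_deadline(item: Item) -> Optional[date]:
    """Final date on which any route applies; None while the item still exists,
    because each edit restarts the retention clock."""
    if item.container_deleted is not None:
        return item.container_deleted + timedelta(days=DELETED_CONTAINER_DAYS)
    if item.deleted is None:
        return None
    if item.purged_from_bins:
        return retention_expiry(item)
    return max(item.deleted + timedelta(days=RECYCLE_BIN_DAYS),
               retention_expiry(item))


if __name__ == "__main__":
    # Constructed scenario: created 1 Jan 2019, never edited, deleted 1 Jun 2019
    # (day 151 of its 180-day clock), checked 44 days after deletion.
    item = Item(created=date(2019, 1, 1), last_edited=date(2019, 1, 1),
                deleted=date(2019, 6, 1))
    print(recovery_route(item, date(2019, 7, 15)), recovery_deadline(item))
    # Purging both bins removes the 93-day window; the 180-day clock ran out on
    # 30 Jun 2019, so the item is gone although the deletion is only 44 days old.
    item.purged_from_bins = True
    print(recovery_route(item, date(2019, 7, 15)), recovery_deadline(item))
```

The second scenario is the point Local Administrators most often miss: purging the recycle bins does not start a new window, it only leaves whatever remains of the retention clock that began when the item was last edited.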


Licence Restrictions

See the below table for information on which licence types support the preservation hold library and eDiscovery features. More information can be found on Microsoft’s website.

Content features             Office 365 Enterprise E1/F1   Office 365 Enterprise E3   Office 365 Enterprise E5

Preservation Hold Library    No                            Yes                        Yes

eDiscovery Search            Yes                           Yes                        Yes

eDiscovery Hold              No                            Yes                        Yes

eDiscovery Export            No                            Yes                        Yes

7.2.3 Microsoft Teams

When a new Team in Microsoft Teams is created, it automatically creates an Office 365 Group and is subject to security and compliance.

Teams Channels Recovery

If a user deletes a team channel, it can be recovered by the user within 21 days. The recovery of a deleted channel within 21 days will restore the entire team channel and content retained within it. After 21 days a deleted team channel cannot be restored, however its content can be retrieved using the eDiscovery process, via the NHSmail helpdesk, if it is within the retention period of 180 days.


Microsoft Teams Team Recovery

Microsoft Teams relies on Office 365 Groups. If a user deletes a team, it can be recovered by the NHSmail helpdesk within 30 days. The recovery of the deleted team within 30 days allows recovery of the entire team (including all team members, team content, tabs and chat history). After 30 days a deleted team cannot be restored; however, its content can be retrieved using the eDiscovery process, via the NHSmail helpdesk, if it is within the retention period of 180 days.

7.2.4 Microsoft Forms

Microsoft Forms has no recycle bin. If a user deletes a form, there is no way to recover it. When a user deletes a form, it also permanently deletes all responses to the form. Microsoft Forms doesn’t support retention, data loss prevention or eDiscovery.

7.2.5 Microsoft Sway

If a user deletes a Sway built using the Sway web application, Sway for Windows 10 or Sway for iPhone and iPad, it goes to the Sway recycle bin where it can be recovered by the user within 30 days. If during the 30 days Sway is deleted from the recycle bin it cannot be restored. The retention policy set within the O365 tenant does not apply to Microsoft Sway. Microsoft Sway doesn’t support retention, data loss prevention or eDiscovery.

7.2.6 PowerBI

If a PowerBI Pro user deletes a Power BI report or dashboard or associated Office 365 group, it can be restored by an Office 365 Global Administrator within 30 days by restoring a deleted Office 365 group. Microsoft Power BI doesn’t support retention, data loss prevention or eDiscovery.

7.2.7 StaffHub

Data residing in StaffHub can be deleted by the StaffHub team manager. The StaffHub manager can delete StaffHub Shifts, StaffHub Activities, StaffHub To-Dos, StaffHub Team Members and the StaffHub Team itself; however, once deleted, none of this data (schedules, to-dos and team members) can be recovered. Microsoft StaffHub doesn’t support retention, data loss prevention or eDiscovery (without an Office 365 group).

7.2.8 Microsoft Planner

Microsoft Planner relies on Office 365 groups. If a user deletes a plan, it also deletes the group and associated data. It can be recovered through a request to the NHSmail helpdesk within 30 days. After 30 days, an Office 365 group (plan) cannot be restored.

eDiscovery of Plan

By default, plans are not enabled to generate emails, however ‘send email to the group when task is assigned or completed’ can be added and enabled by the group owner by editing the plan setting.

Note: All Planner emails (task assignment and comments) are sent to the Office 365 group mailboxes which cannot be accessed via Outlook, OWA or Mobile App. Therefore, users will not be able to receive / see notifications. These emails can be retrieved from the group mailbox through the eDiscovery process via an NHSmail helpdesk request, as per the retention policy of 180 days.


Planner Tasks and Bucket

For Microsoft Planner tasks and buckets there is no recycle bin. A Planner task or bucket can be deleted by the Planner Administrator; however, once deleted it cannot be recovered.

7.2.9 Yammer

The NHSmail O365 Hybrid tenant has the Yammer data retention set to soft delete. This means deleted data will be retained on Yammer servers and is available for eDiscovery requests made to the NHSmail helpdesk.

Note: Once deleted, data (posts, groups) deleted in Yammer cannot be restored to its original location. Data retention policies set for the NHSmail O365 Hybrid Service are separate from the email and Skype for Business retention policies also in place on the NHSmail service. Further details are available in the Data Retention and Information Management policy.

7.2.10 Yammer Connected Groups

As Yammer connected groups are based on Office 365 groups, they follow the same retention, recovery and eDiscovery as Office 365 groups. When a Yammer connected group is deleted, all the associated Office 365 content associated with the group is also deleted. This includes the document library, OneNote notebook and Planner plans. These resources are soft deleted and can be restored by an Office 365 Global Administrator for up to 30 days. Yammer posts are not stored to Office 365 groups therefore Yammer posts will be saved to Yammer and follow the same retention, recovery and eDiscovery as standard Yammer groups.

7.2.11 Microsoft Flow

For Microsoft Flow, there is no recycle bin. A Flow can be deleted by the Flow owner and once deleted it cannot be recovered by a user or Office 365 Global Administrator. However, a request can be raised by the Office 365 Global Administrator with Microsoft within 30 days of deletion to recover a deleted Flow. Microsoft Flow doesn’t support retention, data loss prevention or eDiscovery.

7.2.12 Microsoft PowerApps

For Microsoft PowerApps, there is no recycle bin. A PowerApps app can be deleted by the PowerApps owner; once deleted it cannot be recovered by a user or Office 365 Global Administrator. However, a request can be raised by the Office 365 Global Administrator with Microsoft within 30 days of deletion to recover a deleted PowerApps app. Microsoft PowerApps doesn’t support retention, data loss prevention or eDiscovery.

7.2.13 Microsoft Stream

For Microsoft Stream, there is no recycle bin. A video uploaded on Stream can be deleted by the video owner, however once deleted it cannot be recovered. Microsoft Stream doesn’t support retention, data loss prevention or eDiscovery.

7.2.14 Microsoft Project Online

For Microsoft Project Online, there is no recycle bin, even though projects are tightly integrated with Project Web App (PWA) sites in SharePoint Online. A Project owner can delete a project from the Project site; however, once a project is deleted, it cannot be restored.


If a PWA site is deleted, it can be restored as per the SharePoint Online site recovery process.

7.2.15 Microsoft Visio

Microsoft Visio files can be saved locally or in OneDrive for Business. If the Visio files are saved in OneDrive for Business, they will follow the same retention and recovery process as any other content in OneDrive for Business.

7.3 Label Policy

O365 Labels allow users to classify data across the SharePoint and OneDrive applications to enable document governance and enforce retention rules based on that classification.

The NHSmail O365 Hybrid tenant has created three labels that organisations and their users can use to classify documents. The published labels will appear as label policy for both SharePoint Online and OneDrive for Business documents and can be used by users to tag / label their document with an appropriate label.

See the detail of these labels below:

Label: Patient Identifiable Data and Personal Data

Description for users: Label your data as "Patient Identifiable Data and Personal Data" if it includes medical records or personal data.

Applied to: OneDrive, SharePoint Online

Associated DLP Policy: UK Data Protection Act

Label: Official Data

Description for users: Label your data as "Official Data" if it includes routine business operations and services, some of which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened risk profile, e.g. contractual documentation, audit reports, operational documentation / procedures, project admin data.

Applied to: OneDrive, SharePoint Online

Associated DLP Policy: Official and Public Data

Label: Public Data

Description for users: Label your data as "Public Data" if it is released to public domains, e.g. website content, public communications, approved media releases, published research.

Applied to: OneDrive, SharePoint Online

Associated DLP Policy: Official and Public Data

7.4 Data Loss Prevention

Data Loss Prevention (DLP) policies can be implemented to help identify and protect sensitive information by ensuring that information in a document isn't shared with the wrong people.

The following two DLP policies have been created within the NHSmail O365 Hybrid tenant for OneDrive for Business and SharePoint Online. They have been published to detect documents containing Sensitive Information Types and documents carrying the O365 Labels described above.

The Sensitive Information Types used are provided by Office 365 to use in security and compliance policies. These include a large collection of types, spanning regions around the globe, as well as any custom types. As part of the Label and DLP configuration, the NHSmail Hybrid tenant will make use of the following Sensitive Information Types:

• UK National Insurance number (NINO)

• US / UK passport number

• SWIFT Code

• Bank credit card details

• UK National Health Service number

7.4.1 DLP Policy: UK Data Protection Act

Policy Name: UK Data Protection Act

Status: Enabled

Description: To detect the presence of information subject to the United Kingdom Data Protection Act and UK Personal Information Online Code of Practice (PIOCP), including data such as:

• UK National Insurance number (NINO)

• US / UK passport number

• SWIFT Code

• Bank credit card details

• UK National Health Service number

Locations:

• SharePoint Sites

• OneDrive Accounts

Policy Setting – Rule 1 – UK Data Protection Act Internal

Conditions: Content Contains

UK Financial Data:

• Credit card number

• SWIFT Code

• EU debit card number

• US / UK passport number

UK Access to Medical Reports Act:

• UK National Health Service number

• UK National Insurance number (NINO)

Labels:

• Patient Identifiable Data and Personal Data

Action: Content is shared with people inside the NHS Directory. No requirement to restrict users from internal sharing, therefore no action is required.

User Notification: Policy tip presented to user: "NHS Digital recommends protecting this data under UK Data Protection Act and UK Personal Information Online Code of Practice (PIOCP) because it contains confidential data."

Policy Setting – Rule 2 – UK Data Protection Act External

Conditions: Content Contains

UK Financial Data:

• Credit card number

• SWIFT Code

• EU debit card number

• US / UK passport number

UK Access to Medical Reports Act:

• UK National Health Service number

• UK National Insurance number (NINO)

Labels:

• Patient Identifiable Data and Personal Data

Action: Content is shared with people outside the NHS Directory. Access to the content is restricted for external users.

User Notification: Policy tip: "NHS Digital recommends protecting this data under UK Data Protection Act and UK Personal Information Online Code of Practice (PIOCP) because it contains confidential data."

7.4.2 DLP Policy: Official & Public Data

Policy Name: Official & Public Data

Status: Enabled

Description: Any content labelled as containing either Official or Public data

Locations:

• SharePoint Sites

• OneDrive Accounts

Policy Setting – Rule 1 – Official & Public Data Internal

Conditions: Content Contains

Labels:

• Official Data

• Public Data

Action: Content is shared with people within the NHS Directory. No requirement to restrict users from internal sharing, therefore no action is required.

User Notification: Policy tip: "NHS Digital recommends protecting this data under UK Data Protection Act and UK Personal Information Online Code of Practice (PIOCP) because it contains confidential data."

Policy Setting – Rule 2 – Official & Public Data External

Conditions: Content Contains

Labels:

• Official Data

• Public Data

Action: Content is shared with people outside the NHS Directory. Access to the content is restricted for external users.

User Notification: Policy tip: "NHS Digital recommends protecting this data under UK Data Protection Act and UK Personal Information Online Code of Practice (PIOCP) because it contains confidential data."

7.5 eDiscovery

The NHSmail Office 365 Hybrid Service will follow the existing NHSmail Access to Data Policy with regards to eDiscovery requests.

These policies follow the principle that user content will not be accessed by NHSmail support staff unless required to resolve a support case an NHS organisation has raised, in response to a request under the Access to Data Policy, or where required for the security of the platform (e.g. anti-malware scanning).

7.6 General Data Protection Regulation (GDPR)

Information on the GDPR for the NHSmail Live Service in England is available on the Portal help pages.


8 Reporting

The NHSmail O365 Hybrid Service provides some reports for Local Administrators to download or request that support them in their local administration role.

8.1 Licence reports

Local Administrators enabled with the NHSmail O365 Hybrid management role in the NHSmail Portal will have access to both an O365 licence summary page and a download report detailing allocated licences by type and user. The report will be downloaded as a .csv file and will show all users allocated a licence along with their associated active applications and release track.

Guidance on how to download this report is available in the O365 Hybrid Local Administrator guide.

8.2 Storage reports

Local Administrators enabled with the NHSmail O365 Hybrid management role in the NHSmail Portal will have access to download storage reports for OneDrive and SharePoint Online. The report will be downloaded as a .csv file and will show total storage used against quota per user OneDrive and SharePoint Site collection.

For guidance on how to download this report please see the O365 Hybrid Local Administrator guide.

8.2.1 DLP and Label Classification

Local Administrators enabled with the NHSmail O365 Hybrid management role in the NHSmail Portal will have access to download DLP and Label Classification reports for documents stored in OneDrive and SharePoint Online. The report will be downloaded as a .csv file and will show the user ID, file name and location for files tagged under the DLP and label classification policies.

For guidance on how to download this report please see the O365 Hybrid Local Administrator guide.

8.3 Azure B2B reports

An Azure B2B report detailing whitelisted external organisations will be available to Local Administrators via the NHSmail Portal.

8.4 Other reports

Local organisation reports for Yammer Posts, Teams Activity, DLP and Label Classification are not yet available through the NHSmail Portal. To request these for your organisation please raise a request with the NHSmail helpdesk.

8.5 Service health

Microsoft O365 service health status information is surfaced from the NHSmail O365 tenant to the NHSmail Portal pages for Local Administrators to review.


9 Local organisation responsibilities

9.1 Local software and hardware

Local organisations are responsible for client-side device software rollout and configuration, including the Office suite applications made available as part of an organisation’s licence and used with the NHSmail O365 Hybrid Service. Where required, updates to web browsers to support Office Online products, or to other client software, are the responsibility of local organisations.

9.2 Local network and infrastructure

Configuration of local network and infrastructure to connect and support O365 services is the responsibility of local organisations. Any Health and Social Care Network (HSCN) / Transition Network (TN – formerly known as N3) readiness assessment required to support an organisation’s NHSmail O365 Hybrid implementation is to be completed by the local organisation. It is important organisations joining the O365 service ensure their existing HSCN / TN architecture, design and capacity will be fit for purpose to support the steady state run of their expected O365 workloads.

9.3 Adoption and training

Training of end users will be the responsibility of NHS organisations.

9.4 Licence procurement

The NHSmail O365 Hybrid Service operates a ‘bring your own licence’ model. Local organisations are responsible for the procurement of their O365 licences ahead of joining the NHSmail O365 Hybrid Service. More information on this is available in the licensing procurement section of this document.

10 Unsupported services

The NHSmail O365 Hybrid Service does not currently support use of, or integration with, the subscriptions or services below. These include, but are not limited to:

• Azure Information Protection

• Enterprise Mobility & Security

• Microsoft Intune

• Office Store

• Dynamics 365

• Microsoft Bookings

For more information on the above, and to express interest in the NHSmail service offering additional Office 365 services, please contact the NHSmail helpdesk.

11 Clinical Safety and Acceptable Use Policy

11.1 Clinical safety

The NHSmail clinical safety case has been uplifted to include assurance of the integration between Microsoft O365 services and the NHSmail service through a ‘hybrid’ deployment.

NHSmail-supported Azure Active Directory services and enhancements to the NHSmail Portal are included in this uplift, which has been approved in line with DCB0129 Clinical Risk Management: Its Application in the Manufacture of Health IT Systems.

Whilst Accenture manage the NHSmail O365 tenant, including setting the global configuration and the Azure AD synchronisation tools, the O365 services themselves are managed directly between each organisation and Microsoft and, as such, remain outside the scope of the NHSmail clinical safety case.

Further information on obtaining a copy of the National NHSmail Clinical Safety Case can be found on the NHSmail Portal help pages, in the ‘Policy’ section.

11.2 Acceptable Use Policy

The NHSmail Acceptable Use Policy has been uplifted to include some additional policies for the use of the NHSmail O365 Hybrid Service.

11.3 More information

Further information on the NHSmail O365 Hybrid Service is available from NHS Digital by contacting the NHSmail helpdesk.

12 NHSmail helpdesk

The NHSmail helpdesk can be contacted on 0333 200 1133 or [email protected].