NHSmail Office 365 Hybrid Service Configuration Guide May 2019 Version 1 Copyright © 2019 NHS Digital
Contents
1 Introduction
1.1 Target audience
1.2 Service background
2 Scope
2.1 Licences and applications
2.2 Service support
3 Onboarding
3.1 Joining the service
3.2 Leaver / joiner process
3.3 Licensing procurement
3.4 Transferring existing licences
3.5 Data migration from an existing O365 tenant
3.6 Microsoft FastTrack services
3.7 Ending NHSmail O365 Hybrid services
3.8 Technical pre-requisites
4 Application service information
4.1 Supported application summary
4.2 Azure Active Directory
4.3 SharePoint Online
4.4 OneDrive for Business
4.5 Microsoft Teams
4.6 Yammer enterprise
4.7 StaffHub
4.8 PowerBI
4.9 Delve
4.10 Planner
4.11 Office Online
4.12 Microsoft Forms
4.13 Sway
4.14 Office 365 Groups
4.15 Microsoft PowerApps
4.16 Microsoft Flow
4.17 Microsoft Stream
4.18 Microsoft Project Online
4.19 Microsoft Visio Online
4.20 Mobile applications
5 Azure B2B Guest Access
5.1 Domain Name Whitelisting
5.2 Guest User Invites
5.3 Azure Federated Group Import
5.4 Lifecycle Management
5.5 External sharing breakdown by application
6 Tenant Policy
6.1 Vanity domains
6.2 Office 365 release cycle policy
6.3 Third party applications
6.4 Tenant branding
6.5 Office 365 desktop applications
7 Compliance
7.1 Data Residency
7.2 Data retention and recovery
7.3 Label Policy
7.4 Data Loss Prevention
7.5 eDiscovery
7.6 General Data Protection Regulation (GDPR)
8 Reporting
8.1 Licence reports
8.2 Storage reports
8.3 Azure B2B reports
8.4 Other reports
8.5 Service health
9 Local organisation responsibilities
9.1 Local software and hardware
9.2 Local network and infrastructure
9.3 Adoption and training
9.4 Licence procurement
10 Un-supported services
11 Clinical Safety and Acceptable Use Policy
11.1 Clinical safety
11.2 Acceptable Use Policy
11.3 More information
12 NHSmail helpdesk
1 Introduction
1.1 Target audience
This document outlines the configuration of the NHSmail Office 365 Hybrid Service for
IT Managers and Local Administrators (LAs).
Service configuration guides for other services will be available at the point of release.
1.2 Service background
The NHSmail service is the national secure collaboration service for health and care in
England and Scotland and is currently used by over 1.5 million users and continues to grow.
To enable greater access to collaboration applications, the NHSmail service is now
integrated with Microsoft Azure Active Directory (Azure AD) and Microsoft Office 365 (O365).
Azure AD is a cloud-based directory that enables secure, cloud-based identity management
for the NHSmail service. O365 is a subscription-based cloud productivity suite that includes
services such as OneDrive for Business, SharePoint Online and Yammer.
The NHSmail service has been integrated with a dedicated Office 365 tenant for users
across England. NHS organisations will be able to access the O365 services in a ‘bring your
own licence’ model. Users provisioned with licences will access the NHSmail Office 365
Hybrid Service using their existing NHSmail username and password.
The NHSmail Portal has been developed to enable organisations to subscribe and manage
their Office 365 licences. This includes, but is not limited to, the ability to assign licences,
enable applications and create SharePoint sites.
Organisations consuming Office 365 services via the NHSmail Office 365 Hybrid Service will
need to use NHSmail as their primary email service.
This document outlines the key functional and configuration details for each of the new
services for NHS organisation administrators and IT managers.
Note: The NHSmail Office 365 Hybrid Service is currently not available for users in
Scotland.
2 Scope
2.1 Licences and applications
Office 365 licences must be procured by NHS organisations directly from Microsoft or their
Licence Reseller and will not be available to procure nationally through the NHSmail service.
Organisations are not required to procure Azure AD licences to consume the O365 service.
The following enterprise and standalone licence types are supported on the NHSmail Office
365 Hybrid Service:
Office 365 Enterprise F1
Office 365 Enterprise E1
Office 365 Enterprise E3
Office 365 Enterprise E5
Microsoft PowerApps Plan 1
Microsoft PowerApps Plan 2
Microsoft Flow Plan 1
Microsoft Flow Plan 2
Microsoft Stream Plan 1
Microsoft Stream Plan 2
Microsoft Visio Plan 1
Microsoft Visio Plan 2
Power BI (Free)
Power BI Pro
Power BI Premium
Microsoft Project Online Essential
Microsoft Project Online Professional
Microsoft Project Online Premium
Details of the applications supported within these licence types can be found in the
Application Service Information section of this document.
Organisations will be required to raise a service request with the NHSmail helpdesk to
onboard their licences to the NHSmail Office 365 Hybrid Service. Further information is
available on onboarding within this document.
The commercial relationship for provision of O365 services is between the NHS
organisations and Microsoft via their licence agreement. The NHSmail service is providing
access and integration management of the NHSmail O365 tenant. The NHSmail service is
not responsible for the Microsoft cloud infrastructure and Office 365 application service
levels.
2.2 Service support
Helpdesk support for the NHSmail O365 Hybrid Service will be provided by the existing
NHSmail helpdesk. Local organisations are expected to provide initial triage and
troubleshooting support to their end users as per the existing NHSmail service. LAs will be
able to raise tickets with the NHSmail helpdesk for faults relating to configuration within the
NHSmail Office 365 tenant. Faults relating to Microsoft infrastructure and product issues will
be raised directly with Microsoft.
Organisations wishing to use their Microsoft Premier Support should raise cases directly with
Microsoft via the standard Premier Support channels. Where these cases require support
from the NHSmail service, a ticket should be raised with the NHSmail helpdesk by the local
organisation. The NHSmail service does not support submission of Microsoft Premier
Support cases centrally on behalf of NHS organisations.
Further information is available in this document on local organisation responsibilities.
3 Onboarding
3.1 Joining the service
To join the NHSmail Office 365 Hybrid Service, users must have an existing NHSmail
account and be using NHSmail as their primary email service. The process for joining the
NHSmail Office 365 Hybrid Service can be broken down into four stages.
1. Procure Office 365 licences
2. Submit licences to NHSmail via the NHSmail helpdesk
3. Allocate licences to users within the NHSmail Portal
4. Enable users as guest inviters (optional)
Step 1: Procure O365 licences
Local organisations should procure Office 365 licences directly from Microsoft or their
Licence Reseller who will issue the organisation with an email confirmation of their purchase.
Licensing is not available centrally via the NHSmail service.
More information is available in this document on licensing procurement.
Step 2: Submit licences to NHSmail
Once your organisation has procured O365 licences you will receive an email from your
Licence Reseller confirming the purchase. At this point your organisation’s LA should raise a
service request with the NHSmail helpdesk where details of your subscription can be shared
and the process for tenant allocation started. Details required in this request can be found in
the Onboarding Guide for Local Administrators.
Once an onboarding service request has been raised, the NHSmail team will allocate your
licences to the O365 tenant and make them visible in the self-service NHSmail Portal. Once
this process is complete, licences will be available to manage and allocate by LAs through
the NHSmail Portal. Your licences will be securely held and managed in the central NHSmail
O365 tenant until their expiry.
Note: Licences and their submission will be managed and serviced on a per organisation
basis and cannot be split across multiple organisations.
Step 3: Allocate licences to users by creating user policies
Once step 2 is completed, the organisation LAs will be able to log into the NHSmail Portal
and navigate to the administration area for enabling services. Detailed guidance on how to
create licence profiles and enable O365 services for users is available in the Hybrid Local
Administrator guide.
Step 4: Enable users as guest inviters (optional)
Organisation LAs will be able to decide whether they would like to enable their NHSmail
users as guest inviters so that they can collaborate with users from external organisations.
They can configure NHSmail users as eligible guest inviters via the NHSmail Portal. Detailed
guidance on this is available in the Hybrid Local Administrator guide.
3.2 Leaver / joiner process
The NHSmail service has a defined process for account leavers / joiners.
NHSmail accounts marked as ‘leavers’, that have an NHSmail O365 Hybrid licence
assigned, require some additional steps to remove the O365 licence and define retention
actions for organisation-owned content stored in the account’s OneDrive.
These additional steps are described below and should be owned by the licence-owning
organisation’s LA:
1. Marking an O365 enabled account as a leaver will remove that account’s O365 licence
straight away. The licence is returned to the organisation’s pool of available O365
licences and available for re-assignment.
2. Immediately following point 1 above, the LA will be prompted to decide whether the
account’s OneDrive for Business data should be retained. This will be a binary Yes/No.
YES – All data will be deleted from the account’s OneDrive and the account’s recycle bin,
ensuring it cannot be accessed by the account should it be joined and enabled with
NHSmail O365 Hybrid at another organisation on NHSmail. Once data is deleted, it
cannot be accessed by the user. However, data under retention can be recovered from
the preservation hold library. Details on the OneDrive data retention policy are available
within this document.
NO – No action taken, and the account’s OneDrive data remains in place should the
account be re-licensed at a later date. While users are in a leaver state, permissions to
OneDrive data can be delegated by the service team - this includes if the account is re-
licensed for NHSmail O365 Hybrid services at a new organisation on NHSmail. If the
account is not joined to a new organisation it will progress through the standard NHSmail
account deletion process. Standard data retention policies will apply and are detailed in
this document.
LAs can request leavers to delegate OneDrive access before they are marked as a
leaver to avoid making a service request.
LAs can request leavers to delegate Microsoft Flows, PowerApps and Stream content
ownership because content from these apps cannot be deleted automatically.
Leaver group memberships
Leaver accounts will not automatically be removed from O365 related groups. LAs can view
an account’s O365 group and SharePoint site membership within the NHSmail Portal and
remove as required. This process allows local control of group membership and enables
users, where required, to maintain membership of collaborative groups / services where
appropriate. For example, a user moving to a new organisation continues to require
collaboration access in a regional Yammer group or Teams site. Instructions on how to do
this can be found in the Hybrid Local Administrator guide.
3.3 Licensing procurement
There are two ways an organisation can procure Office 365 licences ahead of allocating to
the NHSmail O365 Hybrid Service.
1. Microsoft Volume Licensing programmes are commonly used by large organisations
and allow bespoke bulk purchasing of licences. These licences are purchased
through a Microsoft Partner and can then be managed through Microsoft’s Volume
Licensing Service Centre.
2. Directly from Microsoft via their enterprise subscription pages.
Following procurement, Microsoft will issue a subscription activation email confirming your
purchase. See the onboarding section within this document for information on how to
progress an onboarding request once you have reached this point.
3.4 Transferring existing licences
Organisations transferring licences already allocated to an existing O365 tenant should raise
a service request with the NHSmail helpdesk. The NHSmail team will then raise a case with
Microsoft to progress this transfer. The local organisation will also need to raise a case to
Microsoft from their existing tenant requesting the transfer as this is required by Microsoft as
authority to transfer.
3.5 Data migration from an existing O365 tenant
Organisations with an existing O365 tenant that require data migration from that tenant to the
NHSmail O365 Hybrid tenant should first consider the feasibility of a locally managed
manual migration following their onboarding to the NHSmail O365 Hybrid Service. Feasibility
will be dependent on several factors including volume of data, complexity and availability of
local resource to support it.
Should an organisation already own O365 licences and have their own tenant, the process in
the below diagram can be followed to migrate to the NHSmail Hybrid tenant. It is important
for an organisation to fully understand the necessary pre-requisites (as highlighted in the
Tenant to Tenant Migration guide) and the Functional Comparison guide, before starting the
migration process.
Understand migration approach & necessary pre-requisites
• Read Tenant to Tenant Migration Approach to understand requirements
• Understand the functional comparison between native Microsoft O365 tenants & the
NHSmail Hybrid Platform
Determine local migration approach using Tenant to Tenant document as a guide
• Develop approach – including what data needs to be migrated, from which applications & how
• Create a deployment plan & timeline
Engage third-party supplier if required
• Engage any third parties needed for the migration
• Raise a ticket to the NHSmail helpdesk detailing administrator access requirements (as
detailed in section 2.4.1)
Follow licence onboarding transfer process
• Formally raise a request with your Microsoft License Reseller & the NHSmail helpdesk to
transfer your O365 licences
• This process is documented here
Migrate on an app by app basis
• Complete migration process & necessary testing to ensure data is accessible on the new tenant
• Phase out and eventually decommission the legacy tenant
Organisations who decide a locally managed manual migration is not appropriate should
consider the use of Microsoft FastTrack services where applicable to support such a
migration.
For some organisations, FastTrack may be available as part of their O365 licences. More
information on the Microsoft FastTrack service and its use with the NHSmail O365 Hybrid
Service is available in this document.
3.6 Microsoft FastTrack services
The NHSmail Hybrid Service supports and encourages the use of Microsoft FastTrack
services where it is included in an organisation’s licence agreement with Microsoft. To
progress a request to use FastTrack services to onboard to the NHSmail Hybrid Service
please raise a request to the NHSmail helpdesk.
3.7 Ending NHSmail O365 Hybrid services
Ceasing NHSmail O365 Hybrid services for your organisation can occur via a request from
your Local Administrator, with approval confirmation from the local organisation’s Chief
Information Officer (CIO) to the NHSmail helpdesk or through the expiry of your
organisation’s Office 365 licences.
A request to the NHSmail helpdesk to remove hybrid services will trigger a licence transfer
process. This process will require an organisation to submit details of their new tenant to the
NHSmail helpdesk, so a licence transfer request can be submitted to Microsoft. The
NHSmail service team will raise this request with Microsoft.
Expiry of O365 licences in the NHSmail O365 Hybrid Service will trigger an automatic
removal of those licences. The NHSmail Portal tracks licence expiry dates and will issue an
expiry notice to an organisation’s LA 30 days ahead of expiry.
Information on data retention policies is available in this document.
3.8 Technical pre-requisites
Network planning and performance
Using any Office 365 service is likely to increase the utilisation of an organisation’s internet
links. It is key to determine that the amount of bandwidth available is enough to handle the
estimated increase when Office 365 is live and in use by end users.
Microsoft provides guidance and tools for organisations on effective network planning and
testing ahead of rolling out Office 365 services. These are available on Microsoft’s website
and should be referred to by LAs ahead of enabling NHSmail O365 Hybrid services.
Office 365 URLs and IP address ranges
Office 365 requires connectivity to the internet. Microsoft define a list of end points that need
to be reachable to ensure O365 service connectivity. This is a living list which Microsoft
update monthly and publish via RSS feed and is detailed on their website.
4 Application service information
4.1 Supported application summary
The table below provides a summary of the available applications on the NHSmail Hybrid
Service for each type of supported O365 licence.
Service Name | E5 SKU | E3 SKU | E1 SKU | F1 SKU
Microsoft Teams | Yes | Yes | Yes | Yes
Yammer Enterprise | Yes | Yes | Yes | Yes
Microsoft Forms | Yes | Yes | Yes | Yes
Microsoft StaffHub | Yes | Yes | Yes | Yes
Microsoft Sway | Yes | Yes | Yes | Yes
SharePoint Online (includes OneDrive for Business) | Yes | Yes | Yes | Yes
Office Online – create and edit rights (cannot be assigned without SharePoint Online) | Yes | Yes | Yes | Yes
Microsoft Planner | Yes | Yes | Yes | No
Microsoft Delve | Yes | Yes | Yes | Yes
Access to Office Applications from all major smart phones and iPads | Yes | Yes | Yes | Yes
Office Mobile Apps – Create/edit rights for online versions of core office apps | Yes | Yes | Yes | Yes
Office Pro Plus | Yes | Yes | No | No
Microsoft To Do | No | No | No | No
Power BI Pro | Yes | No | No | No
Flow for Office 365 | Yes | Yes | Yes | Yes
PowerApps for Office 365 | Yes | Yes | Yes | Yes
Microsoft Bookings | No | No | No | No
Microsoft Stream | Yes | Yes | Yes | Yes
In addition to the above licences, the following standalone licences are available and can be
used individually or with any other SKU (E1, E3, E5 or F1).
Service Name | Supported
Microsoft PowerApps Plan 1 | Yes
Microsoft PowerApps Plan 2 | Yes
Microsoft Flow Plan 1 | Yes
Microsoft Flow Plan 2 | Yes
Microsoft Stream Plan 1 | Yes
Microsoft Stream Plan 2 | Yes
Microsoft Power BI Free | Yes
Microsoft Power BI Pro | Yes
Microsoft Power BI Premium | Yes
Microsoft Project Online Essential | Yes
Microsoft Project Online Professional | Yes
Microsoft Project Online Premium | Yes
Microsoft Visio Plan 1 | Yes
Microsoft Visio Plan 2 | Yes
Please note that Exchange email services and Skype for Business instant messages and
presence (IM&P) and audio and video conferencing (A&VC) services are provided as
standard to organisations using the NHSmail O365 Hybrid Service.
For more information on the above and to express interest in the NHSmail service offering
additional Office 365 services please contact the NHSmail helpdesk.
4.2 Azure Active Directory
4.2.1 Application description
Azure Active Directory (Azure AD) is Microsoft’s multi-tenant, cloud-based directory and
identity management service. Every Office 365 tenant provides an Azure AD tenant that is
used to manage cloud identities and enable access to cloud applications integrated with
Azure AD, including Office 365 applications.
4.2.2 Features configuration
Azure AD supports Single Sign-On (SSO) through the NHSmail Portal to portal.office.com
(not local device SSO).
• SSO enables access to NHSmail Office 365 Hybrid services following SSO to the
NHSmail Portal.
Note: SSO will not allow user authentication against cloud-based services not integrated
with NHSmail Azure AD (for example, local applications owned and managed by a local
organisation).
Key Azure AD configuration items are given for information in the below table highlighting the
default NHSmail setting.
AAD Config Details | Setting | Comment
User Setting
Users can add gallery apps to their Access Panel | No | Users can add any app which supports password single sign on to appear in their access panel, without an administrator needing to pre-integrate that application.
Users can only see Office 365 apps in the Office 365 portal | Yes | Users will only see Office 365 apps in their Office 365 portal.
Guest user’s permissions are limited | Yes | Guests do not have permission for certain directory tasks, such as enumerate users, groups or other directory resources and cannot be assigned to administrative roles.
Restrict access to Azure AD administration portal | Yes | Restricts all non-administrators from accessing any Azure AD data in the administration portal.
Groups
Users can create security groups; Users who can manage security groups | No
Users can create Office 365 groups; Users who can manage Office 365 groups | Available for LAs to manage via the NHSmail Portal
User Setting
Users can consent to apps accessing company data on their behalf | No | Users are not able to consent to allow third party multi-tenant applications to access their user profile data in the NHS Directory.
Users can register applications | No | Users are not able to register custom-developed applications for use within the NHS Directory.
Members can invite | No | Only NHSmail service administrators can invite guests to the NHS Directory.
Guest can invite | No | Guests cannot invite other guests to collaborate with the NHSmail Hybrid tenant.
Groups
Self-service group management enabled | No | Self-service group management for users through the Access Panel is not enabled.
Enable "All Users" Group | No | The all users group in Azure Active Directory is disabled
External Users Setting
Guest users’ permissions are limited | Yes | Yes - means that guests do not have permission for certain directory tasks such as enumerate users, groups or other directory resources.
Admins and Users in guest inviter role can invite | Yes | Yes - means that admins and users with the ‘Guest Inviter’ role will be able to invite guests to the tenant. No means they will not.
Members can invite | No | No - means that only administrators can invite guests to the NHS Directory.
Guest can invite | No | No - means that guests cannot invite other guests to collaborate
Allow invitations only to specified domains (most restrictive) | Yes | Guest invitations can only be sent to whitelisted domains.
4.3 SharePoint Online
4.3.1 Application description
SharePoint Online is a cloud-based collaboration platform that can be used for document
management, storage and collaboration.
SharePoint can enable sharing and collaboration across NHS organisations using the
NHSmail O365 Hybrid Service, giving people a place to organise and collaborate on content
and data in real time.
4.3.2 Configuration overview
The NHSmail Hybrid SharePoint Online application has been configured to allow LAs to
create isolated parent site collections for use within their organisation.
LAs are able to use the NHSmail Portal to provision a new site collection, assign it a name,
an administrator and storage quota. The NHSmail Portal will then configure this parent site
collection for the given administrator to login to and configure for further use. Once
provisioned, the standard site collection administration features are available for the site
administrator to configure and customise directly within SharePoint. It is the responsibility of
the site collection administrator to manage the site collection, including user access
permissions, storage usage and any sub sites created (child sites).
The below table gives an overview of the tenant wide configurations set for SharePoint
Online in the NHSmail tenant.
Config Details | Setting | Comment
Sharing
Allow users to invite and share with authenticated users | Enable | Direct sharing outside the NHSmail Hybrid tenant is allowed for only whitelisted domains. Invite and sharing to authenticated users using anonymous access links is disabled
Prevent external users from sharing files, folders and sites that they don’t own | Enable
Direct links | Enable | Shared links are only valid for the specific person it was sent to
Default link permissions: view or Edit | View
External users must accept sharing invitations using the same account that the invitations were sent to | Enable
Site Pages
Let users create site collections | Managed via NHSmail Portal | Available for LAs to create and manage via the NHSmail Portal
Let site collection administrators create sub sites | Enable
Site Pages | Enable | Users can create responsive Site pages
Hide the subsite menu command | Enable (Hide) | Hide the subsite create menu for basic users. Only Site Collection administrators can see this.
Custom Scripts
Prevent users from running custom script on personal sites | Prevent | This has been disabled on the NHSmail O365 Hybrid for security reasons.
Prevent users from running custom script on self-service created sites | Prevent | This has been disabled on the NHSmail O365 Hybrid for security reasons.
Preview Features
Enable Preview Features | Disable | This setting has been disabled so users do not view SharePoint Online preview features. Preview features have limited support in SharePoint Online and do not yet meet all service requirements.
Connected Services
Block SharePoint 2013 workflows | Enable
Mobile Push Notifications
Allow notifications | Allow | This feature allows users to get mobile push notifications for changes to their SharePoint content.
Comments on Site Pages
Enabled comments on Site Pages | Disable | Enabling this feature adds a comment section to all site pages. Users who have access to the pages can leave comments.
Access Control
Control access based on network location and only allow access from specific IP address locations | Disabled | There is no restriction based on IP addresses configured.
4.3.3 Support features
The following sections highlight key supported features for the SharePoint Online service
within the NHSmail O365 Hybrid Service.
4.3.3.1 Team Sites
A SharePoint Team Site is the default SharePoint template used when creating a site
collection from the NHSmail Portal and other features.
4.3.3.2 Data Loss Prevention
Data Loss Prevention (DLP) is a feature used to discover and restrict sensitive data leaving
the NHSmail tenant. DLP policies are set to review tenant data against specific criteria such
as national insurance numbers or national health numbers and identify it.
Standardised industry template DLP policies have been implemented on the NHSmail O365
Hybrid Service and are detailed in the DLP section of this document. SharePoint Online has
been configured to respect these DLP policies.
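The sketch below shows how criteria of the kind named above can be matched with fewer false positives: a 10-digit candidate is only reported if its Modulus 11 check digit is correct, and a National Insurance number only if its prefix follows the published allocation rules. It is an added example, not the NHSmail DLP policy or Microsoft's detection logic; it assumes "national health numbers" refers to the 10-digit NHS number, and the sample text and function names are constructed for illustration.

```python
import re

# Ten digits, optionally grouped 3-3-4 with spaces or hyphens.
NHS_RE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{4})(?!\d)")
# Two prefix letters, six digits (optionally in pairs), suffix letter A-D.
NINO_RE = re.compile(
    r"(?<![A-Za-z0-9])([A-Za-z]{2})\s?(\d{2})\s?(\d{2})\s?(\d{2})\s?"
    r"([A-Da-d])(?![A-Za-z0-9])"
)
# Prefixes that are never allocated to National Insurance numbers.
NINO_UNUSED_PREFIXES = {"BG", "GB", "KN", "NK", "NT", "TN", "ZZ"}


def nhs_number_valid(digits: str) -> bool:
    """Modulus 11 check: weight the first nine digits 10..2, compare digit ten."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    # A computed check digit of 10 means the number can never be valid.
    return check != 10 and check == int(digits[9])


def nino_prefix_valid(prefix: str) -> bool:
    """D, F, I, Q, U, V are unused in either position; O is unused in second."""
    prefix = prefix.upper()
    return (
        len(prefix) == 2
        and prefix[0] not in "DFIQUV"
        and prefix[1] not in "DFIOQUV"
        and prefix not in NINO_UNUSED_PREFIXES
    )


def mask(value: str) -> str:
    """Keep only the last two characters so findings are safe to log."""
    return "*" * (len(value) - 2) + value[-2:]


def scan(text: str):
    """Return (kind, masked_value, offset) for each validated identifier."""
    findings = []
    for m in NHS_RE.finditer(text):
        digits = "".join(m.groups())
        if nhs_number_valid(digits):
            findings.append(("nhs_number", mask(digits), m.start()))
    for m in NINO_RE.finditer(text):
        prefix = m.group(1).upper()
        if nino_prefix_valid(prefix):
            value = prefix + m.group(2) + m.group(3) + m.group(4) + m.group(5).upper()
            findings.append(("ni_number", mask(value), m.start()))
    return sorted(findings, key=lambda f: f[2])


# Constructed sample document; none of these values belong to a real person.
SAMPLE = (
    "Referral for patient 999 000 0018, NI number AB 12 34 56 C.\n"
    "Order ref 1234567890 shipped; contact ext 999-000-0019.\n"
    "Placeholder NI QQ123456C used in training slides.\n"
)

if __name__ == "__main__":
    for kind, masked, offset in scan(SAMPLE):
        print(f"{kind:<11} {masked} at offset {offset}")
```

Only the two identifiers on the first sample line are reported; the order reference, the extension number and the QQ placeholder match the patterns but fail validation.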
4.3.3.3 Large file support
SharePoint Online allows you to upload or download large files. The NHSmail O365 Hybrid
Service allows a single maximum file-size limit of up to 15 GB per file. Files attached to list
items can be up to 250 MB in size.
4.3.3.4 File name and path lengths
The maximum path limit in SharePoint Online has increased from 256 characters to 400
characters. The entire path, including the file name, can contain up to 400 characters.
4.3.3.5 Special character support in files names
Additional support for special characters such as &, ~, {, and } in file names that include a
GUID, leading dots or are longer than 128 characters.
Note: Characters such as % and # can't be used in file names yet.
4.3.3.6 Durable links
The durable links feature is enabled on the NHSmail O365 Hybrid Service. This feature
allows users to rename a SharePoint document and move it to a different location within the
site collection, and the links remain valid. This feature works with Office documents (Word,
Excel, OneNote and PowerPoint) as well as PDF files. The below diagram shows how the
process works.
4.3.4 Service limits
The below list highlights the service limits applicable on the NHSmail O365 Hybrid
SharePoint Online service.
• Items and files - A list can have up to 30 million items and a library can have up to 30
million files and folders. Views can have up to 12 lookup columns. To learn more about
other restrictions for viewing large lists, see Manage large lists and libraries in
SharePoint. For information about characters that can't be used in file names, see Invalid
file names and file types in OneDrive, OneDrive for Business and SharePoint.
• Subsites - Up to 2,000 per site collection.
• File path length - The total length of the URL, including the file name, can't exceed 400
characters. For example, the following is a typical URL path to a file stored in SharePoint:
http://www.contoso.com/sites/marketing/documents/Shared%20Documents/Promotion/Holiday%202018.xlsx
• File size - Less than 15 GB per file. Files attached to list items can be up to 250 MB in
size.
• Sync - For optimum performance, we recommend storing no more than 100,000 files in a
single OneDrive or team site library. If you use the previous OneDrive for Business sync
client (Groove.exe), the sync limit per library is 5,000 items.
• Versions - 50,000 major versions and 511 minor versions.
• SharePoint groups - A user can belong to 5,000 groups and each group can have up to
5,000 users. You can have up to 10,000 groups per site collection.
• Users - 2 million per site collection.
4.3.5 SharePoint third party applications
SharePoint Online supports third party application integration. The NHSmail O365 Hybrid
Service manages a review process for these integrations to assess suitability of
implementing on a nationally managed service. Some applications are not appropriate to
integrate due to required permissions or licence requirements.
The below graphic provides some guidance on the principles used to assess third party
application integration suitability. To request an application integration for SharePoint Online,
please contact the NHSmail helpdesk.
4.3.6 Portal self-service capability
The NHSmail Portal provides self-service capability for LAs to manage the provisioning of
SharePoint services. This includes the following:
➔ Create and edit capability for SharePoint Parent Site Collection
o Assigning a Site Collection name
o Assigning / updating a Site Collection administrator
o Assigning / updating a storage quota for the site collection
➔ Enable / disable SharePoint Online services for users / policies
➔ Downloadable SharePoint storage report
Guidance instructions on how to use the NHSmail Portal for NHSmail O365 Hybrid services
are available in the NHSmail O365 Hybrid Local Administrator guide.
4.3.7 SharePoint storage
The available quota from which an LA can allocate data to SharePoint Site Collections they
create will be calculated based on the number of SharePoint user licences they have. This
quota can be increased or decreased based on the number of user licences an organisation
has purchased. For each licensed user (E3, E5, F1, E1 and Project Online) the organisation
is given an additional 10 GB of storage to allocate to their SharePoint Online site collections.
SharePoint Site Collection quotas cannot be exceeded once set. The available storage to an
organisation can only become insufficient should their number of available user licences
reduce through non-renewal. In this scenario, LAs will be issued with appropriate
communications and given 5 days’ notice to reduce their storage or purchase additional
licences. If, after 5 days, the quota is still insufficient, all the organisation’s sites are set to
read-only mode.
When creating a SharePoint Site Collection, an LA will be able to see the amount of storage
available to the organisation. This will give an indication of what quota can be given to a
SharePoint Site Collection. Full guidance on allocating storage can be found in the
SharePoint Collection Management section of the NHSmail O365 Hybrid Local Administrator
guide.
4.4 OneDrive for Business
4.4.1 Application description
OneDrive for Business is personal online storage space in the cloud available from Office
365. Use it to store and protect your work files while accessing them across multiple devices.
Share your files with business colleagues as needed and collaborate on Office documents
together in real time with the latest Office desktop, web and mobile apps. Sync files to your
local computer using the OneDrive for Business sync client.
OneDrive for Business is included in SharePoint Online and the Enterprise Office 365 plans.
The OneDrive for Business application can be enabled for users through the NHSmail Portal.
4.4.2 Configuration overview
The OneDrive for Business application has been configured with standard policies and
settings as follows:
| Config Details | Setting | Comment |
|---|---|---|
| Sharing | | |
| Direct link sharing with specific people | Enabled | The shared document will be accessible only by the people specified when the user creates the link. |
| File and folder default permission | View | Set to view as default however can be changed by user at the point of sharing. |
| Sharing with existing external users | Enabled | Sharing only available with users already in the NHS Directory. |
| File view information | Enabled | Display to owners the names of people who viewed their files. |
| Sync | | |
| Show the Sync button on the OneDrive website | Enabled | The Sync button helps users install and set up the new OneDrive sync client. |
| Storage | | |
| Default storage in GB | Enabled | The default storage space for each user's OneDrive is 1 TB. |
| Days to retain files in OneDrive after a user account is marked for deletion | Enabled | Default retention period in the NHSmail O365 Hybrid Tenant is 180 days. Please see more information on OneDrive data retention policies in this document. |
| Device Access | | |
| Allow access only from specific IP address locations | Disabled | Specific IP addresses or IP address ranges will restrict users’ access to their OneDrive files. This policy has not been enabled on the NHSmail O365 Tenant. |
| Mobile application management settings | Disabled | These settings are disabled as they require use of the Intune service which is not currently enabled on the NHSmail O365 Hybrid Service. |
| Notifications | | |
| Display device notification to users when OneDrive files are shared with them | Enabled | Display device notification to users when OneDrive files are shared with them. |
4.4.3 Limits and un-supported features
• To learn more about restrictions and limitations that apply to files and folders when
using OneDrive for Business to sync SharePoint Online or OneDrive for Business
libraries to a device, please see the links below. OneDrive for Business is included in
SharePoint Online. To learn about limitations such as file upload limits and site
collection quotas, see SharePoint Online limits and Restrictions and limitations when
you sync files and folders.
• Microsoft do not support storage of data other than an individual’s personal work files.
System back-ups and departmental and organisational level data is not supported,
nor is the assignment of a per user licence to a bot, department or other non-human
entity. SharePoint Online is recommended for these scenarios.
• External sharing is disabled for OneDrive for Business in the NHSmail tenant.
• OneDrive for Business sync app will need to be supported by local trusts.
4.5 Microsoft Teams
4.5.1 Application description
Microsoft Teams provides a modern collaboration hub experience for today’s work-based
teams. Microsoft Teams supports persistent and threaded chats to keep everyone engaged.
Microsoft Teams allows integration with other O365 applications creating a single workspace
for collaboration.
Microsoft Teams is included in the E1, E3 and E5 O365 enterprise licence plans.
LAs can create Team groups and enable the application through the NHSmail Portal.
4.5.2 Configuration overview
The Microsoft Teams application has been configured with standard policies and settings as
follows:
| Config Details | Setting | Comment |
|---|---|---|
| General | | |
| Show organisational chart in personal profile | Disabled | It shows the organisational chart icon in the user’s contact card and when clicked can display the detailed organisational chart. This feature is not currently supported by Microsoft in a Hybrid deployment and therefore has been disabled. |
| Use Skype for Business for recipients who don't have Microsoft Teams | Disabled | Teams conversations automatically show up in Skype for Business for users that are not enabled for Teams. However, this interoperability is not supported due to Hybrid deployment. |
| Allow T-bot proactive help messages | Enabled | T-bot will initiate a private chat session with users to help them use Teams. |
| Allow users to send email to channels | Disabled | This feature has been disabled as domain restriction is not currently supported. |
| Application Connections | | |
| Forms | Enabled | The Office 365 Forms application allows users to create surveys, quizzes and polls. |
| OneNote | Enabled | OneNote notebooks can be used to collaborate on digital content and share it within the team. |
| Planner | Enabled | Planner allows teams to stay organised, assign tasks and keep track of progress. |
| Yammer | Enabled | The Yammer connector sends notifications about posts, announcements in Yammer groups, posts made by Yammer users. |
| Stream | Enabled | Microsoft Stream app (to upload / view videos) is the default app in Teams and seems to be appearing from Microsoft Store. There is no setting to disable it. To add Stream tab into a channel to access / share videos, users are required to add a valid Stream URL (direct video or channel). |
| Bing News | Enabled | Get the most relevant news on topics you care about. |
| Flow | Enabled | Automate time-consuming and repetitive tasks by integrating favourite apps and services with Microsoft Flow. |
| Images | Enabled | Search Bing for the image you need and share it directly in a channel or chat. |
| News | Enabled | Stay up to date on current events courtesy of Bing News. Find coverage of local, national and worldwide news, then share it in a channel. |
| Places | Enabled | Places lets you look up detailed info about different businesses, restaurants, venues and more. Find out the address, hours of operation or reviews for a business, then share them in a conversation. |
| PowerApps | Enabled | Help your team work smarter by creating apps that connect to the services and data they use most. Add those apps to your channel so your team can quickly find them. |
| PowerBI | Enabled | Add a Power BI report to your channel. You can even add multiple reports to the same tab. (Requires Power BI Pro) |
| SharePoint | Enabled | Add a SharePoint page from your associated team site by selecting a page from the list and clicking save. Your team will be able to view the page, but not edit. |
| SharePoint News | Enabled | The SharePoint News connector sends notifications about new News posts in your site. |
| Stocks | Enabled | Get real-time stock quotes and share them in a conversation. Search by company name or stock symbol. |
| Team Foundation Server | Enabled | The Team Foundation Server connector sends notifications about activities in your projects. |
| VSTS | Enabled | Plan better, code together and ship faster using Visual Studio Team Services (VSTS). Find work and collaborate better with your team. |
| Weather | Enabled | Find current weather reports for any city, zip code or location, then share them in a channel or chat. |
| Wikipedia Search | Enabled | Leverage the power of the services your organisation uses directly within Teams. Do a quick search for a Wikipedia article and share it in a conversation. |
| Wunderlist | Enabled | The Wunderlist connector sends notifications about activities on your lists and tasks. |
| Allow External Applications | Enabled | If an organisation wishes to utilise a third-party application that is not enabled by default, they will be able to follow a defined process to request this. This will involve raising a ticket to the helpdesk, which will be fed through to the NHS Digital Technical Design Authority (TDA) who will ultimately determine if the application request is suitable. |
| Team Calls | | |
| Allow ad-hoc channel meetup | Enabled | |
| Allow screen sharing in calls | Enabled | Specifies whether screen sharing is allowed in Teams calls. |
| Allow videos in calls | Enabled | Specifies whether the use of video is allowed in Teams calls. |
| Allow private calling | Enabled | Users can make private calls. |
| Messaging | | |
| Enable Giphy so users can add GIFS to conversation | Enabled | Users can use animated pictures within the conversations. |
| Enable memes that users can edit and add to conversations | Disabled | Users cannot use internet memes to make humorous posts. |
| Enable stickers that users can edit and add to conversation | Enabled | Users can post images with editable text to get channel members' attention. |
| Allow owners to delete all messages | Disabled | Channel owners cannot remove all messages in a channel. |
| Allow users to edit their own messages | Enabled | Users can edit their own messages. |
| Allow users to delete their own message | Enabled | Users can delete their own messages. |
| Allow Users to Chat Privately | Enabled | Users can engage in private chats that are visible only to the people in the chat, instead of everyone on the team. |
| Guest Access | Enabled | External guest accounts added into NHSmail Hybrid Azure Active Directory can also be added as guests in Teams. |
4.5.2.1 Teams Private Chat features
• Teams 1:1 Chat (private chat) can be used by users enabled with Teams licence.
• Teams 1:1 Calls (private audio / video calls) can be used by users enabled with
Teams licence.
• Teams 1:1 private chat sessions can be extended to group chat by adding more
users.
• Teams 1:1 private chat sessions can be extended to group audio / video call by
adding more users.
• Desktop sharing can be used for 1:1 sessions and grouped sessions.
• 1:1 sessions are persistent across both Web client and desktop thin client.
4.5.2.2 Teams and Channels features
• Team owners and members (if allowed by owners) can create new channels within
Teams client.
• Channels can be created and allowed apps (as listed below) can be added into the
channels
o Microsoft Forms
o OneNote
o Planner
o SharePoint
o Yammer
o Document, Excel, PowerPoint, Wiki, PDF, Power BI and Stream (These apps
are available as default by Microsoft)
• Internal and External Connectors can be created for enabled applications.
• Ad-hoc meetings can be used within Channels for a group audio / video call.
• Teams recording can be used for ad-hoc group calls (LA enables recording per user
through a policy, also requires Stream licence).
4.5.2.3 Teams with OneDrive and SharePoint Online
• SharePoint Online is required to share and store files in team conversations.
• OneDrive for Business is required to share and store files in private chats.
• If users are not assigned and enabled with SharePoint Online licences, they don't
have OneDrive for Business storage in Office 365. File sharing will continue to work in
Channels, but users are unable to share files in Chats without OneDrive for Business
storage in Office 365.
4.5.3 Unsupported features
• The scheduling of Teams meetings on the NHSmail O365 Hybrid Service is not
currently supported due to the hybrid deployment model in place.
• Organising meetings and viewing is not available in web client or desktop thin client
due to the hybrid deployment model in place.
• Currently, there is no option to change the profile picture in Teams. Teams profile
pictures are populated from the Exchange Online profile picture, therefore not
accessible in Teams.
• In Teams client, the organisation chart feature is integrated with the Exchange Online
mailbox. As all the mailboxes are hosted in an on-premises Exchange 2013
environment, the organisation chart feature will not work.
• Teams interoperability with on-premises Skype for Business is not fully available
from Microsoft at the current time due to the hybrid deployment model in place.
• Email integration to Channels is disabled, therefore sending emails to a Channel’s email
address is not available.
• Sideloading and outgoing webhooks are disabled.
4.6 Yammer enterprise
4.6.1 Application description
Yammer is a private enterprise social network application. Yammer enables collaboration
and provides the ideal platform for health care professionals to share ideas, experiences,
resources and insights with each other across all NHS organisations. Ideal for regional
collaboration and insights to all areas and specialist groups within the NHS.
4.6.2 Configuration overview
Yammer has been configured with standard policies and settings as follows:
| Config Details | Setting | Comment |
|---|---|---|
| General | | |
| Network name | nhs.onmicrosoft.com | Email: nhs@yammer.com URL: https://www.yammer.com/nhs |
| Primary domain | nhs.net | |
| Other domains | nhs.mail.onmicrosoft.com, nhs.onmicrosoft.com | |
| Configuration | | |
| Require all users in your network to confirm their messages posted via email before posting. | Disabled | |
| Allow people to upload and attach files in any format | Enabled | Any number of files, images or both can be attached to any message or reply, with each file size limited to 5 GB. The maximum dimensions for images in Yammer are 7680 pixels wide and 4320 pixels high. You'll get an error if you try to upload an image that is wider or taller. |
| Third-party Applications | Disabled | Disabled the ability for users to add or access third-party applications created using Yammer API. |
| Organisation Chart | Disabled | The Yammer Organisation Chart is built from the reporting relationships that users add to their user profiles. This helps other users understand the management structure and company relationships of their co-workers. |
| Message Translation | Disabled | This feature gives users the option to translate messages from 33 available languages into the network’s default language. |
| Connected Groups | Enabled | Local Administrators can create Yammer connected groups via the NHSmail Portal. |
| Usage Policy | | |
| Require users to accept policy during sign up and after any changes are made to the policy. | Enabled | Yammer acceptance user policy (AUP) prompt on Yammer first login will prompt users to reference and agree to the AUP for NHSmail. More information can be found on https://portal.nhs.net/Home/AcceptablePolicy |
| External Networks | | |
| External Networks creation | Only Admins | |
| Require admin approval for tenant members to join other companies' external networks. | Enabled | Requires users to request approval before they join external networks created by other organisations. |
| Security Setting | | |
| Enforced Office 365 identity. Block Office 365 users without Yammer licence | Enabled | This setting means unlicensed users are unable to use their nhs.net work account to access Yammer Groups, including third-party Yammer groups. |
| Data Retention | | |
| Soft / Hard Delete policy | Soft Delete | Soft delete option set in NHSmail O365 tenant. Deleted data is not visible to users but can be accessed via NHSmail Service Request. |
| Design | | |
| Network logo, header, colour scheme and logo for Yammer emails | NHS logo and colour scheme | Logos are placed against a white background on all email notifications sent to your network. |
Office 365 identity will be enforced in Yammer to allow single sign-on capability and
authenticate first in Office 365 before users can log onto the Yammer network. This means
users must be licensed on the NHSmail Hybrid platform to login to Yammer.
All Yammer features are supported in the NHSmail O365 Hybrid Service apart from the ones
listed in the unsupported features section below.
4.6.3 Unsupported features
• Free Yammer is disabled. Users must be assigned an O365 licence to use the
Yammer network.
• Creation or joining external groups is disabled.
• Existing Office 365 groups cannot be used as Connected Yammer groups.
• Third party applications are disabled.
4.7 StaffHub
4.7.1 Application description
StaffHub is an online application that provides schedule and task management capability for
first-line workers. StaffHub makes it easy to create, publish and access schedules on the go
and allows workers to view and amend them easily through a simple mobile application.
4.7.2 Configuration overview
StaffHub has been configured with standard policies and settings as follows:
| Config Details | Setting | Comment |
|---|---|---|
| General | | |
| Apply licence check | Enabled | Enforce that everyone has an Office 365 licence before using it. Only users with an assigned Office 365 Enterprise licence (F1, E1, E3, E5 or EDU) will be able to access Microsoft StaffHub. |
| Allow Microsoft StaffHub to create Office 365 accounts for my first-line workers | Disabled | |
| Fields included in StaffHub teams; they will show during onboarding, team settings and usage reports | Required | When a manager creates a new team, they are prompted to enter information about that team. |
• All users must have a valid licence to access StaffHub (access without licence is
disabled).
• All users can create Teams in StaffHub via web client. There is no desktop client for
StaffHub.
• Existing Office 365 groups cannot be used as StaffHub Teams.
• Web app can be used to create StaffHub Teams, add / remove members, assign
administration roles to team members, schedule shifts and assign to group members
and share files.
StaffHub mobile app:
• Users are required to have an invitation (once added into StaffHub Team) to complete
sign-in on mobile devices. Invitation can be sent via email or mobile number via the
StaffHub portal managed by the StaffHub Team owner.
• Users can have 1:1 chat with group (team) members only.
• Users can have 1:n chat with all members of the StaffHub Team.
4.7.3 Unsupported features
• Members of a Team in StaffHub will not be able to share files.
• Users cannot create StaffHub Teams via mobile app (iOS and Android).
• There is no option to change 1:1 chat with StaffHub Teams members.
• eDiscovery of StaffHub chat data is not available on the NHSmail O365 Hybrid
Service.
• StaffHub on Windows Mobile is unsupported.
4.8 PowerBI
4.8.1 Application description
Power BI is a suite of business analytics tools that deliver insights throughout your
organisation. Connect to hundreds of data sources, simplify data using dashboard and drive
ad-hoc analysis. PowerBI can be used to produce reports and publish them for people in
your organisation to consume either via the web or across mobile devices.
The NHSmail O365 Hybrid Service supports the PowerBI free application and PowerBI Pro
application.
4.8.2 Configuration Overview
PowerBI has been configured with standard policies and settings as follows.
| Config Details | Setting | Comment |
|---|---|---|
| Export & Sharing | | |
| Sharing content with external users | Enabled | Users can share PowerBI dashboards with users outside of the NHSmail O365 Hybrid Tenant. |
| Publish to web for the entire organisation | Enabled | Users can publish reports for viewing by anyone on the web by request to helpdesk. |
| Export data policy | Enabled | All users can export data from a tile or visualisation. |
| Content Pack and App Setting | | |
| Publish content packs and apps to the entire organisation unapplied changes | Disabled | Users are not able to publish content packs and apps to the entire NHSmail O365 Hybrid Tenant. |
| Integration Settings | | |
| Ask questions about data using Cortana | Enabled | Users can ask questions about their data using Cortana. |
| Use Analyse in Excel with on-premises datasets | Enabled | Users can use Excel to view and interact with on-premises Power BI datasets. |
| Use ArcGIS Maps for Power BI - for the entire organisation | Enabled | Users can use the ArcGIS Maps for PowerBI visualisation provided by Esri. |
| Use global search for Power BI (Preview) for the entire organisation | Disabled | Users can use Azure Search External Search index. |
| Custom Visual Settings | | |
| Custom visuals | Enabled | Users can add, view, share and interact with custom visuals. |
| Interact with and share R visuals | Enabled | Users can interact with and share visuals created with R scripts. |
| Audit & Usage Settings | | |
| Create audit logs for internal activity auditing and compliance for the entire organisation | Enabled | Users can use auditing to monitor actions taken in Power BI by other users. |
| Usage Metrics for Content Creators | Enabled | Users can see usage metrics for dashboards and reports they created. |
| Per-User data in usage metrics for content creators | Disabled | Usage metrics for content creators will expose display names and email addresses of users who are accessing content. |
| Data classification for dashboards | Disabled | Users can tag dashboards with classifications indicating security levels. If enabled, custom policies will be required to allow users to tag. |
| Embed content in apps | Disabled | Users can embed Power BI dashboards and reports in SaaS reports. |
4.8.3 Additional notes:
• Power BI Pro content can only be shared with Power BI Pro licensed users.
• Power BI free version is available to all NHSmail organisations.
4.8.4 Unsupported features
• Power BI embedded nodes Type A (Azure) are based on Azure Virtual Machines (VM
– A1 – A6), therefore Type A nodes are not in scope of NHSmail Office 365 Hybrid
tenant. NHSmail organisations with embedded nodes (VMs configured in Azure)
cannot migrate / integrate their subscription to the NHSmail Office 365 Hybrid tenant.
4.9 Delve
4.9.1 Application description
Delve is a web-based collaboration tool which helps employees find and discover information
relevant to them across all Microsoft Office 365 products by pulling content from applications
such as OneDrive for Business, SharePoint and Yammer and presenting it in one place.
All users enabled for SharePoint Online will have access to Delve (delve.office.com) where
they can see their delve profile, profiles of others and content from SharePoint and
OneDrive. Only content that a user has permissions to see will be visible to them in Delve.
Delve never changes any permissions. Only the user can see their private documents.
By default, Delve profiles only present content that is available in the NHS Directory, unless
the user adds additional profile information.
4.9.2 Supported features
• Files stored in OneDrive and SharePoint can be viewed and accessed via Delve
board if a user already has access to them.
• Updates to profile, including profile picture, which then replicate to OneDrive and
SharePoint profiles.
4.9.3 Unsupported features
• Delve boards will not show email attachment content.