Executive Summary
The NHSmail service enables over 1.5 million health and care professionals to access and use secure email, instant messaging and collaboration services. The platform also offers advanced Office 365 (O365) services and Azure Business-to-Business (B2B) capabilities via the NHSmail O365 platform.
Azure B2B collaboration allows you to securely share your company’s applications and services with guest users from other organisations, while maintaining control over your own corporate data. This is achieved via a simple invitation and redemption process which allows guests to use their own credentials to access your company’s resources. In the context of the NHS, Azure B2B will allow NHSmail users to collaborate with external partners through the O365 suite of applications.
Where B2B guest access is required for up to ten external users, access is granted via ad-hoc requests. Where access is required for more than ten users, the Azure Federated Group Import solution is implemented instead, to improve efficiency and security.
The Azure Federated Group Import solution is designed to replicate an external Azure Active Directory (AD) group into the NHSmail tenant, the membership of which is managed by the external organisation. This means you would simply require a one-time import of a group from an external organisation’s Azure AD tenant. As people join or leave the group in the external organisation their accounts would automatically be added and removed as guests in the NHSmail O365 tenant.
NHSmail Local Administrators can request for an Azure Federated Group Import on behalf of an external organisation via the NHSmail Portal. Once the group import has been configured, the NHSmail Portal will automate the process of sending guest invitations and revoking access (where required). This is illustrated in the diagram below.
Figure 1: Manage Guest Accounts Based on Azure AD Federated Group Import
Target audience
This document is intended for NHSmail Local Administrators that want to co-ordinate the configuration of an Azure Federated Group Import with the NHSmail O365 tenant on behalf of an external organisation.
Objectives
The objective of this document is to provide NHSmail Local Administrators with the steps to coordinate the setup of an Azure Federated Group Import on behalf of an external organisation.
Scope
There are five phases to the Azure Federated Group Import set up process as illustrated in the diagram below. This document only details the steps an external organisation is required to perform and the information that must be supplied to NHSmail before the members of the selected group can be provisioned with guest accounts.
Figure 2: Azure AD Federated Group Import set up workflow
Out of scope
This document does not include the steps an NHSmail Local Administrator needs to perform within the NHSmail Portal to request and set up an Azure Federated Group Import as they are documented within the NHSmail Office 365 Local Administrator
B2B Azure Federated Group Import set up details
Task overview
The NHSmail Portal service account needs to be invited as a guest user of the external organisation Azure tenant and assigned the necessary permissions so that members can be identified, and guest invitations can be sent.
Note: This document assumes the tasks in the table below are executed with Azure AD Global Administrator privileges within the external Azure AD tenant. Inviting a guest and assigning directory roles are the privileged operations involved; the Privileged Role Administrator role is the least-privileged built-in role that can assign directory roles, should the external organisation prefer not to use a Global Administrator account.
Task details
The external organisation administrator will need to execute the following tasks.
# | Task description | Task justification
1.01 | Invite the NHSmail Portal B2B service account "[email protected]" as a guest user of the external organisation's Azure AD tenant. | A service account is required to read the users that are members of the Azure AD group within the external organisation's tenant and to send guest invitations to those users, so that they can collaborate with NHSmail users.
1.02 | Assign the NHSmail Portal B2B service account the Security Reader and Reports Reader directory roles within the external organisation's Azure AD tenant. | The service account requires the Security Reader and Reports Reader roles to read the user details from the group within the external organisation's Azure AD tenant. Both are read-only roles; the service account needs no write permission in the external tenant.
1.03 | Identify the external organisation's Azure AD tenant name. | Azure AD tenant details are required for the service account to communicate with the external organisation's Azure AD tenant.
1.04 | Create a new Azure AD group within the external organisation's Azure AD tenant and add users as members (optional). | Members of this group will be invited as guest users of the NHSmail O365 tenant. If an existing group is being used, this step can be skipped.
1.05 | Identify the external organisation's Azure AD group name and ID. | The Azure AD group name and ID are required so that the service account can identify users and send them guest invitations.
1.06 | Share the following information with the NHSmail Local Administrator: Azure AD tenant name, Azure AD group name and Azure AD group ID. | These details need to be sent to the NHSmail Local Administrator so they can complete the Azure Federated Group Import set up via the NHSmail Portal before the user identification and guest invitation task can be executed.
The above pre-requisite tasks can be met by either executing a PowerShell script or using the Azure AD Portal.
Task 1: Using PowerShell
Execute the following PowerShell script and send the output to the NHSmail Local Administrator.
```powershell
# Requires the AzureAD PowerShell module. Microsoft has deprecated this module in favour of the
# Microsoft Graph PowerShell SDK; the cmdlets below are the ones this document was written against.
Connect-AzureAD

# Invite the NHSmail Portal B2B service account as a guest user. No invitation email is sent;
# the NHSmail service redeems the invitation itself.
$invitationParams = @{
    InvitedUserEmailAddress = '[email protected]'
    InviteRedirectURL       = 'https://myapps.microsoft.com'
    SendInvitationMessage   = $false
}
$invitation = New-AzureADMSInvitation @invitationParams

# Resolve the guest user object directly from the invitation result rather than searching by mail.
$roleMember = Get-AzureADUser -ObjectId $invitation.InvitedUser.Id

# Assign the Security Reader and Reports Reader roles.
# Get-AzureADDirectoryRole only returns roles that have already been activated in the tenant,
# so a role that has never been used is activated from its template first.
foreach ($roleName in 'Security Reader', 'Reports Reader') {
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
    if (-not $role) {
        $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
        $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
    }
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $roleMember.ObjectId
}

# Get the Azure AD tenant name, group name and group ID.
$tenant = Get-AzureADTenantDetail
Write-Host "+++++++++++++++++++++++++++++++++++++++++++++++++++++"
Write-Host "+                USER INPUT REQUIRED                +"
Write-Host "+++++++++++++++++++++++++++++++++++++++++++++++++++++"
$azureADGroupName = Read-Host "Enter the Azure AD group name which contains the users who need access to NHSmail data"
# Exact match on display name; -SearchString is a prefix match and can return several groups.
$aadGroup = Get-AzureADGroup -Filter "displayName eq '$azureADGroupName'"

Write-Host "`n`nSend the following details to the NHSmail Local Administrator"
Write-Host "+++++++++++++++++++++++++++++++++++++++++++++++++++++"
# The tenant name is the *.onmicrosoft.com domain, excluding the *.mail.onmicrosoft.com routing domain.
$aadName = $tenant.VerifiedDomains |
    Where-Object { $_.Name -like '*.onmicrosoft.com' -and $_.Name -notlike '*.mail.*' }
Write-Host "Azure AD Tenant Name :" $aadName.Name
Write-Host "Azure AD Group Name  :" $aadGroup.DisplayName
Write-Host "Azure AD Group ID    :" $aadGroup.ObjectId
```
The script prompts for the following input.
# | Task description
1.01 | When prompted by Connect-AzureAD, enter your Azure AD Global Administrator credentials.
1.02 | When prompted, enter the Azure AD group name which contains the users who need access to NHSmail data.
1.03 | Send the output (Azure AD tenant name, Azure AD group name and Azure AD group ID) to the NHSmail Local Administrator.
Task 2: Using the Azure AD Portal
Alternatively, the pre-requisite tasks can be met by completing the following steps within the external organisation's Azure AD portal.
# | Task description
1.01 | Log in to https://portal.azure.com using your Azure AD Global Administrator credentials.
1.02 | Select Azure Active Directory > Users.
1.03 | Select + New guest user.
1.04 | Input the NHSmail Portal B2B service account name, [email protected], as the guest user to invite.
1.05 | Select Azure Active Directory > Roles and administrators > Security reader.
1.06 | Select + Add member.
1.07 | Select [email protected] and confirm the selection by selecting Select.
1.08 | Select Azure Active Directory > Roles and administrators > Reports reader.
1.09 | Select + Add member.
1.10 | Select [email protected] and confirm the selection by selecting Select.
1.11 | Select Azure Active Directory > Custom domain names. Select the domain name which ends with onmicrosoft.com (not a *.mail.onmicrosoft.com routing domain, if one is listed). Copy the domain name and paste it into a document editor (e.g. Notepad); this is the Azure AD tenant name that will be sent to the NHSmail Local Administrator.
1.12 | Select Azure Active Directory > Groups > All groups and search for the Azure AD group which contains the users who require guest accounts in order to access NHSmail data. Select the group name to open its properties.
1.13 | Copy the Group name and Object ID and paste them into the same document editor. These will be sent to the NHSmail Local Administrator.
1.14 | Send the following information to the NHSmail Local Administrator: Azure AD tenant name, Azure AD group name and Azure AD group ID.
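Before the details are handed over, the external organisation's administrator can confirm that the pre-requisites were actually met, whichever of the two tasks above was followed. The script below is an added verification example and is not part of the NHSmail documentation or the NHSmail Portal. It is written for the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph), because the AzureAD module used in Task 1 has been deprecated by Microsoft; it needs only read scopes in the external tenant. The service account address and group ID are placeholders to be replaced with the values used in tasks 1.01 and 1.05. It checks that the service account exists as a Guest (not a member), that it holds the Security Reader and Reports Reader roles and nothing more, that the group ID is a GUID that resolves to a real group, and it prints the tenant name using the same exclusion of the *.mail.onmicrosoft.com domain as the Task 1 script.

```powershell
# Added verification example (not part of the NHSmail documentation).
# Assumes the Microsoft Graph PowerShell SDK and read-only directory access in the external tenant.
param(
    [string]$ServiceAccount = '[email protected]',                    # NHSmail Portal B2B service account (placeholder)
    [string]$GroupId        = '00000000-0000-0000-0000-000000000000'   # Object ID of the group to import (placeholder)
)

Connect-MgGraph -Scopes 'User.Read.All', 'Group.Read.All', 'RoleManagement.Read.Directory', 'Organization.Read.All' | Out-Null

$failures = [System.Collections.Generic.List[string]]::new()
$expectedRoles = 'Security Reader', 'Reports Reader'

# 1. The service account must exist, and as a Guest (a member account created by mistake would fail here).
$guest = Get-MgUser -Filter "mail eq '$ServiceAccount'" -Property Id, DisplayName, UserType, UserPrincipalName
if (-not $guest) {
    $failures.Add("Guest '$ServiceAccount' not found: repeat task 1.01")
} elseif ($guest.UserType -ne 'Guest') {
    $failures.Add("'$ServiceAccount' exists but UserType is '$($guest.UserType)', expected 'Guest'")
}

if ($guest) {
    # 2. It must hold both read-only roles. A role never activated in the tenant is not returned by
    #    Get-MgDirectoryRole at all, which is reported as a failure rather than silently skipped.
    foreach ($roleName in $expectedRoles) {
        $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
        if (-not $role) { $failures.Add("Role '$roleName' is not activated in this tenant"); continue }
        $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
        if ($members.Id -notcontains $guest.Id) { $failures.Add("'$ServiceAccount' is not a member of '$roleName'") }
    }
    # 3. Any other directory role is over-privilege for a cross-tenant service account.
    foreach ($r in (Get-MgDirectoryRole -All)) {
        if ($r.DisplayName -in $expectedRoles) { continue }
        if ((Get-MgDirectoryRoleMember -DirectoryRoleId $r.Id -All).Id -contains $guest.Id) {
            $failures.Add("'$ServiceAccount' also holds '$($r.DisplayName)', which the import does not need")
        }
    }
}

# 4. The group ID must be a GUID that resolves to a real group.
$group  = $null
$parsed = [guid]::Empty
if (-not [guid]::TryParse($GroupId, [ref]$parsed)) {
    $failures.Add("'$GroupId' is not a valid object ID (GUID)")
} else {
    $group = Get-MgGroup -GroupId $GroupId -Property Id, DisplayName -ErrorAction SilentlyContinue
    if (-not $group) { $failures.Add("No group with object ID $GroupId exists in this tenant") }
}

# 5. Tenant name: the *.onmicrosoft.com domain, never the *.mail.onmicrosoft.com routing domain.
$tenantName = (Get-MgOrganization).VerifiedDomains |
    Where-Object { $_.Name -like '*.onmicrosoft.com' -and $_.Name -notlike '*.mail.onmicrosoft.com' } |
    Select-Object -First 1 -ExpandProperty Name

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Warning $_ }
    throw "Pre-requisites are not complete; fix the items above before contacting the NHSmail Local Administrator."
}

Write-Host "All pre-requisites met. Send these values to the NHSmail Local Administrator:"
Write-Host "Azure AD Tenant Name : $tenantName"
Write-Host "Azure AD Group Name  : $($group.DisplayName)"
Write-Host "Azure AD Group ID    : $($group.Id)"
```

Run it as the same administrator who performed the tasks, for example `.\Verify-NhsmailImportPrereqs.ps1 -GroupId '<object id from task 1.13>'`. A non-zero exit from the `throw` makes it safe to use as a gate in a wider onboarding script; the over-privilege check in step 3 is the one most worth keeping, since an external service account holding anything beyond the two reader roles is exactly the condition the federated import should never depend on.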