MFA helps protect you by making it more difficult for someone else to sign in to your NHSmail account.
This uses two different forms of identity: something you know (your password), and something you have (like a mobile device or phone number).
There is important information in this guide so please don't rely on the images alone.
If you aren't already logged in, log in to the NHSmail portal (https://portal.nhs.net/) using the 'Login' link or click here and log in.
1. Select 'Profile' from the navigation bar and then 'My Profile' from the menu that appears.
2. Select the 'Self-Service' tab and then 'Self-enroll for Azure MFA'.
3. Select 'Confirm'.
You may see a success notification near the top right of the page briefly.
4. Select 'Logout'.
5. Select 'Click Here' to go back to the portal and log in again.
You will now be able to enrol a method for multi-factor authentication.
1. Select 'Click me to enrol Multi-Factor Authentication' to proceed.
2. Once redirected to this page, select 'Next' to start.
3. This page allows you to choose a preferred authentication method.
The easiest and most secure option to use is the Microsoft Authenticator app if you have a phone or tablet that you can install it on as once it is set up, you can use it to generate a verification code even when your device isn't receiving mobile network signal.
If you do not have access to a device that you can install the mobile app on, the phone option allows you to receive a text message containing a verification code to enter in to the sign-on screen or receive a phone call to verify your sign-in attempt. The time taken to receive a text message or phone call may vary based on your phone network or mobile signal.
1. On your mobile device, install and open the “Microsoft Authenticator” app.
You will find this in the App Store on Apple devices or the Play Store on Android devices.
The app is free and it is not listed with 'In-App Purchases'.
2. Review and agree to the privacy statement.
3. Select “Scan a QR code”.
4. Allow the app to access your camera. This prompt varies depending on whether you're using an Apple or Android device.
On an Apple device, also allow the app to send you notifications when prompted.
5. Back on your computer, select 'Next'.
6. Select 'Next' again.
7. Scan your QR code with the authenticator app on your mobile device.
8. Once the app recognises the QR code, select 'Next' on your computer.
A test notification will be sent to the authenticator app on your mobile device.
9. Back on your mobile device, enter the number displayed from your computer and select 'Yes' to complete enrolling the authenticator app.
Back on your computer, confirmation of successful verification will be displayed.
10. Select 'Next'.
11. Select 'Done'.
A notification will be sent to the authenticator app on your mobile device.
12. Back on your mobile device, enter the number displayed from your computer and select 'Yes' to complete logging in.
13. Back on your computer, select 'Yes' to reduce the number of times you are asked to sign in if you are logged in to the computer using an account that only you can access.
If you are using a publicly accessible computer or not logged in with your own account, select 'No'.
This page shows the methods set up on your account for multi-factor authentication.
If you delete all methods, you will be prompted to set up multi-factor authentication again when you next log in.
If you have access to another device you can install the authenticator app on or a phone that you can receive a text message to or direct phone call on, we recommend adding it as a backup method.
1. Select '+ Add sign-in method'
2. To add a phone number, select 'Phone' from the drop-down list of methods and then select 'Add'.
3. Select 'United Kingdom (+44)' from the drop-down list of countries and enter your phone number.
You may find it more convenient to use a mobile phone number as this will allow you to receive a text message with a verification code instead of a phone call.
If you can't receive text messages on your phone, select 'Call me' instead of 'R a code'.
4. Select Next.
There is more information about SIM swapping here:
https://www.europol.europa.eu/cms/sites/default/files/documents/sim_swapping.pdf
You can use a personal mobile phone number if you expect to have access to it when signing in to NHSmail on new devices, this is only used for account security.
It is not expected that you will be charged as no outgoing calls are made and no messages are sent from the phone during multi-factor authentication.
Standard call and SMS charges may apply if you try to access your account from outside the UK (incurring roaming charges).
These charges may also apply if your telecommunications provider has set charges for incoming calls or messages.
5. Enter the 6 digit code you receive by text message and select 'Next'.
The code is valid for 3 minutes. If you do not receive the code or if it expires before you are able to enter it, check the phone number displayed is correct and select 'Resend code'.
If you selected 'Call me', answer your phone and press the hash (#) key on your phone's keypad when prompted.
6. When you receive confirmation your phone was registered successfully, select 'Done'. You can now close this window and log back in to NHSmail to access your email.
There is more information about SIM swapping here:
https://www.europol.europa.eu/cms/sites/default/files/documents/sim_swapping.pdf
1. Select 'I want to set up a different method'.
2. Select 'Phone' from the drop-down list of methods and then select 'Confirm'.
3. Select 'United Kingdom (+44)' from the drop-down list of countries and enter your phone number.
You may find it more convenient to use a mobile phone number as this will allow you to receive a text message with a verification code instead of a phone call.
If you can't receive text messages on your phone, select 'Call me' instead of 'Text me a code'.
4. Select Next.
You can use a personal mobile phone number if you expect to have access to it when signing in to NHSmail on new devices, this is only used for account security.
It is not expected that you will be charged as no outgoing calls are made and no messages are sent from the phone during multi-factor authentication.
Standard call and SMS charges may apply if you try to access your account from outside the UK (incurring roaming charges).
These charges may also apply if your telecommunications provider has set charges for incoming calls or messages.
5. Enter the 6 digit code you receive by text message and select 'Next'.
The code is valid for 3 minutes. If you do not receive the code or if it expires before you are able to enter it, check the phone number displayed is correct and select 'Resend code'.
If you selected 'Call me', answer your phone and press the hash (#) key on your phone's keypad when prompted.
6. When you receive confirmation your phone was registered successfully, select 'Next'.
If you are prompted to create an App password, you can name it anything between 8 and 16 characters and select 'Next'.
Select 'Done'.
You do not need to make a note of the app password if displayed as you should not need to use it for anything.
7. Select 'Done'.
8. Select whether you would prefer to to receive a text message or a phone call.
9. Enter the 6 digit code you receive by text message and select 'Verify'.
If you selected 'Call me', answer your phone and press the hash (#) key on your phone's keypad when prompted.
10. Select 'Yes' to reduce the number of times you are asked to sign in if you are logged in to the computer using an account that only you can access.
If you are using a publicly accessible computer or not logged in with your own account, select 'No'.
This page shows the methods set up on your account for multi-factor authentication.
If you were prompted to create an app password before, you can delete it now.
If you delete all methods, you will be prompted to set up multi-factor authentication again when you next log in.
Once multi-factor authentication is set up, you will be prompted to approve sign in attempts on new devices.
If you set up the authenticator app as your preferred method, on your mobile device, enter the number from the login page and select 'Yes'.
If you don't use the authenticator app, answer your phone and press the hash (#) key on your phone's keypad when prompted.
If your prefer to use a verification code generated through the app or sent to your phone by text message, enter the verification code when prompted.
Each text message code is only valid for 3 minutes.
If you don't receive the approval notification, don't have access to the mobile device your authenticator app is installed on or aren't able to answer the phone number set as your preferred method, select “Use a different verification option” and select another option.
If the mobile device you set up the authenticator app on doesn't have internet access, open the app and select your NHSmail account to display a verification code.
Enter your verification code on the login page and select 'Sign in'.
If you can't use any of the authentication methods on your account, you will need to raise a request through our IT Servicedesk to reset multi-factor authentication.
Do not use the same password on multiple systems.
If you have a number in your password, do not increment the number by 1 when you change your password.
To add additional methods for or make changes to multi-factor authentication visit https://mysignins.microsoft.com/security-info.
If you are not already signed in to your account, the page will prompt you to login.
If you were prompted to create an app password before, you can delete it now.
If you delete all methods, you will be prompted to set up multi-factor authentication again when you next log in.
There is more information about SIM swapping here:
https://www.europol.europa.eu/cms/sites/default/files/documents/sim_swapping.pdf
It is not possible to disable multi-factor authentication on accounts that have previously been detected as compromised.
If you require further assistance, please raise a request through our IT Servicedesk.