NHSmail
Office 365 Hybrid
NHSmail is provided by NHS Digital in partnership with Accenture
Functional Comparison
Version 3
Office 365 Hybrid
service
Overview
The NHSmail Office 365 (O365) Hybrid service enables greater collaboration by integrating the NHSmail Active Directory, Exchange and Skype for Business services with Microsoft O365.
This document provides an outline of the key features offered by the products and any known limitations and has been produced to support health and care organisations to make decisions about their IT roadmap and use of the NHSmail O365 Hybrid service.
The products outlined in the pack include:
• Azure Active Directory
• O365 summary
• Exchange
• Teams
• SharePoint
• OneDrive
• Yammer
• Delve
• StaffHub
• Power BI
• Power Apps
• Flow
• Stream
• Project Online
• Visio Online
• Azure B2B (External Access)
Further comments are provided throughout the document on any additional key information and anticipated product behaviours for the NHSmail O365 Hybrid service.
NHSmail has provisioned and configured a central O365 tenant allowing the synchronisation of the NHSmail Active Directory (AD) with
Microsoft Azure AD enabling users to sign into NHSmail, O365 and other Azure services using their NHSmail username and password.
Organisations can enrol and manage their O365 users within NHSmail via the existing NHSmail Portal. The Portal has been developed to
include O365 administration features, including the ability to assign licences, enable applications and create SharePoint sites.
There is no change to the NHSmail Exchange and Skype for
Business services which remain outside of the O365 tenant
and will continue to be hosted within the NHSmail data
centres in England.
O365 services are hosted in UK or EU data centres in
accordance with the recently published guidance on off-
shoring data and the use of public cloud services.
NHSmail O365 Hybrid service approach
NHSmail O365 Hybrid service key benefits
Fastest and lowest effort way to
onboard to O365 – allowing
benefits to occur more quickly and
minimising cost of local IT support
Instant regional and national
collaboration across 80% of NHS
organisations without needing to
set up individual local sharing
relationships
Access to market leading
collaboration products to improve
productivity
Nationally managed collaboration solution reducing need for local management / support.
Significantly reducing onboarding lead time from months to days, as onboarding is managed via the NHSmail Portal against identities
already established in the national Active Directory.
With identities already established in the national Active Directory, access to all O365 services is quick without requiring a costly local project
to provision a dedicated tenant.
Allows local ownership of licences whilst enabling use of a national collaboration platform.
Consistent experience for IT support teams via the existing central portal hub for support of mail or O365 collaboration services.
Azure Active Directory
The NHSmail Active Directory (AD) has been synchronised with Azure Active Directory (AD) in order to enable delivery of the O365
services.
This also supports:
• authentication to other Azure services
• authentication to other services that support open standards (OAuth and OpenID)
Users will see no change to how they currently access NHSmail and organisations will not incur additional licence costs from
synchronisation with Azure AD.
NHSmail to Azure AD synchronisation is part of the long-term vision to realise greater collaboration across the wider health and care
system. Synchronisation will introduce content and identity sharing between organisations and across government departments and will
support the ability to integrate with third-party applications. This will reduce the burden of managing different credentials for each system by
leveraging the NHSmail username and password.
The illustration below outlines the key differences between joining the NHSmail O365 Hybrid service
versus the off-the-shelf O365 offering.
Further information
1. O365 Groups will be created and managed via the NHSmail Portal.
2. Skype for Business Enterprise Voice is not currently available on the NHSmail service.
3. Larger mailbox quotas can be purchased from the NHSmail additional services catalogue.
Features
NHSmail O365
Local O365
National Active Directory
Dedicated national, user facing service desk
Enhanced tenant service management wrapper
Instant access to NHSmail integrated platform
Advanced mail threat protection as standard
Portal management capability
O365 Groups1
Skype for Business Instant Messaging & Presence
National Skype for Business instance2
F1 licence mailbox size3
E3 licence mailbox size3
E5 licence mailbox size3
4GB
4GB
4GB
2GB
100GB
100GB
O365 and NHSmail
Key
Full functionality available
Partial functionality
Functionality not available
Further information
1. Customised development via the NHSmail Portal provides abilities to self-serve distribution group management.
2. Provided as standard with NHSmail platform via Trend Micro 2.
3/4. NHSmail organisations integrate with a local archiving solution or purchase additional mailbox quota top-ups.
5. O365 Groups will be created and managed via the NHSmail Portal.
Features
NHSmail O365
Local O365
Send/receive, group mailbox, shared calendars
Secure Outlook web mail access on any device
Self-service management of distribution groups1
and shared mailboxes
Advanced mail threat protection as standard2
Archiving Exchange Online-based Mailboxes3
Azure Information Rights Management
In-Place Hold and Litigation Hold
In-Place eDiscovery
Mailbox Size4
O365 Groups5
Data Loss Prevention
E1 E3 E5
2GB 50GB 100GB 4GB
Exchange
Teams provides a team collaboration space including persistent chat, wiki and threaded chat capabilities.
Further information
• To share and store files in a Teams conversation users will require access to SharePoint Online. To share and store files in a Teams
private chat users will require OneDrive for Business.
• If users are not assigned and enabled with SharePoint Online licences, they won't have OneDrive for Business storage in O365. In this
scenario, file sharing will continue to work in Teams Channels, but users are unable to share files in Chats without OneDrive for
Business storage in O365.
• All of the first-party apps are enabled in Teams. However, as per the proposed framework, an initial 15 commonly used external apps are
enabled. A process to request an additional app will be in place.
• Sideloading of apps and outgoing webhooks features are disabled for security reasons.
• Content (including person-to-person chats) is not archived by the NHSmail service.
• Teams within the Teams application will be created within the NHSmail Portal by Local Administrators.
End users will be able to self-manage the addition and removal of team members.
• *Ad-hoc/unscheduled meetings are available on the NHSmail O365 Hybrid service.
Features
NHSmail
O365
Local
O365
Create teams
Join teams
Create channels
Create and view meetings
Modify profile picture
Add and configure external connectors
Group Chat
Person to Person Chat*
Teams Recording (requires E1, E3 or E5 Stream licence)
Teams
SharePoint provides document management, storage and collaboration capabilities.
Further information
• Access to SharePoint Online will be managed by Local Administrators using the NHSmail Portal. SharePoint Site Owners will be
allocated within the NHSmail Portal. Site Owners will be responsible for managing the site directly within SharePoint.
• Standard storage limits for the O365 service will apply; 10GB per licensed user of that organisation. Each site collection is capped
at 25TB of storage and there is a single file upload limit of 15GB.
• Local Administrators will be able to access reports on data usage for each site collection, however cannot manage storage quotas.
• Data Loss Prevention policies will be set nationally for the NHSmail tenant and applied to SharePoint Online.
• Storage allocation for SharePoint Online is managed separately from OneDrive for Business Site Collections created for each user.
• External SharePoint sharing outside of the NHSmail O365 Hybrid tenant is enabled using guest access.
• Integration of third-party applications will be reviewed and can be integrated subject to alignment with the appropriate standards.
• Access to Group Calendar Functions within SharePoint is not possible in the hybrid model. This functionality requires access to
Exchange Online.
Features
NHSmail
O365
Local
O365
Create a SharePoint site collection
Assign SharePoint administrators to manage
services
Create and manage document libraries
Workflow management, lists and tables
SharePoint project sites
Presence lights from Skype for Business
SharePoint site mailboxes
Site access requests via email
SharePoint
OneDrive is a personal document storage space allowing users to store and access content from any
device.
Further information
• Each licensed user is allocated 1 TB of storage space by default.
• Organisations must have an active SharePoint Online subscription and must enable users of OneDrive for SharePoint.
• External sharing outside of the NHSmail O365 Hybrid tenant from OneDrive is enabled globally through guest access.
• Data Loss Prevention policies have been set nationally for OneDrive.
• Synchronisation of files from a local workstation desktop will require the OneDrive for Business sync app.
Features
NHSmail
O365
Local
O365
Access documents on any device
Upload and download files
See and sync files via OneDrive Sync client
Share files with other tenant users
Expanded administrative controls for sharing
OneDrive
Yammer provides the ideal platform for health care professionals to share ideas, experiences,
resources and insights with each other.
Further information
• The NHSmail O365 Hybrid tenant will not enable Yammer external access, external group access or third-
party applications.
• *Yammer-connected O365 groups can be created and managed by Local Administrators through the
NHSmail Portal.
• *Email functionality is not available for connected groups.
• *Microsoft limits the availability to add Yammer connected groups into Teams; it is also not possible to add
external users to them.
Features
NHSmail
O365
Local
O365
Access tenant Yammer site pages
Create private/public groups, add/remove users
View activity streams, comments, likes
Follow contributors, view and post files
Manage Yammer profile and picture
Yammer connected groups*
Yammer
Delve is a web-based collaboration tool which helps users find and discover information relevant to them across all
Microsoft O365 products by pulling user content from Exchange, OneDrive for Business, SharePoint and Yammer
and presenting it in one place.
Further information
• Permissions to view a user’s document are controlled via the user’s permissions in SharePoint Online and OneDrive for
Business. Delve discovers content based on these permissions and cannot change them.
• Features dependent on the Exchange Online integration are not supported by the NHSmail O365 Hybrid service.
• Delve Boards will not show email attachment content as this is stored in the NHSmail Exchange. Only documents stored
in OneDrive and SharePoint will be visible due to the dependency on Exchange Online.
• Delve profile pictures will not appear in some parts of the Delve application due to the dependency on Exchange Online.
Features
NHSmail
O365
Local
O365
Search for people, documents or boards
View user contact card information
Follow and pin documents of interest
View recent activity and suggested content feed
View OneDrive and SharePoint documents
View mailbox attachments
Delve
StaffHub is an online application that provides schedule and task management capability for frontline
workers. StaffHub enables easy creation, publishing and access to schedules; enabling workers to view
their schedules on the move.
Further information
• Deployment of the mobile device application is the responsibility of local organisations.
• StaffHub in-app chat will be available. Messages sent and received via the in-app chat tools are not stored by the
NHSmail service.
Features
NHSmail
O365
Local
O365
Create Schedule
View Schedule
Mobile Device Access
Licence Required
Request Change of Schedule
Authorise Change of Schedule
Send Announcements
In App Chat
StaffHub
Power BI is a suite of business analytics tools that deliver insights throughout your organisation.
Connect to hundreds of data sources, simplify data prep and drive ad-hoc analysis. Produce custom
reports, then publish them for your organisation to consume on the web and across mobile devices.
Further information
• End users are able to publish content packs to individual users, but not entire organisations.
• External sharing is disabled on the national NHSmail O365 Hybrid tenant.
• Web publishing output is enabled on the national NHSmail O365 Hybrid tenant.
• SharePoint data sources are available based on permissions that the user has to access SharePoint content.
• Organisations will be able to access External AppSource Data Sources and authenticate their own private
accounts to pull data from.
• PowerBI Premium (additional capacity nodes) is available. The initial setup of the capacity is managed as a
service request; once completed each local organisation will have administrative access over their capacity.
• The PowerBI free service is available to any users of the NHSmail O365 Hybrid service regardless of their
assigned licence type. Local Administrators can enable the PowerBI free service within the NHSmail Portal. Free
users can connect to all data sources through all connectivity options such as DirectQuery, live connection and the
use of the data gateway. A full PowerBI licence / feature comparison is provided by Microsoft.
Features
NHSmail
O365
Local
O365
Build and publish custom reports
Manage report access permissions
Create content packs
Connect to local and on-premise data sources
Enable and use third-party connectors
Power BI Pro and Premium
Power BI
Microsoft PowerApps gives users the ability to create business apps that pull data from integrated
Microsoft products and other cloud services. With a simple interface, it allows users without coding
experience / knowledge to create business applications.
Further information
• PowerApps is included within all O365 licence types (E1, E3 & E5); users with the F1 licence type can consume
applications; however, they can’t create or publish applications (as per Microsoft standards).
• Standalone PowerApps subscriptions (Plan 1 & Plan 2) are supported on the hybrid platform. Plan 2 enables
organisations to have their own local environments, access to the PowerApps Admin Portal and define their own
Data Loss Prevention policies. This level of access is not available through any other PowerApps licence type.
• 1. The hybrid tenant Data Loss Prevention policy prevents PowerApps from connecting to data sources outside
O365 and Dynamics 365. NHSmail users who wish to build applications that connect to external data sources (e.g.
Salesforce) require a P2 licence type.
• Users with PowerApps through O365 licences (F1, E1, E3 & E5) will have access to one central PowerApps
environment shared across the hybrid tenant. Resources will be shared in this environment, however PowerApps
developed can’t be accessed by all environment members unless specifically shared by the creator.
• PowerApps cannot be shared with guest user accounts – this is a limitation set by Microsoft on all O365 tenants.
Features
NHSmail
O365
Local
O365
Build and publish custom applications
Share apps with NHSmail users
Connect to third-party applications1
Connect to Exchange Online (Outlook)
Share apps with external guest users
PowerApps
Microsoft Flow is a service that helps users to create automated workflows between different apps and
services to synchronise files, get notifications, collect data and more. It allows users to save time by
turning repetitive tasks into multi-step workflows.
Further information
• O365 licences (F1, E1, E3 & E5) are required to create and run Flows; two additional licence types can be
procured and are supported on the hybrid tenant – Flow Plan 1 and Plan 2.
• Flow Plan 2 enables organisations to have their own local environments, access to the Flow Admin Portal and
define their own Data Loss Prevention (DLP) policies. This level of access is not available through any other Flow
licence type.
• 1. The hybrid tenant DLP policy prevents Flows from connecting to data sources outside O365 and Dynamics 365.
NHSmail users who wish to build Flows that connect to external data sources (e.g. Salesforce) require a Flow Plan
2 licence type.
• 2. Flow email integration requires Exchange Online (as per Microsoft standards). The NHSmail Exchange platform is
on-premise and therefore Flow integration with Exchange / Outlook (email automation) is not possible.
• Flow storage and quota limits are determined by Microsoft on a per user basis; these are subject to change.
• Flows cannot be shared with guest user accounts – this is a limitation set by Microsoft on all O365 tenants.
Features
NHSmail
O365
Local
O365
Build and publish Flows
Share Flows with NHSmail users
Connect to third-party applications1
Connect to Exchange Online (Outlook) 2
Share Flows with external guest users
Flow
Microsoft Stream is an Enterprise Video service where NHSmail users can upload, view and share
videos securely. Stream allows users to share recordings of meetings, presentations, training sessions
or other videos that aid collaboration.
Further information
• Microsoft Stream is available through the standard O365 licence plans (F1, E1, E3 & E5); there are two additional
standalone Stream plans (Plan 1 & Plan 2) that can be procured and are supported on the platform.
• *Stream Groups can be created and managed by Local Administrators through the NHSmail Portal; non-
administrative users can create channels within their Stream Groups.
• Due to the nature of the multi-organisation hybrid tenant model both Local Administrators and users are restricted
from creating companywide channels.
• Teams Call Recording (for group calls only) can also be managed by Local Administrators through the standard
User Policy management page on the NHSmail Portal. Recorded calls will appear in a user’s Stream page. Users
with F1 licence cannot use the Teams call recording feature.
• Stream storage is allocated on a first come, first served basis. The Stream storage pool can be accessed by all
O365 enabled organisations.
• The Stream quotas and limitations are defined by Microsoft on a per tenant basis.
Features
NHSmail
O365
Local
O365
Upload and share enterprise videos
Create stream groups*
Create companywide channels
Utilise Teams call recording (E1, E3 and E5)
Manage Stream storage allocation
Stream
Project Online is a flexible online solution for Project Portfolio Management (PPM) and everyday work.
Delivered through O365, Project Online provides powerful project management capabilities for planning,
prioritising and managing projects / portfolio investments.
Further information
• Microsoft offers Project Online in three plans – Project Online Essentials, Project Online Professional and Project
Online Premium; all three licence types are supported on the hybrid platform.
• Local Administrators are able to manage Project licence allocation through the NHSmail Portal.
• 1. Local Administrators can create Project Web Applications (PWA). Microsoft have limited the number of PWAs per
O365 tenant; therefore each organisation will be capped at creating 25 PWA sites.
• 2. Users cannot create projects directly via Project Online Web https://project.microsoft.com/. To create projects,
users are required to use a PWA instance (which can be created by Local Administrators via the NHSmail Portal). Once a
project is created, it can be accessed via Project Online Web https://project.microsoft.com/
• There is no limit on the number of Project Plans that can be created within each PWA.
• Each Project licence carries an additional 10GB of storage; the NHSmail Portal automatically adds this storage
onto the quota available to the organisation that has procured the licences. This can also be used in SharePoint.
• Project Online Professional and Project Online Premium include the desktop client application. The option to
download this will be available to appropriate users through the O365 tenant.
Features
NHSmail
O365
Local
O365
Create Project Web Applications1
Create Projects2
Manage additional Project storage allocation
Integrate tasks with Exchange Online
Project Online
Visio Online is a flexible online solution for creating, editing, sharing and viewing Visio diagrams.
Delivered through O365, Visio Online provides powerful capabilities for creating block diagrams,
flowcharts, timelines, Specification and Description Language (SDL) diagrams and more.
Further information
• Delivered through O365, Microsoft offers Visio Online in two plans – Visio Online Plan 1 and Plan 2. Both are
supported on the hybrid platform.
• Visio Online Plan 2 includes the desktop application which will be available for download through the O365 portal.
• Users with an O365 licence (F1, E1, E3 & E5) can view diagrams created and shared through Visio Online.
However, to create and edit Visio diagrams either Plan 1 or Plan 2 must be in place.
Features
NHSmail
O365
Local
O365
Create and share diagrams
Download the desktop application
Basic One Drive for Business (2GB)
Visio Online
Azure business-to-business (B2B) collaboration allows organisations to securely share applications and
services with guest users from other organisations, while maintaining control of your own corporate
data. This is achieved via a simple invitation and redemption process which allows guests to use their
own credentials to access your organisation's resources. In the context of the NHS, Azure B2B will allow
NHSmail users to collaborate with external partners through the O365 suite of applications.
Further information
• External sharing is available for NHSmail users, however it is only available to users that have been configured as
Eligible Guest Inviters via the NHSmail Portal by their Local Administrators.
• NHSmail users can only invite external users as guests if they belong to an external organisation that is approved
within the Azure AD whitelist.
• Portal controlled lifecycle management processes exist to remove guest accounts that are no longer required.
• Azure Federated groups can be configured to provide dynamic guest access at an organisation level.
Features
NHSmail
O365
Local
O365
Guest user permissions are limited
Only users with the Guest Inviter role can invite
Members can invite
Guests can invite
Allow Guests from specified domains
Guest account lifecycle management
Azure Federated groups
Azure B2B (External Access)
Additional information
Licensing and registration
O365 licences must be procured by NHS organisations directly from Microsoft or their licence reseller as they currently do. O365 licences will not
be available to procure through NHSmail. Organisations are not required to procure Azure AD licences to consume the O365 service.
Registering your organisation to use the NHSmail O365 Hybrid service will be via the NHSmail Portal where organisations can submit their O365
licence details for allocation to the central NHSmail tenant.
Data and security
The NHSmail central O365 tenant is managed by NHSmail and hosted in Microsoft data centres. Data in Azure AD and O365 will be securely
held by Microsoft in their UK and EU data centres.
More information on O365 data residency is available.
Service support
Frontline support for the NHSmail O365 Hybrid service is provided by the existing national NHSmail helpdesk. The Level 1 helpdesk
provides initial triage of contacts and will raise faults to Level 2 teams as required. The Level 2 teams support faults and issues that can be
resolved within the central O365 tenant admin centre. Faults beyond this will be passed directly to Microsoft and be subject to their standard
service level agreement and process for O365 services. There is no charge to hybrid users for this centrally provided service uplift.