The deal between NHSX, NHS Digital and Microsoft for low-cost access to Microsoft’s 365 digital services offers amazing advances in productivity, collaboration and security. However, once you start thinking about deployment, it does not take long for the question of whether to deploy these licences in your own Office 365 tenant or the shared NHS tenant to raise its head.
On the surface it seems like quite an easy question to answer. If you want to use @nhs.net email and also want to take advantage of the lowest pricing model, then the shared tenant seems the obvious answer.
For some organisations though, the answer is not quite as straightforward. We’ve taken some of the conversations we’ve had with clients recently and distilled the main concerns and questions down into the following:
Mandatory Security Services
In 2021, the shared tenant will require the use of Multi-factor authentication, Conditional Access and other advanced security offerings from Microsoft, by way of the Active Directory Premium products.
There is no doubt that these services are a vital weapon in any organisation’s security arsenal, but some we speak to are unaware that the upcoming cost of deploying this service is to be borne by each NHS organisation and not centrally.
In addition, the protection these tools offer will only extend to the shared tenant and not your own services, so you may well end up with two different solutions, adding confusion and complexity for your users.
Choosing to utilise your own tenant would ensure you have a single security solution that would work across your entire organisation.
Utilising Azure Services
If you have any desire to utilise Microsoft Azure services within your organisation then, by implication, you are going to have your own tenant anyway as Office 365 and Azure share the same core service.
The Azure environment is a significant resource that extends past simply being a new place to host your servers; rather, it can lead to significant cost reductions, better staff usability, lower maintenance and greater performance & uptime.
Whilst discussion around Azure should be a blog topic in its own right, if you have plans to consider its use, understanding the impact of this in relation to using the shared tenant vs your own tenant is vital.
Moving to Modern IT
Moving to a Modern IT model allows for the deployment of modern services such as Autopilot for Windows deployment, with Microsoft Endpoint Manager (aka Intune) used for ongoing management. When combined with other services, this approach significantly drives down the cost of running the IT basics in your organisation, reduces your servers and allows your support teams to move away from constant fire-fighting and into more value-add services.
Modern IT also has the advantage of uncoupling your users’ location from where the IT management services are, as any Internet connection, in any location, allows a device to remain compliant with your standards.
We think it’s fair to say that there’s still some work to do from Microsoft & Accenture in this area to clarify exactly what can and can’t be done when using the shared tenant (it’s pretty simple if you decide to use your own tenant).
There are some technical concerns to overcome, such as giving you your own access to manage devices directly as opposed to using the Accenture Service Request process.
Using Two Tenants
We often get asked whether it’s possible to use your own tenant and the shared tenant at the same time. For example, can you use the shared tenant for free email and Teams access whilst using your own tenant for more advanced services where you have more control?
In short, the answer is yes. Although Microsoft and NHS Digital have said this isn’t recommended, I know organisations that are doing it successfully because it meets their specific needs at the right price point.
And the main reason for the “not recommended” statement? When we pressed Microsoft on this point, it seems the only answer is that it’s a little more complex to set up, but we would argue that for progressive organisations looking to have access to more than just basic email and Teams services, it’s a model that should be given serious thought.
In conclusion, there are different factors that will influence your decision as to which tenant model to deploy, and what might seem right and easy today may not be the best decision for the long term.
If you want to utilise more than simply basic @nhs.net email then there are several factors to work through and plan out quickly to ensure that you can deploy the services in a way that gives you maximum flexibility, low cost and positive impact on your end users.
Whichever model is right for you, you will need to decide quickly, because to take advantage of the N365 licence agreement, you must have all services deployed by October 2021.