Microsoft Authenticator

Information about NHS CIS2 Authentication using Microsoft Authenticator.

Microsoft Authenticator provides an authentication mechanism, alongside an email address and password, that allows users to authenticate into NCRS.

Multifactor Authentication is a common standard and many users are already familiar with it from logging in to their NHS Mail accounts.

Microsoft Authenticator example window

About this graphic

This graphic shows the Microsoft Authenticator app mobile interface indicating an account with Care Identity Authentication, specifically for the user with the email address [email protected].

It also shows a 6-digit security code and a countdown timer.

The 6-digit security code is: 711 725

There are 23 seconds left on the timer before the code changes.


Convenient

Benefits for Users
  • Enables secure authentication to national clinical information systems - without the need for a smartcard and reader
  • Free App to download

Secure

Using NHS CIS2 Authentication and Microsoft Authenticator is more secure than username and password.


Reliable

NHS CIS2 Authentication is a platinum service, supported 24 hours a day, 7 days a week.

See our latest availability statistics.


Case study

Carers at Canterbury Care Home accessing NCRS pilot

The organisation and service

Canterbury Care homes have been delivering person-centred care since 2005, and currently operate three individual care homes in England and Scotland. 

Each resident receives bespoke support to become as independent as possible and enjoy the next chapter of their lives to the full.

As part of wanting to improve the quality of the service they provide, carers at Canterbury Care Home wanted to remove the need to chase GPs and wait weeks for them to respond about a patient's medical history.

Moving to NHS CIS2 Authentication

Most Care Home staff had the Microsoft Authenticator app already installed on their personal phones. For those that didn't, they were able to easily download it from the Apple App store or Google Play store.

Care Home staff using business phones had the Microsoft Authenticator app installed for them by their local IT support.

The experience

With the introduction of access to NCRS using NHS CIS2 Microsoft Authenticator, they can now look up the information themselves, saving their own time and the GP's, and improving the level of care that they provide.

To not have to rely on a GP getting back, and to have 24/7 access to care records is incredibly useful.

Considerations for organisations providing IT Support

Benefits
  • Free app that many people have already
  • No certificate renewals required

Microsoft Authenticator is currently enabled for NCRS, eRS and MESH

Microsoft Authenticator is currently being used to access national services by organisations across health and care settings.

Microsoft Authenticator is available now for all organisations to use. If you would like further information please contact the NHS England Identity and Access Management team at [email protected]

Procurement

No procurement is required - the Microsoft Authenticator App is free to download and install with minimal effort.

To use Microsoft Authenticator, the user's email address domain must be on the NHS CIS2 Authentication email domain whitelist. 

Registering devices to users

To enable Microsoft Authenticator App for use, users need to request and complete an Authenticator Registration from a Registration Authority (RA).

Network diagram showing the connection out from the user's device and the relying party clinical information application to NHS CIS2 Authentication. It also shows the connection in to the relying party clinical information application from NHS CIS2 Authentication.

Labels in the diagram:
  • Trust Network; Relying Party Network (may sit inside a Trust Network); Relying Party Application
  • User; Phone with Microsoft Authenticator; Public Internet
  • NHS CIS2 Authentication, Live Environment; NHS CIS2 Authentication domain: https://am.nhsidentity.spineservices.nhs.uk/...
  • Requests to NHS CIS2 Authentication: OIDC Authorization Code Flow, e.g. .../authorize, .../access_token, .../userinfo
  • Requests to Relying Party Application: OIDC Back-Channel Logout to the Back-Channel Logout endpoint, https://.../<backchannel_logout_uri>
  • Randomly allocated IP address
  • Fixed IP Range: 52.142.148.70/31, 51.143.231.182/31
  • Important: May require network configuration changes

Out to NHS CIS2 Authentication

Both end users and applications need to be allowed to send requests out to https://am.nhsidentity.spineservices.nhs.uk/.

This domain is on a randomly allocated IP address, which is subject to change.

In from NHS CIS2 Authentication

Whenever the user's NHS CIS2 Authentication session is destroyed (e.g. on expiration), NHS CIS2 Authentication can send Back-Channel Logout requests to the application.

These requests come from a small number of fixed IP ranges.

The application, therefore, may require that its hosting network allows requests from NHS CIS2 Authentication to be routed through firewalls to the application.

If the application is installed within trust networks, it is recommended that these are isolated on web servers and not directly exposed on critical internal servers.
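One way to check that the inbound rule is doing its job, as an added example that is not NHS CIS2 code: audit web-server log lines for the Back-Channel Logout endpoint and report any request whose source falls outside the fixed ranges shown in the network diagram. The log format, the sample lines and the `/oidc/backchannel-logout` path are assumptions constructed for illustration.

```python
import ipaddress

# Fixed source ranges as listed in the page's network diagram.
CIS2_LOGOUT_SOURCES = [
    ipaddress.ip_network("52.142.148.70/31"),
    ipaddress.ip_network("51.143.231.182/31"),
]

# Hypothetical path: substitute the backchannel_logout_uri of your application.
LOGOUT_PATH = "/oidc/backchannel-logout"

# Constructed sample log lines in the form "<source-ip> <method> <path> <status>".
SAMPLE_LOG = """\
52.142.148.71 POST /oidc/backchannel-logout 200
51.143.231.182 POST /oidc/backchannel-logout 200
203.0.113.40 POST /oidc/backchannel-logout 200
198.51.100.7 GET /login 200
not-an-ip POST /oidc/backchannel-logout 400
52.142.148.72 POST /oidc/backchannel-logout 403
"""


def is_cis2_source(addr: str) -> bool:
    """True if addr parses as an IP inside one of the fixed ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable source is never trusted
    return any(ip in net for net in CIS2_LOGOUT_SOURCES)


def audit_logout_requests(log_text: str, path: str = LOGOUT_PATH):
    """Return (source, status, outcome) for logout requests from unexpected sources."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != path:
            continue  # other endpoints are not covered by the fixed-range rule
        src, _method, _path, status = parts
        if is_cis2_source(src):
            continue
        # A 2xx here means the firewall passed it and the application accepted it.
        outcome = "accepted" if status.startswith("2") else "rejected"
        findings.append((src, status, outcome))
    return findings


if __name__ == "__main__":
    for src, status, outcome in audit_logout_requests(SAMPLE_LOG):
        print(f"unexpected logout source {src}: HTTP {status} ({outcome})")
```

An "accepted" finding points to a firewall rule wider than the fixed ranges. Source filtering is a network control alongside the application's own validation of the logout token, not a replacement for it.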


Google Authenticator

Google Authenticator also works with NHS CIS2 Authentication.

Having spoken with a number of trusts and health and care organisations, we understand that Google Authenticator is a well-used authenticator app. Google Authenticator did not work with NHS CIS2 Authentication from the start, but we've since made changes to enable it to work.

However, NHS CIS2 Authentication recommends users and trusts use Microsoft Authenticator instead of Google Authenticator, due to the additional security in place (specifically a biometrics check to open and use the app).


Support

You can get support by going to the NHS Digital Customer Portal or emailing [email protected]

Our vision is evolving as we learn

There are lots of features we are working on and considering for the future.

We'd love to hear what you think.

To suggest, comment or vote on these features, visit our feedback portal or contact us by emailing [email protected]

Last edited: 5 June 2025 2:31 pm