11. A server-to-server (S2S) trust needs to be created
between your on-premises farm and Azure Access
Control Services (ACS)
12. “ACS is a cloud-based federation service that provides an easy way to
authenticate users against identity providers and, most important of all,
Azure Active Directory”
13. It’s all about trust
• ACS works as a trust broker between SharePoint on-premises and
SharePoint Online / Office 365
• It generates security tokens which are trusted by both sides
• These tokens are used to authorize actions on behalf of the user
15. ACS is about to be deprecated
• You can’t create any more namespaces since July 2017
• The future is Azure Active Directory
• SharePoint still needs it for hybrid & add-ins
• No official message yet on what will happen
17. Trust creation | Online
• Office 365 already trusts ACS by default
• The on-premises farm will be registered as a service principal
• To sign the security token, a certificate needs to be created
• The certificate will be registered as credential for the service principal
18. Trust creation | On-Premises
• Office 365 will be registered as an app principal
• The farm’s authentication realm will be changed to your tenant id
• A link to ACS will be created by adding a service application proxy
• ACS will be registered as a Trusted Security Token Issuer
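The four on-premises steps above, as an added PowerShell example (not from the slides); it follows the cmdlets Microsoft documents for the SharePoint Online S2S trust, while the site URL, proxy name and issuer name are assumptions. It records the old authentication realm before changing it, because that realm change is what later breaks provider-hosted add-ins, and it verifies the trust afterwards:

```powershell
# Added example (not from the slides): the on-premises half of the S2S trust.
# Run in the SharePoint Management Shell as farm admin, with the MSOnline module
# installed and Connect-MsolService already done. Site URL and names are assumptions.

$onPremSite = "https://sharepoint.corp.example"          # assumption: a root site in the farm
$spoAppId   = "00000003-0000-0ff1-ce00-000000000000"      # well-known app id of SharePoint Online

# Tenant (context) id of the Office 365 tenant: becomes the farm's authentication realm
$tenantId = (Get-MsolCompanyInformation).ObjectId.ToString()

# Record the current realm first: changing it is what breaks provider-hosted add-ins,
# and you need the old value to repair them afterwards
$oldRealm = Get-SPAuthenticationRealm
Write-Host "Current realm: $oldRealm  ->  new realm: $tenantId"

# Authentication realm = tenant id
Set-SPAuthenticationRealm -Realm $tenantId

# Service application proxy pointing at the ACS metadata endpoint for this tenant
$acsMetadata = "https://accounts.accesscontrol.windows.net/$tenantId/metadata/json/1"
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" `
    -MetadataServiceEndpointUri $acsMetadata -DefaultProxyGroup

# ACS as a Trusted Security Token Issuer acting as trust broker
New-SPTrustedSecurityTokenIssuer -Name "ACS" -IsTrustBroker:$true -MetadataEndPoint $acsMetadata

# SharePoint Online registered as an app principal in the on-premises farm
$spoPrincipalId = (Get-MsolServicePrincipal -ServicePrincipalName $spoAppId).ObjectId
$site = Get-SPSite $onPremSite
$appPrincipal = Register-SPAppPrincipal -Site $site.RootWeb `
    -NameIdentifier "$spoPrincipalId@$tenantId" -DisplayName "SharePoint Online"
Set-SPAppPrincipalPermission -Site $site.RootWeb -AppPrincipal $appPrincipal `
    -Scope SiteCollection -Right FullControl

# Verify: a trust-broker issuer named ACS exists and the realm now equals the tenant id
Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.IsTrustBroker } |
    Format-List Name, RegisteredIssuerName
if ((Get-SPAuthenticationRealm) -ne $tenantId) { throw "Authentication realm was not changed" }
```

Keep the printed old realm with your change record: the Office 365 side of the trust and any existing add-in registrations are tied to realm values, so an unannounced realm change is the first thing to check when add-ins stop working after hybrid setup.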
19. Do we always need that trust?
Feature   | Identity Sync | Single Sign On | Trust creation | Reverse Proxy
OneDrive  | Y             | O              | O              | N
Profiles  | Y             | O              | O              | N
Sites     | Y             | O              | Y              | N
Search    | Y             | O              | Y              | O
Trust is only needed for specific scenarios
20. Hybrid features vs SharePoint versions
Feature                                           | SP 2013     | SP 2016           | SP 2019
Federated hybrid search                           | RTM         | RTM               | Public preview
Cloud hybrid search                               | 01/2016 CU  | RTM               | Public preview
Hybrid app launcher                               | 07/2016 CU  | RTM               | Public preview
Hybrid OneDrive & Profiles                        | 09/2015 CU  | RTM               | Public preview
Hybrid Sites                                      | 07/2016 CU  | RTM               | Public preview
Hybrid Taxonomy                                   | 11/2016 CU  | FP1 (11/2016 CU)  | Public preview
Hybrid Content Types                              | 06/2017 CU  | 06/2017 CU        | Public preview
Hybrid Auditing (preview)                         | N/A         | FP1 (11/2016 CU)  | N/A
Hybrid self service site creation                 | 03/2017 CU  | 11/2017 CU        | Public preview
MySite creation defaults to OneDrive for Business | 10/2017 CU  | N/A               | Public preview
21. Required service applications
App Management Service
Subscription Settings Service
User Profile Service
You still need an on-premises
User Profile configuration!
22. Additional Requirements for Search
• Azure Active Directory PowerShell
• Microsoft Online Services Sign-In Assistant
23. Getting ready for a hybrid setup
• Decent internet connectivity (duh)
• Office 365 Enterprise subscriptions
• Identity synchronization & management is key
• SharePoint Admin account for on-premises
• Tenant Admin account for Office 365
38. Caution!
Enabling hybrid features can break
• Provider-hosted add-ins
• Workflow Manager trust
Recent versions of the configuration wizard are able to
detect/fix this issue!
40. Manual Workaround
Scripts to fix provider-hosted add-ins:
http://thvo.me/fixhybridpha
https://support.microsoft.com/kb/4010011
42. Tip | Licenses & Identity Synchronization
• Make sure all users are synchronized
• Make sure all users have an appropriate license
Sync & give your admin accounts a license in Office 365!
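A pre-flight check for the prerequisites named on slides 21 and 42, as an added PowerShell example (not from the slides). It confirms the three required service applications exist and reports whether each admin account has been synchronized to Office 365 and holds a license; the account list is an assumption:

```powershell
# Added example (not from the slides): hybrid prerequisite check.
# Run in the SharePoint Management Shell with the MSOnline module loaded
# and Connect-MsolService already done. The admin account list is an assumption.

# Required service applications, matched on TypeName so display names do not matter
$requiredServiceApps = @(
    "*App Management Service*",
    "*Subscription Settings Service*",
    "*User Profile Service*"
)
$installed = Get-SPServiceApplication
foreach ($pattern in $requiredServiceApps) {
    $hit = $installed | Where-Object { $_.TypeName -like $pattern }
    if ($hit) {
        $status = ($hit | Select-Object -First 1).Status
        Write-Host ("OK      {0} ({1})" -f $pattern.Trim('*'), $status)
    } else {
        Write-Warning ("MISSING {0}: create it before running the hybrid wizard" -f $pattern.Trim('*'))
    }
}

# Admin accounts that must be synchronized to Office 365 and hold a license
$adminUpns = @("spadmin@corp.example", "tenantadmin@corp.example")   # assumption
foreach ($upn in $adminUpns) {
    $u = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if (-not $u) {
        Write-Warning "$upn not found in Office 365: identity sync has not picked it up"
        continue
    }
    # LastDirSyncTime is only populated for users that came through directory synchronization
    $synced = $null -ne $u.LastDirSyncTime
    Write-Host ("{0}  synced={1}  licensed={2}" -f $upn, $synced, $u.IsLicensed)
    if (-not $u.IsLicensed) { Write-Warning "$upn has no license; assign one before using hybrid features" }
}
```

A user profile service application still has to be configured on-premises even when profiles are redirected to Office 365, which is why the check treats it as required rather than optional.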
47. Networking-related issues
• Internet connectivity (client & server)
• Ports to be opened, sites to be reachable for search
http://thvo.me/sphybridsearchports
• Proxy servers!
netsh winhttp import proxy source=ie
netsh winhttp set proxy proxy.company.net:8080
48. Tip | Direct link to the configuration wizard
http://thvo.me/sphybridwiz
https://mshrcstorageprod.blob.core.windows.net/sharepointhybridpicker/Microsoft.Online.CSE.HybridSP.Client.application
49. Tip | Run the wizard with admin privileges
Important for things like starting the SharePoint Insights service in 2016 for hybrid auditing or when something just
doesn’t work…
51. Tips | Hybrid search
• You have to create a new search service application
• Your existing search topology might not be valid anymore
More tips: https://speakerdeck.com/thomasvochten
52. Security & Identity | Hybrid Search
The user identities now mirror the on-premises (AD) directory by using the on-premises SID
Groups are mapped to ObjectId; «everyone» & «authenticated users» > «everyone except external users»
AD
  Account Name: CORP\jaden
  SID: S-1-5-21-1212121212-1212121212-1212
AAD
  Account Name: jaden@corp.hybridsearch.com
  msOnline-OnPremiseSecurityIdentifier: S-1-5-21-1212121212-1212121212-1212
  PUID: PUID-XXXX-XXXXXXXXXX
Hybrid search only works with Windows AuthN (Kerberos or NTLM)
53. Where to configure what? | Hybrid Search
Feature              | SharePoint Online             | SharePoint On-Premises
Content Sources      | N/A                           | Cloud SSA
Search Schema        | Tenant                        | No
Result Sources       | Tenant – Consumed Online      | SSA – Consumed On-Premises
Query Rules          | Tenant, Site Collection, Site | Cloud SSA, Site Collection, Site
Result Types         | Site Collection               | No
Search Usage Reports | Site Collection               | No
Query Suggestions    | Tenant                        | No
Authoritative Pages  | Tenant                        | No
Crawl Log            | N/A                           | Cloud SSA
http://www.ableblue.com/blog/archive/2017/10/09/result-type-rules-and-display-templates-with-sharepoint-hybrid-search/
Table by Matthew McDermott
54. Tips | Hybrid search
• Use the “IsExternalContent” managed property
• Don’t forget to create an on-premises result source and set it as
default
More tips: https://speakerdeck.com/thomasvochten
55. Limitations | Hybrid Search
• Limited customization options
  - No entity extraction
  - No content enrichment (announced)
  - No custom security trimming
  - No real Delve integration
  - …
• No internet, no search (be aware of proxy servers)
• Central administration integration
• No dashboard of your online index search health
56. Tips | Taxonomy & Content Types
• Grant your farm account permissions on the term store
• Watch the timer jobs!
  - Taxonomy Groups Replication
  - Content Type Replication
• PowerShell to copy your on-prem termstore/ctypes to the cloud:
  - Copy-SPTaxonomyGroups
  - Copy-SPContentTypes
More tips: https://speakerdeck.com/thomasvochten
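The three tips above carried out end to end, as an added PowerShell example (not from the slides): the farm account is made a term store administrator through the taxonomy object model, the two cmdlets named on the slide replicate selected groups and content types, and the replication timer jobs are listed so you can see when they last ran. It needs a SharePoint version or CU that ships these cmdlets (see the version table on slide 20); all URLs, names and credentials are assumptions:

```powershell
# Added example (not from the slides): taxonomy and content type replication.
# Run in the SharePoint Management Shell. URLs, account and names are assumptions.

$localSiteUrl  = "https://sharepoint.corp.example"
$remoteSiteUrl = "https://contoso.sharepoint.com"        # assumption: your tenant root site
$farmAccount   = "CORP\spfarm"                            # assumption: the farm account
$termStoreName = "Managed Metadata Service Proxy"         # assumption: local MMS proxy name

# 1. Farm account as term store administrator (object model; there is no dedicated cmdlet)
$site      = Get-SPSite $localSiteUrl
$session   = Get-SPTaxonomySession -Site $site
$termStore = $session.TermStores[$termStoreName]
if (-not $termStore) { throw "Term store proxy '$termStoreName' not found on $localSiteUrl" }
$termStore.AddTermStoreAdministrator($farmAccount)
$termStore.CommitAll()

# 2. Copy selected taxonomy groups first, then the content types that reference them.
#    The credential is a cloud tenant admin, not the on-premises farm account.
$cred = Get-Credential -Message "Office 365 tenant admin"
Copy-SPTaxonomyGroups -LocalTermStoreName $termStoreName -LocalSiteUrl $localSiteUrl `
    -RemoteSiteUrl $remoteSiteUrl -GroupNames "Departments","Locations" -Credential $cred
Copy-SPContentTypes -LocalSiteUrl $localSiteUrl -LocalTermStoreName $termStoreName `
    -RemoteSiteUrl $remoteSiteUrl -ContentTypeNames "Contract","Policy Document" -Credential $cred

# 3. The replication timer jobs the slide warns about: confirm they exist and when they last ran
Get-SPTimerJob |
    Where-Object { $_.Name -like "*Taxonomy Groups Replication*" -or $_.Name -like "*Content Type Replication*" } |
    Format-Table Name, LastRunTime, Status
```

Replication is one-directional and repeats on the timer job schedule, so an item deleted or changed in the cloud is reverted on the next run; treat the on-premises term store as the only place where edits are made.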
57. Limitations | Taxonomy & Content Types
• Synced items can still be deleted (will be recreated upon next job run)
• Your on-premises term store can still be changed (which can cause
problems!)
• Does not do site-collection scoped taxonomy, only central metadata
• You need to make the farm account a term store administrator on-premises
• SharePoint on-premises can have 1.000.000 items in a term store,
SharePoint Online can "only" have 200.000
58. Tips | App Launcher
Not seeing your custom app icon?
Use the developer tools console in your browser:
ClearSuiteLinksCache()
59. Tips | SRXCore
• Search diagnostics tool
• Can be used to diagnose some hybrid issues too
http://thvo.me/srxcore
60. • Don’t skip the “obvious” prerequisites, like
licensing and identity synchronization
• Different hybrid capabilities have different
requirements
• Understand the key architecture, the trust
model and their moving parts
• Always use the latest version of the hybrid
configuration wizard, it’s updated regularly
• Develop a troubleshooting strategy, learn the
PowerShell cmdlets