Blogs

SharePoint Hybrid Implementation – Overview

Following capabilities can be achieved in hybrid implementation.

• Hybrid Search
• Hybrid Sites
  • Hybrid Profiles
  • One Drive for Business
  • Hybrid Extranet Sites
• Hybrid BCS
• Duet Enterprise Online

There are three ways to achieve hybrid implementations.

• One-Way outbound Topology (SharePoint on-premises version can query SharePoint Online)
• One-Way Inbound Topology (SharePoint Online can be connected to SharePoint On-Premises)
• Two-Way bidirectional Topology (SharePoint On-premises and SharePoint Online can access each other functionalities)
In this blog, I will focus on Hybrid Search using One-Way Outbound topology.

Hybrid Search

Hybrid Search can be achieved using three steps.

• Directory Synchronization
• Server to Server Trust & Identity Management
• Search Service Integration

Directory Sync

Three Identity Models are available. We will focus on Synchronized identity for simplicity.

• Cloud Identity
• Synchronized Identity
• Federated Identity

In Synchronized Identity, Identities are managed in on-premises Active Directory and are synchronized to Azure AD through Azure AD Connect. Synchronization also sync password hashes.

Here is given the steps to achieve directory synchronization.

• Enable Directory Synchronization in you tenant (Office 365)
• Add On-Premise domain (user suffix) to Office 365 Tenant. (Domain Name should be publicly accessible for reverse sync)
• Update DNS Records (MX / TXT records) in your Domain Hosting Panel.
• Download and Run the User Sync from Tenant
• In Office 365, Import users / groups and validate.
• Activate Users and Assign Licenses.

Server to Server Trust & Identity Management

Trust between SP On-Premises and Office 365 tenant (Server to Server) can be established by following below steps.

• Replace STS Certificate (All on-premises servers)

  Set-SPSecurityTokenServiceConfig –ImportSigningCertificate

• Establish Remote Windows Power Shell Connection

  enable-psremoting

  new-pssession

  Import-Module MSOnline –force –verbose

  Import-Module MSOnlineExtended –force –verbose

• Add Service Principal for on-premises domain

  Connect-MsolService

  New-MsolServicePrincipalCredential –AppPrincipalId -Type asymmetric –Usage Verify –value

  $SPOnlinePrincipal = Get-MsolServicePrincipal – AppPrincpalId $SPOnlineNameSpace = $SPOnlinePrincipal.ServicePrincipalNames

  $SPOnlineNameSpace.Add(“PrincipalID/PrincipalCommonName”)

  Set-MsolServicePrincipal –AppPrincipalId -ServicePrincipalNames $SPOnlineNameSpace

• Establish On-Premise Farm Trust with ACS

  $SPContextID = (Get-MsolCompanyInformation).ObjectID

  Register-SPAppPrincipal –site -nameIdentifier -displayName “SharePoint Online”

• Set Authentication Realm

  Set-SPAuthenticationRealm –realm

• Configure Proxy in On-premises farm

  New-SPAzureAccessControlServiceApplicationProxy –Name “ACS” –MetaDataServiceEndPointUri

  “https://accounts.accesscontrol.windows.net/metadata/json/1/” –DefaultProxyGroup

  New-SPTrustedSecurityTokenIssuer –MetadataEndpoint “https://accounts.accesscontrol.windows.net/metadata/json/1/” –

  IsTrustedBroker –Name “ACS”

Search Service Integration

Search Integration process is based on 3 parts.

• Configure Result Source

  Search Result Source can be configured in SharePoint on-premises by Adding Result Source in Site Collection Administration. Protocol should be chosen as Remote SharePoint. Credential should be chosen as Default Authentication. In case of Inbound, Select SSO ID.

• Create Query Rule

  You can filter when to trigger remote Query Processor by creating a Query Rule. Specific words can be added as triggers. You can also specify where the result set should appear. By Default, all remote results come on top for easier identification. It can also be set to come in between complete result set.

• Validate Query Rule

  It’s an optional step to verify whether Query Rule has been configured properly and is returning correct result.

Share it