Following capabilities can be achieved in hybrid implementation.
1. Hybrid Search
2. Hybrid Sites
a. Hybrid Profiles
b. One Drive for Business
c. Hybrid Extranet Sites
3. Hybrid BCS
4. Duet Enterprise Online
There are three ways to achieve hybrid implementations.
1. One-Way outbound Topology (SharePoint on-premises version can query SharePoint Online)
2. One-Way Inbound Topology (SharePoint Online can be connected to SharePoint On-Premises)
3. Two-Way bidirectional Topology (SharePoint On-premises and SharePoint Online can access each other functionalities)
In this blog, I will focus on Hybrid Search using One-Way Outbound topology.
Hybrid Search can be achieved using three steps.
- Directory Synchronization
- Server to Server Trust & Identity Management
- Search Service Integration
Three Identity Models are available. We will focus on Synchronized identity for simplicity.
- Cloud Identity
- Synchronized Identity
- Federated Identity
In Synchronized Identity, Identities are managed in on-premises Active Directory and are synchronized to Azure AD through Azure AD Connect. Synchronization also sync password hashes.
Here is given the steps to achieve directory synchronization.
- Enable Directory Synchronization in you tenant (Office 365)
- Add On-Premise domain (user suffix) to Office 365 Tenant. (Domain Name should be publicly accessible for reverse sync)
- Update DNS Records (MX / TXT records) in your Domain Hosting Panel.
- Download and Run the User Sync from Tenant
- In Office 365, Import users / groups and validate.
- Activate Users and Assign Licenses.
Server to Server Trust & Identity Management
Trust between SP On-Premises and Office 365 tenant (Server to Server) can be established by following below steps.
1. Replace STS Certificate (All on-premises servers)
2. Establish Remote Windows Power Shell Connection
Import-Module MSOnline –force –verbose
Import-Module MSOnlineExtended –force –verbose
3. Add Service Principal for on-premises domain
New-MsolServicePrincipalCredential –AppPrincipalId -Type asymmetric –Usage Verify –value
$SPOnlinePrincipal = Get-MsolServicePrincipal – AppPrincpalId $SPOnlineNameSpace = $SPOnlinePrincipal.ServicePrincipalNames
Set-MsolServicePrincipal –AppPrincipalId -ServicePrincipalNames $SPOnlineNameSpace
4. Establish On-Premise Farm Trust with ACS
$SPContextID = (Get-MsolCompanyInformation).ObjectID
Register-SPAppPrincipal –site -nameIdentifier <SPPrincipalID@SPContextID> -displayName “SharePoint Online”
5. Set Authentication Realm
6. Configure Proxy in On-premises farm
New-SPAzureAccessControlServiceApplicationProxy –Name “ACS” –MetaDataServiceEndPointUri “https://accounts.accesscontrol.windows.net/metadata/json/1/” –DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer –MetadataEndpoint “https://accounts.accesscontrol.windows.net/metadata/json/1/” –IsTrustedBroker –Name “ACS”
Search Service Integration
Search Integration process is based on 3 parts.
1. Configure Result Source
Search Result Source can be configured in SharePoint on-premises by Adding Result Source in Site Collection Administration. Protocol should be chosen as Remote SharePoint. Credential should be chosen as Default Authentication. In case of Inbound, Select SSO ID.
2. Create Query Rule
You can filter when to trigger remote Query Processor by creating a Query Rule. Specific words can be added as triggers.
You can also specify where the result set should appear. By Default, all remote results come on top for easier identification. It can also be set to come in between complete result set.
3. Validate Query Rule
It’s an optional step to verify whether Query Rule has been configured properly and is returning correct result.