Hybrid scenarios between SharePoint Server 2013 and O365 take a number of guises including search and business connectivity capabilities. All hybrid scenarios require a base identity configuration on which the hybrid workload can be configured. Hybrid workloads can operate in what are known as inbound and outbound directions. Outbound is considered the simplest configuration with inbound being complicated by the addition of extra on premises infrastructure and the perception of it being a difficult task to configure correctly. In this session we want to dispel that myth and show how configuring the identity infrastructure including dirsync with password synchronization to support outbound and inbound hybrid search between SharePoint 2013 server and O365 can be done. Configuration of Windows 2012 R2 Web Application Proxy (WAP) Server to support inbound hybrid authentication will be a key component of this session as well as the use of Windows Azure for the on premises SharePoint roles.
Configuring Hybrid Workloads for SharePoint 2013 and O365 by Neil Hodgkinson
2. Pre-Microsoft
Process Chemist (Drugs, Poisons and Explosives)
CSC SharePoint Specialist – 5 Years
Microsoft (2005-)
SharePoint PFE - 5 Years
SharePoint Service Engineering O365 - 3 Years
Office 365 CXP CAT - Current
MCM/MCSM SharePoint Instructor Team
Contact
Email – neil.hodgkinson@microsoft.com
Twitter - @nellymo
3. • Verbalise the advantages hybrid scenarios bring as a waypoint towards a full cloud experience
• Discuss the technical implementation of hybrid configurations with architects and engineers
• Understand the role of the reverse proxy server in an inbound hybrid setup, and in particular gain insight into the configuration of Windows Web Application Proxy
8. [Diagram: outbound hybrid search. Customer network (intranet) with a SharePoint Server 2013 farm and its primary web app; Microsoft data center with the Office 365 tenant and a SharePoint Online site collection.] Outbound: SharePoint Server can query SharePoint Online; SharePoint Online cannot query SharePoint Server. The on-premises SharePoint Server 2013 Enterprise Search portal shows local and remote (hybrid) search results; the SharePoint Online search portal shows local search results only.
9. [Diagram: inbound hybrid search, with a reverse proxy in the perimeter network between the Internet and the intranet.] Inbound: SharePoint Online can query SharePoint Server; SharePoint Server cannot query SharePoint Online. The on-premises SharePoint Server 2013 Enterprise Search portal shows local search results only; the SharePoint Online search portal shows local and remote (hybrid) search results.
10. [Diagram: two-way hybrid search, with a reverse proxy in the perimeter network.] SharePoint Online can query SharePoint Server and SharePoint Search can query SharePoint Online. Both the on-premises SharePoint Server 2013 Enterprise Search portal and the SharePoint Online search portal show local and remote (hybrid) search results.
12. [Diagram: outbound search topology. An authenticated user queries the on-premises Search Center; the on-premises Query Processing Component returns results from the on-premises Index Components and, alongside the on-premises User Profile Service App, from the SharePoint Online Query Processing Component and its Index Components.]
13. [Diagram: inbound search topology. An authenticated O365 user queries the SharePoint Online Search Center; the SharePoint Online Query Processing Component returns results from its own Index Components and, through the reverse proxy, from the on-premises Query Processing Component and Index Components; the on-premises User Profile Service App is shown alongside.]
15. Configuring Business Connectivity Services on-premises:
❶ Create a Business Data Connectivity service application in SharePoint on-premises
❷ Configure the Business Connectivity Services Metadata Store
❸ Configure the target application for the Secure Store Service
❹ Define the external content type for external data
❺ Create the external list and configure permissions
16. Business Connectivity Services on-premises deployment [Diagram: client layer; SharePoint service layer with SharePoint 2013 Business Connectivity Services and Secure Store Service; external system layer with the external data source.]
❶ A user in need of on-premises data goes to an on-premises application or external list
❷ The external list or application requests data and sends it to Business Connectivity Services
❸ Business Connectivity Services accesses the external content type to determine how to gain access to the external data and what credentials to use
❹ Business Connectivity Services passes a request to a connector that retrieves the data by using either the user’s credentials or credentials from a secure store
❺ Optional: The user uses Connect to Outlook to take data offline
❻ The Click Once installation installs the Business Connectivity Services model on the client
❼ Microsoft Outlook connects to the external data and synchronizes to the Outlook SharePoint external list (formatted as a contact list)
❽ The user interacts with the data, and synchronizes changes with the external data source manually or automatically
17. Hybrid Business Connectivity Services:
• Enables users to publish on-premises data to a list or application external to SharePoint Online
• Enables federated users to gain access to on-premises data from SharePoint Online
• Requires a two-way authentication topology using an external URL published by reverse proxy
• Connects only through an OData source
18. • Business Connectivity Services must be installed on-premises
• On-premises instance must have connectivity to the external data source
• Two-way authentication topology must be configured
• External URL to SharePoint on-premises must be configured
19. Hybrid Business Connectivity Services flow [Diagram: authentication flow and data flow across the SharePoint Online tenancy (external list, Business Connectivity Services, secure store and Access Control Service), the reverse proxy in the perimeter network, and the on-premises SharePoint farm and external data source in the internal network.]
❶ Using federated credentials, a user in need of on-premises data logs on to the online app or external list
❷ The app or external list creates a request for data and sends it to Business Connectivity Services
❸ Business Connectivity Services gains access to the external content type to determine how to access the external data and what credentials to use
❹ Business Connectivity Services retrieves a secure-channel certificate from the secure store and an OAuth token from Windows Azure Active Directory for user authentication
❺ Business Connectivity Services sends an HTTPS request to the published endpoint for the data source with the certificate and token
❻ The reverse proxy authenticates the request and forwards it to SharePoint on-premises
❼ SharePoint on-premises retrieves the identity from the token and maps it to the on-premises identity that has access to the data
❽ On-premises Business Connectivity Services forwards the request to the OData service endpoint
❾ The OData endpoint authenticates the request through Internet Information Services and returns the data
20. Business Connectivity Services with SQL Azure:
• Enables integration of data into SharePoint Online from SQL Azure
• Enables external users to gain access to data published online
Configuration and requirements
• Can be configured in addition to or separate from hybrid Business Connectivity Services
• Does not require a hybrid environment or hybrid identity management infrastructure
21. [Diagram: SharePoint Online and SQL Azure data flow.]
❶ Users who need online data go to the online application or external list
❷ The external list or online application creates a request for data and sends it to Business Connectivity Services
❸ Business Connectivity Services accesses the external content type to determine how to access the external data
❹ The external content type tells Business Connectivity Services the credentials to use, in this case credentials from the secure store
❺ Business Connectivity Services passes the request to the endpoint of the SQL Azure Windows Communication Foundation Service
❻ SQL Azure returns the data
❼ SharePoint Online displays the data in the browser
25. On Premises Infrastructure [Diagram: federated identity topology. Customer network: AD servers, ADFS servers, Azure AD DirSync server, and the SharePoint farm with the SharePoint STS, User Profile Sync Service and Secure Store target app. Perimeter network: ADFS proxy and reverse proxy. Microsoft data center: Office 365 tenant with the Identity Platform directory service, Azure AD tenant, Azure AD proxy, ACS trust and federation gateway.]
26. On Premises Infrastructure [Diagram: directory synchronization with password sync topology. Customer network: AD servers, DirSync server with Password Sync, and the SharePoint farm with the SharePoint STS and User Profile Sync Service; no ADFS servers and no reverse proxy. Microsoft data center: Office 365 tenant with the Azure AD Identity Platform directory service, Azure AD tenant, Azure AD proxy, ACS trust and federation gateway.]
27. Identity models:
• Cloud Identity: single identity in the cloud; suitable for small organizations with no integration to on-premises directories
• Directory & Password Synchronization*: single identity; suitable for medium and large organizations without federation*
• Federated Identity: single federated identity and credentials; suitable for medium and large organizations
29. Windows Azure Active Directory Directory Synchronization: the on-premises AD user identity (e.g. Domain\Alice) is synchronized to a cloud identity (e.g. alice@contoso.com).
30. Directory synchronization steps:
• Activate: activate directory synchronization in your tenant
• Add Domain: add the on-premises domain to the O365 tenant
• TXT or MX Records: update DNS records
• Install and Configure: run the wizard and start the sync
• Sync: in the O365 dashboard validate users and groups
• Activate Users: activate users and grant licenses
• For detailed directory synchronization configuration see: http://aka.ms/directorysync
34. On Premises Infrastructure [Diagram: inbound hybrid components. Customer network: AD servers and the SharePoint farm with the SharePoint STS, User Profile Sync Service and Secure Store target app. Perimeter network: reverse proxy. Microsoft data center: Office 365 tenant with the Azure AD Identity Platform directory service, Azure AD tenant, Azure AD proxy, ACS trust and federation gateway.]
37. For Remote Index to work we need to establish an OAuth trust with ACS between SharePoint on-premises and SharePoint Online. This enables S2S authentication – 7 Steps to Heaven:
❶ Replace the STS certificate across all SharePoint servers in the on-premises farm
❷ Deploy Windows Azure AD PowerShell, with the Microsoft Sign-in Assistant as its prerequisite
❸ Establish trust between the on-premises SP farm and SP Online by replacing the certificate
❹ Add an SPN for the on-premises domain (e.g. 00000003-0000-0ff1-ce00-000000000000/*.nellymo.com)
❺ Register the SP Online application principal as a trusted provider in SP on-premises
❻ Set the authentication realm for SharePoint
❼ Configure a proxy in the on-premises farm for Azure AD
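The seven steps above as they are typically scripted in the SharePoint 2013 Management Shell together with the Windows Azure AD (MSOnline) PowerShell module. This is an added example, not the deck's own script: the certificate file paths and the site URL are placeholders for your farm, the `*.nellymo.com` DNS name is the one quoted on the slide, and the application principal ID 00000003-0000-0ff1-ce00-000000000000 is the SharePoint Online principal ID the slide shows. The cmdlet and parameter names are the standard ones from the SharePoint and MSOnline modules.

```powershell
# Added example: the seven S2S trust steps from the slide, scripted.
# Run in the SharePoint 2013 Management Shell as a farm administrator on one farm
# server; the STS signing certificate is a farm-wide setting, so step 1 propagates.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline   # Windows Azure AD module (requires the Sign-in Assistant)

$pfxPath   = "C:\certs\sts.pfx"            # placeholder: new STS signing cert with private key
$cerPath   = "C:\certs\sts.cer"            # placeholder: public part, exported below
$onPremDns = "*.nellymo.com"               # on-premises web app DNS name, from the slide
$siteUrl   = "https://portal.nellymo.com"  # placeholder: on-premises root site
$spoAppId  = "00000003-0000-0ff1-ce00-000000000000"  # SharePoint Online app principal (slide)

# 1. Replace the STS signing certificate. Whoever holds this private key can mint
#    tokens the whole farm trusts, so keep the PFX and its password off shared storage.
$pfxPassword = Read-Host "PFX password" -AsSecureString
$stsCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    $pfxPath, $pfxPassword,
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $stsCert
iisreset
# Export only the public certificate; that is all Azure AD needs to verify signatures.
[System.IO.File]::WriteAllBytes($cerPath, $stsCert.Export("Cert"))

# 2. Sign in to Azure AD with a tenant administrator account (prompts for credentials).
Connect-MsolService

# 3. Establish trust: register the public key of the new STS certificate on the
#    SharePoint Online service principal so ACS can verify tokens the farm signs.
$publicCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
$credValue  = [System.Convert]::ToBase64String($publicCert.GetRawCertData())
New-MsolServicePrincipalCredential -AppPrincipalId $spoAppId -Type asymmetric `
    -Usage Verify -Value $credValue

# 4. Add the SPN for the on-premises domain (e.g. <app id>/*.nellymo.com).
$spoPrincipal = Get-MsolServicePrincipal -AppPrincipalId $spoAppId
$spns = $spoPrincipal.ServicePrincipalNames
$spns.Add("$spoAppId/$onPremDns")
Set-MsolServicePrincipal -AppPrincipalId $spoAppId -ServicePrincipalNames $spns

# 5. Register the SharePoint Online application principal in the on-premises farm.
#    Its name identifier is <SPO principal object id>@<tenant context id>.
$spoContextId = (Get-MsolCompanyInformation).ObjectId
$spoObjectId  = (Get-MsolServicePrincipal -ServicePrincipalName $spoAppId).ObjectId
$nameId = "$spoObjectId@$spoContextId"
$site   = Get-SPSite $siteUrl
Register-SPAppPrincipal -Site $site.RootWeb -NameIdentifier $nameId -DisplayName "SharePoint Online"

# 6. Set the farm's authentication realm to the tenant context id.
Set-SPAuthenticationRealm -Realm $spoContextId

# 7. Configure the ACS application proxy and trust broker for Azure AD.
$acsMetadata = "https://accounts.accesscontrol.windows.net/$spoContextId/metadata/json/1"
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" `
    -MetadataServiceEndpointUri $acsMetadata -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $acsMetadata -IsTrustBroker -Name "ACS"

# Checks: realm equals the tenant context id, the trust broker exists, the SPN is present.
Get-SPAuthenticationRealm
Get-SPTrustedSecurityTokenIssuer | Select-Object Name, IsTrustBroker, RegisteredIssuerName
(Get-MsolServicePrincipal -AppPrincipalId $spoAppId).ServicePrincipalNames
```

The three checks at the end are the ones to run before touching the search configuration: a realm that does not match the tenant context id, or a missing SPN for the on-premises host name, are the usual reasons the remote result source returns nothing even though every cmdlet above succeeded.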
38. User Profile Service Application is configured and running: Profile Service App created, Profile Services started, Profile Sync Service running (MIIS client). User profiles are synced with AD for the same set of users as specified for DirSync. [Screenshots: User Profile Service profile search; O365 users and groups.] User profile attributes are correctly populated; key ones are:
• User Principal Name (UPN)
• Name Identifier (most commonly this is the Windows Security Identifier (SID))
• Simple Mail Transport Protocol (SMTP) address
• Session Initiation Protocol (SIP) address
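A check for the four attributes the slide calls out, as an added example that is not part of the deck: it enumerates every profile in the User Profile Service Application and reports the accounts where any of them is empty. The site URL is a placeholder; the property names are the standard profile property names (`SPS-UserPrincipalName`, `SID`, `WorkEmail`, `SPS-SipAddress`), which is an assumption worth confirming against your own profile property list if they have been renamed.

```powershell
# Added example: report synced user profiles that lack a UPN, SID, SMTP or SIP address.
# Run in the SharePoint 2013 Management Shell on a farm server with rights to the UPA.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "https://portal.nellymo.com"   # placeholder: a site in a web app bound to the UPA

# Standard profile property names mapped to the labels the slide uses (assumed defaults).
$requiredProps = [ordered]@{
    "SPS-UserPrincipalName" = "UPN"
    "SID"                   = "Name identifier (SID)"
    "WorkEmail"             = "SMTP address"
    "SPS-SipAddress"        = "SIP address"
}

$site = Get-SPSite $siteUrl
$ctx  = Get-SPServiceContext $site
$upm  = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

# Walk every profile; note which of the required properties are empty.
$report = foreach ($p in $upm.GetEnumerator()) {
    $missing = foreach ($name in $requiredProps.Keys) {
        if ([string]::IsNullOrEmpty($p[$name].Value)) { $requiredProps[$name] }
    }
    [pscustomobject]@{
        AccountName = $p["AccountName"].Value
        UPN         = $p["SPS-UserPrincipalName"].Value
        Missing     = ($missing -join ", ")
    }
}

"Profiles checked: $($upm.Count)"
# Accounts with any gap: these are the users whose hybrid requests cannot be mapped
# to a cloud identity, so they get on-premises results only.
$report | Where-Object { $_.Missing } | Format-Table -AutoSize
```

Run it after each profile synchronization: a user that DirSync has pushed to Azure AD but whose on-premises profile has no UPN (or no SID) is exactly the case where the identity mapping on the receiving side fails and the remote results silently disappear for that one person.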
42. On Premises Infrastructure [Diagram: the directory synchronization with password sync topology from slide 26, repeated: AD servers, DirSync server with Password Sync, SharePoint farm with the SharePoint STS and User Profile Sync Service; Office 365 tenant with the Azure AD Identity Platform directory service, Azure AD tenant, Azure AD proxy, ACS trust and federation gateway.]
43. Infrastructure Setup
• Directory Synchronization
• S2S Trust & Identity Management
Workload Integration, i.e. Search
• Configure Result Source
• Create a Query Rule
• Validate Search Configuration
48. With all components in place you will see search results from both verticals. [Screenshot: result blocks labelled “Results from Cloud” and “Results from SharePoint On-Premise”.]
49. Blogs
http://blogs.msdn.com/b/spses/archive/2013/10/22/office-365-configure-hybrid-search-with-directory-synchronization.aspx - Configure Outbound Hybrid Search with Directory Synchronization
http://blogs.msdn.com/b/spses/archive/2014/01/05/office-365-configure-hybrid-search-with-directory-synchronization-password-sync-part2.aspx - Configure Inbound Hybrid Search with Directory Synchronization
http://blogs.msdn.com/b/spses/archive/2014/01/07/identity-federation-amp-single-sign-on-deployment-for-hybrid-search-in-office-365-sharepoint-online-part3.aspx - Configure Single Sign-on experience for Hybrid Search with Directory Synchronization
http://blogs.msdn.com/b/spses/archive/2014/07/06/sharepoint-2013-configure-on-premises-users-to-leverage-office-365-for-their-mysite-onedrive-part-4.aspx - Configure OneDrive Redirection to SharePoint Online with SharePoint 2013 SP1
http://blogs.msdn.com/b/spses/archive/2014/07/06/configure-onedrive-for-business-as-a-hybrid-search-vertical-in-sharepoint-onpremise-search-center-part5.aspx - Configure OneDrive as a Hybrid Search vertical in SharePoint 2013
50. Summary
• Outbound Search (most common)
• Inbound Search
• Two-way Search
Guidance: start small with outbound search first; then, as needed, add inbound search.