Microsoft is heavily investing in its Office 365 platform, which integrates SharePoint Online. This investment has produced multiple features that help us hybridize our SharePoint On-Premises platform (2013, 2016 and the new 2019 versions) with our SharePoint Online tenant.

In this article we are going to show you how to configure hybrid search between our On-Premises version of SharePoint and our SharePoint Online tenant.

Hybrid search:

So, let's break it down for you:

  • The On-Premises content (1) is indexed through the Cloud-SSA service application (2) and added to the Office 365 indexer (3).
  • Users enter a query (4) in the SharePoint Online search center, the query is sent to the Office 365 indexer (3) and the results are returned to the SharePoint Online search center (4).
  • If necessary, you can configure the search in SharePoint 2013 to obtain its results from the Office 365 indexer. Users enter a query in the On-Premises search box (5) and the server sends the query through the cloud SSA (2) to the indexer in Office 365. The results are returned to the server through the cloud SSA (2) and shown in the On-Premises search results (5).

To hybridize the search service application, we must first make sure that we have the following correctly configured prerequisites:

SharePoint On Premises

In the SharePoint On Premise farm, several service applications are required to support the SharePoint Apps infrastructure, which is a prerequisite for registering SharePoint Online as a trusted application in SharePoint Server.

The service applications are:

  • Subscription Settings Service
  • App Management Service Application
  • User Profile Service Application

SharePoint Online

All users who want to benefit from these new hybrid capabilities must have an active SharePoint license in Office 365.

Synchronizing Accounts

Accounts must be synchronized in Office 365 in order to obtain a unique identity and Single Sign On in Office 365.

The following tools are supported to perform a directory synchronization:

  1. Dirsync
  2. AADSync
  3. AADConnect

What software do we need during the hybrid search configuration?

On the SharePoint server where you will perform the hybrid search configuration, the following software should be installed as a prerequisite, in this specific order:

Microsoft Online Services sign-in assistant

http://go.microsoft.com/fwlink/?LinkID=286152

Microsoft Azure Active Directory Module for Windows PowerShell

  • Open a PowerShell command prompt at the administrator level.
  • Execute the Install-Module MSOnline command.
  • If you are asked to install the NuGet provider, type ‘Y’ and press ENTER.
  • If you are asked to install the module from PSGallery, type ‘Y’ and press ENTER.
  • After installation, close the PowerShell command window.

S2S certificate

The server-to-server (S2S) authentication configuration for SharePoint hybrid environments establishes trust between local SharePoint and Azure Access Control Services (ACS). ACS is, therefore, the trusted agent for both SharePoint On Premise and SharePoint Online. When the S2S trust is fully configured, each farm relies on security tokens issued by ACS, which are used to authenticate access to resources on behalf of the identified user. You must have a certificate that is used to sign the authentication tokens issued on behalf of users.

There are a number of options available to obtain this certificate, each offering different advantages:

  1. Obtain a Secure Sockets Layer (SSL) certificate signed by a trusted certificate signing authority.
  2. Create a new self-signed certificate specifically for this purpose.
  3. Extract the built-in self-signed certificate implemented on each server in the farm and use it as the Secure Token Service (STS) signing certificate for communication between servers in the local SharePoint farm.
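
Whichever option is chosen, this certificate signs the tokens the trust depends on, so it is worth inspecting before onboarding. The following is an added example (not part of the original article or of Microsoft's scripts) that reports on the farm's current STS signing certificate, the one option 3 extracts; the function name and the thresholds (2048-bit key, 90 days to expiry) are assumptions.

```powershell
# Added example: run in the SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-SigningCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$MinKeyBits = 2048,   # assumed policy threshold
        [int]$WarnDays   = 90      # assumed renewal window
    )
    $findings = @()

    # Validity period: an expired signing certificate breaks every S2S token.
    $daysLeft = [int][math]::Floor(($Certificate.NotAfter - (Get-Date)).TotalDays)
    if ($daysLeft -lt 0) {
        $findings += "expired $(-$daysLeft) days ago"
    } elseif ($daysLeft -lt $WarnDays) {
        $findings += "expires in $daysLeft days"
    }

    # Key strength and signature hash.
    $keyBits = $Certificate.PublicKey.Key.KeySize
    if ($keyBits -lt $MinKeyBits) { $findings += "key is only $keyBits bits" }
    $sigAlg = $Certificate.SignatureAlgorithm.FriendlyName
    if ($sigAlg -match 'sha1|md5') { $findings += "weak signature algorithm ($sigAlg)" }

    [pscustomobject]@{
        Subject            = $Certificate.Subject
        Thumbprint         = $Certificate.Thumbprint
        NotAfter           = $Certificate.NotAfter
        KeyBits            = $keyBits
        SignatureAlgorithm = $sigAlg
        SelfSigned         = ($Certificate.Subject -eq $Certificate.Issuer)
        Findings           = if ($findings) { $findings -join '; ' } else { 'none' }
    }
}

# The built-in STS signing certificate of the local farm (option 3).
$sts = Get-SPSecurityTokenServiceConfig
Test-SigningCertificate -Certificate $sts.LocalLoginProvider.SigningCertificate | Format-List
```

The same function accepts a certificate loaded from a file or the certificate store, so it can be pointed at a CA-issued or newly created self-signed certificate (options 1 and 2) before it replaces the built-in one.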

Configure the search service application – how to create the content sources for the bidirectional hybrid search

In this section, we will configure the search application to track the contents of the On Premise and Online portal, following these steps:

Content Source SP On Premise to SP Online

  1. From the SharePoint Server Central Administration, in the Application Management section, click Manage service applications.
  2. Select the search service application in the cloud, in our case it will be called “MyPortal_SSA_Search_App”.
  3. On the Search Administration page, in the Crawl section, click Content Sources.
  4. On the Manage Content Sources page, click “Local SharePoint Sites.”
  5. In the Start Addresses section, in the Type start addresses below (one per line) text box, enter the root URL of every web application:

http://sitio.midominio.es

https://mysite.domain.com

  6. In the crawl schedule section:
     a) Specify a schedule for a full crawl of the content source at 00:00 each day.
     b) Specify an incremental crawl every hour, every day.

SP Online Content Source to SP On Premise

  1. From the SharePoint Server Central Administration, in the Application Management section, click Manage service applications.
  2. Select the cloud search service application, in our case it will be called “MyPortal_SSA_Search_App”.
  3. On the Search Administration page, in the Crawl section, click Content Sources.
  4. On the Manage Content Sources page, click “New content source”.
  5. In the name section, we write SP Online.
  6. In the Start Addresses section, in the Type start addresses below (one per line) text box, enter the root URL of every web application of our tenant that we want to crawl:

https://mitentant.sharepoint.com

  7. In the crawl schedule section:
     a) Specify a schedule for a full crawl of the content source at 00:00 each day.
     b) Specify an incremental crawl every hour, every day.
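
The two Central Administration procedures above can also be scripted, which makes the start addresses and schedules reviewable and repeatable. This is an added example, not code from the original article; the function name Set-HybridContentSource is hypothetical, and the SSA name and URLs are the sample values used in this article.

```powershell
# Added example: run in the SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-HybridContentSource {
    param(
        [Parameter(Mandatory = $true)] $SearchApplication,
        [Parameter(Mandatory = $true)] [string]   $Name,
        [Parameter(Mandatory = $true)] [string[]] $StartAddresses
    )
    # Reject anything that is not an absolute http(s) URL before it reaches the crawler.
    foreach ($address in $StartAddresses) {
        $uri = $null
        $ok  = [Uri]::TryCreate($address, [UriKind]::Absolute, [ref]$uri)
        if (-not $ok -or $uri.Scheme -notin 'http', 'https') {
            throw "Not a valid start address: '$address'"
        }
    }
    $list = $StartAddresses -join ','

    # Reuse the content source if it exists (e.g. the default one), otherwise create it.
    $cs = Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $SearchApplication `
            -Identity $Name -ErrorAction SilentlyContinue
    if ($cs) {
        Set-SPEnterpriseSearchCrawlContentSource -Identity $cs -StartAddresses $list
    } else {
        $cs = New-SPEnterpriseSearchCrawlContentSource -SearchApplication $SearchApplication `
                -Type SharePoint -Name $Name -StartAddresses $list
    }

    # Full crawl every day at 00:00.
    Set-SPEnterpriseSearchCrawlContentSource -Identity $cs -ScheduleType Full `
        -DailyCrawlSchedule -CrawlScheduleRunEveryInterval 1 `
        -CrawlScheduleStartDateTime '00:00'

    # Incremental crawl every 60 minutes, repeated across the whole day (1440 minutes).
    Set-SPEnterpriseSearchCrawlContentSource -Identity $cs -ScheduleType Incremental `
        -DailyCrawlSchedule -CrawlScheduleRunEveryInterval 1 `
        -CrawlScheduleRepeatInterval 60 -CrawlScheduleRepeatDuration 1440
}

$ssa = Get-SPEnterpriseSearchServiceApplication -Identity 'MyPortal_SSA_Search_App'
Set-HybridContentSource -SearchApplication $ssa -Name 'Local SharePoint Sites' `
    -StartAddresses 'http://sitio.midominio.es', 'https://mysite.domain.com'
Set-HybridContentSource -SearchApplication $ssa -Name 'SP Online' `
    -StartAddresses 'https://mitentant.sharepoint.com'
```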

Incorporation of hybrid search

The incorporation (onboarding) process establishes a server-to-server (S2S) trust between local SharePoint and Azure Access Control Services (ACS) so that ACS can act as a trusted agent to validate an outgoing request from the local farm.

ACS is the trusted agent for both local SharePoint and SharePoint Online. When the S2S trust is fully configured, each farm relies on security tokens issued by ACS, which are used to authenticate access to resources on behalf of the identified user. For a hybrid search implementation, ACS simply acts as an “invisible” trust agent for applications.

There are four key stages in the incorporation process:

  • Get-HybridSSA. This stage validates that the name of the cloud search service application provided as a parameter to the script is valid; if no parameters are provided, an existing search service application will have the IsHybrid property set to 1.
  • Prepare environment. This stage verifies that the prerequisites for the implementation are installed. It checks for the Microsoft Online Services sign-in assistant and the Azure Active Directory module for Windows PowerShell. If either of these tools is missing, the script will close with a warning to install it.
  • Connect-SPFarmToAAD. This completes the OAuth trust configuration with the Azure Access Control Services (ACS) and deploys the ACS proxy. In addition, it deploys a new SPO connection proxy so that the farm can communicate with the external endpoint of the Azure Search Service (SCS).
  • Add-ServicePrincipal. The final stage adds the service principal ID of the Office 365 service to the local farm and sets the correct Service Principal Name in Azure Active Directory for the local URL. This guarantees that the federation of outgoing queries can succeed between the Office 365 tenant and the local farm.

Requirements to run the script

Before proceeding with the script's execution, make sure that the following requirements are met:

  • The script must be executed from the SharePoint server
  • The user that will execute the script should be:
  1. able to log in to the SharePoint server
  2. a SharePoint farm administrator
  3. or able to access the internet (see proxy settings)
  • The global administrator account of the tenant must be:
  1. able to access the URLs of Office 365 endpoints (see proxy settings)
  2. or able to authenticate in Office 365 without multi-factor authentication (otherwise, the script will not authenticate the global administrator)

To ensure all these conditions are met, you can perform this quick test:

  1. Open a PowerShell console
  2. Execute the following commands:

Connect-MsolService

Get-MsolDomain

  3. When the authentication window appears, enter the global administrator credentials.
  4. If everything is fine, you should get an output similar to the following:

Name                      Status    Authentication
----                      ------    --------------
miTenant.onmicrosoft.com  Verified  Managed

Otherwise, if you receive an error message, some configuration is missing. Typical errors are:

“Connect-MsolService: Exception of type ‘Microsoft.Online.Administration.Automation.MicrosoftOnlineException’ was thrown.”

Receiving this error probably means that the user ID used for authentication is enabled for single sign-on (SSO), and a problem on the client computer is preventing SSO communication with Active Directory Federation Services (AD FS), with the Azure Active Directory authentication system, or with both.

“The username or password is incorrect, check your username and then retype your password”

If you receive this message even when you enter the correct credentials, the authentication flow could not validate the provided credentials, probably because it was unable to communicate with the federation servers.

You can also try accessing this URL: https://portal.office.com, from the SharePoint server and submit the global administrator credentials, to understand what happens during the authentication process. If you are redirected to a page other than the default login page, the script will not be able to authenticate and will crash.

Running the script

To configure server-to-server authentication between SharePoint Server and your Office 365 tenant, follow these steps:

  1. Open a PowerShell command prompt on any SharePoint server
  2. Run the Onboard-CloudHybridSearch.ps1 script, providing these parameters:

     • PortalUrl: URL of the SharePoint Online portal (example: https://contoso.sharepoint.com)
     • CloudSsaId: name or ID of the cloud search service application, created with the CreateCloudSSA script (if omitted, the script will attempt to automatically discover a cloud SSA)
     • Credential: login credential for the global tenant administrator (you will be asked if it is not specified).

.\Onboard-CloudHybridSearch.ps1 -PortalUrl https://miTenant.sharepoint.com

Post-Validation

After the script has run successfully, you can validate the results by verifying that the following service applications were added to the farm and are running:

  • ACS
  • SPO App Management Proxy
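
The check above can be run from the SharePoint Management Shell, together with a look at which token issuers the farm now trusts. This is an added example, not part of the original article or of the onboarding script; the function names are hypothetical and the proxy names are the two listed above.

```powershell
# Added example: run in the SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-HybridSearchProxies {
    param(
        # Proxy names as listed in this article.
        [string[]]$ExpectedProxy = @('ACS', 'SPO App Management Proxy')
    )
    $all = @(Get-SPServiceApplicationProxy)
    foreach ($name in $ExpectedProxy) {
        $hit = @($all | Where-Object { $_.Name -eq $name })
        if ($hit.Count -eq 0) {
            $status = 'Missing'
        } elseif ($hit.Count -gt 1) {
            $status = 'Duplicate'          # left over from an earlier onboarding run
        } else {
            $status = [string]$hit[0].Status
        }
        [pscustomobject]@{
            Proxy  = $name
            Status = $status
            Passed = ($status -eq 'Online')
        }
    }
}

function Get-TokenIssuerTrust {
    # Every entry here is an issuer whose tokens the farm will accept,
    # so the list should contain only issuers you expect.
    Get-SPTrustedSecurityTokenIssuer |
        Select-Object Name, RegisteredIssuerName, MetadataEndPoint, IsSelfIssuer
}

$results = @(Test-HybridSearchProxies)
$results | Format-Table -AutoSize
Get-TokenIssuerTrust | Format-List

if ($results.Passed -contains $false) {
    Write-Warning 'At least one hybrid search proxy is missing, duplicated or not online.'
}
```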

Finally, check the crawl log and make sure that the index is loading in the cloud.

NOTE: Wait about 30 minutes after running the enrollment script, as it takes a while before you can propagate the search index to the cloud.

  1. Open SharePoint Central Administration
  2. In Application Management, select Manage service applications.
  3. Click on the cloud search service application.
  4. On the Search Administration page, under Quick Launch, in the Diagnostics section, click Crawl Log.
  5. Verify that there are no relevant errors and verify that the content has been successfully crawled and sent to Office 365. You should get something similar to the following:

 

Search experiences achievable after the hybrid search configuration

After you have set up hybrid search in the cloud and completed a full crawl of local content, hybrid results from the Office 365 index will automatically be displayed in the Office 365 Search Center.

With hybrid search, you can search for files and documents in SharePoint Server and SharePoint Online, which gives you easy access to the files you need.

Implementing a hybrid SharePoint infrastructure allows users to search both systems and gain access to both their content.

What are the advantages?

  • Users will get search results, search relevance rankings and unified refiners, even if the organization has both local and Office 365 content.
  • Users will automatically obtain the latest SharePoint Online search experience, without the organization having to update existing SharePoint servers.
  • You will no longer have to worry about the size of the search index because it will be in Office 365. This means that the SharePoint Server search farm will have a smaller footprint and, consequently, so will the total cost of ownership for search.
  • SharePoint Server 2013 allows crawling farms of existing content servers in SharePoint Server 2007 and SharePoint Server 2010.
  • SharePoint Server 2016 allows crawling farms of existing content servers in SharePoint Server 2007, SharePoint Server 2010, and SharePoint Server 2013.
  • You no longer need to migrate the search index to a newer version of SharePoint Server, because this occurs automatically in Office 365.

Written by: Sergio Gallego