Upload: nik-patel

Post on 12-Jul-2015

TRANSCRIPT

Page 1: SharePoint Fest Chicago 2014 - Anatomy of SharePoint and Office 365 Hybrid Deployment – Real-world End-to-End Configuration Blueprint
Page 2:

About Me

• Principal Consultant, Slalom Consulting, Chicago

• Current focus area SharePoint 2013 and Office 365

Contact Info

• Email - [email protected]

• Blog - Nik Patel’s SharePoint World - http://nikpatel.net/

• Twitter - @nikxpatel, @slalomchicago

• LinkedIn - linkedin.com/in/nikspatel

• Slideshare - slideshare.net/patenik2

Page 3: (no transcript text)
Page 4:

What is SharePoint Hybrid?

Page 5:

Federated identity and directory synchronization: enables a consistent single sign-on experience across SharePoint Online and on-premises

SharePoint On-premises: hosting critical business data and applications with full control over ownership and the change management cycle

SharePoint Online: Microsoft's Mobile-First, Cloud-First, and Productivity-First model with innovations delivered more frequently

SharePoint Hybrid: contents and workloads spanning both on-premises and the cloud

Page 6:

Why SharePoint Hybrid?

Page 7:

Cloud-first strategy: easily scale up and down, easily collaborate

Page 8:

Reasons to keep workloads on-premises: inability to have full control in the cloud, existing investments, protecting sensitive data

Page 9:

Leverage the strengths of both parts: on-premises flexibility with cloud agility

Page 10:

Decision Matrix for SharePoint Hybrid

Page 11:

Workloads, Identity, Infrastructure, Topology

Page 12:

One-way outbound: Enables the SharePoint Server 2013 on-premises server farm to connect to SharePoint Online

One-way inbound: Enables SharePoint Online to connect to SharePoint Server 2013 through a reverse-proxy device

Two-way (bidirectional): Enables connections between SharePoint Online and SharePoint Server 2013 from both systems

Page 13:

Corporate data centers: Allows you to fully control the SharePoint environment, including server and network updates

Third-party data centers: Allows you to outsource the SharePoint environment as a dedicated service, including server and network updates

Windows Azure or Amazon IaaS: Allows you to host the SharePoint environment in a public cloud service and offload server and network maintenance tasks

Page 14:

Cloud Identity: single identity in the cloud

Synchronized Identity: single identity across both cloud and on-premises

Federated Identity (SSO): single federated identity across both cloud and on-premises

Page 15:

• External Sharing
• Collaboration
• Communication and Publishing
• Social Conversations
• Personal Storage
• Digital Asset Management
• Personalized Insights
• Self-Service BI
• Hybrid Search
• Custom Applications Integration with BCS
• Managed Metadata and Terms
• User Profiles and personalized preferences
• Web Content Management
• Record Management
• Enterprise BI

Page 16:

Configuring SharePoint Hybrid

Page 17: (no transcript text)
Page 18:

Operational AD DS

Internet routable AD domains, DNS, and SSL certificates

Office 365 Enterprise Subscription

SharePoint Server 2013 Enterprise on-premises farm

Directory Synchronization

Directory Federation with ADFS

Reverse Proxy Appliances

Good bandwidth and Internet connectivity

Network Optimization Appliances

[Diagram: target hybrid architecture. On-premises: domain controller (DOMAIN.NET, DOMAIN.COM); SharePoint farm SP WEB1/WEB2, SP APP1/APP2, SP SQL1/SQL2 and WAC1/WAC2 (Office Web Apps) behind a network load balancer at SHAREPOINT.DOMAIN.COM; ADFS1/ADFS2 with WID/SQL published as ADFS.DOMAIN.COM; WAP1/WAP2 reverse proxies behind a second network load balancer serving external users; Azure Active Directory Sync server (WID/SQL) performing directory synchronization. Cloud: Windows Azure Active Directory and the DOMAIN.SHAREPOINT.COM tenant. Internal and external users shown.]

Pages 19-20: (no transcript text)
Page 21:

[Diagram: starting point. Domain controller (DOMAIN.NET, DOMAIN.COM), internal and external users, two network load balancers; no SharePoint, directory sync, ADFS or Office 365 components yet.]

Pages 22-26: (no transcript text)
Page 27:

[Diagram: Office 365 tenant added. Domain controller (DOMAIN.NET, DOMAIN.COM), internal and external users, two network load balancers, plus Windows Azure Active Directory and the DOMAIN.SHAREPOINT.COM tenant in the cloud.]

Page 28:

Choose level of subscription – E1-E4, you can mix these licenses

Specify the unique tenant name and the Global admin user ID/password

Specify the country where your tenant will be located (unless your EA states otherwise)

Page 29:

Specify a domain name and confirm ownership (e.g. chipchybrid.com)

Set the domain purpose, i.e. which services (e.g. Lync or Exchange) will use the domain

Configure DNS by creating verification record with DNS hosting provider

Complete the domain setup and choose default domain

Page 30: (no transcript text)
Page 31:

[Diagram: on-premises SharePoint farm added. Domain controller (DOMAIN.NET, DOMAIN.COM); Windows Azure Active Directory with the DOMAIN.SHAREPOINT.COM tenant; SharePoint farm SP WEB1/WEB2, SP APP1/APP2, SP SQL1/SQL2 and WAC1/WAC2 behind a network load balancer at SHAREPOINT.DOMAIN.COM; a second network load balancer; internal and external users.]

Page 32:

Configure SharePoint 2013 SP1 on-premises environments at minimum: SP1 allows Yammer and OneDrive for Business redirection from on-premises

Configure primary web applications and site collections

For hybrid search, a web application with Integrated Windows Authentication (NTLM) claims is required – this can be a dedicated zone extended from the default SAML claims zone

Enable SharePoint on-premises services for hybrid

• Required Service Applications
  • User Profile Application (UPA)
  • App Management Service and Subscription Settings Service
• Also it is recommended to enable
  • Managed Metadata Service
  • User Profile Sync Service (UPS)

Page 33: (no transcript text)
Page 34:

[Diagram: directory synchronization added. Domain controller (DOMAIN.NET, DOMAIN.COM); SharePoint farm SP WEB1/WEB2, SP APP1/APP2, SP SQL1/SQL2 and WAC1/WAC2 behind a network load balancer at SHAREPOINT.DOMAIN.COM; Azure Active Directory Sync server (WID/SQL) synchronizing the directory to Windows Azure Active Directory and the DOMAIN.SHAREPOINT.COM tenant; a second network load balancer; internal and external users.]

Page 35:

[Diagram: directory synchronization. The on-premises AD identity (chipchybrid\npatel) is synchronized by Directory Synchronization to a Windows Azure Active Directory cloud identity ([email protected]).]

Pages 36-39: (no transcript text)
Page 40:

http://blogs.technet.com/b/ad/archive/2014/09/16/azure-active-directory-sync-is-now-ga.aspx

Page 41: (no transcript text)
Page 42:

[Diagram: federation added. Domain controller (DOMAIN.NET, DOMAIN.COM); ADFS1/ADFS2 with WID/SQL published as ADFS.DOMAIN.COM; WAP1/WAP2 reverse proxies behind a network load balancer serving external users; SharePoint farm SP WEB1/WEB2, SP APP1/APP2, SP SQL1/SQL2 and WAC1/WAC2 behind a network load balancer at SHAREPOINT.DOMAIN.COM; Azure Active Directory Sync server (WID/SQL) performing directory synchronization to Windows Azure Active Directory and the DOMAIN.SHAREPOINT.COM tenant; internal and external users.]

Page 43:

Federation is optional for outbound or inbound hybrid topologies but is recommended for an SSO user experience

Have a dedicated ADFS service account and activate the ADFS 3.0 role on Windows Server 2012 R2

Page 45:

Publish ADFS through Reverse Proxy for external access

Create a Public DNS record for publishing to internet (e.g. adfs.chipchybrid.com)

Page 46:

Set up a trust between ADFS and Office 365 / Windows Azure AD

Install the Microsoft Online Services Sign-in Assistant and the Windows Azure AD PowerShell module on the ADFS server

Run Convert-MsolDomainToFederated -DomainName <domain>
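The federation steps on Pages 43 to 46 as one PowerShell script, added here as an example and not taken from the presentation. It assumes the federation service name adfs.chipchybrid.com, a dedicated service account chipchybrid\svc_adfs, an SSL certificate for that name already in the machine store, a WID-backed ADFS farm, and the verified tenant domain chipchybrid.com; the cmdlets are those of the Windows Server 2012 R2 ADFS module and the Windows Azure AD (MSOnline) module. The closing check compares the token-signing certificate the tenant holds with the one ADFS actually uses, because a mismatch there makes Office 365 reject every federated token even though the domain reports as Federated.

```powershell
# Added example (not the presenter's script): stand up the ADFS 3.0 farm on Windows
# Server 2012 R2, federate the Office 365 domain, then verify the trust end to end.
# Assumed names: adfs.chipchybrid.com, chipchybrid\svc_adfs, chipchybrid.com.
# Run elevated on the primary ADFS node, after the Sign-in Assistant and the
# Windows Azure AD PowerShell module have been installed there.

$fsName     = 'adfs.chipchybrid.com'
$domainName = 'chipchybrid.com'
$svcCred    = Get-Credential -UserName 'chipchybrid\svc_adfs' -Message 'Dedicated ADFS service account'

# 1. Install the role and create the farm (WID by default; add -SQLConnectionString for SQL)
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
$sslCert = Get-ChildItem Cert:\LocalMachine\My |
           Where-Object { $_.Subject -like "CN=$fsName*" } |
           Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $sslCert) { throw "No SSL certificate for $fsName found in LocalMachine\My" }
Install-AdfsFarm -CertificateThumbprint $sslCert.Thumbprint `
                 -FederationServiceName $fsName `
                 -ServiceAccountCredential $svcCred

# 2. Convert the verified tenant domain from Managed to Federated
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message 'Office 365 Global Administrator')
Convert-MsolDomainToFederated -DomainName $domainName

# 3. Verify: domain must be Federated and the tenant must hold the primary
#    token-signing certificate that this ADFS farm signs with.
$domain   = Get-MsolDomain -DomainName $domainName
$fedSet   = Get-MsolDomainFederationSettings -DomainName $domainName
$adfsCert = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$tenantThumb = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                   , [Convert]::FromBase64String($fedSet.SigningCertificate))).Thumbprint

"{0,-18} {1}" -f 'Authentication:',  $domain.Authentication
"{0,-18} {1}" -f 'Issuer URI:',      $fedSet.IssuerUri
"{0,-18} {1}" -f 'Passive logon:',   $fedSet.PassiveLogOnUri
"{0,-18} {1}" -f 'Signing cert OK:', ($tenantThumb -eq $adfsCert.Thumbprint)

if ($domain.Authentication -ne 'Federated' -or $tenantThumb -ne $adfsCert.Thumbprint) {
    Write-Warning 'Federation trust incomplete: run Update-MsolFederatedDomain before testing sign-in.'
}
```

The same verification block is worth re-running after any token-signing certificate rollover on ADFS: Convert-MsolDomainToFederated publishes the certificate once, and Update-MsolFederatedDomain is what pushes a new one to the tenant.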

Page 47: (no transcript text)
Page 48:

Server-to-server trust between SharePoint Online and SharePoint on-premises: the trust relationship between SharePoint on-premises, SharePoint Online, and Windows Azure Active Directory

Security tokens issued by Windows Azure Active Directory Access Control Services are trusted by both SharePoint on-premises and SharePoint Online, and grant users access to resources

SharePoint Online is registered as a high-trust application in SharePoint on-premises

Page 49:

Create a new security token service (STS) certificate (at least 2048-bit)

Either a self-signed or a public CA certificate is supported, but a domain-issued certificate is not supported

Page 50:

#Import the SharePoint Management PowerShell

#Replace the STS certificate for the on-premises environment

Create a new security token service (STS) certificate (at least 2048-bit) for the server-to-server trust

Either a self-signed or a public CA certificate is supported, but a domain-issued certificate is not supported

Replace the default STS certificate on all on-premises SharePoint servers in the farm

Page 51:

# Load PowerShell Modules

# Configure Remoting in PowerShell

# Log on to SharePoint Online tenant (use credentials of a tenant Global Administrator)

Install the following tools on the Central Administration server

The Microsoft Online Services Sign-In Assistant

The Azure Active Directory Module for Windows PowerShell (64 bit version)

The SharePoint Online Management Shell (64 bit version)

Execute PowerShell to configure S2S trust between SharePoint on-premises and SharePoint Online

You must log on to the Central Administration server with a Farm Admin account (e.g. sp_farm) to run PowerShell

Page 52:

# Setup variables

# Upload the new on-premises STS certificate to SharePoint Online

# Add service principal name (SPN) for public domain name in Azure AD

Page 53:

# Register SharePoint Online application principal object ID as a trusted provider in SharePoint On-Premises farm

# Set the on-premises SharePoint authentication realm to the context ID of Office 365 tenancy

# Establish a S2S trust relationship between SharePoint on-premises and Windows Azure AD

# Configure an on-premises ACS proxy for Azure AD to validate OAuth requests between SharePoint Online and SharePoint On-Premises, which will become a trusted token issuer for the on-premises farm

# Fix SharePoint on-premises (if on-premises April 2014 CU or later) - See: http://support.microsoft.com/kb/3000380
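The script that the comment headers on Pages 50 to 53 outline, written out as an added example; it is not the presenter's script. Assumed values: a 2048-bit STS certificate exported to C:\certs\sts.pfx, sharepoint.chipchybrid.com as the public DNS name of the on-premises web application, https://intranet.chipchybrid.com as the on-premises root site collection, and the well-known SharePoint Online application principal ID 00000003-0000-0ff1-ce00-000000000000 (not mentioned on the slides). The cmdlets are from the SharePoint 2013 snap-in and the Windows Azure AD (MSOnline) module of that era. Note what crosses the boundary: only the STS public key is uploaded to the tenant, and the on-premises farm is pointed at the tenant's ACS metadata endpoint, so anyone able to edit either side of this trust can mint tokens the other side accepts.

```powershell
# Added example (not the presenter's script): replace the on-premises STS certificate and
# establish the S2S trust between SharePoint 2013 on-premises, Windows Azure AD and
# SharePoint Online. Assumed: C:\certs\sts.pfx, sharepoint.chipchybrid.com,
# https://intranet.chipchybrid.com. Run on the Central Administration server as the
# farm account with the Sign-in Assistant, Azure AD module and SPO Management Shell installed.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline -Force
Import-Module Microsoft.Online.SharePoint.PowerShell -Force -DisableNameChecking

$pfxPath  = 'C:\certs\sts.pfx'
$pfxPass  = Read-Host 'PFX password' -AsSecureString
$spcn     = 'sharepoint.chipchybrid.com'            # public DNS name of the on-prem web application
$spsite   = 'https://intranet.chipchybrid.com'      # on-prem root site collection
$spoappid = '00000003-0000-0ff1-ce00-000000000000'  # well-known SharePoint Online app principal

# 1. Replace the default STS signing certificate. Flags 20 = Exportable + MachineKeySet + PersistKeySet.
#    Repeat the certutil / iisreset / timer restart on every other SharePoint server in the farm.
$stsCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $pfxPath, $pfxPass, 20
if ($stsCert.PublicKey.Key.KeySize -lt 2048) { throw 'STS certificate must be at least 2048-bit' }
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $stsCert
certutil -addstore -enterprise -f -v root $pfxPath
iisreset
net stop SPTimerV4
net start SPTimerV4

# 2. Log on to the tenant as a Global Administrator and upload the STS public key only
Connect-MsolService -Credential (Get-Credential -Message 'Office 365 Global Administrator')
$spocontextID     = (Get-MsolCompanyInformation).ObjectId
$metadataEndpoint = "https://accounts.accesscontrol.windows.net/$spocontextID/metadata/json/1"
$stsPublic = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
$credValue = [Convert]::ToBase64String($stsPublic.GetRawCertData())   # DER public cert, no private key
New-MsolServicePrincipalCredential -AppPrincipalId $spoappid -Type asymmetric -Usage Verify -Value $credValue

# 3. Add the on-premises public domain as an SPN on the SharePoint Online principal (idempotent)
$msp  = Get-MsolServicePrincipal -AppPrincipalId $spoappid
$spns = $msp.ServicePrincipalNames
if ($spns -notcontains "$spoappid/$spcn") {
    $spns.Add("$spoappid/$spcn")
    Set-MsolServicePrincipal -AppPrincipalId $spoappid -ServicePrincipalNames $spns
}

# 4. Register SharePoint Online as a trusted app principal and set the realm to the tenant context ID
$site = Get-SPSite $spsite
$spoappprincipalID = (Get-MsolServicePrincipal -ServicePrincipalName $spoappid).ObjectId
Register-SPAppPrincipal -Site $site.RootWeb -NameIdentifier "$spoappprincipalID@$spocontextID" -DisplayName 'SharePoint Online'
Set-SPAuthenticationRealm -Realm $spocontextID

# 5. ACS proxy plus trusted token issuer so the farm can validate OAuth tokens issued for this tenant
New-SPAzureAccessControlServiceApplicationProxy -Name 'ACS' -MetadataServiceEndpointUri $metadataEndpoint -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadataEndpoint -IsTrustBroker:$true -Name 'ACS'

# 6. Claim-mapping rule needed on April 2014 CU or later (KB 3000380)
$config = Get-SPSecurityTokenServiceConfig
$config.AuthenticationPipelineClaimMappingRules.AddIdentityProviderNameMappingRule(
    'OrgId Rule',
    [Microsoft.SharePoint.Administration.Claims.SPIdentityProviderTypes]::Forms,
    'membership',
    'urn:federation:microsoftonline')
$config.Update()

# 7. Verify before building the hybrid search result source: realm, issuer and uploaded key
Get-SPAuthenticationRealm                                   # should equal $spocontextID
Get-SPTrustedSecurityTokenIssuer | Select-Object Name, RegisteredIssuerName, IsSelfIssuer
Get-MsolServicePrincipalCredential -AppPrincipalId $spoappid -ReturnKeyValues $false |
    Where-Object { $_.Usage -eq 'Verify' } | Select-Object KeyId, StartDate, EndDate
```

The last three lines are the ones to keep for operations: the Verify credentials listed on the tenant are the STS certificates it will accept from this farm, so expired or superseded entries should be removed with Remove-MsolServicePrincipalCredential when the STS certificate is rotated.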

Page 54:

http://governance.codeplex.com/releases/view/120702

Page 55: (no transcript text)
Page 56:

Enable Search Service on SharePoint on-premises services

Create crawled content in SharePoint on-premises and SharePoint Online

Verify search in SharePoint on-premises and SharePoint Online for same user

Page 57:

Protocol: Remote SharePoint

Remote Service URL: SharePoint Online root site URL

Credentials: Default Authentication - SharePoint Online is configured to authenticate queries using Windows Azure Active Directory

Pages 58-60: (no transcript text)
Page 61:

http://technet.microsoft.com/en-us/library/dn607304.aspx#devices

Page 62:

[Diagram: hybrid search traffic flow. Internal users reach https://intranet.chipchybrid.com directly; external users and Office 365 reach https://intranetext.chipchybrid.com through WAP1/WAP2 behind a network load balancer; the SharePoint farm (SP WEB1/WEB2, SP APP1/APP2, SP SQL1/SQL2, WAC1/WAC2 at SHAREPOINT.DOMAIN.COM) sits behind a second network load balancer; Windows Azure Active Directory and the DOMAIN.SHAREPOINT.COM tenant in the cloud. Arrows labelled "HTTPS Communication" and "Office 365 S2S Communication".]

Pages 63-66: (no transcript text)
Page 67:

Create crawled content in SharePoint on-premises and SharePoint Online

Verify search on both SharePoint on-premises and SharePoint Online for same user

Page 68:

Protocol: Remote SharePoint

Remote Service URL: Reverse-proxy address of the SharePoint on-premises primary web application

Credentials: SSO ID - To authenticate to the reverse proxy, enter the secure store target application ID that contains the Windows certificate

Pages 69-70: (no transcript text)
Page 71:

Hybrid Challenges

Page 72:

Hybrid Story is still evolving

Handling Social Experience

Change Management and Operations

User Experience and Navigation

Page 73:

Wrap Up

Page 74: (no transcript text)
Page 75:

Q&A

• Blog - http://nikpatel.net/

• Twitter - @nikxpatel

• Slideshare - slideshare.net/patenik2

Page 76: (no transcript text)