SharePoint 2016 Hybrid Features Explained
Andreas Glaser
Plan, prepare and configure SharePoint 2016 Hybrid Features including Hybrid Sites, OneDrive for Business and Cloud Hybrid Search.
1 Overview
Microsoft wants to move customers from using on-premise SharePoint installations to the cloud using Office 365.
The hybrid approach integrates an on-premise installation with Office 365 and targets two types of companies:
- Companies that only have an on-premise SharePoint 2016 installation
Often companies have concerns about security, performance, latency or legal jurisdiction regarding their data. In this case the integration allows an adoption or test "at your own pace" [1].
- Companies that already have both an on-premise installation and Office 365
By default there’s no integration between both environments. Hybrid features bring both environments together allowing a "more seamless user experience" [2].
I’ll show you how the integration works, what requirements must be met and what a "more seamless user experience" includes [2].
SharePoint 2016 hybrid features can be categorized into three topics:
- Consolidated site following & user profiles from both environments in Office 365
- Offloading a user’s personal storage to the cloud
- Consolidated search results from both environments in Office 365
As you can see, your data flows in one direction: from your on-premise installation to the cloud.
You’ll be able to access your consolidated data from both your on-premise installation as well as Office 365 but it’s stored in the cloud. And you can access Office 365 using any device.
Packages
If you want to use site following and user profiles, or to offload a user’s personal storage to the cloud, you can choose between two packages:
- Hybrid OneDrive for Business includes Profiles and OneDrive for Business
- Hybrid Sites features include site following, profiles, OneDrive for Business and the extensible app launcher
Audiences
You can limit hybrid features to a SharePoint audience [3] so people not in the audience can work with on-premise SharePoint as they were used to.
1.1 Hybrid Sites
Hybrid Sites focus on a better user experience. Instead of maintaining two separate sets of data for the sites a user follows and user profiles, Hybrid Sites allows [4]:
- Storing sites you follow from SharePoint 2016 and Office 365 in a single list in the cloud and accessing this list from both environments.
- Storing and accessing user profile information in a single profile in the cloud.
1.1.1 Hybrid Site Following
If you’ve enabled My Sites in SharePoint 2016, you have one list that stores the sites you follow; if you also use Office 365, you have a second list.
How it works
If you enable Hybrid Sites [5]:
- If you follow a site in SharePoint 2016 it will be added to the followed sites list in SharePoint 2016 and Office 365.
- If you click the sites link in SharePoint 2016 you’ll be redirected to the sites list in Office 365.
Limitations
- Followed sites in Office 365 are not stored in the followed sites list in SharePoint 2016.
- After you turn the feature on, sites already followed in SharePoint 2016 are not migrated to Office 365. The list in Office 365 stays the same; you have to follow a site in SharePoint 2016 again so that it is added to the Office 365 list.
- Newsfeed, followed documents and followed people are not part of Hybrid Sites.
1.1.2 Hybrid Profiles
Users have different profiles in SharePoint 2016 and Office 365, so they have to keep two profiles in sync.
How it works
If you enable Hybrid Sites [6]:
- If you click a username in SharePoint 2016, the profile of a hybrid user is redirected to Office 365 (even if that user has never used Office 365 before).
- User profiles in Office 365 are populated with data from your on-premise Active Directory.
- Office 365 users see user profiles in Office 365.
Limitations
- User profiles updated in Office 365 are not written back to your on-premise Active Directory and therefore are not imported into SharePoint 2016. Microsoft pulled the user writeback option from Office 365 to your Active Directory; it may be added again once the feature leaves preview.
1.1.3 Extensible App Launcher
SharePoint 2016 and Office 365 sites display an app launcher. The app launcher is a list of links to important content; each link is called a ‘tile’. The two app launchers display different tiles in each environment. The hybrid app launcher, if enabled, offers a better user experience.
How it works
If you enable Hybrid Sites [7]:
- The tiles in the SharePoint 2016 app launcher are changed so that you access your content in Office 365 instead of SharePoint 2016.
- The app launcher in SharePoint 2016 also includes additional & custom tiles you added to the Office 365 launcher.
- Changes in the Office 365 launcher will be reflected in the SharePoint 2016 app launcher within a day (within 30-60 minutes during my tests).
- The app launcher in Office 365 stays the same after you enabled hybrid sites.
1.2 Hybrid OneDrive for Business
OneDrive for Business allows users to store and share documents in a personal library. If you have both SharePoint 2016 and Office 365, users have two different libraries.
Hybrid OneDrive for Business allows [8] syncing files from your PC with Office 365 and sharing them with others. You can access files through Office 365 from any device.
How it works
If you enable OneDrive for Business [9]:
- If you select OneDrive in SharePoint 2016 you are redirected to OneDrive in Office 365.
Limitations
- You need to migrate your users’ content to Office 365.
- In Office 365 you won’t see a message when someone shares a document in SharePoint 2016 with you.
Advantage
- You can add storage as you need and don’t have to provide it on-premise.
1.3 Cloud Hybrid Search
Hybrid search allows users to query one index in the cloud which includes crawled data from SharePoint 2016 and Office 365 [10].
How it works
If you enable cloud hybrid search [11]:
- The Cloud Search Service Application indexes on-premise content and transfers it encrypted from the server to the Office 365 search index.
- Users in Office 365 can query one cloud index including data from SharePoint 2016 and Office 365.
- Users in SharePoint 2016 can query the same cloud index including data from SharePoint 2016 and Office 365.
- If a user in Office 365 opens a link to a search result stored in SharePoint 2016, the user needs to be signed in to the environment where the content is stored, or you need a VPN or reverse proxy.
Advantages [12]
- Includes unified search results, search relevance ranking and refiners.
- Users only see content they have access to (requires Active Directory on-premise / Office 365 sync).
- On-premise content remains secure in SharePoint 2016.
- Get the newest search experience with Office 365 without upgrading SharePoint 2016.
Compliance
It’s important to understand that sometimes you are not allowed to store sensitive data in the cloud, e.g. patient data. Although crawled documents and content stay in the on-premise SharePoint farm, properties and metadata are sent to the cloud index:
"The content that is passed from on-premises to the Azure cloud search connector (SCS) consists of crawled properties, keywords, ACLs, tenant info and some other metadata about the item. This is encrypted on premises using a key supplied by the SCS and transmitted to the endpoint in Azure. Once there it is stored in an encrypted blob store and queued for processing. We retain the encrypted package in the blob store for use should we need to issue a content recrawl. The encrypted object is not the document though, it is just a parsed and filtered version that makes sense to the search engine." [13]
If patient data is included in the properties or metadata you may violate policies.
2 Concepts
You can use SharePoint 2016 and Office 365 environments in different ways [14][15]. Of course, you can keep them separate with no synchronization of users and content, but that’s not the reason why you are reading this material.
As a user, you want it as easy as possible:
- You don’t want to hassle with different accounts and different passwords.
- You want to have an up-to-date profile in SharePoint 2016 and in Office 365.
- You don’t want to switch environments because one has the things you need and the other one does not.
As an administrator, you have needs too:
- You need to make sure that users have the same permissions in the cloud as on-premise.
- Granting or removing permissions should be propagated by a process (if you put users in AD groups and AD groups in SharePoint groups).
A synchronized identity takes care of this for you and your users.
As an administrator, you have still more needs:
- Since content (e.g. the search index, followed sites, the cloud app launcher) is synchronized from SharePoint to the cloud, you need a secure connection between both environments.
Secure server to server authentication takes care of this.
2.1 Identity Synchronization
SharePoint 2016 hybrid features require user identity synchronization. There are two ways you can synchronize users to the cloud:
- Synchronized identity
- Federated identity
Synchronized Identity
Users are synchronized from an Active Directory either without or with password synchronization. The latter option makes it easier for your users since they can use the same on-premise credentials in Office 365. They still need to sign in a second time.
How it works [16]:
- You need to prepare your on-premise Active Directory and Office 365.
- You install a synchronization tool which periodically checks your AD and provisions identities into Azure AD. It links on-premise and cloud identities to one another and synchronizes the password hash.
- Identities are made available in Office 365 through Azure AD and managed through the Office 365 Admin Center.
Federated Identity
A federated identity is basically the same as a synchronized identity but your users can use single sign-on so they don’t have to sign in when going to Office 365.
How it works [17]:
- You need to prepare your on-premise Active Directory and Office 365.
- You install a synchronization tool which periodically checks your AD and provisions identities into Azure AD. It links on-premise and cloud identities to one another and synchronizes the password hash.
- Identities are made available in Office 365 through Azure AD and managed through the Office 365 Admin Center.
- A security token is issued if a federated user signs in. The token is passed to Azure AD, verified and the user is authorized.
Summary
If you want to use any of the SharePoint 2016 hybrid features you need to configure the synchronized or federated identity model, including an Active Directory to synchronize from and a tool called ‘Azure AD Connect’ that does the synchronization.
2.2 Server to Server Authentication
The server to server authentication establishes a trust between SharePoint 2016 and a SharePoint Online Tenant and is required for hybrid features like cloud search.
Enabling server to server authentication is complicated and requires a lot of steps but can be automated as shown later in this document.
The process contains the following steps [18][19]:
- Replacing the SharePoint 2016 Security Token Service certificate
  - The Security Token Service (STS) builds, signs, and issues security tokens.
  - Replacing the STS certificate in SharePoint 2016 is required to establish trust between the STS and the SharePoint Online Tenant. The STS and Azure Active Directory can sign security tokens for authenticated users.
  - You can either create a self-signed certificate or reuse the certificate from the SharePoint 2016 STS.
- Establishing SharePoint 2016 trust with ACS
  - Azure Active Directory Access Control (ACS) is a cloud-based service that provides an easy way to handle authentication and authorization of users.
  - Azure AD is added as a trusted security token issuer in SharePoint 2016.
- Updating service principals in Office 365
  - A Service Principal Name (SPN) is created for the on-premise SharePoint farm and added to the SharePoint principal in Azure AD.
  - The certificate of the SharePoint 2016 STS is associated with the SharePoint principal in Azure AD.
  - A service principal for the SharePoint 2016 search is created in Azure AD and SPNs are added to it.
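The three steps above as one SharePoint Management Shell script. This is an added example, not the article's own automation: it assumes the MSOnline module is installed, the STS certificate has been exported to the placeholder paths, and the fixed app id of the SharePoint Online principal; the separate search service principal from the last sub-step is not created here.

```powershell
# Added example, not the article's script. Placeholders: the certificate paths
# and the host name pattern; 00000003-... is the fixed SharePoint Online app id.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline

$pfxPath  = "C:\certs\sts.pfx"                        # placeholder: STS cert with private key
$cerPath  = "C:\certs\sts.cer"                        # placeholder: public part of the same cert
$spcn     = "*.andreasglaser.com"                     # public host name of the on-premise farm
$spoAppId = "00000003-0000-0ff1-ce00-000000000000"    # SharePoint Online principal (fixed id)

# Step 1: replace the SharePoint 2016 STS signing certificate.
$pfxPass = Read-Host "Password for $pfxPath" -AsSecureString
$stsCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $pfxPath, $pfxPass, 20              # 20 = Exportable | PersistKeySet
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $stsCert -Confirm:$false
Restart-Service SPTimerV4                             # STS uses the new cert after restart
iisreset

# Step 2: trust ACS / Azure AD as a token issuer. The tenant id is the realm.
Connect-MsolService                                   # prompts for a tenant global admin
$contextId   = (Get-MsolCompanyInformation).ObjectId
$acsMetadata = "https://accounts.accesscontrol.windows.net/$contextId/metadata/json/1"
Set-SPAuthenticationRealm -Realm $contextId
New-SPTrustedSecurityTokenIssuer -Name "ACS" -IsTrustBroker -MetadataEndpoint $acsMetadata
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" `
    -MetadataServiceEndpointUri $acsMetadata -DefaultProxyGroup

# Step 3: register the farm's SPN and the STS public key on the SPO principal.
$principal = Get-MsolServicePrincipal -AppPrincipalId $spoAppId
$spns = $principal.ServicePrincipalNames
if (-not $spns.Contains("$spoAppId/$spcn")) {
    $spns.Add("$spoAppId/$spcn")
    Set-MsolServicePrincipal -AppPrincipalId $spoAppId -ServicePrincipalNames $spns
}
# Only the public certificate is uploaded; the private key never leaves the farm.
$cer   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$cer64 = [System.Convert]::ToBase64String($cer.GetRawCertData())
New-MsolServicePrincipalCredential -AppPrincipalId $spoAppId -Type asymmetric `
    -Usage Verify -Value $cer64

# Check: the ACS issuer and the uploaded credential should now be listed.
Get-SPTrustedSecurityTokenIssuer | Select-Object Name, RegisteredIssuerName
Get-MsolServicePrincipalCredential -AppPrincipalId $spoAppId -ReturnKeyValues $false
```

Run the script on a SharePoint 2016 server as a farm administrator; the Office 365 part needs a global administrator account of the tenant.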
3 Hybrid Architecture
I used the following scenario to enable all hybrid features.
The on-premise environment is completely virtualized with Hyper-V:
- There’s an on-premise Active Directory with a domain ‘domserver.com’ and a user ‘Don Funk’.
- A SharePoint 2016 server hosts content and imports user identities from AD.
- All SharePoint data is stored in a SQL Server 2014.
SharePoint 2016 hybrid features should be enabled to integrate on-premise content and users with Office 365:
- My public URL ‘andreasglaser.com’ is verified within my Office 365 subscription.
- The user Don Funk should be able to sign in to the on-premise and cloud environment using the same username ‘donf@andreasglaser.com’ and password.
- The identity synchronization tool is installed on the SharePoint server.
- Server to server authentication is enabled to connect the SharePoint server with the cloud.
- Hybrid features including site following, profiles, OneDrive for Business and cloud search are configured on the SharePoint server.