
Building a SharePoint Hybrid Environment

With the release of SharePoint 2016 last year, Microsoft signalled to all organisations that a move to the cloud is inevitable. They did not say that everyone has to move right now; instead they made the move a compelling discussion by ensuring that various components from Office 365 can now be used within your On-premises SharePoint environment. In previous versions, you were really limited to a few features such as Search and Business Connectivity Services. With the latest updates, you can now utilise:

Hybrid Sites

When enabled, users will see not only their OneDrive for Business sites, but also the sites they follow, whether On-premises or Online, all accessible in a single place. User profiles are also available in both environments for users that have the Hybrid Sites option available to them. Hybrid Sites also allows self-service site creation, which redirects the user to the SharePoint Online site creation wizard instead of the On-premises one.

Hybrid OneDrive for Business

OneDrive for Business, which would normally be set up locally within SharePoint 2016, can be configured to simply redirect the end user's local OneDrive directly into Office 365. This also allows the end user to use the features that are available within Office 365's OneDrive for Business instead of the On-premises version.

Cloud Hybrid Search

Hybrid Search is broken into two different pieces:

Cloud Hybrid

When using this approach, the crawl index for both your SharePoint On-premises and Online content resides within Office 365.

Hybrid Federated

Federated Search means that your results are separated by infrastructure, but connected to Office 365 to allow a combined search experience across both On-premises and Online.

Cloud Hybrid search offers a better experience for you as a user. Users get a unified search experience, including ranking and refiners, no matter where the content resides. For IT, there is no index management required as the index now resides in the cloud, and of course everyone gets the latest search experience from Office 365 as it is released. As well as specific search features, other tools such as Delve are then available over both the On-premises and Online content when running in Cloud Hybrid mode.

Shared App Launcher

With the release of Office 365 and subsequent updates to both SharePoint 2013 and 2016, users will see the App Launcher (a.k.a. the Waffle) available in the top left corner of the site. This is used as a central navigation item to send users to their various services or applications. When configured for Hybrid, items from Office 365 such as Delve, Video and custom applications will be listed. Management of this is then done within Office 365 and reflected back to On-premises.

Hybrid Auditing

Having the ability to see what users have been doing with their content, both On-premises and Online, is an important feature for all organizations. Hybrid Auditing uploads the On-premises audit logs directly into the Office 365 tenant, combining them with the Online results and making them available within the Audit Log search. This gives IT a better view of what users are doing with all of the content in use.

Hybrid Taxonomy

Hybrid Taxonomy allows you to have a single Taxonomy that spans both On-premises and Online SharePoint environments. This removes the need to recreate what was built On-premises in Online, or vice versa. The shared Taxonomy is managed within Office 365, allowing you to determine which terms should be used in one or both environments. It is important to note that the On-premises version is a read-only copy of the Online version.

As you can see, these are great components that actually make Hybrid a more viable option. Microsoft have also done a great job in making the setup much easier than before. However, there is still core connectivity work that needs to be completed before you can truly take advantage of it. PowerShell is the tool of choice, with various scripts being made available to ensure this is a simple process. To implement Hybrid SharePoint, I have created the PowerShell and combined it with the Microsoft required scripts in a single download. Bear in mind that these scripts do not set up all the Hybrid features; they are more for the core plumbing for Hybrid, except in the case of Cloud Hybrid Search, which is a fully scripted creation. These PowerShell scripts can be copied from various Microsoft locations such as MSDN and TechNet, but it can take some time to get all the specific functions written and ready to run both On-premises and in the Cloud.

Once you have got everything together, the actual process is defined in a very logical order. The order for initial setup is as follows:

  1. Replace Default Secure Token Certificate
  2. Upload Secure Token Certificate to SharePoint Online
  3. Add Service Principal Name to Azure Active Directory
  4. Register SharePoint Online Application Principal ID
  5. Set SharePoint Authentication Realm
  6. Configure On-Premises Proxy for Azure Active Directory
  7. Create Cloud Search Service Application
  8. Onboard Cloud Hybrid Search

The PowerShell can be very complex if you are not used to it; I would advise either studying for a long time to understand how it works or bringing someone in who can help with this. If this part is not performed correctly, it can often cause very strange and hard to diagnose errors.

One key task is to upload a certificate that connects the two systems together, creating the trust between the SharePoint On-premises servers and SharePoint Online. This requires a certificate to be created and then exported as a combined certificate and private key file (PFX). Once this is done, the rest of the core commands can be completed, which will set up the main tenant connectivity.
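The certificate step above, as an added example that is not the author's download or Microsoft's script: it creates the STS signing certificate on a farm server and exports it twice, once as the PFX (certificate plus private key, for the On-premises STS) and once as a CER (public part only, for upload to SharePoint Online). It assumes Windows Server 2016 or later, where New-SelfSignedCertificate accepts these parameters; the subject name, output folder and validity period are placeholders.

```powershell
# Added example (not the author's script): create the STS signing certificate on a
# SharePoint farm server and export PFX (cert + private key) and CER (public only).
# Subject, folder and validity are placeholders.

$subject   = "CN=SharePointHybridSTS"    # placeholder subject name
$exportDir = "C:\HybridCerts"            # placeholder output folder
$years     = 2                           # placeholder validity; plan the rotation now

$pfxPath = Join-Path $exportDir "stscert.pfx"
$cerPath = Join-Path $exportDir "stscert.cer"
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# RSA 2048 / SHA-256 in the machine store. The legacy CSP is chosen on purpose:
# it matches Microsoft's makecert guidance for the STS certificate rather than a
# CNG (KSP-backed) key.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -Provider "Microsoft RSA SChannel Cryptographic Provider" `
    -NotAfter (Get-Date).AddYears($years)

# The private key leaves the box only inside a password-protected PFX.
$pfxPassword = Read-Host -Prompt "Password for the PFX" -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath $cerPath -Type CERT          | Out-Null

# Whoever holds this PFX can sign tokens the On-premises farm trusts, so restrict
# the file to local administrators and delete it once the import has succeeded.
icacls $pfxPath /inheritance:r /grant:r "BUILTIN\Administrators:(R)" | Out-Null

"Thumbprint:    $($cert.Thumbprint)"
"PFX (private): $pfxPath"
"CER (public):  $cerPath"
```

Run it in an elevated PowerShell session on the farm server. Only the CER is ever uploaded to Office 365; the PFX stays on the farm, which is why the script locks its ACL and why a bounded validity period is set up front.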

Before the PowerShell can be run, specific dependency components need to be downloaded and installed. One of the first lines within any of the PowerShell scripts and commands imports modules defined by Microsoft. To ensure they all work, you will need the Microsoft add-ons for Office 365 and Azure in order for these import statements to succeed. You can get the downloads here:

  1. Install the 64-bit version of the Microsoft Online Services Sign-in Assistant: Microsoft Online Services Sign-in Assistant for IT Professionals RTW.
  2. Install the 64-bit version of the Windows Azure Active Directory Module for Windows PowerShell: Windows Azure Active Directory Module for Windows PowerShell (64-bit version)

If you already had any PowerShell windows open, you will need to close them and launch them again for these modules to load. Next, walk through the other scripts to ensure that everything is connected together and that you see no errors. The final step is then to create the Cloud Search Service Application and complete the Microsoft on-boarding process.
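Steps 1 to 6 of the setup order listed above, as an added example of the core trust plumbing. It is written from Microsoft's documented SharePoint and MSOnline cmdlets and is not taken from the author's download; steps 7 and 8 (the Cloud Search Service Application and on-boarding) are left to Microsoft's own scripts. The PFX/CER paths, the public DNS domain, the root site collection URL and the "ACS" service names are placeholders; the SharePoint Online application principal ID is the well-known value that is the same in every tenant.

```powershell
# Added example (not the author's download): steps 1-6 of the Hybrid trust setup,
# run on a SharePoint farm server as farm administrator. Placeholder values are marked.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline   # Windows Azure Active Directory Module (prerequisite above)

$pfxPath      = "C:\HybridCerts\stscert.pfx"       # placeholder: PFX exported earlier
$cerPath      = "C:\HybridCerts\stscert.cer"       # placeholder: public certificate
$publicDomain = "contoso.com"                      # placeholder: public DNS domain of the farm
$rootSiteUrl  = "https://sharepoint.contoso.com"   # placeholder: root site collection
$pfxPassword  = Read-Host -Prompt "PFX password" -AsSecureString

# Well-known application principal ID of SharePoint Online (identical in every tenant).
$spoAppId = "00000003-0000-0ff1-ce00-000000000000"

# 1. Replace the default STS signing certificate (20 = Exportable | PersistKeySet).
$stsCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword, 20)
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $stsCert
iisreset                       # both restarts interrupt service briefly
Restart-Service SPTimerV4

# 2. Upload the public certificate to SharePoint Online as a Verify credential
#    of the SharePoint Online principal.
Connect-MsolService            # prompts for Office 365 global administrator credentials
$cer       = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
$credValue = [Convert]::ToBase64String($cer.GetRawCertData())
New-MsolServicePrincipalCredential -AppPrincipalId $spoAppId -Type asymmetric -Usage Verify -Value $credValue

# 3. Add a Service Principal Name covering the On-premises hosts in the public domain.
$msp  = Get-MsolServicePrincipal -AppPrincipalId $spoAppId
$spns = $msp.ServicePrincipalNames
$spns.Add("$spoAppId/*.$publicDomain")
Set-MsolServicePrincipal -AppPrincipalId $spoAppId -ServicePrincipalNames $spns

# 4. Register the SharePoint Online application principal in the On-premises farm.
$spoContextId   = (Get-MsolCompanyInformation).ObjectId
$spoPrincipalId = (Get-MsolServicePrincipal -ServicePrincipalName $spoAppId).ObjectId
$nameIdentifier = "$spoPrincipalId@$spoContextId"
$site = Get-SPSite $rootSiteUrl
Register-SPAppPrincipal -Site $site.RootWeb -NameIdentifier $nameIdentifier -DisplayName "SharePoint Online" | Out-Null

# 5. Set the SharePoint authentication realm to the tenant (context) ID.
Set-SPAuthenticationRealm -Realm $spoContextId

# 6. Configure the On-premises proxy for Azure AD: ACS proxy plus trusted token issuer
#    pointing at the tenant's metadata endpoint.
$metadataEndpoint = "https://accounts.accesscontrol.windows.net/$spoContextId/metadata/json/1"
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $metadataEndpoint -DefaultProxyGroup | Out-Null
New-SPTrustedSecurityTokenIssuer -Name "ACS" -MetadataEndpoint $metadataEndpoint -IsTrustBroker:$true | Out-Null

# Verification: the realm must equal the tenant ID and the issuer must be registered.
"Realm: $(Get-SPAuthenticationRealm)  (expected $spoContextId)"
Get-SPTrustedSecurityTokenIssuer | Select-Object Name, RegisteredIssuerName
```

Run it from an elevated SharePoint Management Shell on one farm server; the iisreset and timer restart in step 1 take the farm offline for a moment, so schedule accordingly. After step 2 the tenant accepts tokens signed with the key inside that PFX, and after step 6 the farm accepts tokens from the tenant's token issuer, which is the trust the article describes. The two printed verification lines are the quickest way to confirm the realm and issuer before moving on to the search and Hybrid Picker steps.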

That's it, you are now done. You now have an On-Premises SharePoint environment running in Hybrid mode against an Office 365 tenant. Don't forget that the first task before you do any of this is to set up Active Directory synchronization from On-premises to Office 365 Azure AD. More details on that can be found here:

Next we move to the SharePoint On-premises server and access the Office 365 tenant to reach the Hybrid Picker. Once logged into your tenant, follow the steps below:

  1. Log in to the console of a SharePoint Server 2013/2016 farm server as a farm administrator.
  2. From the farm server, connect to Office 365 as a global administrator.
  3. On the App Launcher, choose Admin.
  4. In the left pane, under Admin, click SharePoint.
  5. In the left pane of the SharePoint admin center, click configure hybrid.
  6. Once the page redirects click the link to initiate the Hybrid Picker.

An application will be launched from Azure, which can then be used to configure the components needed. Simply select the features you need and follow the wizard.


Once you have selected the features that you wish to enable through the wizard, simply restart Internet Information Services (IIS) within the On-premises environment. This will ensure that the custom configuration that was enabled is accepted by SharePoint and instantly works for your end users.

As you can see, setting up a Hybrid environment using the scripts provided and the Hybrid Picker is now really easy and makes what is a really complex process simple. Of course, you still need to make sure your core tasks for authentication and network access are done beforehand.

By Liam Cleary (MVP), Contributor

Liam Cleary is a 10-time SharePoint MVP, focusing on Architecture but also crossing into Development. His speciality over the past few years has been security in SharePoint and its surrounding platforms. He spends most of his days designing solutions for SharePoint across many different industries and business sectors, from Defense, Financial, Non-profit, Commercial and Corporate. Liam is a Pluralsight Author, the main content contributor for SharePoint Pro Mag and has been a speaker at various international conferences including Microsoft Ignite and TechEd.

About the Author

Liam Cleary is a Microsoft MVP in Office Apps and Services, holding his title for a record 13 years, making him truly an expert in the field of SharePoint and Office 365. Liam writes a blog, authored a Microsoft 365 course and is very active in the conference circuit with webinars, staffing and speaking engagements around the world.

