Objective: To understand the identity management infrastructure requirements and key scenarios for hybrid in SharePoint Server 2013 and Office 365.
Hybrid for SharePoint Server 2013 and Office 365 overview video [4 mins] (transcript)
After viewing the video, use the following to practice and review:
Let’s take a look at hybrid for SharePoint Server 2013 and Office 365.
A hybrid SharePoint environment is composed of a SharePoint Server farm, typically deployed on-premises, and Microsoft Office 365 – SharePoint Online. A user can access either farm from an on-premises location or the Internet.
One challenge that arises from this configuration is identity management, as there are now two identity providers: the on-premises Active Directory Domain Services, or AD DS, and the online Azure AD.
To prevent the maintenance of two sets of user accounts and credentials, you can create a single sign-on, or SSO, experience. With SSO, users always use their AD DS credentials, regardless of whether they are on-premises or on the Internet and accessing either farm. You deploy a Directory Synchronization server, which synchronizes the accounts in AD DS to the accounts in Azure AD, and an identity federation server, such as Active Directory Federation Services 2.0, or AD FS.
Here’s an example of how SSO works.
It is important to note that SharePoint 2010 also supports SSO with Directory Synchronization and access to the resources on either farm from on-premises or the Internet. However, with SharePoint 2010, there is no integration, such as cross-farm sharing of data or services, between the farms. For example, there are no federated search results, in which the search results from both farms are gathered. Users must navigate to and search each farm separately.
SharePoint 2013 supports the Open Authorization, or OAuth 2.0, protocol and server-to-server authentication. With OAuth, in addition to federated identities, hybrid for SharePoint 2013 supports the configuration of a server-to-server trust relationship between the two farms. Requests for cross-farm resources are in the form of claims-based security tokens.
With the server-to-server trust relationship in place, the on-premises SharePoint farm can trust security tokens sent from the online SharePoint farm. Similarly, the online farm can trust security tokens sent from the on-premises farm.
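The trust relationship described above, as an added illustration that is not part of the original page or of SharePoint's own implementation: each farm keeps a trust store of the issuers it accepts, and an incoming claims token is accepted only if its issuer is registered, its signature verifies under that issuer's key, it is addressed to the receiving farm, and it has not expired. The farm names, secrets, claim names and the HMAC signature are constructed assumptions (real SharePoint server-to-server trust uses X.509 certificates and OAuth 2.0).

```python
import base64
import hashlib
import hmac
import json

# Constructed trust store: for each receiving farm, the issuers it trusts and the
# per-issuer signing secret. HMAC replaces the certificate-based trust used by
# SharePoint so that the example runs offline.
TRUSTED_ISSUERS = {
    "onprem-farm": {"online-farm": b"constructed-shared-secret-online"},
    "online-farm": {"onprem-farm": b"constructed-shared-secret-onprem"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(issuer, audience, user, secret, now, ttl=600):
    """Mint a compact claims token: base64(claims).base64(HMAC-SHA256 over claims)."""
    claims = {"iss": issuer, "aud": audience, "upn": user, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return body + "." + sig

def validate_token(receiving_farm, token, now):
    """Return the claims if the token comes from a trusted issuer, is addressed to
    this farm, is unexpired and untampered; otherwise return None."""
    try:
        body, sig = token.split(".")
        claims = json.loads(_unb64(body))
    except ValueError:
        return None  # malformed token (JSONDecodeError is a ValueError)
    secret = TRUSTED_ISSUERS.get(receiving_farm, {}).get(claims.get("iss"))
    if secret is None:
        return None  # issuer has no trust relationship with this farm
    expected = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None  # body was altered or signed with the wrong key
    if claims.get("aud") != receiving_farm or claims.get("exp", 0) <= now:
        return None  # token meant for another farm, or expired
    return claims
```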
Now, let’s examine the key hybrid scenarios for SharePoint 2013.
With federated search, users can obtain search results for resources on both farms. For example, the SharePoint Online user can see the on-premises search results and the online search results. Similarly, the on-premises user can see SharePoint Online search results and on-premises search results.
For Business Connectivity Services, or BCS, a SharePoint app or an external list that is installed on a SharePoint Online site collection can use the SharePoint Online BCS service to connect to the BCS service of an on-premises SharePoint Server 2013 farm, which brokers the connection for both read and write operations to on-premises OData Service endpoints.
With Duet Enterprise Online, either using a SharePoint app that is installed on a SharePoint Online site collection, or by enabling a Duet Enterprise Online feature, SharePoint Online users can perform both read and write operations against an on-premises
For additional information about hybrid for SharePoint Server 2013 and Office 365, see
For more information about SharePoint, see
1. What is the central problem with having two identity providers in a hybrid environment? How does the combination of directory synchronization and identity federation solve this problem?
Answer: With two identity providers, there are now two sets of accounts and their credentials (such as passwords) that must be used and maintained by users. Users can manually synchronize their names and passwords, but must maintain them in two separate account stores, which might have different password length, complexity, and expiration policies.
With directory synchronization, there is now a single account per user, shared by both farms. With identity federation, a single, trusted server brokers the authentication process for both identity providers.
2. What is the key new feature of SharePoint 2013 that allows for cross-farm, hybrid scenarios?
Answer: The support of the Open Authorization, or OAuth 2.0, protocol and server-to-server authentication.
3. True or False: Hybrid for SharePoint 2010 also supports federated search results, provided you configure a cross-farm service application trust for the Search service application on each farm.
Answer: False. Hybrid for SharePoint 2010 does not support federated search. Users must navigate to and search each farm separately.
4. Does the BCS hybrid scenario allow on-premises users access to the SharePoint app or external list that is hosted by the SharePoint Online BCS service?
Answer: No. The BCS hybrid scenario only allows data from the SharePoint Online BCS service to the BCS service of an on-premises SharePoint Server 2013 farm.