So, you've decided on the trust approach for connecting your SharePoint on-premise and online systems? Next comes the core configuration.
You have to set up some basic integration between Office 365 for enterprises and SharePoint Server 2013 before you can configure a hybrid environment. The following steps are needed:
- Sign up for Office 365.
- Register your domain with Office 365.
- Assign UPN domain suffixes.
- Synchronize accounts with Office 365.
- Assign licenses to your users.
Hopefully you will have done the majority of this, just because you have an Office 365 Tenant already. If not, then you need to sign up. We will not run through getting an Office 365 subscription, but you can just visit the main site and sign up.
The next few steps are all about configuration and setup. The DNS configuration can be completed by following the link below:
Now, one of the core pieces of making this all work comes down to the authentication being used. Too often Office 365 is deployed for an organization and then no single sign-on or synchronization process is used to federate local accounts to the cloud service, making it very hard to take full advantage of it. The first part of this process is to create User Principal Names (UPNs) that match the domain you want to use in Office 365.
The following steps show how to do these tasks manually. To create the UPN suffix in your on-premises Active Directory:
- On the Active Directory server, open Active Directory Domains and Trusts.
- In the left pane, right-click the top-level node, and then click Properties.
- In the UPN suffixes dialog box, enter the domain suffix in the Alternative UPN suffixes box that you want for hybrid, and then click Add > OK.
To manually assign a UPN domain suffix to users:
- In Active Directory Users and Computers, in the left pane, click the Users node.
- In the Name column, right-click the user account that you want to federate, and then click Properties.
- In the Properties dialog box, click the Account tab.
- Select the UPN domain suffix that you added in the previous procedure from the drop-down list, as shown in the following picture.
- Repeat steps 2 through 4 for each additional user account that you want to federate.
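The same two procedures can be scripted, which matters once more than a handful of accounts need to be federated. The following is an added example and not part of the original post: it registers the suffix at the forest level, reassigns it to enabled users in one OU, and then lists any user whose suffix is still unregistered (those accounts would synchronize with a sign-in name Office 365 cannot route). It assumes the ActiveDirectory RSAT module, an Enterprise Admin session, and placeholder values for the suffix and OU.

```powershell
# Added example (not from the original post). Placeholders: replace $NewSuffix with the
# domain you verified in Office 365 and $SearchBase with the OU holding users to federate.
Import-Module ActiveDirectory

$NewSuffix  = 'contoso.com'                     # placeholder: verified Office 365 domain
$SearchBase = 'OU=Staff,DC=contoso,DC=local'    # placeholder OU
$DryRun     = $true                             # set to $false after reviewing the report

# 1. Register the alternative UPN suffix on the forest (same as the Domains and Trusts dialog).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $NewSuffix }
    Write-Host "Added UPN suffix $NewSuffix to forest $($forest.Name)"
}

# 2. Enabled users still carrying a different suffix (typically the non-routable .local one).
$candidates = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -and $_.UserPrincipalName -notlike "*@$NewSuffix" }

# 3. Reassign the suffix, keeping each user's existing prefix, and log every change.
foreach ($u in $candidates) {
    $prefix = ($u.UserPrincipalName -split '@')[0]
    $newUpn = "$prefix@$NewSuffix"
    Write-Host ("{0,-25} {1} -> {2}" -f $u.SamAccountName, $u.UserPrincipalName, $newUpn)
    if (-not $DryRun) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn
    }
}

# 4. Post-check: any remaining user with a suffix the forest does not know about will not
#    federate cleanly, so surface them before running directory synchronization.
$known = @($forest.UPNSuffixes) + $forest.RootDomain
Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object { ($_.UserPrincipalName -split '@')[1] -notin $known } |
    Select-Object SamAccountName, UserPrincipalName
```

Run it once with `$DryRun = $true` to review the proposed renames; changing a UPN alters the sign-in name users type, so the report is worth keeping alongside the change record.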
Now that we have the right domains configured within the on-premises Active Directory, we can start to synchronize the accounts to the cloud. Directory synchronization helps you mirror those accounts between your online and on-premises environments. With directory synchronization, your users don't have to remember new information for each environment, and you don't have to create or update accounts twice.
The two core approaches are using either Directory Synchronization or full Single Sign On.
Different user account management techniques provide different experiences for your users, as shown in the following table.
Historically "DirSync" was used for this process; now, however, Azure AD Connect replaces it. Once this has performed the sync process you should have accounts that now reside within Office 365, tagged as synchronized. The regular accounts you may have will be listed as "Cloud" accounts, which means they are only available within Office 365, not on-premises.
Now that we have both, we can use some form of single sign-on simply by using the same accounts. This is not true SSO, but at least it allows me to use the same credentials in both locations, which is a start.
SharePoint Server 2013 hybrid configurations all require the following services to be running on your farm:
- Managed Metadata service application
- User Profile Service application
- My Sites
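Before moving on it is worth confirming those services really are provisioned and online rather than assuming so from Central Administration. The following pre-flight check is an added example, not code from the original post: it runs in the SharePoint 2013 Management Shell as a farm administrator and reports, for each required component, whether the service application exists, which servers have the service instance online, and whether a My Site host site collection is present. The `TypeName` wildcard patterns are assumptions about how the farm labels these services; adjust them if your farm reports different names.

```powershell
# Added example (not from the original post). Run in the SharePoint 2013 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Patterns matched against TypeName; assumed labels, verify against your own farm.
$checks = @(
    @{ Name = 'Managed Metadata service application'; App = '*Managed Metadata*';     Instance = '*Managed Metadata*' },
    @{ Name = 'User Profile Service application';     App = 'User Profile Service*';  Instance = 'User Profile Service' },
    @{ Name = 'User Profile Synchronization';         App = $null;                    Instance = 'User Profile Synchronization Service' },
    @{ Name = 'Subscription Settings service';        App = '*Subscription Settings*'; Instance = '*Subscription Settings*' }
)

$apps      = Get-SPServiceApplication
$instances = Get-SPServiceInstance

$report = foreach ($c in $checks) {
    # A service application is only required where the component has one.
    $appOk = if ($c.App) { [bool]($apps | Where-Object { $_.TypeName -like $c.App }) } else { $true }

    $online = $instances |
        Where-Object { $_.TypeName -like $c.Instance -and $_.Status -eq 'Online' } |
        ForEach-Object { $_.Server.Address }

    [pscustomobject]@{
        Component     = $c.Name
        AppExists     = $appOk
        OnlineServers = ($online -join ', ')
        Ok            = $appOk -and ($online.Count -gt 0)
    }
}

# My Sites: the host site collection uses the SPSMSITEHOST web template.
$mySiteHost = Get-SPSite -Limit All | Where-Object { $_.RootWeb.WebTemplate -eq 'SPSMSITEHOST' }
$report += [pscustomobject]@{
    Component     = 'My Site host'
    AppExists     = [bool]$mySiteHost
    OnlineServers = ($mySiteHost | ForEach-Object { $_.Url }) -join ', '
    Ok            = [bool]$mySiteHost
}

$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more hybrid prerequisites are missing or not online; fix these before running the Hybrid Picker.'
}
```

Running the check on every server is unnecessary; it queries the farm configuration database, so one farm-administrator session is enough, and the output is a convenient record to attach to the change request for the hybrid rollout.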
If you're setting up OneDrive for Business, these are the only services you need. If you're setting up a Search or BCS hybrid solution, additional services are required. As with other SharePoint services, you should choose an appropriate server in your farm where you want to run these services, keeping in mind the workloads that those servers are already handling. You can run the services on multiple servers for added reliability, but it's not a requirement. The following items need to be completed for the full hybrid scenario:
- Enable the Subscription Service
- Ensure User Profile Synchronization Services is configured and running
- Enable server-to-server authentication between on-premises SharePoint and SharePoint Online
- Install and set up the Online Services management tools and PowerShell module in the on-premises environment
- Modify the SSL certificates within the on-premises environment
- Run the Hybrid Picker within Office 365 to determine the hybrid scenario selected
- Configure the inbound connectivity between the two services
- Configure the reverse proxy as needed
As you can see, there are quite a few more steps needed to get your entire system ready for a true hybrid environment. The core steps are to get the authentication and user synchronization set up, then work through preparing the environments as needed.