Configuring SharePoint 2013 and Office 365 Hybrid – Part 1 Brendan Griffin
Me.About() Senior Premier Field Engineer @ Microsoft http://aka.ms/fromthefield @brendankarl Senior Premier Field Engineer @ Microsoft Microsoft Certified Master: SharePoint 2010 10 years experience with SharePoint
Agenda What is Hybrid? Identity Considerations Base Configuration for Hybrid
What is Hybrid? Office 365 + SharePoint 2013 = Hybrid Securely integrate SharePoint Online with SharePoint On-Premises Facilitates gradual migration from On-Premises to Office 365 Addresses key workloads – Search, BCS and Social *This session will focus on configuring the infrastructure to support Hybrid, Part 2 will take a closer look at SharePoint specific configuration and advanced scenarios
Example: Hybrid Search Imagine a Scenario… Your company are using SharePoint On-Premises and Office 365 User content is currently stored in both Does this mean that your users have to search both to find content???
Example: Hybrid Search Certainly Not! Hybrid Search provides the ability for Office 365 content to be surfaced in Search results within an On-Premises farm and vice versa End users can perform a single Search query to find content! 3 options are available for configuring Hybrid search – Outbound, Inbound and Two-Way
Hybrid Topologies This session will focus on the One-Way Outbound topology Easiest of the three options to configure Start with the One-Way Outbound topology first before embarking on more complex Hybrid topologies
Hybrid Topologies Example: One-Way Outbound Topology
Identity Considerations How does Authorization Work? There are three different identity scenarios for Office 365 Hybrid requires the ability to map an On-Premise user to a Cloud Identity – Cloud Identity (only) isn’t an option for Hybrid
Identity Considerations Decisions, Decisions??? Should you go for Synchronised or Federated Identity…it all depends! A great Blog post that outlines potential reasons to opt for Federated Identity over Synchronised Already use ADFS? Require auditing? Immediate account disable? Restrict sign in by location/time?
Identity Considerations In this session we will look at Directory & Password Synchronization Users from the On-Premise AD will be sync’d to Office 365 (Azure AD) – includes a hash of their password Enables users to logon to SharePoint On-Premises and Office 365 using the same username and password – this isn’t SSO though!
On-Premises Service Applications SharePoint On-Premises requires a number of Service Applications to support Hybrid Secure Store is required for inbound Hybrid User Profile Service required to rehydrate users for Security Trimming
Deployment Steps Four Steps to Configure One-Way Outbound Hybrid Search Infrastructure Pre-Requisites Setup AAD Sync (DirSync) Establish S2S Trust with Azure ACS Configure SharePoint On-Premises Search – Covered in Part 2
Deployment Steps Required Tools Microsoft Online Services Sign-In Assistant – Link Azure Active Directory Module for Windows PowerShell – Link SharePoint Online Management Shell – Link
Deployment Steps Infrastructure Pre-Requisites – Verify Internal Domain Verify the internal AD domain name with Office 365 – Needs to be a routable domain! Enables Microsoft to verify that you “own” the domain If you are using a non-routable domain (.local) for AD – all is not lost! Verifying a domain increases the Office 365 object limit from 50K to 300K!
Deployment Steps Infrastructure Pre-Requisites – Verify Internal Domain In my environment the AD domain is griffin.local which isn’t routable! I purchased brendg.co.uk and associated this with the AD domain griffin.local by adding a UPN Suffix Updated user accounts to use the new domain
Deployment Steps Infrastructure Pre-Requisites – Verify Internal Domain Involves adding a temporary DNS record to the domain The existence of this record is verified by Microsoft to validate domain ownership Instructions included for the most common DNS hosting providers
Deployment Steps Infrastructure Pre-Requisites – Verify Internal Domain
Deployment Steps Infrastructure Pre-Requisites – Active Directory AD domain must be at least Windows Server 2003 Forest Functional Level Run IdFix to identify objects that could cause sync issues and remediate Illegal characters Duplicate entries Length …
Deployment Steps Admin Center Infrastructure Pre-Requisites – Activate Directory Sync PowerShell Admin Center
Demo 1: Infrastructure Pre-Requisites
IdFix - Walkthrough
IdFix undo
Verify domain and activate sync
UPN update
Deployment Steps Setting up AAD Sync Install and configure the AAD Sync tool – http://aka.ms/aadsync Assign user licenses in Office 365
Demo 2: Setting up AAD Sync
AAD Sync install/configure
AAD Sync user tidy up
Deployment Steps Additional Considerations For greater control over the attributes that are synchronised to Azure AD select Azure AD app and attribute filtering Password write-back requires Azure AD Premium
Deployment Steps Checking Directory Synchronisation
Deployment Steps Directory Synchronisation – Notification e-mail
Deployment Steps Assigning Licenses using the Office 365 Portal
Deployment Steps Assigning Licenses using PowerShell Licenses all users with a Username (UPN) of *.brendg.co.uk Also sets their location to GB
Deployment Steps AAD Sync Schedule By default AAD Sync will sync AD users with Office 365 every 3 hours A sync can be manually performed using DirectorySyncClientCmd.exe – automate using a Scheduled Task
Deployment Steps AAD Sync Account Account is created in AD during AAD Sync configuration Used by AAD Sync to read attributes from AD This account is granted the following permissions: Replicating Directory Changes Replicating Directory Changes All
Deployment Steps Establish S2S Trust with Azure ACS Replace the STS Certificate within the On-Premises SharePoint farm Register the On-Premises STS as a Service Principal in Office 365 Establish a trust between the On-Premises farm and Azure ACS
Demo 3: Establish S2S Trust with Azure ACS
Export certs
Pre-req’s and update STS certificate
Azure ACS trust
Base Configuration for Hybrid Summary Added a custom domain to Office 365 (brendg.co.uk) Tidied up AD and activated Directory Sync in Office 365 Setup Azure AD Sync to sync users from On-Premises AD to Office 365 (Azure AD) Established S2S trust between SharePoint 2013 and Office 365 The next session will demonstrate Hybrid Search configuration
Questions
Thank You to Our Sponsors!