Step by Step Installation Guide – SharePoint 2013 On-Premises and Office 365 Hybrid Lab

Building end-to-end SharePoint hybrid environment isn’t trivial and requires understanding of various players ranging from on-premises to the cloud infrastructure. This guide is intended to walk you through key steps requires to design SharePoint 2013 hybrid infrastructure.

At high level as shown in following diagram, key players are: Operational AD DS, Internet routable AD domains, DNS, and SSL certificates, Office 365 Enterprise Subscription, SharePoint Server 2013 Enterprise on-premises farm, Directory Synchronization, Directory Federation with ADFS, and Reverse Proxy Appliances.

Hybrid Architecture Key Players

As an overview, my SharePoint Hybrid Lab consists of Microsoft Azure hosted SharePoint 2013 On-premises environment with Office 365 hybrid trust.

I have 3 VMs in Microsoft Azure for SharePoint 2013 on-premises environment – All-up SharePoint 2013 VM with AD and SQL, ADFS+Azure AD Sync VM for SAML provider, and WAP VM acting as reverse proxy. This environment is trusted by Office 365 tenant syncing on-premises users in Office 365 and configured with both in-bound and out-bound SharePoint search.

Hybrid lab

Here are the high level steps one needs to take and consider while building end-to-end SharePoint 2013 hybrid lab.

Prepare AD, DNS and Domain requirements

  • Procure Public SSL certificates – Plan to have either Wildcard or UCC/SAN certificates for internet routable URLs. In mycase, I had procured UCC/SAN certs from GoDaddy supporting key URLs –,, and
  • Prepare Public Domain and Public DNS – Register internet routable public domain and DNS service if it’s required (e.g. and add DNS name servers to the domain if required. In my case, I had requested public domain and DNS services from GoDaddy.
  • Prepare Internal DNS for SharePoint Hybrid – This is an optional step. Add an alternative zone for public domain in internal DNS, if internal domain is different (e.g. add public domain zone for internal domain
  • Prepare Internal AD for SharePoint Hybrid – Your internal AD must be at Windows Server 2003 R2 functional level a minimum, if public domain differs to corporate domain name, update UPN suffix for all the users in on-premises AD domains that matches the public domain. e.g. UPN for all the users in AD environment is, rather than

Provision Office 365 Tenant

  • Choose level of subscription – E1-E4, you can mix these licenses
    • Specify the unique tenant name and Global admin User id/password. (e.g. Tenant name is chipchybrid1 and Global admin is
    • Specify the country where your tenant will be located (unless your EA states otherwise)
  • Add an On-premises Public domain to Office 365
    • Specify a domain name and confirm ownership (e.g.
    • Set the domain purpose of which services (e.g. Lync or Exchange) will be used
    • Configure DNS by creating verification record with DNS hosting provider
    • Complete the domain setup and choose default domain

Provision SharePoint 2013 On-Premises

  • Configure SharePoint 2013 SP1 on-premises environments at minimum: SP1 allows Yammer and OneDrive for Business redirection from on-premises.
  • Configure primary web applications and site collections – For hybrid search, web application with Integrated Windows Authentication NTLM claims is required – this can be dedicated zone extended from default SAML Claims zone. In my case – I have Path Based SAML web application as primary ( and extended NTLM application for search (
  • Enable SharePoint on-premises services for hybrid
    • Required Service Applications – User Profile Application (UPA)  and  App Management Service and Subscription Settings Service.
    • Also it is recommended to enable – Managed Metadata Service and User Profile Sync Service (UPS)

Configure Directory Synchronization (or Azure AD Sync)

  • DirSync provisions and synchronizes directory objects between Windows Active Directory on-premises and Windows Azure Active Directory, identities are created and managed on on-premises and synchronized to the cloud.
  • DirSync provides single identity and credentials but no single sign-on for on-premises and Office 365 services. You will require ADFS for SSO.
  • DirSync with password hash is a requirement for SharePoint outbound hybrid scenarios including search. When a user issues a query from on-premises to SharePoint online, SP Online must rehydrates the user’s identity. During rehydration process, if no or multiple profiles exist the query will fail rather than security trimmed results being returned.
  • Configure Activate Directory Synchronization on Office 365 tenant
    • Activate Active Directory Synchronization for your Office 365 tenant from Admin UI.
    • Alternatively you can PowerShell command – Set-MsolDirSyncEnabled –EnableDirSync $true
  • Install Directory Synchronization Tool on ADFS/DirSync server
    • Download and install DirSync tool on a member server in on-premises environment using domain admin.
    • Make sure outbound 443 port is open to synchronize on-premises AD to Azure AD.
    • No need to install The Microsoft Online Services Sign-In Assistant, it’s part of DirSync installer. You will encounter error if it’s installed prior to DirSync install.
    • You must logoff and login again to add account in FIM group after DirSync Install.
  • Configure and verify Directory Synchronization – Run DirSync tool on server where installed and start the synchronization of users to cloud.
  • Assign Licences & verify SharePoint online access.
  • Alternatively, you can use Azure Active Directory Sync rather than DirSync, which is recommended as vNext DirSync tool.

Federate Office 365 and SharePoint On-Premises for SSO

Configure Outbound Topology and Office365-SP2013 On-Premises S2S Trust

  • Server-to-server trust between SharePoint Online and SharePoint On-Premises: The trust relationship between SharePoint on-premises, SharePoint Online, and Windows Azure Active Directory.
  • Security tokens issued by Windows Azure Active Directory Access Control Services are trusted by both SharePoint on-premises and SharePoint Online grant access to resources for users.
  • SharePoint Online is registered as a high-trust application in SharePoint on-premises.
  • Create Self-Signed STS Cert for S2S
    • Either Self-Signed or Public CA certificate supported but domain-issued cert is not supported.
    • Security token service (STS) certificate should be at least 2038 bit.
    • Export STS cert in PFX or CER format for Office 365 S2S configuration.
  • Replace STS Certificate in On-Premises
    • Create a new security token service (STS) certificate (at least 2038 bit) for Server-to-Server trust.
    • Either Self-Signed or Public CA certificate supported but domain-issued cert is not supported.
    • Replace the default STS certificate on all on-premises SharePoint servers in the farm.
  • Configure Server-to-Server trust
    • Install the following tools on the Central Administration server – The Microsoft Online Services Sign-In Assistant, The Azure Active Directory Module for Windows PowerShell (64 bit version), and The SharePoint Online Management Shell (64 bit version).
    • Execute PowerShell to configure S2S trust between SharePoint on-premises and SharePoint Online. You must logon to the central admin server with a Farm Admin account (e.g. sp_farm) to run PowerShell.
    • You can use PowerShell script provided in the presentation attached in this article.
  • Here is the detailed TechNet article for your reference –

Configure Outbound Search

  • Verify Search Configuration from inside firewall
    • Enable Search Service on SharePoint on-premises services.
    • Create crawled content in SharePoint on-premises and SharePoint Online.
    • Verify search in SharePoint on-premises and SharePoint Online for same user.
  • Configure Result Source in On-Premises
    • Protocol: Remote SharePoint
    • Remote Service URL: SharePoint Online root site URL
    • Credentials: Default Authentication – SharePoint Online is configured to authenticate queries using Windows Azure Active Directory.
  • Configure Query Rule in On-Premises – Use Result Source created in previous step.
  • Verify outbound search configuration.

Configure Inbound Topology and Reverse Proxy

  • Reverse proxies are required for one-way inbound or two-way authentication topologies and provides a secure Internet endpoint for inbound connections.
  • Understand the SharePoint External URL requirements – Publish SharePoint 2013 on-premises for inbound requests via Reverse Proxy.
  • Understand the Inbound Hybrid Cert requirements
    • SSL issued and trusted by public CA.
    • SSL cert must be either wildcard or SAN cert.
    • SSL cert must support both client and server authentication.
  • Publish SharePoint On-Premises through Reverse Proxy
    • Reverse Proxy is required for one-way inbound or two-way authentication topologies.
    • Use PowerShell to public WAP endpoint with client certificate for Office 365 S2S communication.
  • Configure SharePoint Online Secure Store Service
    • Create Secure Store Target Application
      • Target Application ID: SecureChannelTargetApplication, must match in SharePoint Online result source.
      • Display Name: Secure Channel Target Application
      • Credentials: Create fields for certificate and certificate password
      • Target Application Administrators: SharePoint Online Admins
      • In Members, type Users and Groups For Access: All users should have access.
    • Set Credentials for Target Application – select Import Secure Channel Certificate.

Configure Inbound Search

  • Verify search configuration from outside firewall
    • Create crawled content in SharePoint on-premises and SharePoint Online.
    • Verify search on both SharePoint on-premises and SharePoint Online for same user.
  • Configure Result Source in SharePoint Online
    • Protocol: Remote SharePoint
    • Remote Service URL: Reverse-proxy address of the SharePoint on-premises primary web application
    • Credentials: SSO ID – To authenticate to the reverse proxy, enter the secure store target application ID that contains the Windows certificate
  • Configure Query Rule in SharePoint Online, use the result source created in previous step.
  • Verify inbound search configuration.

Hopefully you would be able to navigate steps mentioned in this article. For more detailed step by step guidance, please review my SharePoint Fest presentation.


This entry was posted in Uncategorized. Bookmark the permalink.

2 Responses to Step by Step Installation Guide – SharePoint 2013 On-Premises and Office 365 Hybrid Lab

  1. BiVi Bori says:

    Nik, You always write the best articles. Thanks!

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s