@fabianwilliams-zz
Created October 10, 2014 15:15
SharePoint Hybrid Scripts for Identity Management
#you will need to set up a Trusted Authority in your On Premises SP2013
#NOTE: $site, $spoappid and $spocontextID are defined in the setup block further down
#(module imports and variables); run that block first, then come back here
#below takes the SPO Principal Object and registers it with the SP On Prem Root Web
$spoappprincipalID = (Get-MsolServicePrincipal -ServicePrincipalName $spoappid).ObjectID
$sponameidentifier = "$spoappprincipalID@$spocontextID"
$appPrincipal = Register-SPAppPrincipal -Site $site.RootWeb -NameIdentifier $sponameidentifier -DisplayName "SharePoint Online"
#you can verify this worked by running the POSH below
Get-SPAppPrincipal -Site $site.RootWeb -NameIdentifier $sponameidentifier | Format-Table -AutoSize -Wrap
#to set the SharePoint Authentication Realm to your O365 tenant (context) ID do the below
#note this changes the realm for the whole farm, not just this site collection
Set-SPAuthenticationRealm -Realm $spocontextID
#to test it works type the below to see the output of the variable and the realm; they should match
$spocontextID
#and
Get-SPAuthenticationRealm
Add-PSSnapin Microsoft.SharePoint.PowerShell
Import-Module Microsoft.PowerShell.Utility
Import-Module MSOnline -force
Import-Module MSOnlineExtended -force
Import-Module Microsoft.Online.SharePoint.PowerShell -force
#as you will be using POSH from your local
#PC to affect Office 365 you must enable remoting
Enable-PSRemoting
New-PSSession
#you will be setting up the SPN and Certs here
#based on your Public Authority SSL certs and
#Replacement STS cert
#in my example it was $spcn="*.fabiansworld.com" below
$spcn = "*.<public_root_domain_name>.com"
$site = Get-SPSite "<principal_web_application_URL>"
#this is the well-known App Principal ID of SharePoint Online in every tenant
$spoappid = "00000003-0000-0ff1-ce00-000000000000"
#the tenant (context) ID of your O365 directory
$spocontextID = (Get-MsolCompanyInformation).ObjectID
$metadataEndpoint = "https://accounts.accesscontrol.windows.net/" + $spocontextID + "/metadata/json/1"
#to test for the value that you just set, which will return the GUID for the
#spocontextid inside the endpoint URL, type the below
$metadataEndpoint
#the replacement STS Cert that was put on SharePoint On Prem needs
#to be on O365 as well (public part only, the .cer file; no private key is uploaded)
#it is better practice to set the end date value to one day less than the expiration date
#of the certificate ($cer.NotAfter once it is loaded)
$cerPath = "<path to replacement certificate (.cer file)>"
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cer.Import($cerPath)
$binCert = $cer.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert)
New-MsolServicePrincipalCredential -AppPrincipalId $spoappid -Type asymmetric -Usage Verify -Value $credValue -StartDate "<start_date>" -EndDate "<end_date>"
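The following is an added example, not part of the gist: it derives the credential validity window from the certificate itself (the "one day less than the expiration date" practice noted above), refuses an already-expired certificate, skips the upload if the same certificate is already registered, and reads the credential back to confirm it landed. It assumes the gist's `$spoappid` and `$cerPath` are set and the MSOnline module is loaded; the function name and the `$DaysBeforeExpiry` parameter are my own.

```powershell
# Added example (not from the gist): register the replacement STS certificate as a
# Verify credential on the SharePoint Online service principal, with the validity
# window taken from the certificate, then confirm it is present.
# Assumes $spoappid and $cerPath from the gist; the function name is hypothetical.
function Add-SPOStsCertificateCredential {
    param(
        [Parameter(Mandatory)] [string] $AppPrincipalId,
        [Parameter(Mandatory)] [string] $CerPath,
        [int] $DaysBeforeExpiry = 1
    )

    # load the public certificate (.cer) only; a Verify credential needs no private key
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import($CerPath)

    # credential window: bounded by the certificate's own validity, ending early so
    # token verification never relies on a certificate that has just expired
    $startDate = $cert.NotBefore.ToUniversalTime()
    $endDate   = $cert.NotAfter.ToUniversalTime().AddDays(-$DaysBeforeExpiry)
    if ($endDate -le (Get-Date).ToUniversalTime()) {
        throw "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter); refusing to register an expired credential"
    }

    $credValue = [System.Convert]::ToBase64String($cert.GetRawCertData())

    # idempotency: do not register the same public key twice
    $existing = Get-MsolServicePrincipalCredential -AppPrincipalId $AppPrincipalId -ReturnKeyValues $true |
        Where-Object { $_.Type -eq 'Asymmetric' -and $_.Value -eq $credValue }
    if ($existing) {
        Write-Warning "Certificate $($cert.Thumbprint) is already registered (KeyId $($existing.KeyId)); nothing to do"
        return $existing
    }

    New-MsolServicePrincipalCredential -AppPrincipalId $AppPrincipalId -Type asymmetric -Usage Verify `
        -Value $credValue -StartDate $startDate -EndDate $endDate

    # read it back: the new credential should show the computed window
    Get-MsolServicePrincipalCredential -AppPrincipalId $AppPrincipalId -ReturnKeyValues $true |
        Where-Object { $_.Value -eq $credValue } |
        Select-Object KeyId, Type, Usage, StartDate, EndDate
}

Add-SPOStsCertificateCredential -AppPrincipalId $spoappid -CerPath $cerPath
```

Because the credential end date is tied to the certificate, rotating the on-prem STS certificate later means running this again with the new `.cer`; the old credential stays on the service principal until its end date or until it is removed with `Remove-MsolServicePrincipalCredential`.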
#by default O365 SPO has a Principal Object public token GUID mapped to SPO
#you need to add your public domain as well that will be
#participating in Hybrid
$msp = Get-MsolServicePrincipal -AppPrincipalId $spoappid
$spns = $msp.ServicePrincipalNames
$spns.Add("$spoappid/$spcn")
Set-MsolServicePrincipal -AppPrincipalId $spoappid -ServicePrincipalNames $spns
#to test your entry you should see your public domain SPN with the POSH
#statement below. In fact you will see two, one for SPO and one for your domain
$msp = Get-MsolServicePrincipal -AppPrincipalId $spoappid
$spns = $msp.ServicePrincipalNames
$spns
#for proper authentication you will need to allow WAAD to be a trusted
#token issuer on the On Prem SharePoint. This will set up a SA Proxy in
#your Service Application and add a Trusted Authority in Security
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $metadataEndpoint -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadataEndpoint -IsTrustBroker:$true -Name "ACS"
#you can look in CA > General Security > Manage Trust for this new entry or
#run the POSH below to verify it worked. One of them will say ACS
Get-SPTrustedSecurityTokenIssuer
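As an added example (not from the gist), the check below ties the individual verification steps scattered through the script into one pass: realm matches the tenant ID, the SPO app principal is registered on the root web, the public-domain SPN exists, an unexpired Verify credential is on the service principal, and the trusted token issuer and ACS proxy named "ACS" are present. It assumes the gist's `$spocontextID`, `$spoappid`, `$spcn` and `$site` are set and that both the SharePoint snap-in and the MSOnline module are loaded; the function and parameter names are my own, and the 30-day expiry warning threshold is an arbitrary choice.

```powershell
# Added example (not from the gist): one-shot health check of the hybrid S2S trust.
# Each check becomes a row so a missing piece is easy to spot.
# Assumes the gist's variables; function/parameter names and the 30-day threshold are mine.
function Test-SPHybridS2STrust {
    param(
        [Parameter(Mandatory)] [string] $TenantContextId,
        [Parameter(Mandatory)] [string] $SpoAppId,
        [Parameter(Mandatory)] [string] $PublicHostName,
        [Parameter(Mandatory)] $Site,
        [string] $IssuerName = "ACS",
        [int] $WarnDaysBeforeExpiry = 30
    )

    $results = New-Object System.Collections.Generic.List[object]
    $add = { param($Check, $Ok, $Detail)
        $results.Add([pscustomobject]@{ Check = $Check; Ok = [bool]$Ok; Detail = $Detail }) }

    # 1. farm realm must equal the tenant (context) ID or SPO-issued tokens are rejected
    $realm = Get-SPAuthenticationRealm
    & $add "Authentication realm" ($realm -eq $TenantContextId) "farm realm = $realm"

    # 2. the SPO service principal must be registered as an app principal on the root web
    $spoObjectId = (Get-MsolServicePrincipal -ServicePrincipalName $SpoAppId).ObjectId
    $nameId = "$spoObjectId@$TenantContextId"
    $appPrincipal = Get-SPAppPrincipal -Site $Site.RootWeb -NameIdentifier $nameId -ErrorAction SilentlyContinue
    & $add "SPO app principal on root web" ($null -ne $appPrincipal) "name identifier = $nameId"

    # 3. the public host name must be an SPN of the SPO service principal
    $spns = (Get-MsolServicePrincipal -AppPrincipalId $SpoAppId).ServicePrincipalNames
    $wantedSpn = "$SpoAppId/$PublicHostName"
    & $add "Public domain SPN" ($spns -contains $wantedSpn) ("SPNs: " + ($spns -join ', '))

    # 4. at least one asymmetric Verify credential (the STS cert) must still be valid
    $now = (Get-Date).ToUniversalTime()
    $creds = Get-MsolServicePrincipalCredential -AppPrincipalId $SpoAppId |
        Where-Object { $_.Type -eq 'Asymmetric' -and $_.Usage -eq 'Verify' -and $_.EndDate -gt $now }
    $latest = $creds | Sort-Object EndDate -Descending | Select-Object -First 1
    if ($latest) {
        $daysLeft = [int]($latest.EndDate - $now).TotalDays
        & $add "STS certificate credential" ($daysLeft -gt $WarnDaysBeforeExpiry) "KeyId $($latest.KeyId) expires in $daysLeft day(s)"
    } else {
        & $add "STS certificate credential" $false "no unexpired asymmetric Verify credential found"
    }

    # 5. on-prem farm must trust ACS as a token broker
    $issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $IssuerName }
    & $add "Trusted token issuer '$IssuerName'" ($issuer -and $issuer.IsTrustBroker) `
        ("registered issuer = " + ($(if ($issuer) { $issuer.RegisteredIssuerName } else { 'none' })))

    # 6. the ACS service application proxy must exist in the default proxy group
    $proxy = Get-SPServiceApplicationProxy | Where-Object { $_.Name -eq $IssuerName }
    & $add "ACS service application proxy" ($null -ne $proxy) ("type = " + ($(if ($proxy) { $proxy.TypeName } else { 'none' })))

    return $results
}

Test-SPHybridS2STrust -TenantContextId $spocontextID -SpoAppId $spoappid -PublicHostName $spcn -Site $site |
    Format-Table Check, Ok, Detail -AutoSize -Wrap
```

Any row with `Ok` = `False` points at the step of the gist to re-run; the credential row is the one worth scheduling, since a Verify credential that lapses silently breaks hybrid token validation until a new certificate is registered.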