SharePoint Hybrid Scripts for Identity Management
#the steps below are in the order they must run: load modules, set the
#shared variables, upload the replacement STS cert to O365, add the public
#domain SPN, trust WAAD on prem, register the SPO principal, set the realm

#as you will be using POSH from your local
#pc to affect Office 365 you must enable remoting
#run this from the SharePoint Management Shell on the on prem farm
#and connect to O365 first (Connect-MsolService)
Add-PSSnapin Microsoft.SharePoint.PowerShell
Import-Module Microsoft.PowerShell.Utility
Import-Module MSOnline -force
Import-Module MSOnlineExtended -force
Import-Module Microsoft.Online.SharePoint.PowerShell -force

#you will be setting up the SPN and Certs here
#based on your Public Authority SSL certs and
#Replacement STS cert
#in my example it was $spcn="*" below
$spcn = "<*.public_root_domain_name>"                 #CN of your public (wildcard) SSL cert
$spoappid = "00000003-0000-0ff1-ce00-000000000000"    #well-known SharePoint Online app principal id
$spsite = Get-SPSite "<principal_web_application_URL>"
$site = Get-SPSite $spsite
$spocontextID = (Get-MsolCompanyInformation).ObjectID
$metadataEndpoint = "https://accounts.accesscontrol.windows.net/" + $spocontextID + "/metadata/json/1"
#to test for the value that you just set which will return the GUID for the
#spocontextid type the below
$spocontextID
$metadataEndpoint

#the replacement STS Cert that was put on SharePoint On Prem needs
#to be on O365 as well
#it is better practice to set the end date value to one day less than the expiration date
$cerPath = "<path to replacement certificate (.cer file)>"
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
$binCert = $cer.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert)
New-MsolServicePrincipalCredential -AppPrincipalId $spoappid -Type asymmetric -Usage Verify -Value $credValue -StartDate "<start_date>" -EndDate "<end_date>"

#by default O365 SPO has a Principal Object public token GUID mapped to SPO
#you need to add your public domain as well that will be
#participating in Hybrid
$msp = Get-MsolServicePrincipal -AppPrincipalId $spoappid
$spns = $msp.ServicePrincipalNames
$spns.Add("$spoappid/$spcn")
Set-MsolServicePrincipal -AppPrincipalId $spoappid -ServicePrincipalNames $spns
#to test your entry you should see your public domain SPN with the POSH
#statement below. in fact you will see two, one for SPO and one for your domain
$msp = Get-MsolServicePrincipal -AppPrincipalId $spoappid
$msp.ServicePrincipalNames

#for proper authentication you will need to allow WAAD to be a trusted
#token issuer on the On Prem SharePoint. This will set up a SA Proxy in
#your Service Application and add a Trusted Authority in Security
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $metadataEndpoint -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadataEndpoint -IsTrustBroker:$true -Name "ACS"
#you can look in CA>General Security>Manage Trust for this new entry or
#run the POSH below to verify it worked. One of them will say ACS
Get-SPTrustedSecurityTokenIssuer | format-table -autosize -wrap

#you will need to set up a Trusted Authority in your ON Premises SP2013
#below takes SPO Principal Object and registers it with SP On Prem Root Web
$spoappprincipalID = (Get-MsolServicePrincipal -ServicePrincipalName $spoappid).ObjectID
$sponameidentifier = "$spoappprincipalID@$spocontextID"
$appPrincipal = Register-SPAppPrincipal -site $site.rootweb -nameIdentifier $sponameidentifier -displayName "SharePoint Online"
#you can verify this worked by running the POSH below
Get-SPAppPrincipal -site $site.rootweb -NameIdentifier $sponameidentifier | format-table -autosize -wrap
#to set the SharePoint Authentication Realm do the below
Set-SPAuthenticationRealm -realm $spocontextID
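Added example, not part of the gist: a read-only check that the five trust pieces the script sets up (realm, public domain SPN, STS certificate credential, trusted token issuer, registered app principal) are actually in place. It runs in the SharePoint Management Shell on the on prem farm after Connect-MsolService; the web application URL and $spcn are placeholders to fill in, and the SPO app principal id is the well-known value used above.

```powershell
# Assumed inputs: same values as the setup script (placeholders to replace)
$WebAppUrl = "<principal_web_application_URL>"
$Spcn      = "<*.public_root_domain_name>"
$SpoAppId  = "00000003-0000-0ff1-ce00-000000000000"   # SharePoint Online app principal
$problems  = @()

# 1. On prem authentication realm must equal the O365 tenant context id
$contextId = (Get-MsolCompanyInformation).ObjectID
$realm     = Get-SPAuthenticationRealm
if ("$realm" -ne "$contextId") {
    $problems += "Realm '$realm' does not match tenant context id '$contextId'"
}

# 2. SPN for the public domain must be on the SPO service principal
$msp = Get-MsolServicePrincipal -AppPrincipalId $SpoAppId
if (-not ($msp.ServicePrincipalNames -contains "$SpoAppId/$Spcn")) {
    $problems += "SPN '$SpoAppId/$Spcn' is missing from the SPO service principal"
}

# 3. A 'Verify' credential (the replacement STS cert) must exist and not be near expiry
$creds = Get-MsolServicePrincipalCredential -AppPrincipalId $SpoAppId -ReturnKeyValues $false
$valid = $creds | Where-Object { $_.Usage -eq "Verify" -and $_.EndDate -gt (Get-Date).AddDays(30) }
if (-not $valid) {
    $problems += "No 'Verify' credential on $SpoAppId is valid for more than 30 days"
}

# 4. WAAD must be a trusted token issuer on prem (named ACS in the setup script)
if (-not (Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq "ACS" })) {
    $problems += "Trusted security token issuer 'ACS' not found"
}

# 5. The SPO principal must be registered on the root web of the web application
$site   = Get-SPSite $WebAppUrl
$nameId = "$($msp.ObjectId)@$contextId"
$app    = Get-SPAppPrincipal -Site $site.RootWeb -NameIdentifier $nameId -ErrorAction SilentlyContinue
if (-not $app) {
    $problems += "App principal '$nameId' is not registered on $($site.RootWeb.Url)"
}

if ($problems.Count -eq 0) { "Hybrid trust checks passed" }
else { $problems | ForEach-Object { "FAIL: $_" } }
```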