Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
SharePoint Hybrid Scripts for Identity Management
#you will need to set up a Trusted Authority in your ON Premises SP2013
#below takes SPO Principal Object and registers it with SP On Prem Root Web
$spoappprincipalID = (Get-MsolServicePrincipal -ServicePrincipalName $spoappid).ObjectID
$sponameidentifier = "$spoappprincipalID@$spocontextID"
$appPrincipal = Register-SPAppPrincipal -site $site.rootweb -nameIdentifier $sponameidentifier -displayName "SharePoint Online"
#you can verify this worked by running the POSH below
Get-SPAppPrincipal -site $site.rootweb -NameIdentifier $sponameidentifier | format-table -autosize -wrap
#to set the SharePoint Authentication Realm do the below
Set-SPAuthenticationRealm -realm $spocontextID
#to test it works type the below to see the output of the variables and object
$spocontextID
#and
Get-SPAuthenticationRealm
Add-PSSnapin Microsoft.SharePoint.PowerShell
Import-Module Microsoft.PowerShell.Utility
Import-Module MSOnline -force
Import-Module MSOnlineExtended -force
Import-Module Microsoft.Online.SharePoint.PowerShell -force
#as you will be using POSH from your local
#pc to affect Office 365 you must enable remoting
enable-psremoting
new-pssession
#you will be setting up the SPN and Certs here
#based on on your Public Authority SSL certs and
#Replacement STS cert
#in my example it was $spcn="*.fabiansworld.com" below
$spcn="*.<public_root_domain_name>.com"
$spsite=Get-Spsite <principal_web_application_URL>
$site=Get-Spsite $spsite
$spoappid="00000003-0000-0ff1-ce00-000000000000"
$spocontextID = (Get-MsolCompanyInformation).ObjectID
$metadataEndpoint = "https://accounts.accesscontrol.windows.net/" + $spocontextID + "/metadata/json/1"
#to test for the value that you just set which will return the GUID for the
#spocontextid type the below
$metadataEndpoint
#the replacement STS Cert that was put on SharePoint On Prem needs
#to be on O365 as well
#it is better practice to set the end date value to one day less than the expiration date
$cerPath = "<path to replacement certificate (.cer file)>"
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $pfxPath, $pfxPass
$cer.Import($cerPath)
$binCert = $cer.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert);
New-MsolServicePrincipalCredential -AppPrincipalId $spoappid -Type asymmetric -Usage Verify -Value $credValue -StartDate <start_date> -EndDate <end_date>
#by default O365 SPO has a Principal Object public token GUID mapped to SPO
#you need to add your public domain as well that will be
#particpating in Hybrid
$msp = Get-MsolServicePrincipal -AppPrincipalId $spoappid
$spns = $msp.ServicePrincipalNames
$spns.Add("$spoappid/$spcn")
Set-MsolServicePrincipal -AppPrincipalId $spoappid -ServicePrincipalNames $spns
#to test your entry you should see your publid domain SPN with the POSH
#statement below. in fact you will see two, one for SPO and one for your domain
$msp = Get-MsolServicePrincipal -AppPrincipalId $spoappid
$spns = $msp.ServicePrincipalNames
$spns
#for proper authentication you will need to allow WAAD to be a trusted
#token issuer on the On Prem SharePoint. This will set up a SA Proxy in
#your SErvice Applicaition and add a Trusted Authority in Security
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $metadataEndpoint -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadataEndpoint -IsTrustBroker:$true -Name "ACS"
#you can look in CA>General Security>Manage Trust for this new entry or
#run the POSH below to verify it worked. One of them will say ACS
Get-SPTrustedSecurityTokenIssuer
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.