Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
SharePoint: Configure hybrid search results from SharePoint Online in SharePoint on-premise #SharePoint #PowerShell


In this post I'll show you how to get search results from your SharePoint Online in your SharePoint 2013 on-premise search center.


  • User synchronisation ActiveDirectory to Office 365 with DirSync
  • DirSync password sync or ADFS SSO
  • SharePoint Online
  • SharePoint 2013 on-premise
    • Enterprise Search service
    • SharePoint Online Management Shell


All configuration will be done either in the Search Administration of the Central Administration or in the PowerShell console of your on-premise SharePoint 2013 server.

Set up Sever to Server Trust

Before we start with configuring and installing I highly recommand you to make a backup of your SharePoint databases and severs.

The most risky configuration of this tutorial will be the replacing of the signing certificate of the secure token service.

By running the command Backup-SPFarm -ShowTree you'll get an summary of all install services on your SharePoint.

Select the most important services and create a backup with:

Backup-SPFarm -Directory <BackupFolder> -BackupMethod {Full | Differential} -Item <ServiceApplicationName> [-Verbose]

A restore is simply done by checking the backup history and restore a selected backup.

Get-SPBackupHistory -Directory <BackupFolder>
Restore-SPFarm -Directory <BackupFolder> -Item <ServiceApplicationName> -RestoreMethod Overwrite [-BackupId <GUID>] [-Verbose]

Export certificates

To create a server to server trust we need two certificates.

[certificate name].pfx: In order to replace the STS certificate, the certificate is needed in Personal Information Exchange (PFX) format including the private key.

[certificate name].cer: In order to set up a trust with Office 365 and Windows Azure ACS, the certificate is needed in CER Base64 format.

  1. First launch the Internet Information Services (IIS) Manager
  2. Select your SharePoint web server and double-click Server Certificates
  3. In the Actions pane, click Create Self-Signed Certificate
  4. Enter a name for the certificate and save it with OK
  5. To export the new certificate in the Pfx format select it and click Export in the Actions pane
  6. Fill the fields and click OK Export to: C:\[certificate name].pfx Password: [password]
  7. Also we need to export the certificate in the CER Base64 format. For that purpose make a right-click on the certificate and click on View...
  8. Click the Details tab and then click Copy to File
  9. On the Welcome to the Certificate Export Wizard page, click Next
  10. On the Export Private Key page, click Next
  11. On the Export File Format page, click Base-64 encoded X.509 (.CER), and then click Next.
  12. As file name enter C:\[certificate name].cer and then click Next
  13. Finish the export

Import the new STS (SharePoint Token Service) certificate

Let's update the certificate on the STS. Configure and run the PowerShell script below on your SharePoint server.

if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}

# set the cerficates paths and password
$PfxCertPath = "c:\[certificate name].pfx"
$PfxCertPassword = "[password]"
$X64CertPath = "c:\[certificate name].cer"

# get the encrypted pfx certificate object
$PfxCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20

# import it
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $PfxCert
certutil -addstore -enterprise -f -v root $stsCertificate

Type Yes when prompted with the following message.

You are about to change the signing certificate for the Security Token Service. Changing the certificate to an invalid, inaccessible or non-existent certificate will cause your SharePoint installation to stop functioning. Refer to the following article for instructions on how to change this certificate: Are you sure, you want to continue?

Restart IIS so STS picks up the new certificate.

& iisreset
& net stop SPTimerV4
& net start SPTimerV4

Now validate the certificate replacement by running several PowerShell commands and compare their outputs.

# set the cerficates paths and password
$PfxCertPath = "c:\[certificate name].pfx"
$PfxCertPassword = "[password]"

# get the encrypted pfx certificate object
New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20

# compare the output above with this output

Establish the server to server trust

if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}
Import-Module MSOnline 
Import-Module MSOnlineExtended

# set the cerficates paths and password
$PfxCertPath = "c:\[certificate name].pfx"
$PfxCertPassword = "[password]"
$X64CertPath = "c:\[certificate name].cer"

# set the onpremise domain that you added to Office 365
$SPCN = "" 

# your onpremise SharePoint site url

# don't change this value

# get the encrypted pfx certificate object
$PfxCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20

# get the raw data
$PfxCertBin = $PfxCert.GetRawCertData()

# create a new certificate object
$X64Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2

# import the base 64 encoded certificate

# get the raw data
$X64CertBin = $X64Cert.GetRawCertData()

# save base 64 string in variable
$CredValue = [System.Convert]::ToBase64String($X64CertBin)

# connect to office 3656

# register the on-premise STS as service principal in Office 365

# add a new service principal
New-MsolServicePrincipalCredential -AppPrincipalId $SPOAppID -Type asymmetric -Usage Verify -Value $CredValue
$MsolServicePrincipal = Get-MsolServicePrincipal -AppPrincipalId $SPOAppID
$SPServicePrincipalNames = $MsolServicePrincipal.ServicePrincipalNames
Set-MsolServicePrincipal -AppPrincipalId $SPOAppID -ServicePrincipalNames $SPServicePrincipalNames

# get the online name identifier
$MsolCompanyInformationID = (Get-MsolCompanyInformation).ObjectID
$MsolServicePrincipalID = (Get-MsolServicePrincipal -ServicePrincipalName $SPOAppID).ObjectID
$MsolNameIdentifier = "$MsolServicePrincipalID@$MsolCompanyInformationID"

# establish the trust from on-premise with ACS (Azure Control Service)

# add a new authenticatio realm
$SPSite = Get-SPSite $SPSite
$SPAppPrincipal = Register-SPAppPrincipal -site $SPSite.rootweb -nameIdentifier $MsolNameIdentifier -displayName "SharePoint Online"
Set-SPAuthenticationRealm -realm $MsolServicePrincipalID

# register the ACS application proxy and token issuer
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri "" -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "" -IsTrustBroker -Name "ACS"

Add a new result source

To get search results from SharePoint Online we have to add a new result source. Run the following script in a PowerShell ISE session on your SharePoint 2013 on-premise server. Don't forget to update the settings region

if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}

# region settings 
$RemoteSharePointUrl = "http://[example]"
$ResultSourceName = "SharePoint Online"
$QueryTransform = "{searchTerms}"
$Provier = "SharePoint-Remoteanbieter"
# region settings end

$SPEnterpriseSearchServiceApplication = Get-SPEnterpriseSearchServiceApplication
$FederationManager = New-Object Microsoft.Office.Server.Search.Administration.Query.FederationManager($SPEnterpriseSearchServiceApplication)
$SPEnterpriseSearchOwner = Get-SPEnterpriseSearchOwner -Level Ssa  

$ResultSource = $FederationManager.GetSourceByName($ResultSourceName, $SPEnterpriseSearchOwner)
    Write-Host "Result source does not exist. Creating..."
    $ResultSource = $FederationManager.CreateSource($SPEnterpriseSearchOwner)

$ResultSource.Name = $ResultSourceName
$ResultSource.ProviderId = $FederationManager.ListProviders()[$Provier].Id
$ResultSource.ConnectionUrlTemplate = $RemoteSharePointUrl

Add a new query rule

  1. In the Search Administration click on Query Rules
  2. Select Local SharePoint as Result Source
  3. Click New Query Rule
  4. Enter a Rule name f.g. Search results from SharePoint Online
  5. Expand the Context section
  6. Under Query is performed on these sources click on Add Source
  7. Select your SharePoint Online result source
  8. In the Query Conditions section click on Remove Condition
  9. In the Actions section click on Add Result Block
  10. As title enter Results for "{subjectTerms}" from SharePoint Online
  11. In the Search this Source dropdown select your SharePoint Online result source
  12. Select 3 in the Items dropdown
  13. Expand the Settings section and select "More" link goes to the following URL
  14. In the box below enter this Url https://[example]{subjectTerms}
  15. Select This block is always shown above core results and click the OK button
  16. Save the new query rule


Replace the STS certificate for the on-premises environment
Display hybrid search results in SharePoint Server 2013
Office 365-Configure Hybrid Search with Directory Synchronization –Password Sync
Office 365-Configure Hybrid Search with Directory Synchronization –Password Sync –Part2
Back up service applications in SharePoint 2013

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.