Skip to main content


The New and Improved Cloud Hybrid Search with SharePoint 2016

Cloud Hybrid Search is not a new concept.  How it’s being deployed and the end user experience is what’s new.
What once took a 10 page TechNet article to setup, is now just ensuring you have your prerequisites in order, executing 2 PowerShell scripts, and a few configuration steps.  No downtime replacing the STS cert either.  Major bonus in my book.
The biggest plus as I see it is your users get unified search results, search relevance ranking, and refiners even if your organization has content both on-premises and in Office 365.  There are no longer result blocks and all of the search results live happily together sorted by relevancy.  This makes for a very happy end user.
A sticking point with many of my clients is “I do not want my content in the cloud so how can I possibly do hybrid search?”  Good news! With hybrid search, it’s not in the cloud.  The encrypted metadata is in the cloud, not the content.   The content never gets moved.
First make sure you have your prerequisites ready for using Office 365 Hybrid Search:

  1. Office 365 subscription that includes SharePoint + Activated Users
  2. Synchronization of AD users and groups
  3. SharePoint 2016 on-premises
  4. Reverse proxy back to on-premises Office Online Server (for search previews)

Then, using a PowerShell script you can create the SSA and then execute an onboarding script to integrate SPO with SP2016.
Next create the content sources.  The content sources can be SP2016, SP2013, SP2010, SP2007, fileshares, and BCS that reside within the corporate network and content that resides in SPO.  Kick off the crawl.  The Cloud SSA starts off by crawling and parsing all of the content sources.  The crawlers encrypts the metadata, goes out to Office 365 and submits it in batches. As items are indexed in Office 365, the access control entries are looked up in the cloud directory service.

  • User SIDs are mapped to PUIDs
  • Group SIDs are mapped to Object IDs
  • “Everyone” and “Authenticated Users” are mapped to “Everyone except external users”

Therefore you must have access to the document on-premises to see the search result in SPO – basic security trimming is still at play.  Also, if you want to access/open an on-premises document you must be signed into the on-premises instance.
How a query works….

  1. On-premises content is crawled by the crawler in the cloud SSA and pushed to the search index in Office 365.
  2. Users enter a query in the SharePoint Online Search Center, the query is sent to the search index in Office 365, and results are returned to the SharePoint Online Search Center.


  1. In SPO users enter a query in an on-premises site search box and the query is sent via the server with the Cloud SSA to the search index in Office 365.
  2. Results are returned via the server with the Cloud SSA to the on-premises site search box.

The ACL is honored, even for the Office 365 Global Admin.
Extra configuration tip:  If you choose, you can setup the “old hybrid” way to keep results separate in results blocks so highly sensitive data can be seen in a separate result set.
How this is better with SharePoint 2016:

  • The UI in SharePoint 2016 is nearly identical to O365 so end users won’t even know the difference when they traverse between the two.
  • With this new hybrid configuration, you can also discover relevant information in Delve—regardless of where information is stored.

If you are interested in hearing more please comment!  And download the SharePoint 2016 guide here

Thoughts on “The New and Improved Cloud Hybrid Search with SharePoint 2016”

  1. 4. Reverse proxy back to on-premises Office Online Server (for search previews)
    If i don’t want search previews can i skip reverse proxy or does SPO talk to the on prem servers ?

  2. A reverse proxy is not a requirement for hybrid search/search results. It’s only required for search previews

  3. Hi There,
    I am in the process of configuring two ways Hybrid Federated search between our SharePoint online and on premise SP 2016 farm. All my SharePoint servers (Two WFE, one App, one Search, one SSRS and one SQL) are internally and behind firewall with no access to internet. Which server(s) of above needed to have access to the internet in order to be able to configure Federated Search?
    Thank you very much,

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Erin Zapata

More from this Author

Follow Us