Glossary for hybrid SharePoint 2013

SharePoint 2013

We are in the process of combining the SharePoint Server 2013 and SharePoint Server 2016 content into a single content set. We appreciate your patience while we reorganize things. See the Applies To tag at the top of each article to find out which version of SharePoint an article applies to.


Applies to: SharePoint Online, SharePoint Server 2013

Topic Last Modified: 2016-12-16

Summary: Learn about the terms we use to talk about SharePoint hybrid environments.

The following table contains definitions of terms that we use frequently in the SharePoint hybrid articles.

SharePoint hybrid terminology

Term Definition

Bridging URL

In inbound solutions, the internal URL of the on-premises SharePoint Server 2013 web application to which the reverse proxy device forwards inbound requests from SharePoint Online.


The term “the cloud” is used in many different ways and is commonly used to refer to a suite of services, web applications, and/or remote storage that are hosted by a third-party provider.

In a SharePoint Server 2013 hybrid environment, the term “cloud” refers to services hosted by Microsoft. such as Office 365, SharePoint Online, and Azure.

External URL

In inbound solutions, the URL that resolves to the public IP address on the reverse proxy that is configured to accept connections from SharePoint Online. This URL is specified in the SharePoint Online tenant as the location of the on-premises SharePoint Server 2013 farm.

Extranet user

An extranet user is an on-premises domain user who accesses secure resources from an unsecured network (such as the Internet) and authenticates using an ADFS proxy server or other identity provider that is accessible from the Internet.

Federated user

A federated user is a user whose on-premises Active Directory domain account is synchronized with the Office 365 directory service. Because Active Directory credentials are associated with a trusted account object in each directory service, a federated user can authenticate with and access authorized resources in both Active Directory and Office 365. The SharePoint Server 2013 hybrid authentication model requires that user claims from either directory service are trusted by the other. Therefore, only federated users can enjoy the benefits of a hybrid solution.

In addition, federated user accounts in a SharePoint Server 2013 hybrid environment must be configured with a User Principal Name (UPN) that is identical to the public DNS domain namespace used to register the corporate domain in the Office 365 tenant.

There are two identity management strategies that can be implemented to support this authentication model:

  • A federation service such as Active Directory Federation Services (AD FS) 2.0 is configured to intercept the user’s authentication request and provide an authentication token to Office 365

  • The Azure Active Directory Sync tool (minimum version 6385.0012) is configured to use the Password Sync feature to synchronize user account password hashes with Office 365.

Host header

A host header is a header in HTTP and HTTPS messages (see RFC 2616, section 4) containing the URL to which the message was sent. In Internet Information Services (IIS), you can add URLs to the Host Name field of a web site’s bindings, and IIS will match the host header of inbound HTTP messages to the values in this field. If the values cannot be matched, IIS will reject the message.

Host name

A host name is the unique name that identifies a server or device on a network. A host name can be expressed as either a non-distinguished name, such as host, or as a fully qualified domain name (FQDN) that comprises the name of the host, a period, and the domain name, such as or


Inbound refers to the direction of either authentication requests or network traffic, and it assumes the on-premises SharePoint Server 2013 deployment as the point of reference. An inbound authentication topology enables SharePoint Online to make authenticated connections to the on-premises SharePoint Server 2013 farm. Connections to SharePoint Server 2013 that originate from SharePoint Online are referred to as inbound connections.


Outbound refers to the direction of either authentication or network traffic, and it assumes the on-premises environment as the point of reference. An outbound authentication topology enables the on-premises SharePoint Server 2013 farm to make authenticated connections to SharePoint Online. Connections to SharePoint Online that originate from SharePoint Server 2013 are referred to as outbound connections.

Password Sync

Broadly defined, password synchronization (also known as password "sync") is an authentication process that synchronizes and enables password coordination across multiple computers and systems so that a user has to remember only a single password.

Password Sync is also a feature of the Azure Active Directory Sync tool that synchronizes user passwords from your on-premises Active Directory to Azure Active Directory. This feature enables your users to log on to their Azure Active Directory services (such as Office 365, Microsoft Intune, and CRM Online) using the same passwords as they use to log on to your on-premises network. It is important to note that this feature does not provide a single sign-on (SSO) solution because there is no token sharing or exchange in the Password Sync–based process.

Primary web application

With the exception of hybrid OneDrive for Business, all SharePoint hybrid solutions require one web application in the on-premises SharePoint Server 2013 farm as part of the communication channel between the on-premises farm and Office 365. We refer to this as the primary web application.

In a hybrid environment that’s configured for an inbound authentication topology, the primary web application is a web application in the SharePoint Server 2013 farm that’s configured for inbound connections. This web application is used to receive all inbound connections and to configure services and connection objects for the hybrid features deployed in the environment.

Reverse proxy device

A reverse proxy device is a computer, router, or network service that relays and sometimes pre-authenticates inbound connection requests from external networks, such as the Internet, to an internal server. In a hybrid SharePoint Server 2013 environment, a reverse proxy device is configured to authenticate and relay connections from SharePoint Online to SharePoint Server 2013.

For more information, see Configure a reverse proxy device for SharePoint Server 2013 hybrid.

Search index

The search index is a set of files and associated metadata representing the content crawled by the SharePoint Server 2013 search crawl component. The contents of the search index determines what people will find when they look for information by entering search queries.

In a SharePoint Server 2013 hybrid environment configured with a search solution, the local search index is passed to the requesting search service when a federated user enters a search query. The requesting search service then applies query rules, filtering, and security trimming before returning the appropriate results to the user.

For more information, see the article Overview of search in SharePoint Server 2013.

Secure Channel certificate

In a SharePoint Server 2013 hybrid environment, the Secure Channel certificate is a wildcard or SAN SSL certificate that is bound to both the reverse proxy external endpoint and the Secure Store target app in the SharePoint Online tenant.

“Secure Channel” is not a class of certificate; we use the term as a way to differentiate this particular certificate from other SSL certificates used in the environment.

SharePoint hybrid

With SharePoint Server 2013 hybrid, productivity services in SharePoint Online can be securely integrated with on-premises SharePoint Server 2013 to provide unified functionality and access to data. For enterprises that want to gradually move their existing on-premises Office SharePoint Server services to the cloud, SharePoint Server 2013 hybrid provides a staged migration path by extending high-impact SharePoint Server 2013 workloads to SharePoint Online.

A SharePoint Server 2013 hybrid environment enables identity management and trusted communications between SharePoint Online and SharePoint Server 2013. When you have established this trust framework, you can configure solutions that provide integrated functionality between services and features, such as SharePoint Search, Microsoft Business Connectivity Services, and Duet Enterprise Online for Microsoft SharePoint and SAP.

User Principal Name (UPN)

In Active Directory, a User Principal Name (UPN) is the name of a user account in the format <username>@<domain name>, where <domain name> is either the primary or an alternate UPN suffix. In a SharePoint Server 2013 hybrid environment, the UPN suffix of all federated user accounts must be identical to the public DNS domain namespace used to register the corporate domain in the Office 365 tenant. When configuring inbound connectivity, it must also be identical to the namespace of the external URL associated with the reverse proxy endpoint.

Azure Active Directory

Azure Active Directory is the trust broker for both the on-premises SharePoint Server 2013 farm and SharePoint Online. Azure AD is used in a SharePoint hybrid environment as a trusted token issuer and is used during the user authentication process to sign security tokens on behalf of the on-premises Security Token Service (STS).

Azure Active Directory also provides account directory services for SharePoint Online.

Azure Access Control Service (ACS)

Azure Active Directory Access Control (also known as Access Control Service or ACS) is a cloud-based service that provides an easy way of authenticating and authorizing users to gain access to web applications and services without having to maintain authentication and authorization code in the application or service. Instead of implementing an authentication system with user accounts that are specific to your application, you can let ACS orchestrate user authentication and much of the authorization.

For more information, see the article Access Control Service 2.0.