Accounts needed for hybrid configuration and testing


Applies to: SharePoint Online, SharePoint Server 2013

Topic Last Modified: 2015-05-15

Summary: Learn about the accounts you need to use when you configure and test a SharePoint Server 2013 hybrid solution.

When you configure a SharePoint Server 2013 hybrid environment, you need several user accounts in both your on-premises Active Directory and Office 365. These accounts also need different permissions and group or role memberships. Some of these accounts are used to deploy and configure software, and some are used to test specific functionality to help ensure that security and authentication systems are working as expected.

In a hybrid environment, some or all user accounts in on-premises Active Directory are synchronized to Azure Active Directory. We refer to these accounts as federated users. SharePoint Server 2013 and SharePoint Online are configured with a server-to-server (S2S) trust relationship, and service applications can be configured so that federated users can access content and resources in both farms with a single identity. Because the same user identities exist in both directories, list and library content security can be applied in both farms using the same set of users and groups. Note that only the identities are synchronized, not the permissions: access must still be granted separately in each environment.

This table does not include service accounts, which may have specific requirements for service applications and features in certain SharePoint Server hybrid solutions. For more information about the requirements for each supported solution, see the solution configuration articles at Configure a hybrid solution for SharePoint Server 2013.

Table: Accounts needed for SharePoint hybrid configuration and testing

Account | Identity provider | Role

Global Administrator | Office 365 and Azure Active Directory

Use an Office 365 work account that has been assigned to the Global Administrator role for Office 365 configuration tasks such as configuring SharePoint Online features, running Azure AD and SharePoint Online Windows PowerShell commands, and testing SharePoint Online.

AD Domain Administrator | On-premises AD

Use an AD account in the Domain Admins group to configure and test AD, AD FS, DNS, and certificates and to do other tasks that require elevation. Because this account has the highest privilege in the forest, use it only for those tasks and not for day-to-day SharePoint administration or for testing as a regular user.

SharePoint Farm Administrator | On-premises AD

Use an AD account in the Farm Administrators SharePoint group for SharePoint Server configuration tasks such as running Windows PowerShell commands in the SharePoint Management Shell to configure S2S trusts, create and configure web applications and site collections, deploy and configure SQL Server databases, and troubleshoot SharePoint Server.

This account must also have additional privileges to use the SharePoint Management Shell:

  • Membership in the securityadmin fixed server role on the SQL Server instance.

  • Membership in the db_owner fixed database role on all databases that are to be updated.

  • Membership in the Administrators group on the server on which you are running the Windows PowerShell cmdlets.

For more information on the permissions required to use SharePoint Management Shell, see the Permissions section in Use Windows PowerShell to administer SharePoint 2013.

For more information about required account permissions in SharePoint Server, see Account permissions and security settings in SharePoint 2013.
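The following PowerShell is an added example, not code from this article or from Microsoft. It audits whether a candidate farm administrator account holds the three permissions listed above (securityadmin on the instance, db_owner on the configuration and content databases, local Administrators on the server) and, with the -Grant switch, adds the account to the SharePoint_Shell_Access role through Add-SPShellAdmin. The account, SQL Server instance and content database names are placeholders; run it from an elevated SharePoint Management Shell on a farm server as a user who can already query the SQL catalog views.

```powershell
# Added example (not from the original article): audit the permissions a
# farm administrator needs for the SharePoint Management Shell, and optionally
# grant the SharePoint-specific shell role. All names below are placeholders.
param(
    [string]$Account   = 'CONTOSO\spfarmadmin',   # assumed farm admin account
    [string]$SqlServer = 'SQL01\SHAREPOINT',      # assumed SQL Server instance
    [string]$ContentDb = 'WSS_Content_Intranet',  # assumed content database
    [switch]$Grant                                # add to SharePoint_Shell_Access if missing
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Direct-membership queries that work on SQL Server 2008 R2 and later.
# Caveat: nested Windows groups are not expanded, so a role granted through a
# group shows up as absent; treat "false" as "verify by hand", not "denied".
$serverRoleQuery = @"
SELECT COUNT(*) FROM sys.server_role_members rm
JOIN sys.server_principals r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals m ON rm.member_principal_id = m.principal_id
WHERE r.name = 'securityadmin' AND m.name = @login
"@
$dbRoleQuery = @"
SELECT COUNT(*) FROM sys.database_role_members rm
JOIN sys.database_principals r ON rm.role_principal_id = r.principal_id
JOIN sys.database_principals m ON rm.member_principal_id = m.principal_id
WHERE r.name = 'db_owner' AND m.name = @login
"@

function Test-SqlRoleMember {
    param([string]$Server, [string]$Database, [string]$Query, [string]$Login)
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Server;Database=$Database;Integrated Security=SSPI")
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $Query
    [void]$cmd.Parameters.AddWithValue('@login', $Login)   # parameterized, never concatenated
    try { $conn.Open(); return ([int]$cmd.ExecuteScalar()) -gt 0 }
    finally { $conn.Dispose() }
}

# 1. securityadmin fixed server role on the instance
$isSecurityAdmin = Test-SqlRoleMember $SqlServer 'master' $serverRoleQuery $Account

# 2. db_owner on every database the shell will update: config DB plus the content DB
$configDb = (Get-SPFarm).Name     # SPFarm.Name is the configuration database name
$dbOwner = @{}
foreach ($db in @($configDb, $ContentDb)) {
    $dbOwner[$db] = Test-SqlRoleMember $SqlServer $db $dbRoleQuery $Account
}

# 3. Local Administrators on this server. ADSI is used because Get-LocalGroupMember
#    does not exist on the Windows Server versions SharePoint 2013 runs on.
$domain, $user = $Account.Split('\')
$members = ([ADSI]'WinNT://./Administrators,group').psbase.Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) }
$isLocalAdmin = [bool]($members | Where-Object { $_ -like "WinNT://$domain/$user" })

# 4. SharePoint_Shell_Access role, which Add-SPShellAdmin manages on the config
#    database and on the content database passed in -Database.
$contentDbObj = Get-SPContentDatabase -Identity $ContentDb
$isShellAdmin = [bool](Get-SPShellAdmin -Database $contentDbObj |
    Where-Object { $_.UserName -eq $Account })
if (-not $isShellAdmin -and $Grant) {
    Add-SPShellAdmin -UserName $Account -Database $contentDbObj
    $isShellAdmin = $true
}

[PSCustomObject]@{
    Account            = $Account
    SecurityAdmin      = $isSecurityAdmin
    DbOwnerConfigDb    = $dbOwner[$configDb]
    DbOwnerContentDb   = $dbOwner[$ContentDb]
    LocalAdministrator = $isLocalAdmin
    ShellAccessRole    = $isShellAdmin
}
```

A false in any column means the corresponding requirement in the list above is not met for that account directly; Add-SPShellAdmin grants only the SharePoint_Shell_Access role, so the securityadmin, db_owner and local Administrators memberships still have to be granted by a SQL Server or server administrator.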

Federated Users | On-premises AD

Use AD accounts that have been synchronized with Office 365 to test access to specific resources in both SharePoint Server and SharePoint Online.

These accounts, or groups of which they are members, must have permissions to the site collections and resources in both SharePoint Server and SharePoint Online, and must have the appropriate product licenses assigned in the Office 365 subscription. They also must use the alternate UPN suffix that you chose for federated users during planning. That suffix must be a domain verified in Office 365; a non-routable suffix such as .local cannot be federated.

You can configure multiple federated accounts with different permissions or group memberships to test for appropriate security trimming and access to site resources.
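The following PowerShell is an added example, not code from this article or from Microsoft. Before a federated test account is used, it checks the requirements stated above: the on-premises UPN suffix matches the federated suffix, the account has actually been synchronized (the Azure AD object is directory-synced and its ImmutableId is the base64 objectGUID of the on-premises object), a license is assigned, and the account appears with permissions in a SharePoint Server web and in a SharePoint Online site. The account name, UPN suffix and site URLs are placeholders. It assumes the ActiveDirectory and MSOnline modules and the SharePoint snap-in are installed, and that Connect-MsolService and Connect-SPOService have already been run as the Global Administrator.

```powershell
# Added example (not from the original article): pre-flight checks for a
# federated test user. All names, URLs and the UPN suffix are placeholders.
param(
    [string]$SamAccountName  = 'hybridtest1',                          # assumed on-prem account
    [string]$FederatedSuffix = 'contoso.com',                          # assumed verified public suffix
    [string]$OnPremWebUrl    = 'https://intranet.contoso.local',        # assumed SharePoint Server web
    [string]$SpoSiteUrl      = 'https://contoso.sharepoint.com/sites/hybrid'  # assumed SPO site
)

Import-Module ActiveDirectory
Import-Module MSOnline
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$findings = @()

# 1. On-premises object and its UPN suffix. A non-routable suffix (e.g. .local)
#    cannot be a verified Office 365 domain, so such a user will never federate.
$adUser = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName
$upn    = $adUser.UserPrincipalName
$suffix = ($upn -split '@')[-1]
if ($suffix -ne $FederatedSuffix) {
    $findings += "UPN suffix is '$suffix', expected '$FederatedSuffix' (fix with Set-ADUser -UserPrincipalName)"
}

# 2. Cloud object: present, directory-synchronized rather than cloud-only, and
#    anchored to this exact on-prem object. Directory sync sets ImmutableId to
#    the base64 form of the on-prem objectGUID; a mismatch means a different
#    object (or a hand-created cloud user) is sitting behind this UPN.
$msolUser = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
if (-not $msolUser) {
    $findings += "No Azure AD user for $upn (not synchronized yet?)"
} else {
    $expectedAnchor = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
    if ($msolUser.ImmutableId -ne $expectedAnchor) {
        $findings += "ImmutableId '$($msolUser.ImmutableId)' does not match on-prem objectGUID"
    }
    if (-not $msolUser.LastDirSyncTime) {
        $findings += "Azure AD object for $upn is cloud-only, not directory-synchronized"
    }
    # 3. A license is required for the user to reach SharePoint Online at all.
    if (-not $msolUser.IsLicensed) {
        $findings += "No Office 365 license assigned to $upn"
    }
}

# 4. On-premises permission, checked as the farm administrator without logging
#    on as the test user. The Windows claims login form is i:0#.w|DOMAIN\sam.
$netbios = (Get-ADDomain).NetBIOSName
$claim   = "i:0#.w|$netbios\$SamAccountName"
$web = Get-SPWeb $OnPremWebUrl
try {
    if (-not $web.DoesUserHavePermissions($claim, [Microsoft.SharePoint.SPBasePermissions]::ViewListItems)) {
        $findings += "$claim cannot read $OnPremWebUrl"
    }
} finally {
    $web.Dispose()
}

# 5. SharePoint Online: the user must already have been granted access to the site.
$spoUser = Get-SPOUser -Site $SpoSiteUrl -LoginName $upn -ErrorAction SilentlyContinue
if (-not $spoUser) {
    $findings += "$upn has not been granted access to $SpoSiteUrl"
}

if ($findings.Count -eq 0) {
    "OK: $upn is ready for hybrid access testing"
} else {
    $findings | ForEach-Object { "CHECK: $_" }
}
```

Run it once per federated test account; for the security-trimming tests mentioned above, the same checks on two accounts with deliberately different group memberships confirm that both reach the directory and that only the intended one is granted access before you compare what each can see.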