A hybrid environment making use of SharePoint Server 2013 and SharePoint Online makes it possible for solutions that integrate functionality in between services and functions in both environments such as Search, Business Connectivity Services (BCS), and Duet Enterprise Online. A hybrid environment offers 3 layers of trust and service integration: Domain federation, Server-to-server (S2S) trust and identity management, and Service integration. Domain federation enables SSO and AD directory synchronization, which offers federated authentication and account synchronization from on-premises AD to Windows Azure Active Directory (Azure AD). Azure AD offers authentication services for Office 365 user accounts and federated accounts from a linked on-premises AD DS domain, and also serves as a trusted token issuer in hybrid environments. The Azure AD tenancy connected with your Office 365 tenant is not itself an independent tenant, but is rather a distinct identifier for your Office 365 tenant within the international Office 365 Azure AD tenant. You can not perform management operations on the Windows Azure AD tenant. Server-to-server (S2S) trust and identity management makes it possible for reputable communications between SharePoint Server 2013 and SharePoint Online, and allows OAuth authentication for federated users. Service integration allows integration in between sustained SharePoint Server 2013 and SharePoint Online services such as Search, Business Connectivity Services (BCS), and Duet Enterprise Online. Integration at this level depends on brand-new attributes and integration support included in SharePoint Server 2013.
A hybrid environment can be set up One-way outbound, One-way incoming, and Two-way (bidirectional). One-way outgoing authorization topology makes it possible for the on-premises SharePoint Server 2013 farm to connect to SharePoint Online. One-way inbound authentication topology makes it possible for SharePoint Online to connect to SharePoint Server 2013 through a reverse proxy gadget. Two-way or bidirectional authorization topology enables hybrid connections between both environments. If extranet authentication services are configured, this topology likewise permits extranet individuals to log in from another location with an on-premises Active Directory account and utilize all available hybrid functionality.