Preparing for SharePoint Online (Office 365) app deployment - On-Premise HPRM Servers

We have been approached by a number of customers and partners looking for guidance on deploying the HPRM Governance and Compliance App into SharePoint Online (Office 365) with on-premise HPRM servers. The app is a 'provider-hosted' app, so the environment needs to be prepared to support provider-hosted apps for Office 365. This is not specific to our app; it is a requirement for running any provider-hosted app on Office 365 where the app itself is hosted on-premise.

Now, the installation guide does not cover this in detail, purely because an integrated Office 365/on-premise environment is a pretty large topic, and there are a number of ways to configure authentication and co-existence of users across on-premise and the cloud. We cannot prescribe a specific approach; it is simply outside the scope of the install guide. This article has two aims:

  1. Get you thinking about required preparation steps before deploying the app.
  2. Point you towards useful reference material and documentation.

So, we are talking about a scenario that looks a little like this:

Note that with synchronization in place, users can sign on to SharePoint Online from inside or outside the corporate network using their domain credentials. Authentication is performed by Azure AD, so you will need to manage Azure AD as part of the directory sync setup. If you have an Office 365 subscription, you can sign up for a free Azure account to manage this directory instance. Instructions are included in the linked posts below.

Essentially the app requires a number of things to function in this configuration:

  1. Working synchronization of user accounts across local and cloud environments.
  2. Correct domain configuration to support directory synchronization and to provide an access point for the app website. This includes:
    • Either an existing company domain or a newly created custom domain to route requests to the app website running on the HPRM server/s.
    • A commercial (publicly trusted) SSL certificate to secure access to the app website.
  3. The ability to access the app website from an external location (Outside of the corporate network).

Let's look at each of these.

Synchronization of user accounts between Office 365 and On-Premise

For the app to work, clearly you need to be able to authenticate users between SharePoint Online and HPRM servers running in the local domain.

Broadly speaking, there are two approaches to this:

  • Directory synchronization, with or without password sync
  • Directory Synchronization with Single-Sign-On

For more details on the pros and cons of both approaches, and information on how to configure and run directory sync, please refer to the following Office support post:

https://support.office.com/en-ie/article/Office-365-integration-with-on-premises-environments

Note that a new tool has been released, and is in Public Preview at the time of writing, called Azure AD Connect. This provides a wizard to walk you through the steps of configuring directory synchronization. We have not tried this tool, so use at your own risk.

https://msdn.microsoft.com/en-us/library/azure/dn832699.aspx

Domain Configuration

You must add and verify your company’s domains, or a custom domain, in order to use them in Azure Active Directory and Office 365. A domain is needed for directory synchronization, and to route app requests through to the app website. For more details on domain configuration, refer to the following post:

https://msdn.microsoft.com/en-US/library/azure/hh969247.aspx

You must secure this domain with a commercial SSL certificate, otherwise Office 365 will NOT talk to the app web running on the HPRM server. The certificate must chain to a CA that Office 365 trusts and its subject (or a SAN) must match the alias you publish, so a self-signed certificate or one issued by an internal enterprise CA will be rejected even though browsers inside your network accept it. You may already have wildcard SSL certificates within your organization. If not, for testing and development purposes there are some low-cost certificates available, just don't use these in production!

Accessing the app website from an external location

SharePoint Online needs to be able to access the app web, therefore this must be accessible from outside the corporate network. You need:

  • A domain that has been validated in Office 365
  • A public DNS record for the alias: either an A record pointing to a usable public IP address for your organization, or a CNAME pointing at an existing public hostname that resolves to one
    • e.g. hprmapp.mydomain.com
  • Port forwarding (TCP port 443, HTTPS) through to the HPRM server or load-balancer

Test it by visiting https://hprmapp.mydomain.com/pages/dialogloader.html, from an external location, where hprmapp is your chosen alias, and mydomain is the relevant domain. If you see the following image, the app web can be accessed correctly.

Note that you absolutely must test this from outside your corporate network. Office 365 accesses the pages from the internet, and a common failure is that it cannot reach the app pages at all, for example because the alias resolves to an internal address that only works on the LAN. One of the easiest ways to test this is to use your phone: make sure it isn't connected to corporate Wi-Fi, and then browse to the dialogloader page.
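The phone test above checks reachability by eye. The following script is an added example (not part of the original post or the HPRM product) that automates the same three checks a practitioner wants before handing the environment to SharePoint Online: the alias resolves to a globally routable address rather than an RFC 1918 one, a TLS handshake succeeds with full chain and hostname validation (the same bar a self-signed or internal-CA certificate fails at on the Office 365 side), and the dialog loader page returns HTTP 200. The host name hprmapp.mydomain.com and port 443 are assumptions; substitute your own alias. It uses only the Python standard library and must be run from outside the corporate network to mean anything.

```python
"""Pre-flight reachability check for a provider-hosted app web (added example).

Assumptions: the app web is published on TCP 443 under an alias such as
hprmapp.mydomain.com (hypothetical). Run from OUTSIDE the corporate network,
e.g. a laptop tethered to a phone, so the result reflects what Office 365 sees.
"""
import http.client
import ipaddress
import socket
import ssl
import sys

DIALOG_LOADER = "/pages/dialogloader.html"  # page the post uses as the smoke test


def is_public_ip(ip: str) -> bool:
    """True if the address is globally routable.

    RFC 1918 ranges, loopback, link-local, CGNAT and the documentation ranges all
    return False. An alias that resolves to 10.x/172.16-31.x/192.168.x is the
    classic mistake: it works from the office and fails from Office 365.
    """
    return ipaddress.ip_address(ip).is_global


def non_public_addresses(ips) -> list:
    """Subset of the given addresses that Office 365 could never reach."""
    return [ip for ip in ips if not is_public_ip(ip)]


def resolve(host: str) -> list:
    """All IPv4/IPv6 addresses the alias resolves to on this network."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def fetch_tls_cert(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Complete a TLS handshake with chain and hostname validation.

    ssl.create_default_context() verifies the chain against the local trust
    store and checks the hostname; a self-signed or internal-CA certificate, or
    a name mismatch, raises ssl.SSLCertVerificationError (a subclass of SSLError).
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def fetch_status(host: str, path: str = DIALOG_LOADER, timeout: float = 10.0) -> int:
    """HTTP status of the dialog loader page over a validating HTTPS connection."""
    conn = http.client.HTTPSConnection(
        host, 443, context=ssl.create_default_context(), timeout=timeout
    )
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()


def check_app_web(host: str, path: str = DIALOG_LOADER) -> list:
    """Run the DNS, TLS and HTTP checks; return (check, passed, detail) tuples."""
    results = []
    try:
        ips = resolve(host)
    except socket.gaierror as exc:
        return [("dns", False, f"{host} does not resolve: {exc}")]
    bad = non_public_addresses(ips)
    detail = f"{host} -> {ips}" + (f"; non-public: {bad}" if bad else "")
    results.append(("dns", bool(ips) and not bad, detail))
    if bad:
        return results  # no point testing TLS against an address Office 365 cannot reach
    try:
        cert = fetch_tls_cert(host)
        results.append(("tls", True, f"subject={cert.get('subject')} notAfter={cert.get('notAfter')}"))
    except (ssl.SSLError, OSError) as exc:
        results.append(("tls", False, f"handshake or chain validation failed: {exc}"))
        return results
    try:
        status = fetch_status(host, path)
        results.append(("http", status == 200, f"GET {path} -> {status}"))
    except OSError as exc:
        results.append(("http", False, f"request failed: {exc}"))
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "hprmapp.mydomain.com"  # assumed alias
    for name, ok, info in check_app_web(target):
        print(f"[{'PASS' if ok else 'FAIL'}] {name}: {info}")
```

The DNS step is deliberately first: if the alias resolves to a private address from outside, the TLS and HTTP checks would only tell you about whatever happens to be listening on that address from your current network, not about what SharePoint Online will see.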


That's about it for this article! Combining this with the installation guide should help get you over the line. Note that this may not cover all scenarios, and the options I have highlighted may not entirely suit your organization's architecture. The reality is that you need some pretty reasonable SharePoint/Office 365 expertise to stand up an app environment; if this is already in place, then installing and configuring the app is a much smaller piece of the puzzle.

Additional Resources

For even more in-depth information, I would suggest downloading Microsoft white papers from here:

http://www.microsoft.com/en-au/download/details.aspx?id=36391