While working on a large Cloud Hybrid Search implementation for one of our enterprise customers, we ran into an issue where users could not find certain items and documents when submitting search queries from SharePoint Online. We had confirmed that the users had permissions to these items in the on-premises SharePoint farms, and we had also confirmed, by reviewing the search crawl logs, that the individual missing documents had been crawled successfully by the Cloud Hybrid Search Service Application. Yet those items still did not show up when querying from the search center in SharePoint Online.
One fact worth pointing out: when reviewing the crawl logs for the Cloud Hybrid Search Service Application, if an item shows as successfully crawled, then it is. The cloud search service sends the acknowledgement back to the Cloud Hybrid Search Service Application only after the item has been added to the SharePoint Online (SPO) index, so a successful crawl log entry means the item is in the index.
The best way to confirm that an item is actually in the SPO index is to run a Content Search (formerly Compliance Search) from the Security and Compliance Center. Queries from eDiscovery and Content Search are handled differently from queries submitted through the regular search center: they run with the eDiscovery manager's permissions rather than as the end user, so their results are not trimmed to the searching user's permissions. We were indeed able to see the missing documents and items through Content Search. This confirmed that the items were definitely in the SPO index, yet users still could not find them through the search center.
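As an added example (this script is not from the original post), the same check from PowerShell: a Content Search run through the Security and Compliance Center for one specific document, compared with the same KQL query submitted as the affected user through PnP PowerShell, which is security trimmed. The site URL, the file name and the two connection sessions are assumptions; the script expects `Connect-IPPSSession` (Content Search) and `Connect-PnPOnline` (signed in as the affected user) to have been run beforehand.

```powershell
# Added example, not from the original post. Assumes the Exchange Online
# Management module (Connect-IPPSSession, for Content Search) and PnP
# PowerShell (Connect-PnPOnline, signed in as the affected user) are already
# connected. Site URL and file name are constructed placeholders.

$SiteUrl  = "https://contoso.sharepoint.com/sites/finance"
$FileName = "FY19-Budget.xlsx"
$Query    = "filename:`"$FileName`""

# 1) Index check. Content Search runs with eDiscovery permissions, so its
#    results are not trimmed to any individual user's ACLs: if the item is
#    in the SPO index, it is returned here regardless of who may read it.
$searchName = "IndexCheck-$(Get-Date -Format yyyyMMddHHmmss)"
New-ComplianceSearch -Name $searchName -SharePointLocation $SiteUrl -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $searchName

$attempts = 0
do {
    Start-Sleep -Seconds 10
    $cs = Get-ComplianceSearch -Identity $searchName
    $attempts++
} while ($cs.Status -ne "Completed" -and $attempts -lt 30)

# 2) User check. The same KQL submitted through the search API as the
#    affected user is security trimmed against that user's claims, exactly
#    like a query typed into the search center.
$userResult = Submit-PnPSearchQuery -Query $Query

$inIndex     = ($cs.Items -gt 0)
$userCanFind = ($userResult.TotalRows -gt 0)

if ($inIndex -and -not $userCanFind) {
    $diagnosis = "In index but trimmed for this user: check group sync and root site permissions"
} elseif (-not $inIndex) {
    $diagnosis = "Not in index: check the crawl logs"
} else {
    $diagnosis = "OK"
}

[pscustomobject]@{
    Query       = $Query
    InIndex     = $inIndex
    UserCanFind = $userCanFind
    Diagnosis   = $diagnosis
}
```

`InIndex = True` together with `UserCanFind = False` is the signature of the problem described in this post: the content is indexed, and the gap is in security trimming rather than in crawling.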
At this point it became obvious that we were dealing with a security trimming issue. Working with my colleague Manas Biswas (Manas has a great multi-part series on how to configure Hybrid Search; check it out), we dumped the ACLs for some of these items and found two issues:
- An Active Directory group securing some of the items had not been synced to Azure AD through the Azure AD Connect tool. If a group does not exist in Azure AD, the user's cloud identity never carries that group membership at query time, so anything secured only by it is trimmed away. To solve this, every security group that secures content in SharePoint on-premises must be synchronized to Azure AD.
- If you secure sites, site collections, or web applications on-premises through AD groups or by granting direct permissions to individuals, then the root site collection in SharePoint Online must have one of the following:
  - The Everyone or Everyone Except External Users group added to it (for example, Everyone Except External Users added to the Visitors group on the root site collection in SPO).
  - If you do not want everyone to have access to the root site collection (that is, the Everyone and Everyone Except External Users groups have been removed from it), explicit permissions on the root site collection in SPO granted to those same AD groups or individuals.
In summary, all that is needed is for the users and groups to be present in Azure AD and to be permissioned on the root site collection in SPO one way or the other: either directly (the security group or the individual user added explicitly) or indirectly through Everyone or Everyone Except External Users.
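The two checks above, as an added example in PowerShell (not from the original post): for each on-premises AD group that secures content, confirm that it exists in Azure AD, and then confirm that the root site collection in SPO grants it access, either through Everyone / Everyone Except External Users or through an explicit grant to the synced group. The tenant URL and group names are constructed; the script assumes the AzureAD module (`Connect-AzureAD`) and the SharePoint Online Management Shell (`Connect-SPOService`) are already connected, and that the claim encodings SPO uses for Everyone, Everyone Except External Users and Azure AD security groups are the usual `c:0(.s|true`, `c:0-.f|rolemanager|spo-grid-all-users/<tenant id>` and `c:0t.c|tenant|<object id>` forms.

```powershell
# Added example, not from the original post. Checks the two conditions
# identified above for a list of on-prem AD groups that secure SharePoint
# content. Assumes the AzureAD module (Connect-AzureAD) and the SharePoint
# Online Management Shell (Connect-SPOService) are already connected.
# Tenant URL and group names are constructed placeholders.

$RootSiteUrl  = "https://contoso.sharepoint.com"
$OnPremGroups = @("CONTOSO\Finance Readers", "CONTOSO\HR Auditors")

# Claim encodings SharePoint Online uses for its two built-in "everyone" principals.
$EveryoneClaim      = "c:0(.s|true"
$EveryoneExtPattern = "c:0-.f|rolemanager|spo-grid-all-users/*"

# Every principal that holds a permission level on the root site through a
# site group (Visitors, Members, Owners or custom). Role assignments made
# directly on the site, outside any site group, are not returned by
# Get-SPOSiteGroup and would need CSOM or PnP PowerShell to enumerate.
$permissioned = @(Get-SPOSiteGroup -Site $RootSiteUrl |
    Where-Object { $_.Roles.Count -gt 0 } |
    ForEach-Object { $_.Users })

$rootOpenToAll = ($permissioned -contains $EveryoneClaim) -or
                 (@($permissioned | Where-Object { $_ -like $EveryoneExtPattern }).Count -gt 0)

foreach ($group in $OnPremGroups) {
    # Azure AD Connect syncs the group's display name; drop the DOMAIN\ prefix
    # and escape single quotes for the OData filter.
    $name    = $group.Split('\')[-1]
    $escaped = $name.Replace("'", "''")
    $aad     = Get-AzureADGroup -Filter "displayName eq '$escaped'" | Select-Object -First 1

    if (-not $aad) {
        # Condition 1 fails: nothing in the cloud can map to this group's SID.
        [pscustomobject]@{
            Group           = $group
            SyncedToAzureAD = $false
            RootSiteAccess  = $false
            Finding         = "Group is not in Azure AD: add it to the AD Connect sync scope"
        }
        continue
    }

    # A synced security group appears in SPO under this claim form.
    $spoClaim = "c:0t.c|tenant|$($aad.ObjectId)"
    $granted  = $rootOpenToAll -or ($permissioned -contains $spoClaim)

    if ($granted) {
        $finding = "OK"
    } else {
        # Condition 2 fails: synced, but neither Everyone/EEEU nor an explicit grant on the root site.
        $finding = "Synced, but not permissioned on $RootSiteUrl (no Everyone/EEEU and no explicit grant)"
    }

    [pscustomobject]@{
        Group           = $group
        SyncedToAzureAD = $true
        RootSiteAccess  = $granted
        Finding         = $finding
    }
}
```

Individuals granted direct permissions on-premises need the same treatment: the user must exist in Azure AD and be covered on the root site collection either by Everyone / Everyone Except External Users or by an explicit grant, which can be checked with `Get-SPOUser -Site $RootSiteUrl -LoginName <upn>` in place of the group lookup.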
Hope this helps anyone that runs through these issues.
Happy SharePointing 🙂
Sammy Kailini | Premier Field Engineer | Microsoft