| Service | Microsoft Docs article | Related commit history on GitHub | Change details |
|---|---|---|---|
| SharePoint | Manage Query Rules | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/manage-query-rules.md | description: "Improve search results by creating and managing query rules. Query # Manage query rules -As a [SharePoint Administrator](/sharepoint/sharepoint-admin-role) and [above](/microsoft-365/admin/add-users/about-admin-roles) in Microsoft 365, you can improve search results in the classic search experience by creating and managing query rules. Query rules help searches respond to the intent of users. +As a [SharePoint Administrator](/sharepoint/sharepoint-admin-role) or [above](/microsoft-365/admin/add-users/about-admin-roles) in Microsoft 365, you can improve search results in the classic search experience by creating and managing query rules. Query rules help searches respond to the intent of users. In a query rule, you specify conditions and associated actions. When a query meets the conditions in a query rule, the search system performs the actions specified in the rule to improve the relevance of the search results. This could be by narrowing results or changing the order in which results are displayed. When the query rule condition is met, an associated action could be to show a specific item at the top of the search results. Say you have an intranet site where all company events are maintained in a library, and you want to promote a first-aid seminar. To do this, you create a query rule that boosts the first-aid seminar to the top of the search results when someone searches for "seminar" or "event." |
| SharePoint | Manage Result Sources | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/manage-result-sources.md | description: "Result sources limit searches to certain content or to a subset of Result sources limit searches to certain content or to a subset of search results. You can also use result sources to send queries to external providers such as Bing. -A a [SharePoint Administrator](/sharepoint/sharepoint-admin-role) and [above](/microsoft-365/admin/add-users/about-admin-roles) can manage result sources for all site collections and sites in the tenant. A site collection administrator or a site owner can manage result sources for a site collection or a site, respectively. +A [SharePoint Administrator](/sharepoint/sharepoint-admin-role) or [above](/microsoft-365/admin/add-users/about-admin-roles) can manage result sources for all site collections and sites in the tenant. A site collection administrator or a site owner can manage result sources for a site collection or a site, respectively. SharePoint has both a classic and a modern search experience. The modern search experience gets results from the default result source. If you change the default result source, this impacts both the classic and modern search experiences. [Learn more about the differences between the classic and modern search experiences in SharePoint](differences-classic-modern-search.md). |
| SharePoint | Accounts Needed For Hybrid Configuration And Testing | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/hybrid/accounts-needed-for-hybrid-configuration-and-testing.md | When you configure a SharePoint Server hybrid environment, you need several user In a hybrid environment, some or all user accounts in Active Directory are synchronized with Microsoft Entra directory services. We refer to these accounts as federated users. SharePoint Server and SharePoint in Microsoft 365 are configured with a server-to-server (S2S) trust relationship, and service applications can be configured to enable federated users to access content and resources from both farms using a single identity. Because user accounts and credentials are synchronized between SharePoint Server and SharePoint in Microsoft 365, list and library content security can be applied in both farms using the same set of users and groups. > [!NOTE]-> This table does not include service accounts, which may have specific requirements for service applications and features in certain SharePoint Server hybrid solutions. For more information about the requirements for each supported solution, see the solution configuration articles at [Configure a hybrid solution for SharePoint Server](configure-a-hybrid-solution.md). +> This table does not include service accounts, which may have specific requirements for service applications and features in certain SharePoint Server hybrid solutions. For more information about the requirements for each supported solution, see the solution configuration articles at [Configure a hybrid solution for SharePoint Server](configure-a-hybrid-solution.md). +> +> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. **Table: Accounts needed for SharePoint hybrid configuration and testing** |
| SharePoint | Configure Cloud Hybrid Searchroadmap | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/hybrid/configure-cloud-hybrid-searchroadmap.md | On the application server that hosts the SharePoint Server Central Administratio 1. Log on to the console as a farm administrator. -2. Connect to Office 365 as one of the following roles: - - Global Administrator - - Application Administrator - - Cloud Application Administrator +2. Connect to Office 365 as an [Application Administrator](/entra/identity/role-based-access-control/permissions-reference#application-administrator) or [above](/entra/identity/role-based-access-control/permissions-reference#all-roles). + 3. Navigate to [https://go.microsoft.com/fwlink/?linkid=867176](https://go.microsoft.com/fwlink/?linkid=867176) to download, install, and start the Hybrid Configuration Wizard. On the application server that hosts the SharePoint Server Central Administratio **SPOTenantPortalUrl** is the URL of your company's or organization's SharePoint portal, and **CloudSsaID** is the name of the cloud SSA that you created earlier. -7. When prompted, use one of the following admin roles to sign in your Office 365 tenant: - - Global Admin - - Application Admin - - Cloud Application Admin +7. When prompted, sign in your Office 365 tenant as an [Application Administrator](/entra/identity/role-based-access-control/permissions-reference#application-administrator) or [above](/entra/identity/role-based-access-control/permissions-reference#all-roles). ## Set up search architecture in SharePoint Server for cloud hybrid search <a name="BKMK_SetupSearchArch"> </a> |
| SharePoint | Configure Inbound Connectivity | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/hybrid/configure-inbound-connectivity.md | description: Learn how to configure inbound connectivity for SharePoint hybrid. **This article is part of a roadmap of procedures for configuring SharePoint hybrid solutions. Be sure you're [following a roadmap](configuration-roadmaps.md) when you do the procedures in this article. ** This article contains guidance the SharePoint hybrid environment deployment process, which integrates SharePoint Server and SharePoint in Microsoft 365.++> [!IMPORTANT] +> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. + ## Before you begin <a name="begin"> </a> - **Accessibility note:**SharePoint Server supports the accessibility features of common browsers to help you administer deployments and access sites. For more information, see [Accessibility for SharePoint 2013](../accessibility-guidelines.md). + **Accessibility note:** SharePoint Server supports the accessibility features of common browsers to help you administer deployments and access sites. For more information, see [Accessibility for SharePoint 2013](../accessibility-guidelines.md). If you haven't already done this, read [Plan connectivity from Microsoft 365 to SharePoint Server](plan-connectivity-from-office-365-to-sharepoint-server.md) before you start to configure anything.This is important because the planning article helps you make important decisions and record them on the [SharePoint hybrid deployment worksheet](https://go.microsoft.com/fwlink/?LinkId=391835), referred to in the rest of this article as the worksheet. This in turn informs which procedures in this article to use and which you can skip over. For more information about how to use split DNS in a hybrid topology, see [Archi #### Create an A record in the on-premises DNS <a name="hn_arecord"> </a> -The reverse proxy device must be able to resolve the internal URL of the host-named site collection. You can do this by creating an A record in the desired on-premises DNS namespace. This doesn't have to be in the same namespace as the reverse proxy device. However, the reverse proxy device must be able to resolve this namespace. This A record maps the host name of the External URL to the IP address of the on-premises SharePoint farm. Here's an example of an A record where the External URL is https://spexternal.adventureworks.com, and the IP address of the network load balancer for the SharePoint farm is 10.0.0.13. +The reverse proxy device must be able to resolve the internal URL of the host-named site collection. You can do this by creating an A record in the desired on-premises DNS namespace. This doesn't have to be in the same namespace as the reverse proxy device. However, the reverse proxy device must be able to resolve this namespace. This A record maps the host name of the External URL to the IP address of the on-premises SharePoint farm. Here's an example of an A record where the External URL is `https://spexternal.adventureworks.com`, and the IP address of the network load balancer for the SharePoint farm is 10.0.0.13.  In general, you should use the default settings. However, the following configur |In the **Security Configuration** section <br/> |Ensure that **Allow Anonymous** is set to **No**. <br/> | |In the **Security Configuration** section <br/> |Ensure that **Use Secure Sockets Layer (SSL)** is set to **Yes**. You'll have to bind an SSL certificate to the web application, which we discuss more in the next section. <br/> | |In the **Claims Authentication Types** section <br/> |Select the **Enable Windows Authentication** check box, select the **Integrated Windows authentication** check box, and in the drop-down menu, select **NTLM**. <br/> |-|In the **Public URL** section, in the **URL** box <br/> |Type the External URLΓÇöfor example, https://spexternal.adventureworks.com. <br/> By default, SharePoint in Microsoft 365 appends the port number to the default URL that it recommends for this field. When you replace that URL with the external URL, don't append the port number. <br/> | +|In the **Public URL** section, in the **URL** box <br/> |Type the External URLΓÇöfor example, `https://spexternal.adventureworks.com`. <br/> By default, SharePoint in Microsoft 365 appends the port number to the default URL that it recommends for this field. When you replace that URL with the external URL, don't append the port number. <br/> | To make things easier for yourself in later procedures, we recommend that you do the following. For more info about how to use split DNS in a hybrid topology, see [Architecture #### Create an A record in the on-premises DNS <a name="woaam_arecord"> </a> -The reverse proxy device must be able to resolve the internal URL of the host-named site collection. You can do this by creating an A record in the desired on-premises DNS namespace. This doesn't have to be in the same namespace as the reverse proxy device. However, the reverse proxy device must be able to resolve this namespace. This A record maps the host name of the External URL to the IP address of the on-premises SharePoint farm. Here's an example of an A record where the External URL is https://spexternal.adventureworks.com and the IP address of the network load balancer for the SharePoint farm is 10.0.0.13. +The reverse proxy device must be able to resolve the internal URL of the host-named site collection. You can do this by creating an A record in the desired on-premises DNS namespace. This doesn't have to be in the same namespace as the reverse proxy device. However, the reverse proxy device must be able to resolve this namespace. This A record maps the host name of the External URL to the IP address of the on-premises SharePoint farm. Here's an example of an A record where the External URL is `https://spexternal.adventureworks.com` and the IP address of the network load balancer for the SharePoint farm is 10.0.0.13.  To extend the web application, use the procedures in [Extend claims-based web ap |In the **Security Configuration** section <br/> |Ensure that **Allow Anonymous** is set to **No**. <br/> | |In the **Security Configuration** section <br/> |Choose the appropriate value for **Use Secure Sockets Layer (SSL)**. If you choose **No**, the web application will use unencrypted **HTTP**. If you choose **Yes**, the web application will use encrypted **HTTPS**, and you must bind an SSL certificate to the extended web application. We discuss this certificate more in the next section. <br/> | |In the **Claims Authentication Types** section <br/> |Select the **Enable Windows Authentication** check box, select the **Integrated Windows authentication** check box, and in the drop-down menu, select **NTLM**. <br/> |-|In the **Public URL** section, in the **URL** box <br/> |Type the External URLΓÇöfor example, https://spexternal.adventureworks.com. <br/> Note that by default, SharePoint appends the port number to the default URL that it recommends for this field. When you replace that URL with the external URL, don't append the port number. <br/> | +|In the **Public URL** section, in the **URL** box <br/> |Type the External URLΓÇöfor example, `https://spexternal.adventureworks.com`. <br/> Note that by default, SharePoint appends the port number to the default URL that it recommends for this field. When you replace that URL with the external URL, don't append the port number. <br/> | |In the **Public URL** section, in the **Zone** list <br/> |Select the zone that you want to assign to this extended web application. We recommend that you set the **Zone** value to **Internet** if it's available. <br/> | #### Ensure that an SSL binding exists on the primary web application (if it's needed) |
| SharePoint | Configure Server To Server Authentication | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/hybrid/configure-server-to-server-authentication.md | This article is part of a roadmap of procedures for configuring SharePoint hybri > [!NOTE] > We recommend using the [SharePoint Hybrid Configuration Wizard](hybrid-configuration-wizard-in-the-sharepoint-online-admin-center.md#hybrid-configuration-wizard-in-the-sharepoint-admin-center) to establish the Server-to-Server authentication between SharePoint Server and SharePoint in Microsoft 365. If you are unable to use the Hybrid Configuration Wizard for any reason, follow the steps in this article to enable server-to-server authentication.+> +> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. + ## Configure server-to-server authentication |
| SharePoint | Hybrid Configuration Wizard In The Sharepoint Online Admin Center | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/hybrid/hybrid-configuration-wizard-in-the-sharepoint-online-admin-center.md | To run the Hybrid Configuration Wizard, you must be: > [!IMPORTANT] > The Hybrid Configuration Wizard must be launched from an on-premises server with SharePoint Server 2013, SharePoint Server 2016, SharePoint Server 2019, or SharePoint Server Subscription Edition installed. Launch it in the environment you want to use for your SharePoint hybrid.+> +> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. + ## SharePoint Hybrid features offered in the Hybrid Configuration Wizard |
| SharePoint | Run Hybrid Picker | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/hybrid/run-hybrid-picker.md | Hybrid Configuration Wizard is located in Microsoft 365 for enterprises, and you > [!NOTE] > If you're using a pop-up blocker with your browser, be sure to turn it off before running the Hybrid Configuration Wizard.+> +> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. + **To run Hybrid Configuration Wizard** |
| SharePoint | Set Up Oidc Auth In Sharepoint Server With Msaad | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-msaad.md | This article uses the following example values for Microsoft Entra OIDC setup: | Windows site collection administrator | contoso\yvand | | Email value of the federated site collection administrator | yvand@contoso.local | +> [!IMPORTANT] +> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. ++ ## Step 1: Setup identity provider Perform the following steps to set up OIDC with Microsoft Entra ID: |