SP2013/SP2016 – Switching tenant on a Cloud SSA : Onboarding

Hi Folks

Starting a series of quick posts on the Cloud SSA so you could take full advantage of its capabilities and enrich your SPO Search experience.

Today's Problematic

I came across the necessity to re-onboard a Cloud SSA on my SP2013 environment against a different tenant. There are few considerations when doing so. In this post, I'll focus on the Onboarding problematic.

Having tried the Onboarding script as-is, it wasn't straight forward as I already had an Azure Access Control Service (ACS), SPO App Management Proxy and ACS Token Issuer configured. The script isn't removing any of those only requiring you to do it manually.

Those 3 entities are bound to your tenant one way or another therefore deletion is mandatory to onboard our Cloud SSA on a different tenant.

If you dump those 3 objects you will see those bounds to your tenant. My tenant id is e46a619f-8a46-4b91-a8c5-60904e04e135 and uri https://msxxxxxx.sharepoint.com.

Azure Access Control Service (ACS)

SecurityTokenServiceHostNameSuffix : 
TypeName                           : Azure Access Control Service Application Proxy
DiscoveryConfiguration             : Microsoft.SharePoint.Administration.SPAzureAccessControlServiceDiscoveryConfiguration
MetadataEndpointUri                : https://accounts.accesscontrol.windows.net/e46a619f-8a46-4b91-a8c5-60904e04e135/metadata/json/1
ManageLink                         : 
PropertiesLink                     : 
CanUpgrade                         : True
IsBackwardsCompatible              : True
NeedsUpgradeIncludeChildren        : False
NeedsUpgrade                       : False
UpgradeContext                     : Microsoft.SharePoint.Upgrade.SPUpgradeContext
Name                               : ACS
DisplayName                        : ACS
Id                                 : 31089571-eb78-4d69-a7ff-ae8bc3345ed3
Status                             : Online
Parent                             : SPAzureAccessControlServiceProxy
Version                            : 4034005
Properties                         : {}
Farm                               : SPFarm Name=SP_Config
UpgradedPersistedProperties        : {}
CanSelectForBackup                 : True
DiskSizeRequired                   : 0
CanSelectForRestore                : True
CanRenameOnRestore                 : True


ACS STS - TrustedSecurityTokenIssuer

IsSelfIssuer                  : False
NameId                        : 
RegisteredIssuerName          : 00000001-0000-0000-c000-000000000000@e46a619f-8a46-4b91-a8c5-60904e04e135
IdentityClaimTypeInformation  : Microsoft.SharePoint.Administration.Claims.SPTrustedClaimTypeInformation
Description                   : 
SigningCertificate            : [Subject]
AdditionalSigningCertificates : {[Subject]
MetadataEndPoint              : https://accounts.accesscontrol.windows.net/e46a619f-8a46-4b91-a8c5-60904e04e135/metadata/json/1
IsAutomaticallyUpdated        : True
Name                          : ACS-STS
TypeName                      : Microsoft.SharePoint.Administration.Claims.SPTrustedSecurityTokenService
DisplayName                   : ACS-STS
Id                            : 6626e9a3-8f2a-4797-90a7-52858cb10655
Status                        : Online
Parent                        : SPSecurityTokenServiceManager Name=SecurityTokenServiceManager
Version                       : 4034018
Properties                    : {}
Farm                          : SPFarm Name=SP_Config
UpgradedPersistedProperties   : {}


SPO App Management Proxy

TypeName                    : SharePoint Online Application Principal Management Service Application Proxy
OnlineTenantUri             : https://msxxxxxx.sharepoint.com/
ManageLink                  : 
PropertiesLink              : 
CanUpgrade                  : True
IsBackwardsCompatible       : True
NeedsUpgradeIncludeChildren : False
NeedsUpgrade                : False
UpgradeContext              : Microsoft.SharePoint.Upgrade.SPUpgradeContext
Name                        : SPO App Management Proxy
DisplayName                 : SPO App Management Proxy
Id                          : d8f3ff14-6182-4c6b-a544-1597ff00e20a
Status                      : Online
Parent                      : SPOnlineApplicationPrincipalManagementServiceProxy
Version                     : 4034024
Properties                  : {}
Farm                        : SPFarm Name=SP_Config
UpgradedPersistedProperties : {}


Conclusion : you need to delete those 3 entities before re-onboarding any new tenant in your Cloud SSA.


PowerShell Script to remove those tenant-bound entities


[Parameter(Mandatory=$true, HelpMessage="SharePoint Online portal URL, for example 'https://contoso.sharepoint.com'.")]


[string] $PortalUrl,

[switch] $Remove




# Remove ACS Proxy

$acsProxy = Get-SPServiceApplicationProxy | ? {$_.DisplayName -eq $ACS_APPPROXY_NAME}

$acsProxy | fl *

if ($Remove) { Remove-SPServiceApplicationProxy -Identity $acsProxy.Id }

# Remove the ACS Token Issuer

$acsTokenIssuer = Get-SPTrustedSecurityTokenIssuer | ? {$_.DisplayName -eq $ACS_STS_NAME}

$acsTokenIssuer | fl *

if ($Remove) { Remove-SPTrustedSecurityTokenIssuer -Identity $acsTokenIssuer }

# Remove the SPO App Management

$spoProxy = Get-SPServiceApplicationProxy | ? {$_.TypeName -eq "SharePoint Online Application Principal Management Service Application Proxy" -and $_.OnlineTenantUri -eq [System.Uri] $PortalUrl}

$spoProxy | fl *

if ($Remove) { Remove-SPServiceApplicationProxy -Identity $spoProxy.Id }


Done. Note that by default the script will allow you to validate which entity we are referring to. You can double-check your tenant URI and GUID too. Then use the -Remove flag to proceed with the deletion.

I hope you help quicken your re-onboarding.

Keep in Search

Skip to main content