SharePoint Hybrid Sync, Permission, and Access Errors, All Fixes

Microsoft Fix Advanced 14 min read Official Docs Grounded Updated April 20, 2026
What's in This Guide
  1. Why This Happens
  2. The Quick Fix
  3. Step-by-Step Solution
  4. Advanced Troubleshooting
  5. Prevention & Best Practices
  6. FAQ

Why SharePoint Hybrid Errors Happen

I've seen this exact scenario play out on dozens of enterprise SharePoint deployments: you spend days, sometimes weeks, configuring SharePoint hybrid search between your on-premises farm and Microsoft 365. You follow the setup wizard, tick all the boxes, set up the result sources, configure the query rules. Then a user runs a search from a SharePoint Online site and gets nothing back from on-premises. Or worse, they hit this message:

Sorry, something went wrong. (Search has encountered a problem that prevents results from being returned. If this issue persists, please contact your administrator)

I know how demoralizing that is after all that configuration work. The error message tells you absolutely nothing useful. And if you try to open Query Builder from the result block inside the associated query rule in SharePoint Online, you get slapped with a 401 Unauthorized deep inside a stack trace referencing Microsoft.SharePoint.Client.ClientContext and RemoteSharepointProducer. Not exactly the friendly guidance you were hoping for.

So what's actually going on? The root cause in the vast majority of SharePoint hybrid search not returning results cases is that your Search Service Application Proxy is deployed in partitioned mode. Microsoft 365 simply does not support incoming hybrid search queries when the on-premises Search Service Application Proxy is running in partitioned mode. Full stop. The two systems can't negotiate the query handshake properly, and the result is either a blank result set or that 401 Unauthorized authentication failure.

Partitioned mode is a multi-tenancy feature designed for SharePoint hosting environments where different tenants need isolated search indexes. In a single-organization hybrid setup, which is what most enterprises are running, partitioned mode is almost never intentional. It often gets set during an automated farm provisioning script, an older version of the Hybrid Configuration Wizard, or a migration from a managed hosting provider. You may not even know it's enabled until search breaks.

This problem affects SharePoint Server 2013, 2016, 2019, and Subscription Edition farms configured for inbound hybrid search with Microsoft 365. If you're running any of those versions and you're seeing these symptoms, you're in the right place.

The SharePoint hybrid access errors and sync permission problems you're experiencing all trace back to one misconfigured property on the proxy object. Fixing it is entirely doable from PowerShell, no GUI gymnastics, no recreating the entire hybrid configuration from scratch (unless the property fix alone doesn't take, but we'll cover that too). Browse all Microsoft fix guides →

The Quick Fix, Try This First

If you want the shortest path to resolving SharePoint hybrid search not returning results, this is it. Open the SharePoint Management Shell on your on-premises server, run it as Administrator, and execute this block of commands. I'll explain every line in detail in the step-by-step section below, but if you're experienced with PowerShell and just need the fix right now, here it is:

# Step 1: Grab the Search Service Application
$ssa = Get-SPEnterpriseSearchServiceApplication

# Step 2: Grab the Search Service Application Proxy
$proxy = Get-SPEnterpriseSearchServiceApplicationProxy

# Step 3: Disable partitioned mode on the proxy
$proxy.Properties["Microsoft.Office.Server.Utilities.SPPartitionOptions"] = 0
$proxy.Update()

# Step 4: Tell the SSA to ignore tenantization
$ssa.SetProperty("IgnoreTenantization", 1)
$ssa.Update()

After running those four commands, give it a few minutes, search index propagation isn't instant, then go back to a SharePoint Online site and run a search query that should pull on-premises results. If you see results from your on-premises content sources, you're done.

If the property update doesn't stick, or if results still don't come through after 15–20 minutes, don't panic. The next escalation is removing and recreating the proxy entirely, I walk through that in Step 5 below. That fixes the remaining cases.

One important note before you touch anything: make a backup of your Search Service Application first. This is a core SharePoint component and modifying proxy properties directly can have unintended side effects if something goes wrong mid-operation. The official guidance is explicit on this. Use Central Administration → Backup and Restore → Perform a backup, or run Backup-SPFarm targeting the Search Service Application specifically. Don't skip this.

Pro Tip
Before running any of these commands, confirm you actually have only one Search Service Application in the farm by running Get-SPEnterpriseSearchServiceApplication without assigning it to a variable first. If your farm has multiple SSAs (rare but it happens in large enterprises), you need to target the right one explicitly using the -Identity parameter, otherwise $ssa will grab whichever one comes back first and you may update the wrong proxy.
1
Back Up Your Search Service Application

I can't stress this enough. Before you change any proxy properties in a production farm, create a backup. SharePoint hybrid configuration errors are recoverable, but only if you have a restore point. Modifying the SPPartitionOptions property on a live proxy is a direct write to the configuration database, and if anything goes sideways you want a clean rollback path.

Open SharePoint Central Administration and navigate to Backup and Restore → Perform a Backup. In the component list, expand the farm tree and select your Search Service Application. Set the backup type to Full and point it at a reliable UNC path with enough space. Alternatively, from the SharePoint Management Shell:

Backup-SPFarm -Directory "\\yourserver\backups\ssa-backup" -BackupMethod Full -Item "Search Service Application"

Wait for the backup to complete before proceeding. If you're in a time-critical situation and the farm is non-production, you can move faster, but on a production farm serving real users, the 20 minutes for a backup is non-negotiable. Once the backup is confirmed, you're ready for the next step.

You should see a green success status in the Backup and Restore Job Status page, or a completion message in the PowerShell output. If the backup fails, investigate that issue first, a backup failure often signals underlying health problems with the Search Service Application that could complicate the fix below.

2
Identify Your Search Service Application and Proxy GUIDs

Now let's get oriented. Open the SharePoint Management Shell as Administrator and pull the Search Service Application object. This gives you the SSA instance you'll be working with throughout the rest of the fix:

$ssa = Get-SPEnterpriseSearchServiceApplication
$ssa

You'll see output showing the Name, Status, and other properties of your SSA. Make a note of the name, it's usually something like "Search Service Application" or whatever your farm admin named it during setup.

Next, get the Search Service Application Proxy. The proxy is the connector object that Microsoft 365 communicates through when it sends inbound hybrid search queries to your on-premises farm. This is the object we need to inspect and fix. Run:

$ssaproxy = Get-SPServiceApplicationProxy

This returns all service application proxies in the farm, not just the search proxy. Look through the output for your search proxy; its TypeName will contain "Search Service Application Proxy". Note the GUID in the Id column, it is completely unique to your farm and will not match any documentation or example you find online. That GUID is what you'll use if you need to target the proxy by identity in later steps.

Once you have both objects confirmed, you're ready to inspect the partition state. If you see your search proxy listed, proceed to Step 3.

3
Confirm the Proxy Is Running in Partitioned Mode

This is the diagnostic step that confirms what we suspect. With your $ssaproxy variable set, inspect its Properties collection to see whether partitioned mode is actually enabled. Run:

$proxy = Get-SPEnterpriseSearchServiceApplicationProxy
$proxy.Properties

Look through the output for the key Microsoft.Office.Server.Utilities.SPPartitionOptions. If this property exists and its value is anything other than 0, typically you'll see 1, that confirms your proxy is running in partitioned mode. That single setting is what's blocking inbound hybrid search queries from Microsoft 365.

The Properties collection can look a bit noisy with several key/value pairs. Don't worry about the others for now. The only one we're targeting is SPPartitionOptions. A value of 1 means partitioned (broken for hybrid). A value of 0 means non-partitioned (what we need).

If you don't see SPPartitionOptions in the output at all, that can mean either that it's not set (defaults may still cause issues) or that your proxy isn't the search proxy, double-check you're looking at the right object. Once you confirm the partitioned mode setting is the culprit, move to Step 4 to fix it.

4
Update Proxy Properties to Disable Partitioned Mode

Here's the core fix for SharePoint hybrid configuration errors caused by partitioned mode. You're making two changes: disabling the partition option on the proxy, and telling the Search Service Application itself to stop enforcing tenantization. Both changes are required, making only one of them typically doesn't resolve the issue.

Run the following block in the SharePoint Management Shell:

# Disable partitioned mode on the search proxy
$proxy = Get-SPEnterpriseSearchServiceApplicationProxy
$proxy.Properties["Microsoft.Office.Server.Utilities.SPPartitionOptions"] = 0
$proxy.Update()

# Tell the SSA to ignore tenantization boundaries
$ssa = Get-SPEnterpriseSearchServiceApplication
$ssa.SetProperty("IgnoreTenantization", 1)
$ssa.Update()

After running these commands, wait approximately 5–10 minutes. SharePoint's timer jobs need to propagate the configuration change. You can check whether the timer job has processed the update by going to Central Administration → Monitoring → Review Job Definitions and looking for search-related timer jobs.

Then test from a SharePoint Online site by running a search query that should surface on-premises content. If results from your on-premises content sources appear in SharePoint Online search, the fix worked. Most farms, probably 70–80% in my experience, are resolved at this step without needing to go further.

If you still see the error or get no on-premises results after 15–20 minutes, the proxy properties may not have persisted correctly. That happens occasionally with certain farm configurations. Move to Step 5.

5
Remove and Re-Create the Search Service Application Proxy

If Step 4 didn't fully resolve the SharePoint hybrid access errors, you need to take the more definitive approach: delete the existing proxy and create a fresh one. The fresh proxy will not have partitioned mode enabled by default, which is exactly what we need.

First, make sure you still have your $ssaproxy and $ssa variables set from earlier steps. If your session timed out, re-run the assignment commands before proceeding. Then remove the existing proxy:

# Remove the existing broken proxy
Remove-SPServiceApplicationProxy $ssaproxy

PowerShell will prompt you to confirm the deletion, type Y and press Enter. This step is irreversible within the current session, which is why we took that backup in Step 1.

Now create a new, clean proxy tied to the same Search Service Application:

# Create a new proxy without partitioned mode
New-SPEnterpriseSearchServiceApplicationProxy -SearchApplication $ssa -Name "Search Service Application Proxy"

The name you give the proxy doesn't technically matter for functionality, but keeping it consistent with what was there before avoids confusion in Central Administration and any monitoring scripts you have running. Once the new proxy is created, give SharePoint's timer jobs 10–15 minutes to register the change and re-establish the connection topology with Microsoft 365.

After that window, test your hybrid search again from SharePoint Online. At this point, with a clean proxy and IgnoreTenantization set on the SSA, inbound hybrid search queries should return on-premises results successfully. If you're still hitting issues after this, see the Advanced Troubleshooting section below.

Advanced Troubleshooting for SharePoint Hybrid Search Errors

When the standard proxy fix doesn't fully resolve SharePoint hybrid sync permission errors, there are a few deeper places to look. I'll walk through the most common culprits I've seen in enterprise environments.

The 401 Unauthorized Error in Query Builder

That System.Net.WebException: The remote server returned an error: (401) Unauthorized error you get when opening Query Builder from the result block is a separate, though related, issue. It shows up in the RemoteSharepointProducer.RetrieveDataFromRemoteServer method and typically means the service account used by the on-premises farm to communicate with SharePoint Online doesn't have sufficient permissions, or the OAuth trust between the farms has broken down.

Check your Server-to-Server (S2S) trust configuration. In Central Administration, go to Security → Manage Trust and verify your Microsoft 365 trust is listed and shows as healthy. If it's missing or shows an error, you may need to re-run the Hybrid Configuration Wizard to re-establish the trust relationship.

Also verify that the account listed under your web application's User Policy has the correct permissions. Open Central Administration → Application Management → Manage Web Applications → select your web app → User Policy. The crawl account and the app pool account both need appropriate access.

Checking ULS Logs for Deeper Insight

SharePoint's Unified Logging Service (ULS) logs are where the real detail lives. The on-screen errors are sanitized, ULS gives you the full stack. On your SharePoint server, ULS logs are typically in C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\LOGS\ (adjust 16 to 15 for SP 2013). Filter by Correlation ID, you can grab the correlation ID from the error page SharePoint shows users. Look for entries with category Search and severity Unexpected or Critical.

If you see entries referencing Tenantization, PartitionId, or AccessDenied, those confirm the proxy partition issue. If you see authentication token errors or certificate validation failures, the S2S trust configuration needs attention.

Verifying the Outbound Connectivity Path

For inbound hybrid search to work, your on-premises SharePoint server needs outbound HTTPS connectivity to Microsoft 365 endpoints. Check that your proxy or firewall isn't blocking calls to *.sharepoint.com, login.microsoftonline.com, and the Microsoft 365 IP ranges published in the official Microsoft 365 URL and IP address documentation. Run a quick test from the SharePoint server:

Test-NetConnection -ComputerName login.microsoftonline.com -Port 443

If TcpTestSucceeded comes back as False, your outbound network path is blocked and no amount of PowerShell property changes will fix the search results until that's resolved with your network team.

Re-running the Hybrid Configuration Wizard

If the proxy fix and S2S trust checks don't resolve the SharePoint hybrid access errors, the Hybrid Configuration Wizard in Microsoft 365 admin center can re-establish the full hybrid topology. Go to SharePoint admin center → Settings → Configure hybrid and re-run the wizard. It's non-destructive in most cases, it overwrites configuration rather than duplicating it, but always take a fresh backup before doing so.

When to Call Microsoft Support
If you've completed all five fix steps, verified S2S trust, confirmed outbound connectivity, checked ULS logs, and re-run the Hybrid Configuration Wizard, and hybrid search still isn't working, it's time to open a support case. At that point, the issue is likely in a layer you can't directly inspect: the Microsoft 365 tenant-side configuration, the authentication token pipeline, or a service outage. When you open the ticket, bring your ULS log snippets, the output of Get-SPEnterpriseSearchServiceApplication, Get-SPServiceApplicationProxy, and a screenshot of the Query Builder error. That shortens the diagnosis time significantly. You can reach Microsoft Support directly through the Microsoft 365 admin center under Health → Service support.

Domain-Joined and Hybrid Azure AD Scenarios

In environments where devices are hybrid Azure AD joined, meaning they're registered with both on-premises Active Directory and Azure AD, there's an additional layer to check. The user's claims token presented to SharePoint Online during a search query may not be translating correctly to the on-premises identity. This is especially common in organizations that migrated from ADFS to Pass-through Authentication or seamless SSO after the initial hybrid search setup. If users are getting results in SharePoint Online for their SharePoint Online content but not on-premises content even after the proxy fix, claims translation is worth investigating with your identity team.

Prevention & Best Practices for SharePoint Hybrid Environments

Once you've fixed the immediate SharePoint hybrid search not returning results issue, it's worth taking a few proactive steps to make sure you're not back in this situation six months from now. Hybrid environments are inherently more complex than pure cloud or pure on-premises setups, more moving parts means more maintenance surface area.

The biggest thing I recommend: document your current hybrid configuration state right now, while everything is fresh and working. Run Get-SPEnterpriseSearchServiceApplication | Format-List and Get-SPServiceApplicationProxy | Format-List and save those outputs somewhere accessible, a SharePoint page, a OneNote notebook, a Teams channel. When something breaks six months from now, having a baseline to compare against is invaluable.

Put a recurring calendar reminder, quarterly is reasonable, to verify that hybrid search is returning results. Build a simple test query that you know should return specific on-premises content, and save it as a bookmark. A three-minute check every 90 days can catch drift before it becomes a user-facing outage.

If your organization uses automated farm provisioning scripts, PowerShell DSC, Desired State Configuration, or third-party tools like AutoSPInstaller, audit those scripts to make sure they're not re-enabling partitioned mode on the Search Service Application Proxy during patching or upgrade cycles. That's one of the most common ways this problem recurs: a well-intentioned automation script reinstates a setting that was previously fixed manually.

When applying SharePoint Cumulative Updates or Feature Packs, test hybrid search functionality in a non-production environment first. Some CUs have historically touched the search architecture in ways that affected hybrid behavior. The pattern of "we patched and now hybrid is broken" is a well-known one in the SharePoint admin community.

Quick Wins

Frequently Asked Questions

Why is SharePoint hybrid search showing no results from on-premises even after I set everything up correctly?

The most common cause is that your Search Service Application Proxy is running in partitioned mode, a multi-tenancy setting that Microsoft 365 doesn't support for inbound hybrid search queries. It's not something you'd set intentionally in most deployments; it often gets enabled by automated provisioning scripts or older versions of the Hybrid Configuration Wizard. The fix is to set the Microsoft.Office.Server.Utilities.SPPartitionOptions property on the proxy to 0 and set IgnoreTenantization to 1 on the SSA, both via PowerShell in the SharePoint Management Shell. Follow the step-by-step guide above for the exact commands.

I'm getting a 401 Unauthorized error when I open Query Builder from the result block in SharePoint Online, what does that mean?

That 401 error in the RemoteSharepointProducer.RetrieveDataFromRemoteServer method means SharePoint Online can't authenticate back to your on-premises farm when trying to validate or preview the query result source. It's almost always a Server-to-Server (S2S) trust issue, either the trust has expired, the certificate has been rotated without being updated in both places, or the service account permissions have changed. Go to Central Administration → Security → Manage Trust and verify your Microsoft 365 trust entry is present and healthy. If it looks wrong, re-run the Hybrid Configuration Wizard to re-establish the trust relationship. Also check that the farm's app pool service account has the correct User Policy permissions on the relevant web application.

Do I need to do a full farm backup before running these PowerShell fixes, or is a Search Service Application backup enough?

A Search Service Application-specific backup is sufficient for this particular fix, since we're only modifying search proxy properties. The official Microsoft guidance calls for backing up the Search Service Application before following these steps. That said, if you're on a production farm and you have the window for a full farm backup, it doesn't hurt. The SSA backup is the minimum; the full backup is the safest. Use Backup-SPFarm with the -Item parameter targeting your SSA, and confirm the backup job completes with a success status before touching any proxy settings.

Will this fix work for SharePoint Server 2016 and 2019, or only 2013?

Yes, the proxy partitioned mode fix applies to SharePoint Server 2013, 2016, 2019, and Subscription Edition. The PowerShell cmdlets are the same across all those versions. The official documentation explicitly lists all four server versions plus SharePoint Online as affected products. The underlying architecture of the Search Service Application and its proxy hasn't changed fundamentally between those releases, so the fix, setting SPPartitionOptions to 0 and IgnoreTenantization to 1, is valid across all of them.

After running the proxy property fix, how long does it take for on-premises results to start showing in SharePoint Online?

Typically 10–20 minutes. The SharePoint timer service needs to propagate the configuration changes through the farm, and the hybrid search query pipeline needs to recognize the updated proxy state. If you're still seeing no on-premises results after 20 minutes, don't just wait longer, move on to testing whether the property changes actually persisted by re-running $proxy.Properties and checking that SPPartitionOptions is now 0. If the value has reverted, you likely have an automation script or DSC configuration overwriting your changes, and you'll need to track that down before the fix will stick.

I removed and recreated the Search Service Application Proxy but now Central Administration shows warnings about the search service, is that normal?

Briefly, yes. Right after you delete and recreate the Search Service Application Proxy, Central Administration may show health analyzer warnings about the search service or timer job failures for a short window. Give it 15–30 minutes for the timer jobs to re-associate correctly with the new proxy. Run an IISRESET on all SharePoint servers if the warnings persist longer than 30 minutes, that clears the WCF channel caches that hold references to the old proxy object. If warnings persist after an hour and a full IISRESET cycle across the farm, check ULS logs for specific errors rather than relying on the health dashboard, which can lag behind actual service state.

Related Microsoft Fix Guides

Microsoft Fix
How to Fix Windows Update Errors (Error 0x80070003 & More)
Microsoft Fix
Fix Microsoft 365 Sign-In Problems, Complete Guide
Microsoft Fix
Azure Active Directory Troubleshooting Guide
Browse All
5,000+ Microsoft Fix Guides →
H
Sai Kiran Pandrala
Our team includes certified Microsoft engineers, Azure architects, and system administrators with 10+ years of enterprise IT experience. Every guide is written from hands-on troubleshooting, not guesswork. We test every fix before publishing.