How to Fix SharePoint Hybrid TOC Errors
Why Your SharePoint Hybrid TOC Is Breaking
I've seen this exact scenario play out on dozens of enterprise deployments: everything looks fine in the SharePoint admin center, your hybrid wizard ran without errors, and then your SharePoint Hybrid TOC (the taxonomy term store replication or hybrid navigation Table of Contents) silently stops working. Pages load, but your managed navigation is missing, term groups aren't syncing between on-premises and SharePoint Online, or the entire hybrid navigation tree collapses with a generic "Something went wrong" banner.
The SharePoint Hybrid TOC is the mechanism that bridges on-premises SharePoint Server (2016, 2019, or Subscription Edition) term stores and navigation structures with SharePoint Online. It depends on a chain of interdependent components: the Server-to-Server (S2S) OAuth trust between your farm and Azure Active Directory, the Hybrid Sites Timer Job, the User Profile Application (UPA), the Managed Metadata Service Application proxy, and a correctly registered Azure AD app principal. If any single link in that chain breaks, and they do, constantly, your hybrid TOC fails.
Here's what makes SharePoint Hybrid TOC troubleshooting uniquely painful. The error messages you get are almost never helpful. You might see Access Denied (401), or a correlation ID that traces back to a token validation failure, or just a blank navigation panel. Microsoft's own error surface doesn't distinguish between "your S2S certificate expired" and "your term store proxy is misconfigured." Both show the same vague failure.
The root causes I see most often, roughly in order of frequency:
- Expired STS certificate: the on-premises Security Token Service certificate used for S2S trust has a limited lifespan. When it expires, all hybrid OAuth flows break silently.
- Broken or missing App Principal registration: the SharePoint Online app principal (00000003-0000-0ff1-ce00-000000000000) loses its trust relationship with your on-premises farm after tenant changes or admin turnover.
- Hybrid Taxonomy Replication Timer Job failures: the timer job responsible for syncing term groups between on-premises and SharePoint Online gets stuck, throttled, or simply disabled after a farm update.
- UPA connectivity issues: if your User Profile Application service can't reach SharePoint Online endpoints, the hybrid TOC navigation can't resolve user context, breaking personalized navigation.
- Reverse proxy misconfiguration: enterprise deployments using F5, Citrix ADC, or Web Application Proxy for hybrid connectivity often have SSL offloading rules that strip the Authorization header, killing the OAuth handshake.
- Azure AD token endpoint changes: Microsoft periodically updates the Azure AD v2.0 token endpoint format. Older hybrid configurations still point to the v1.0 endpoint and fail post-tenant migration.
I know this is frustrating, especially when it blocks your entire intranet navigation or taxonomy governance workflow. The good news is that once you understand which layer is broken, the fixes are straightforward. Let's work through them systematically.
The Quick Fix: Try This First
Before going deep into diagnostics, there's one fix that resolves about 40% of SharePoint Hybrid TOC failures I encounter. The Hybrid Timer Job and the associated Managed Metadata service connection get into a bad state and simply need a reset. Here's the fastest path to recovery.
Open the SharePoint Management Shell on your on-premises SharePoint server (right-click it and choose Run as administrator), then run this sequence:
```powershell
# Step 1: Restart the SharePoint Timer Service
Stop-Service SPTimerV4
Start-Service SPTimerV4

# Step 2: Force the hybrid timer jobs to run immediately
$job = Get-SPTimerJob | Where-Object { $_.Name -like "*HybridTaxonomy*" -or $_.Name -like "*HybridSites*" }
$job | ForEach-Object { $_.RunNow() }

# Step 3: Check the job status after ~2 minutes
Get-SPTimerJob | Where-Object { $_.Name -like "*Hybrid*" } | Select-Object Name, LastRunTime, Status
```
Wait about two minutes, then check your SharePoint site's navigation or term store. If your hybrid TOC was failing because of a stuck timer job, it should now show the correct term groups and navigation nodes.
If that didn't fix it, check your STS certificate right now; this is the second most common quick win:
```powershell
# Check the on-premises STS signing certificate expiry
$sts = Get-SPSecurityTokenServiceConfig
$sts.LocalLoginProvider.SigningCertificate | Select-Object Subject, NotAfter

# Also check the trusted root authorities the farm relies on
Get-SPTrustedRootAuthority | Select-Object Name, Certificate | Format-List
```
If NotAfter is in the past or within the next 30 days, your certificate is expired or expiring; that's your culprit, so jump to the STS certificate renewal section below.
Verify the S2S Trust
The S2S trust is the foundation of every SharePoint hybrid feature, including your hybrid TOC. Without a valid trust, no token exchange happens and everything downstream fails. Go to Central Administration → Security → Manage trust. You should see an entry for SharePoint Online; if it's missing entirely, your hybrid configuration was never completed or was deleted.
To validate it properly from PowerShell, run:
```powershell
# List all trusted security token issuers
Get-SPTrustedSecurityTokenIssuer | Select-Object Name, RegisteredIssuerName, IsSelfIssuer | Format-Table -AutoSize

# Specifically look for the Azure ACS issuer that brokers SharePoint Online tokens
Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.RegisteredIssuerName -like "*00000001-0000-0000-c000*" }
```
You should see an entry with a RegisteredIssuerName containing your tenant GUID. If the output is empty, the trust is broken. To re-establish it, you'll need your SharePoint Online tenant ID. Get it from the Azure portal under Azure Active Directory → Properties → Tenant ID.
```powershell
# Re-establish the S2S trust (replace YOUR-TENANT-ID with your tenant GUID)
$tenantId = "YOUR-TENANT-ID"
$metadataUrl = "https://accounts.accesscontrol.windows.net/$tenantId/metadata/json/1"
# Fetch the ACS metadata first: a failure here is a network/proxy problem, not a trust problem
$stsMetadata = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
Write-Host "Metadata endpoint returned HTTP $($stsMetadata.StatusCode)"
New-SPTrustedSecurityTokenIssuer -Name "SharePoint Online" -IsTrustBroker -MetadataEndPoint $metadataUrl
```
If the trust exists but looks wrong, remove and re-create it rather than trying to patch it; partial trusts cause intermittent hybrid TOC failures that are maddening to debug. After creating the trust, run an IIS reset across all servers in the farm (iisreset /noforce). Give it five minutes, then check your hybrid navigation again.
Renew the STS Certificate
This is the fix that enterprise admins forget until it bites them. The Security Token Service certificate used for hybrid OAuth has an expiry date. When it expires, your hybrid TOC stops working with no obvious error; it just silently breaks. Check it right now:
```powershell
# Check current STS signing certificate details
$sts = Get-SPSecurityTokenServiceConfig
$cert = $sts.LocalLoginProvider.SigningCertificate
Write-Host "Subject: $($cert.Subject)"
Write-Host "Thumbprint: $($cert.Thumbprint)"
Write-Host "Expires: $($cert.NotAfter)"
Write-Host "Days remaining: $(($cert.NotAfter - (Get-Date)).Days)"
```
If days remaining is under 30, or negative, you need to renew it. You can generate a new self-signed certificate and import it as the STS signing certificate, but you also need to update SharePoint Online's trust with the new certificate. Here's the process:
```powershell
# Generate a new self-signed signing certificate in the machine store
# (New-SelfSignedCertificate from the Windows PKI module, Windows Server 2016 or later)
$newCert = New-SelfSignedCertificate -Subject "CN=SharePoint STS" -FriendlyName "SharePoint STS" `
    -CertStoreLocation "Cert:\LocalMachine\My" -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(2)

# Make it the STS signing certificate; every S2S trust in the farm now signs with this key
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $newCert
iisreset /noforce
```
After updating the certificate on-premises, go to SharePoint Online admin center → Settings → Hybrid picker and re-run the hybrid configuration wizard. It will pick up the new certificate and update the trust. Alternatively, use the SharePoint Online Management Shell to update the trusted certificate directly. Once done, restart the timer service and give the hybrid TOC five minutes to re-establish. You should see your navigation tree populate correctly.
Check the Managed Metadata Service Proxy
Your SharePoint Hybrid TOC taxonomy sync depends on the Managed Metadata Service Application being properly connected and having the right proxy configuration. I've seen setups where an upgrade or migration left the MMS proxy pointing to the old service application instance, silently breaking all term group replication.
Navigate to Central Administration → Application Management → Manage service applications. Find your Managed Metadata Service. Click on its connection (proxy), then check the properties; you should see checkboxes for "This service application is the default storage location for column specific term sets" and "This service application is the default storage location for site collection specific term sets." Both should be checked.
Now verify the hybrid term group replication is actually configured:
```powershell
# Check the Managed Metadata service application
$mms = Get-SPServiceApplication | Where-Object { $_ -is [Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplication] }
$mms | Select-Object Name, Status, Id

# Which term groups are replicated is defined on-premises by Copy-SPTaxonomyGroups (its -GroupNames);
# there is no remote PowerShell session into the tenant for this, so compare that list against
# what actually appears in SharePoint Online Term Store Management (see below).
```
In SharePoint Online, go to SharePoint Admin Center → Term store. Look for any term groups that should be replicated from on-premises. If they're missing or stale, the replication timer job is failing. In Central Administration on-premises, navigate to Monitoring → Timer Jobs → Review job definitions, search for "Taxonomy," and check the Taxonomy Groups Replication job. Its last run time and status will tell you whether it's running at all. If the status shows Failed, check the ULS logs at the time of its last run, look for event category Taxonomy or Hybrid in the SharePoint ULS log viewer.
Verify UPA Connectivity to SharePoint Online
The hybrid TOC uses the User Profile Application to resolve user identity across the on-premises/cloud boundary. When UPA can't reach SharePoint Online, which happens after firewall rule changes, proxy updates, or expired credentials, your hybrid navigation personalization breaks and the TOC can't render user-specific navigation nodes correctly.
First, verify the UPA service is running:
```powershell
# Check UPA service instance status on each server
Get-SPServiceInstance | Where-Object { $_.TypeName -like "*User Profile*" } | Select-Object Server, Status, TypeName

# Check the actual service application
Get-SPServiceApplication | Where-Object { $_ -is [Microsoft.Office.Server.Administration.UserProfileApplication] } | Select-Object Name, Status
```
If those look healthy, test whether your on-premises farm can actually reach SharePoint Online endpoints. From your SharePoint application server, open PowerShell and run:
```powershell
# Test connectivity to the Microsoft login endpoint
$testUri = "https://login.microsoftonline.com"
$result = Invoke-WebRequest -Uri $testUri -UseBasicParsing -TimeoutSec 10
Write-Host "Status: $($result.StatusCode)"

# Test the specific ACS token endpoint for your tenant
$tenantId = "YOUR-TENANT-ID"
$tokenEndpoint = "https://accounts.accesscontrol.windows.net/$tenantId/tokens/OAuth/2"
try {
    $ping = Invoke-WebRequest -Uri $tokenEndpoint -Method HEAD -UseBasicParsing -TimeoutSec 10
    Write-Host "Token endpoint reachable: $($ping.StatusCode)"
} catch {
    Write-Host "Token endpoint FAILED: $($_.Exception.Message)"
}
```
If either of those fails, you have a network-level block. Check your proxy server settings. SharePoint on-premises needs to reach *.microsoftonline.com, *.sharepoint.com, accounts.accesscontrol.windows.net, and login.windows.net without SSL inspection breaking the certificate chain. If your proxy is doing SSL inspection, you need to whitelist those endpoints with passthrough.
To configure SharePoint to use a proxy for outbound connections:
```powershell
# Proxy for outbound requests made from THIS PowerShell session only (useful for the tests above);
# it does not change the proxy the SharePoint worker processes use
$webProxy = New-Object System.Net.WebProxy("http://yourproxy.contoso.com:8080")
[System.Net.WebRequest]::DefaultWebProxy = $webProxy

# For the farm itself, configure it in Central Admin:
# Central Admin → Security → Configure web proxy settings
```
Re-register the SharePoint Online App Principal
Every SharePoint hybrid deployment relies on a specific Azure AD app principal with ID 00000003-0000-0ff1-ce00-000000000000 (SharePoint Online) being trusted on-premises. After tenant migrations, Azure AD conditional access policy changes, or accidental deletion by another admin, this app principal registration breaks, and your hybrid TOC fails with 401 errors that are incredibly hard to trace back to this cause.
To check and fix the app principal registration, open the SharePoint Management Shell as administrator and run:
```powershell
# Check the existing app principal registration for your tenant
$tenantId = "YOUR-TENANT-ID"
Get-SPAppPrincipal -Site https://yourintranet.contoso.com -NameIdentifier "00000003-0000-0ff1-ce00-000000000000@$tenantId"

# If the above returns nothing or an error, register it fresh
$site = Get-SPSite "https://yourintranet.contoso.com"
$appPrincipal = Register-SPAppPrincipal -Site $site.RootWeb -NameIdentifier "00000003-0000-0ff1-ce00-000000000000@$tenantId" -DisplayName "SharePoint Online"

# Grant it the permissions hybrid needs; SiteSubscription scope covers the whole subscription,
# so confirm the tenant GUID is yours before granting FullControl
Set-SPAppPrincipalPermission -Site $site.RootWeb -AppPrincipal $appPrincipal -Scope SiteSubscription -Right FullControl
```
After running this, you need to do an IIS reset across all servers in your farm and then restart the SharePoint Timer Service. Navigate back to a SharePoint site that should show the hybrid TOC navigation and do a hard refresh (Ctrl+Shift+R). If the app principal was the issue, you'll see the navigation populate within about 60 seconds as the new trust propagates. If you see error code AADSTS700016 or AADSTS90019 in your ULS logs, that confirms this is exactly the problem, the app wasn't found in the directory, and re-registering it is the correct fix.
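One thing the checks above do not catch is a trust and an app principal that each look healthy but were built for different tenants, which is how a tenant migration produces the 401s just described. The following is an added example, not code from the original article; it assumes the ACS issuer is registered in the usual "<ACS app id>@<tenant GUID>" form and that the SharePoint cmdlets are loaded.

```powershell
# Added example, not from the original article: cross-check that the ACS trust and the
# SharePoint Online app principal point at the same tenant GUID. After a tenant migration
# they can drift apart, and the symptom is exactly the hard-to-trace 401 described above.
# Assumes the ACS issuer is registered in the standard "<ACS app id>@<tenant GUID>" form.
function Test-SPHybridTenantConsistency {
    param([Parameter(Mandatory)] [string] $SiteUrl)
    $acsAppId    = '00000001-0000-0000-c000-000000000000'   # Azure ACS, the token broker
    $spoAppId    = '00000003-0000-0ff1-ce00-000000000000'   # SharePoint Online principal
    $guidPattern = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'

    $issuer = Get-SPTrustedSecurityTokenIssuer |
        Where-Object { $_.RegisteredIssuerName -like "$acsAppId@*" } | Select-Object -First 1
    # -notmatch populates $Matches when the name does match, so the tenant GUID is captured here
    if (-not $issuer -or $issuer.RegisteredIssuerName -notmatch "@($guidPattern)$") {
        return [pscustomobject]@{ Status = 'NoUsableAcsTrust'; TrustTenant = $null; PrincipalFound = $false; Issuer = $null }
    }
    $tenant = $Matches[1]

    # The principal must exist under the SAME tenant suffix the trust was built for
    $principal = Get-SPAppPrincipal -Site $SiteUrl -NameIdentifier "$spoAppId@$tenant" -ErrorAction SilentlyContinue
    $status = if ($principal) { 'OK' } else { 'PrincipalMissingForTrustTenant' }
    [pscustomobject]@{
        Status         = $status
        TrustTenant    = $tenant
        PrincipalFound = [bool]$principal
        Issuer         = $issuer.Name
    }
}

# Replace with a site collection that should show hybrid navigation
Test-SPHybridTenantConsistency -SiteUrl 'https://yourintranet.contoso.com'
```

A result of PrincipalMissingForTrustTenant means the re-registration in the block above should use the TrustTenant GUID shown, not whatever tenant ID is in your notes.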
Advanced Troubleshooting for SharePoint Hybrid TOC
Reading ULS Logs for Hybrid TOC Errors
The SharePoint Unified Logging System (ULS) is your best friend for deep hybrid TOC diagnostics. Generic browser errors tell you nothing. ULS tells you exactly which component failed and why. Enable verbose logging temporarily:
```powershell
# Enable verbose logging for hybrid-related areas
# (run Clear-SPLogLevel when you are done; verbose tracing fills the ULS logs quickly)
Set-SPLogLevel -TraceSeverity Verbose -EventSeverity Information -Identity "SharePoint Server","Authentication Authorization","Topology"

# Pull the last five minutes of events from this server's ULS trace logs
# (use -Directory for another log location, or Merge-SPLogFile for a farm-wide view)
Get-SPLogEvent -StartTime (Get-Date).AddMinutes(-5) |
    Where-Object { $_.Category -like "*Hybrid*" -or $_.Category -like "*Taxonomy*" -or $_.Category -like "*Authentication*" } |
    Select-Object Timestamp, Category, Level, Message | Format-List
```
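Filtering by category gets you the raw entries; what you actually need is every entry that shares the correlation ID from the user's error banner, classified by the two failure families this article covers. Here is an added PowerShell example (not from the original article) that does that over ULS .log text; the sample lines are constructed in the ULS tab-delimited layout, with made-up EventIDs and GUIDs.

```powershell
# Added example, not from the original article: parse ULS trace lines and group the
# hybrid-relevant failures by correlation ID, so one "Something went wrong" banner
# maps to its full server-side chain. ULS .log files are tab-delimited with a header row.
function Get-SPHybridUlsFailures {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [string[]] $Categories = @('Hybrid', 'Taxonomy', 'Authentication', 'Claims Authentication'),
        [string[]] $Levels = @('Unexpected', 'High', 'Critical')
    )
    # ULS pads every column with spaces; trim header names and values after splitting on tabs
    $rows = $LogLines | ConvertFrom-Csv -Delimiter "`t" | ForEach-Object {
        $clean = [ordered]@{}
        foreach ($p in $_.PSObject.Properties) { $clean[$p.Name.Trim()] = ("$($p.Value)").Trim() }
        [pscustomobject]$clean
    }
    $categoryPattern = ($Categories | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $relevant = $rows | Where-Object { $_.Category -match $categoryPattern -and $Levels -contains $_.Level }

    $relevant | Group-Object Correlation | ForEach-Object {
        $messages = @($_.Group | ForEach-Object { $_.Message })
        # Classify by the two signature families the article describes: token/certificate text
        # points at the S2S trust or STS certificate, replication text at the taxonomy timer job
        if ($messages -match 'token|certificate|401|Unauthorized') { $cause = 'S2S trust / STS certificate' }
        elseif ($messages -match 'replicat|term group')            { $cause = 'Taxonomy replication job' }
        else                                                         { $cause = 'Unclassified' }
        [pscustomobject]@{
            Correlation = $_.Name
            Entries     = $_.Count
            Categories  = (@($_.Group | ForEach-Object { $_.Category }) | Sort-Object -Unique) -join ', '
            LikelyCause = $cause
            FirstError  = $messages[0]
        }
    }
}

# Constructed sample lines in ULS layout (EventIDs and correlation GUIDs are made up for the demo)
$sampleUls = @"
Timestamp`tProcess`tTID`tArea`tCategory`tEventID`tLevel`tMessage`tCorrelation
03/14/2024 09:12:01.45`tOWSTIMER.EXE (0x1A2C)`t0x0F10`tSharePoint Foundation`tAuthentication Authorization`tajlz0`tHigh`tSPSecurityContext: Request for security token failed with exception: 401 Unauthorized`t6b3a1c9f-0000-4000-8000-000000000001
03/14/2024 09:12:01.47`tOWSTIMER.EXE (0x1A2C)`t0x0F10`tSharePoint Foundation`tClaims Authentication`taf4zc`tUnexpected`tToken validation failed: signing certificate has expired`t6b3a1c9f-0000-4000-8000-000000000001
03/14/2024 09:15:00.02`tOWSTIMER.EXE (0x1A2C)`t0x2B44`tSharePoint Server`tTaxonomy`tajvjj`tUnexpected`tTaxonomy Groups Replication: failed to replicate term group 'Navigation'`t6b3a1c9f-0000-4000-8000-000000000002
03/14/2024 09:15:00.10`tw3wp.exe (0x0D3C)`t0x1A20`tSharePoint Foundation`tGeneral`t8nca`tVerbose`tGET /sites/intranet`t6b3a1c9f-0000-4000-8000-000000000003
"@ -split "`r?`n"

# The Verbose 'General' row is dropped; the two 401/certificate rows collapse into one correlation
Get-SPHybridUlsFailures -LogLines $sampleUls | Format-Table -AutoSize
```

On a real server, feed it one ULS file at a time, for example `Get-SPHybridUlsFailures -LogLines (Get-Content 'C:\path\to\SERVER-20240314-0900.log')`, since each file carries its own header row.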
Key event IDs to look for in the Windows Application Event Log (open Event Viewer → Windows Logs → Application):
- Event ID 8321: SharePoint Security Token Service authentication failure. Usually certificate-related.
- Event ID 5214: User Profile synchronization failure with SharePoint Online.
- Event ID 6398: Timer job execution failure. Check the job name in the details; if it contains "Hybrid" or "Taxonomy," that's your replication job failing.
- Event ID 8073: OAuth token validation error. Correlates to S2S trust problems.
Group Policy and Firewall Conflicts
In enterprise domain-joined environments, Group Policy can silently break hybrid TOC connectivity. The most common culprit is Internet Explorer Enhanced Security Configuration or TLS version enforcement policies. SharePoint's .NET components need TLS 1.2 minimum for SharePoint Online connections. Check your farm servers:
```powershell
# Verify TLS 1.2 is enabled for the SCHANNEL client in the registry
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "Enabled" -ErrorAction SilentlyContinue

# If not present or set to 0, enable it:
New-Item "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Force
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "Enabled" -Value 1 -Type DWord
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "DisabledByDefault" -Value 0 -Type DWord
```
Also check whether your domain's Group Policy has a Windows Firewall with Advanced Security rule blocking outbound 443 traffic to non-approved destinations. Your SharePoint servers need outbound 443 to the Microsoft 365 endpoint ranges listed in Microsoft's official IP/URL list (ID categories 1-4 for SharePoint Online). Work with your network team to verify those are whitelisted.
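The SCHANNEL keys decide what the OS offers, but SharePoint's .NET 4.x code only negotiates TLS 1.2 by default when the framework is told to use strong crypto and system TLS defaults, in both the 64-bit and 32-bit hives. Here is an added, read-only audit (not from the original article) that reports all six values together; the "Default" column for an absent value assumes Windows Server 2012 R2 or later.

```powershell
# Added example, not from the original article: a read-only audit of the registry values that
# decide whether SharePoint's .NET components actually negotiate TLS 1.2. The SCHANNEL keys
# above are only half the story; .NET Framework 4.x also needs SchUseStrongCrypto and
# SystemDefaultTlsVersions, in both the 64-bit and 32-bit (Wow6432Node) hives.
function Test-SPTls12Readiness {
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $net64    = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    $net32    = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    # Default = what the platform assumes when the entry is absent. Assumption: Windows Server
    # 2012 R2 or later, where TLS 1.2 is on by default but .NET strong crypto is not forced.
    $checks = @(
        @{ Key = $schannel; Name = 'Enabled';                  Expected = 1; Default = 1 },
        @{ Key = $schannel; Name = 'DisabledByDefault';        Expected = 0; Default = 0 },
        @{ Key = $net64;    Name = 'SchUseStrongCrypto';       Expected = 1; Default = 0 },
        @{ Key = $net64;    Name = 'SystemDefaultTlsVersions'; Expected = 1; Default = 0 },
        @{ Key = $net32;    Name = 'SchUseStrongCrypto';       Expected = 1; Default = 0 },
        @{ Key = $net32;    Name = 'SystemDefaultTlsVersions'; Expected = 1; Default = 0 }
    )
    foreach ($c in $checks) {
        # Get-ItemProperty yields $null for a missing key as well as a missing value name
        $item      = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $actual    = if ($null -ne $item) { $item.($c.Name) } else { $null }
        $effective = if ($null -eq $actual) { $c.Default } else { [int]$actual }
        $hive      = if ($c.Key -like '*Wow6432Node*') { '32-bit .NET' }
                     elseif ($c.Key -like '*SCHANNEL*') { 'SCHANNEL' }
                     else { '64-bit .NET' }
        $shown     = if ($null -eq $actual) { '(absent)' } else { $actual }
        [pscustomobject]@{
            Hive      = $hive
            Value     = $c.Name
            Actual    = $shown
            Effective = $effective
            Pass      = ($effective -eq $c.Expected)
        }
    }
}

# Any False in the Pass column is a value to set before trusting the connectivity tests above
Test-SPTls12Readiness | Format-Table -AutoSize
```

Run it on every server in the farm, not just the one hosting Central Administration; the timer service and web front ends each make their own outbound TLS connections.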
Hybrid Picker Re-Run Checklist
Sometimes the most efficient path is to re-run the Microsoft Support-recommended Hybrid Picker tool. Before you do, make sure your account has Global Administrator in Microsoft 365, Farm Administrator rights on-premises, and shell access on the Central Admin server. The Hybrid Picker sits at SharePoint Admin Center → Settings → Configure hybrid. Run it and specifically re-enable "Hybrid Sites Features" and "Hybrid Taxonomy and Content Types"; these are the features that power hybrid TOC navigation.
When to Escalate to Microsoft Support
Open a ticket with Microsoft Support when you hit AADSTS error codes you can't resolve through app principal re-registration, when your farm is on a SharePoint Server 2016 RTM build (no service packs applied) and hybrid features simply never worked, or when you suspect your Azure AD tenant has a broken trust configuration that requires Microsoft backend access to fix. Include your correlation IDs, ULS log snippets, and the output of Get-SPTrustedSecurityTokenIssuer; that gives them an instant head start.
Enterprise Reverse Proxy Fixes
If your hybrid deployment routes through a reverse proxy (F5 BIG-IP, Citrix ADC, Azure App Proxy, or Web Application Proxy on Windows Server), SSL offloading is a major cause of hybrid TOC failures. The proxy terminates SSL and re-encrypts traffic, which can strip or modify the Authorization Bearer token header that OAuth requires. Configure your reverse proxy to pass the Authorization, X-FORMS_BASED_AUTH_ACCEPTED, and MicrosoftSharePointTeamServices headers through untouched. On F5, this is a STREAM profile setting. On Citrix ADC, disable SSL rewrite policies for the SharePoint farm's VIPs and configure header preservation explicitly.