
How to Troubleshoot Missing Search Item Results Crawled by the Cloud Hybrid Search Service Application


While working on a large Cloud Hybrid Search implementation for one of our enterprise customers, we ran into an issue where users couldn't find certain items and documents when submitting search queries from SharePoint Online!! We confirmed the users had permissions to these items on the on-premises SharePoint farms, and we also confirmed, by reviewing the search crawl logs, that these individual missing documents had been crawled successfully by the Cloud Hybrid Search Service Application, yet those items still didn't show up when querying from the search center on SharePoint Online!!

One fact to point out is, when reviewing the crawl logs for the Cloud Hybrid Search Service Application, if an item shows as successfully crawled, then it is. Meaning, we do send an acknowledgement back to the Hybrid Search Service when the item has successfully been added to the SPO index.

The best method to confirm the item is actually in the SPO index is to use Content Search (FKA Compliance Search) through the Security and Compliance Center. That is because the way queries are handled by eDiscovery or Compliance Search is different from just submitting them through the regular search center. We were indeed able to see the missing documents/items through Compliance Search. This confirms the items are for sure in the SPO index; however, users still couldn't find them through the search center.

It became obvious at this point that we were dealing with a security trimming issue. Working with my colleague Manas Biswas, we dumped the ACLs for some of these items and found two issues:

  1. An Active Directory group securing some of the items had not been synced to Azure AD through the AD Connect tool. To solve this issue, we instructed the customer to make changes to their sync process and make sure the AD group is synced.
  2. Some other items were secured by a Web Application Policy using an AD group that had been synced. This one was a little challenging, as you would assume that since the AD group is synced we shouldn't have an issue, right!! Well, because the users have permissions to the documents through a Web Application Policy on the on-prem farms, synchronizing the AD group was not enough. You still have to add the Active Directory group to the root site of the tenant with permissions similar to those given to it through the Web Application Policy on-prem.
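
One way to check both findings for a whole web application is sketched below. It is an added example, not the script used in the original engagement. It assumes a claims-mode web application, a farm server with the SharePoint snap-in and the Microsoft.Graph.Groups module installed, and a placeholder URL in `$WebAppUrl`.

```powershell
# Added example, not from the original post.
# Lists AD groups granted access through Web Application Policies and reports
# whether each one has a synced counterpart in Azure AD.
param(
    [string]$WebAppUrl = 'https://sharepoint.contoso.example'   # placeholder URL
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Connect-MgGraph -Scopes 'Group.Read.All' | Out-Null

$webApp = Get-SPWebApplication -Identity $WebAppUrl

$report = foreach ($policy in $webApp.Policies) {
    # In claims mode, Windows security groups are stored as SID claims:
    #   c:0+.w|s-1-5-21-...
    # Skip user entries and anything that is not a group SID claim.
    if ($policy.UserName -notmatch '^c:0\+\.w\|(?<sid>s-1-5-.+)$') { continue }
    $sid = $Matches['sid'].ToUpper()

    # A group synced by AD Connect carries its on-premises SID in Azure AD,
    # so an empty result means the group was never synced.
    $aadGroup = Get-MgGroup -Filter "onPremisesSecurityIdentifier eq '$sid'"

    [pscustomobject]@{
        PolicyDisplayName = $policy.DisplayName
        Roles             = ($policy.PolicyRoleBindings | ForEach-Object Name) -join ', '
        OnPremSid         = $sid
        SyncedToAzureAD   = [bool]$aadGroup
        AzureADObjectId   = $aadGroup.Id
    }
}

# Unsynced groups sort first.
$report | Sort-Object SyncedToAzureAD | Format-Table -AutoSize
```

Rows with `SyncedToAzureAD` set to `False` correspond to the first issue. Rows set to `True` are the groups that, per the second issue, still need matching permissions on the root site of the tenant.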

Hope this helps anyone who runs into these issues.

Happy SharePointing :)

Sammy Kailini | Premier Field Engineer | Microsoft

