Anavem
EnglishFrancais
Anavem
Languagefr
How to Clean Up Certificates from Office 365 Exchange Online Hybrid Application

How to Clean Up Certificates from Office 365 Exchange Online Hybrid Application

Remove outdated certificates from Office 365 Exchange Online application using PowerShell scripts to secure your hybrid Exchange environment and prevent authentication issues.

Evan MaelEvan Mael
March 17, 2026 12 min
hardexchange-online 8 steps 12 min

Why Clean Up Office 365 Exchange Online Application Certificates?

In hybrid Exchange environments, certificate accumulation in the Office 365 Exchange Online application is a common security and maintenance issue. Each time you run the Hybrid Configuration Wizard or update certificates, new certificate credentials get added to the shared Exchange Online service principal, but old ones rarely get removed automatically.

This certificate buildup creates several problems: increased attack surface from expired certificates, confusion during troubleshooting, and potential authentication conflicts. With Microsoft's deprecation of the Credential parameter in Exchange Online PowerShell (effective June 2026), proper certificate management has become even more critical for hybrid deployments.

What Certificate Types Need Regular Cleanup?

The Exchange Online application typically accumulates three types of certificates: OAuth authentication certificates used for server-to-server communication, legacy S2S token certificates from older hybrid configurations, and expired certificates from previous Hybrid Configuration Wizard runs. Each serves a specific purpose, but expired or unused certificates should be removed to maintain security hygiene.

The ConfigureExchangeHybridApplication.ps1 script, available from Microsoft's CSS-Exchange repository, provides the safest method to identify and remove these certificate credentials. This PowerShell script directly interacts with Azure AD to manage the Exchange Online service principal's certificate store, ensuring proper cleanup without disrupting active hybrid services.

Implementation Guide

Full Procedure

01

Connect to Exchange Online PowerShell with Certificate Authentication

Since Microsoft deprecated the Credential parameter in Exchange Online PowerShell versions released after June 2026, we'll use certificate-based authentication. First, connect to Exchange Online using your application certificate.

Import-Module ExchangeOnlineManagement

# Connect using certificate-based authentication
Connect-ExchangeOnline -CertificateThumbprint "YOUR_CERT_THUMBPRINT" -AppId "YOUR_APP_ID" -Organization "yourtenant.onmicrosoft.com"

Replace YOUR_CERT_THUMBPRINT with your certificate's thumbprint and YOUR_APP_ID with your registered application ID.

Pro tip: Use Get-ChildItem Cert:\CurrentUser\My to list available certificates and their thumbprints if you're unsure which certificate to use.

Verification: Run Get-OrganizationConfig | Select-Object Name to confirm successful connection.

02

Identify Current Certificates in the Exchange Online Application

Before removing certificates, identify which certificates are currently registered with the Office 365 Exchange Online application. We'll examine the service principal to see all associated certificates.

# Connect to Azure AD PowerShell
Connect-AzureAD

# Find the Exchange Online service principal
$ExchangeOnlineSP = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Exchange Online'"

# List all certificates associated with the service principal
$ExchangeOnlineSP.KeyCredentials | Select-Object KeyId, Type, Usage, StartDate, EndDate | Format-Table -AutoSize

This command displays all certificates, including their KeyId (which we'll need for removal), expiration dates, and usage types.

Warning: Never remove certificates that are still within their valid date range and actively used by services. Always verify certificate usage before removal.

Verification: Note down the KeyId values of expired or unused certificates that need removal.

03

Download and Prepare the ConfigureExchangeHybridApplication.ps1 Script

Microsoft provides the ConfigureExchangeHybridApplication.ps1 script to manage certificates in hybrid environments. Download this script from the official Microsoft repository.

# Create a working directory
New-Item -ItemType Directory -Path "C:\ExchangeHybridScripts" -Force
Set-Location "C:\ExchangeHybridScripts"

# Download the script (replace with current Microsoft URL)
Invoke-WebRequest -Uri "https://github.com/microsoft/CSS-Exchange/raw/main/Hybrid/ConfigureExchangeHybridApplication.ps1" -OutFile "ConfigureExchangeHybridApplication.ps1"

# Verify the script downloaded successfully
Get-ChildItem -Name "ConfigureExchangeHybridApplication.ps1"

The script should be approximately 15-20KB in size. If the download fails, check your internet connection and ensure the URL is current.

Verification: Run Get-FileHash .\ConfigureExchangeHybridApplication.ps1 -Algorithm SHA256 to verify file integrity.

04

Run the Script to List Current Certificate Credentials

Before making any changes, use the script to audit current certificate credentials in the Exchange Online application. This provides a baseline of what certificates exist.

# Set execution policy if needed
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# Run the script in audit mode to list current certificates
.\ConfigureExchangeHybridApplication.ps1 -ListCredentials

# Alternative: Run with specific tenant information
.\ConfigureExchangeHybridApplication.ps1 -TenantId "your-tenant-id" -ListCredentials

The script will display all certificate credentials currently associated with the Exchange Online application, including their creation dates, expiration dates, and key identifiers.

Pro tip: Pipe the output to a text file for record-keeping: .\ConfigureExchangeHybridApplication.ps1 -ListCredentials | Out-File "certificates-before-cleanup.txt"

Verification: Review the output to identify which certificates are expired or no longer needed.

05

Remove Specific Certificate Credentials from Exchange Online Application

Now remove the identified outdated certificates using the script. You'll need the KeyId values from the previous step.

# Remove a specific certificate by KeyId
.\ConfigureExchangeHybridApplication.ps1 -RemoveCredential -KeyId "12345678-1234-1234-1234-123456789012"

# Remove multiple certificates (replace with actual KeyIds)
$CertsToRemove = @(
    "12345678-1234-1234-1234-123456789012",
    "87654321-4321-4321-4321-210987654321"
)

foreach ($KeyId in $CertsToRemove) {
    Write-Host "Removing certificate with KeyId: $KeyId"
    .\ConfigureExchangeHybridApplication.ps1 -RemoveCredential -KeyId $KeyId
    Start-Sleep -Seconds 2
}

The script will connect to Azure AD, locate the Exchange Online service principal, and remove the specified certificate credentials.

Warning: Removing active certificates can break hybrid connectivity. Only remove certificates you've confirmed are no longer in use.

Verification: Run the script with -ListCredentials again to confirm the certificates were removed.

06

Clean Up On-Premises Exchange Server Certificates

Remove corresponding certificates from your on-premises Exchange servers. Connect to Exchange Management Shell on your hybrid server.

# Open Exchange Management Shell and list current certificates
Get-ExchangeCertificate | Where-Object {$_.Status -eq "Valid"} | Select-Object Thumbprint, Subject, NotAfter, Services

# Remove expired certificates (replace thumbprint with actual values)
$ExpiredCerts = Get-ExchangeCertificate | Where-Object {$_.NotAfter -lt (Get-Date)}

foreach ($Cert in $ExpiredCerts) {
    Write-Host "Removing expired certificate: $($Cert.Subject)"
    Remove-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Confirm:$false
}

# Remove specific certificate by thumbprint
Remove-ExchangeCertificate -Thumbprint "A1B2C3D4E5F6789012345678901234567890ABCD" -Confirm:$false

This removes certificates from the local certificate store on your Exchange server.

Verification: Run Get-ExchangeCertificate to confirm the certificates are no longer listed.

07

Test Hybrid Connectivity After Certificate Cleanup

After removing certificates, test your hybrid configuration to ensure mail flow and other hybrid features still work correctly.

# Test hybrid connectivity from Exchange Online
Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer "your-hybrid-server.domain.com" -Credentials (Get-Credential)

# Test mail flow from on-premises
Test-MailFlow -TargetEmailAddress "testuser@yourdomain.com" -TargetDatabase "Mailbox Database 01"

# Check hybrid configuration status
Get-HybridConfiguration | Select-Object *Domain*, *Certificate*

# Verify OAuth authentication is working
Test-OAuthConnectivity -Service EWS -TargetUri "https://outlook.office365.com/ews/exchange.asmx" -Mailbox "testuser@yourdomain.com"

These tests verify that certificate removal hasn't broken your hybrid deployment.

Pro tip: Run these tests during a maintenance window when mail flow interruption would have minimal impact.

Verification: All tests should return successful results. If any fail, check certificate configurations and hybrid settings.

08

Update Certificate Monitoring and Documentation

Document the certificate cleanup and establish monitoring to prevent future certificate accumulation issues.

# Create a certificate monitoring script
$MonitoringScript = @'
# Certificate monitoring script - save as Monitor-HybridCertificates.ps1
Connect-ExchangeOnline -CertificateThumbprint "YOUR_CERT_THUMBPRINT" -AppId "YOUR_APP_ID" -Organization "yourtenant.onmicrosoft.com"
Connect-AzureAD

$ExchangeOnlineSP = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Exchange Online'"
$ExpiringCerts = $ExchangeOnlineSP.KeyCredentials | Where-Object {$_.EndDate -lt (Get-Date).AddDays(30)}

if ($ExpiringCerts) {
    Write-Warning "Found $($ExpiringCerts.Count) certificates expiring within 30 days"
    $ExpiringCerts | Select-Object KeyId, EndDate | Format-Table
}
'@

$MonitoringScript | Out-File "Monitor-HybridCertificates.ps1"

# Create documentation of current state
$Documentation = @"
Certificate Cleanup Completed: $(Get-Date)
Certificates Removed: $($CertsToRemove.Count)
Next Review Date: $((Get-Date).AddMonths(3).ToString('yyyy-MM-dd'))
"@

$Documentation | Out-File "Certificate-Cleanup-Log.txt" -Append

This creates a monitoring script you can run monthly to check for expiring certificates.

Verification: Schedule the monitoring script to run monthly via Task Scheduler or your preferred automation platform.

Frequently Asked Questions

What happens if I remove an active certificate from Exchange Online application?+
Removing an active certificate will immediately break hybrid connectivity and authentication between your on-premises Exchange and Office 365. Mail flow will stop, and users may lose access to shared calendars and other hybrid features. Always verify certificates are expired or unused before removal, and test connectivity after any certificate changes.
How often should I clean up certificates in Exchange Online hybrid environments?+
Microsoft recommends reviewing certificates quarterly and removing expired ones immediately. Set up automated monitoring to alert you 30 days before certificate expiration. After running the Hybrid Configuration Wizard, always audit and remove old certificates within a week to prevent accumulation.
Can I use the old Credential parameter instead of certificate authentication in 2026?+
No, Microsoft deprecated the Credential parameter in Exchange Online PowerShell versions released after June 2026. You must migrate to certificate-based authentication using the client credentials flow. This change affects all automated scripts and requires updating your authentication methods before the deprecation takes effect.
What's the difference between removing certificates from Exchange Online vs on-premises Exchange?+
Exchange Online certificate removal affects the Azure AD service principal and impacts cloud-side authentication, while on-premises removal affects local certificate stores and server-side authentication. Both are necessary for complete cleanup. Use the ConfigureExchangeHybridApplication.ps1 script for Exchange Online and Remove-ExchangeCertificate cmdlet for on-premises servers.
How do I recover if I accidentally remove the wrong certificate from Exchange Online?+
If you remove an active certificate, immediately re-run the Hybrid Configuration Wizard to restore connectivity. The wizard will create new certificates and re-establish authentication. For faster recovery, you can manually upload a valid certificate to the Exchange Online service principal using Azure AD PowerShell, but this requires the certificate's private key and proper configuration.
Evan Mael
Written by

Evan Mael

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#exchange-online#hybrid-exchange#certificate-management

Further Intelligence

Deepen your knowledge with related resources

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It
tutorial
Windows

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It

Deep Dive
How to Deploy Network Locations via Group Policy in Windows Server 2025
tutorial
Networking

How to Deploy Network Locations via Group Policy in Windows Server 2025

Deep Dive
How to Configure Default Inbound Action for Public Profile in Windows Defender
tutorial
Cybersecurity

How to Configure Default Inbound Action for Public Profile in Windows Defender

Deep Dive

Discussion

Share your thoughts and insights

Sign in to join the discussion

Sign inCreate account