If you have run the Hybrid Configuration Wizard in your organization, it’s strongly recommended that you remove any custom certificates from the shared “Office 365 Exchange Online” application. This will harden your environment. In this article, you will learn how to clean up certificates from the Office 365 Exchange Online application.
Service Principal clean up
If the organization ever ran and completed the Hybrid Configuration Wizard (HCW) or configured OAuth authentication between Exchange and Exchange Online organizations, the Auth Certificate from your Exchange organization was uploaded to the first-party Service Principal.
This practice is no longer recommended and should not be performed. The Auth Certificate must now be uploaded exclusively to the dedicated Exchange hybrid application. Everything is now integrated into the new Hybrid Configuration Wizard tool.
After running the latest Hybrid Configuration Wizard and ensuring all your Exchange servers are running an Exchange build that supports this feature, you must run the cleanup.
The dedicated Exchange hybrid application feature is supported starting with the following Exchange Server builds:
| Version | Build number |
|---|---|
| Exchange Server SE RTM | 15.2.2562.17 |
| Exchange Server 2019 CU15 with April 2025 HU | 15.2.1748.24 |
| Exchange Server 2019 CU14 with April 2025 HU | 15.2.1544.25 |
| Exchange Server 2016 CU23 with April 2025 HU | 15.1.2507.55 |
Note: This also applies if you have already removed your Exchange Server but previously ran the Hybrid Configuration Wizard within the organization.
Running the script in cleanup mode does not require a specific version of Exchange Server on-premises; you can run it in cleanup mode regardless of your Exchange Server version, and even on a computer that is not an Exchange Server.
Important: It’s strongly recommended that you use the provided script to remove any custom certificates from the shared “Office 365 Exchange Online” application.
Step 1. Download Configure Exchange Hybrid Application PowerShell script
- Download ConfigureExchangeHybridApplication.ps1 PowerShell script
- Save it to the C:\scripts folder
Ensure the file is unblocked to prevent errors when running the script. Read more in the article Not digitally signed error when running PowerShell script.
Step 2. Delete all certificates of Office 365 Exchange Online application
The script will delete all certificates of the Office 365 Exchange Online first-party application’s Service Principal. This action ensures that any outdated or unnecessary certificates are removed, maintaining the security and integrity of the application. Use this syntax when you need to clean up the keyCredentials of the first-party Service Principal.
- Run the command below
C:\scripts\ConfigureExchangeHybridApplication.ps1 -ResetFirstPartyServicePrincipalKeyCredentials
- Confirm with Y
- Sign in with your global administrator credentials
- Verify that the operation is successfully performed
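To confirm the result independently of the script's own output, the following added check (not part of ConfigureExchangeHybridApplication.ps1) reads the keyCredentials of the "Office 365 Exchange Online" Service Principal with the Microsoft Graph PowerShell SDK and lists anything still present. It assumes the Microsoft.Graph module is installed, that the signed-in account can consent to the read-only Application.Read.All scope, and that the well-known appId below identifies the first-party application in your tenant.

```powershell
# Added verification example; not part of the Microsoft script above.
# Assumption: Microsoft.Graph PowerShell SDK is installed (Install-Module Microsoft.Graph).
# Well-known appId of the first-party "Office 365 Exchange Online" application.
$ExoAppId = '00000002-0000-0ff1-ce00-000000000000'

# Read-only scope is enough: this check only lists, the cleanup is done by the script.
Connect-MgGraph -Scopes 'Application.Read.All'

$sp = Get-MgServicePrincipal -Filter "appId eq '$ExoAppId'" `
                             -Property 'id,displayName,keyCredentials'
if (-not $sp) {
    throw "Service principal for appId $ExoAppId was not found in this tenant."
}

$keys = @($sp.KeyCredentials)
if ($keys.Count -eq 0) {
    Write-Host "OK: '$($sp.DisplayName)' has no keyCredentials; cleanup is complete."
    return
}

# The application object itself lives in Microsoft's tenant, so any keyCredential on
# this tenant's service principal was uploaded here (for example by an earlier HCW or
# OAuth run). Treat every remaining entry as a leftover to investigate.
Write-Warning "$($keys.Count) keyCredential(s) still present on '$($sp.DisplayName)':"
$now = Get-Date
$keys | ForEach-Object {
    # CustomKeyIdentifier is the certificate thumbprint; the SDK exposes it as bytes.
    $ckid = $_.CustomKeyIdentifier
    $thumb = if ($ckid -is [byte[]]) { ([System.BitConverter]::ToString($ckid)) -replace '-', '' } else { $ckid }
    [pscustomobject]@{
        KeyId      = $_.KeyId
        Thumbprint = $thumb
        Type       = $_.Type
        Usage      = $_.Usage
        StartDate  = $_.StartDateTime
        EndDate    = $_.EndDateTime
        Expired    = ($_.EndDateTime -lt $now)
    }
} | Format-Table -AutoSize
```

Re-run the script in cleanup mode if anything is listed, then run this check again; an expired entry is still a leftover and should not remain.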
That’s it!
Read more: Renew certificate in Exchange Hybrid »
Conclusion
You learned how to clean up certificates from the Office 365 Exchange Online application. It’s strongly recommended to run this script on every organization that has previously run the Hybrid Configuration Wizard to remove any leftover certificates and harden your environment. If no certificates were found, no action will be taken.