In Microsoft 365, how to remove an invalid S/MIME configuration

Serge Caron 25 Reputation points
2026-02-27T14:17:33.1666667+00:00

I have a user in a tenant migrated from an On Premises Exchange 2016 that has invalid entries in his mailbox configuration.

How do I remove the certificates (UserSMimeCertificate, UserCertificate) in this mailbox?

For a healthy mailbox I have:

    PS C:\Users\ThisUser> Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop
    PS C:\Users\ThisUser> Get-MailBox ThisUser | fl *user*

    ExchangeUserAccountControl : None
    UserPrincipalName          : ******@thisdomain.tld
    UserSMimeCertificate       : {}
    UserCertificate            : {}
    IsAgenticUser              : False
    UserIdentityParent         :

I don't see an interface in Exchange 365 where I can remove the obsolete certificates in my target user.


1 answer

  1. Q&A Assist
    2026-02-27T14:17:45.5833333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Use Exchange PowerShell to clear those attributes; there is no GUI in Exchange Online for this.

    1. Connect to Exchange Online:
         Connect-ExchangeOnline -ShowBanner:$false
      
    2. To clear S/MIME certificates on a mailbox (UserSMimeCertificate / UserCertificate):
         Set-Mailbox -Identity "ThisUser" -UserSMimeCertificate $null -UserCertificate $null
      
      This sets both multi-valued properties to empty, matching the healthy mailbox output where they show as {}.
    3. If the object is a mail user (no mailbox, only mail-enabled user), use Set-MailUser instead:
         Set-MailUser -Identity "ThisUser" -UserSMimeCertificate $null -UserCertificate $null
      
    4. Verify the result:
         Get-Mailbox "ThisUser" | fl *user*
      
      or, for a mail user:
         Get-MailUser "ThisUser" | fl *user*
      
      The UserSMimeCertificate and UserCertificate fields should now be empty ({}).

    If there are related per-mailbox user configuration items that are corrupted (for example, S/MIME-related user configuration objects), they can be removed and will be recreated automatically when the feature is used again:

    Remove-MailboxUserConfiguration -Identity "<ConfigName>" -Mailbox "ThisUser"
    

    Use Get-MailboxUserConfiguration first (not shown in context) to discover the exact configuration names to remove.


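The clear-and-verify steps from the answer above, wrapped in one function that first saves the current values to disk. This is an added example, not part of the original answer or of Microsoft's documentation. The function name `Clear-StaleSmimeCert` and the backup directory are hypothetical, and the decode step assumes each `UserCertificate` value is returned as DER bytes.

```powershell
# Added example, not from the original answer. Needs an existing
# Connect-ExchangeOnline session. Function name and $BackupDir are hypothetical.
function Clear-StaleSmimeCert {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$BackupDir = (Join-Path $env:TEMP 'smime-backup')
    )

    # Step 2 vs. step 3 of the answer: pick the cmdlet pair by recipient type.
    $recipient = Get-Recipient -Identity $Identity -ErrorAction Stop
    switch ($recipient.RecipientType) {
        'UserMailbox' { $get = 'Get-Mailbox';  $set = 'Set-Mailbox' }
        'MailUser'    { $get = 'Get-MailUser'; $set = 'Set-MailUser' }
        default       { throw "Unsupported recipient type: $($recipient.RecipientType)" }
    }
    $before = & $get -Identity $Identity |
        Select-Object UserPrincipalName, UserCertificate, UserSMimeCertificate

    # Save what is stored now so the change can be reviewed or reverted.
    # -WhatIf:$false keeps the backup even when the function runs with -WhatIf.
    New-Item -ItemType Directory -Path $BackupDir -Force -WhatIf:$false | Out-Null
    $file = Join-Path $BackupDir "$($recipient.Alias)-$(Get-Date -Format 'yyyyMMdd-HHmmss').xml"
    $before | Export-Clixml -Path $file -Depth 5 -WhatIf:$false

    # Best-effort decode (assumption: values are DER-encoded byte arrays).
    $before.UserCertificate | Where-Object { $null -ne $_ } | ForEach-Object {
        try {
            $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$_)
            Write-Host "UserCertificate $($c.Thumbprint) expires $($c.NotAfter)"
        } catch {
            Write-Warning 'UserCertificate entry could not be parsed as a certificate'
        }
    }

    if ($PSCmdlet.ShouldProcess($Identity, 'Clear UserCertificate and UserSMimeCertificate')) {
        & $set -Identity $Identity -UserSMimeCertificate $null -UserCertificate $null
    }

    # Step 4: report how many values remain in each attribute.
    $after = & $get -Identity $Identity
    [pscustomobject]@{
        Identity             = $Identity
        Backup               = $file
        UserCertificate      = @($after.UserCertificate | Where-Object { $null -ne $_ }).Count
        UserSMimeCertificate = @($after.UserSMimeCertificate | Where-Object { $null -ne $_ }).Count
    }
}
```

Running `Clear-StaleSmimeCert -Identity ThisUser -WhatIf` writes the backup and lists the decoded entries without changing the mailbox; without `-WhatIf`, both counts in the returned object should be 0.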
