Important notice about certificate expiration if you have an Exchange 2013 hybrid deployment with Office 365

If you're running Exchange Server 2013 and you've set up a hybrid deployment with Office 365, this article contains important information that might affect you. Please review this information and take any necessary action before April 15, 2016.

On April 15, 2016, the Office 365 Transport Layer Security (TLS) certificate will be renewed. This certificate is used by Office 365 to provide TLS encryption between Office 365 and external Simple Mail Transfer Protocol (SMTP) servers. The new certificate, which will help improve the security of mail that's sent to and from Office 365, will be issued by a new certification authority, and it will have a new Issuer and Subject.

Note This applies only to Exchange 2013. It doesn't affect on-premises Exchange servers that are running Exchange 2010.

This change may stop hybrid mail flow between Office 365 and your on-premises Exchange servers if one of the following conditions applies to you:
  • Your on-premises Exchange servers are running Exchange 2013 Cumulative Update 8 (CU8) or earlier.
  • You've upgraded the Exchange 2013 servers that handle hybrid mail flow to Exchange 2013 Cumulative Update 9 (CU9) or later. However, after upgrading to Exchange 2013 CU9, you have not rerun the Hybrid Configuration Wizard (either from the Exchange admin center or through the direct download link at

If one of these conditions applies to your organization, hybrid mail flow between Office 365 and your organization will stop working after April 15, 2016 unless you complete the steps in this article.

Note This only affects hybrid mail flow. Regular mail flow and TLS encryption are not affected.

How to keep hybrid mail flowing

To keep hybrid mail flowing, use one of the following methods. You must complete these steps before April 15, 2016.

Method 1: Let the Office 365 Hybrid Configuration Wizard do it for you

Use the Office 365 Hybrid Configuration Wizard (HCW) to configure the Exchange 2013 servers to work with the new TLS certificate. To do this, follow these steps:
  1. If the Exchange 2013 servers that are handling hybrid mail flow are running Exchange 2013 Cumulative Update 8 (CU8) or earlier, follow the instructions at Updates for Exchange 2013 to install the latest cumulative update on at least one server.
  2. After you install the latest cumulative update, download the Office 365 Hybrid Configuration Wizard from, and then run it by following the instructions at Introducing the Microsoft Office 365 Hybrid Configuration Wizard.
For information about the releases of Exchange that are supported in Office 365, see Hybrid deployment prerequisites.

Method 2: Manually configure the servers

If you can't upgrade Exchange 2013 to the latest cumulative update now (as a reminder, see the support policy), you can manually configure the servers to work with the new TLS certificate.

To do this, on each Exchange 2013 server that's used for hybrid mail flow, open the Exchange Management Shell, and then run the following commands:
# Find the Receive connectors whose TlsDomainCapabilities still reference the old certificate issuer
$rc = Get-ReceiveConnector | where {$_.TlsDomainCapabilities -like "*MSIT Machine Auth CA 2*"}
# Clear the issuer-specific TLS domain capability on each of those connectors
$rc | foreach {Set-ReceiveConnector -Identity $_.Identity -TlsDomainCapabilities ""}
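Before running Method 2 for real, an administrator usually wants to see which Exchange 2013 servers and connectors are actually affected and preview the change. The following audit script is an added example, not part of the Microsoft article; it assumes the Exchange Management Shell cmdlets Get-ExchangeServer, Get-ReceiveConnector and Set-ReceiveConnector, and its -Apply switch is a parameter of this script only.

```powershell
# Added example (not from the KB article): audit hybrid Receive connectors for the legacy
# issuer string and preview (or, with -Apply, perform) the Method 2 change.
param(
    [switch]$Apply   # hypothetical script switch: without it, only report and -WhatIf
)

# The issuer string the article tells you to match in TlsDomainCapabilities.
$legacyIssuer = "*MSIT Machine Auth CA 2*"

# Only Exchange 2013 (version 15.0) is affected. The build is shown so the admin can
# compare it with the CU level in the article (CU8 or earlier vs. CU9 or later).
$servers = Get-ExchangeServer |
    Where-Object { $_.AdminDisplayVersion.Major -eq 15 -and $_.AdminDisplayVersion.Minor -eq 0 }

foreach ($srv in $servers) {
    Write-Host ("{0}: {1}" -f $srv.Name, $srv.AdminDisplayVersion)

    # Connectors on this server that still carry the old issuer.
    $affected = Get-ReceiveConnector -Server $srv.Name |
        Where-Object { $_.TlsDomainCapabilities -like $legacyIssuer }

    if (-not $affected) {
        Write-Host "  no Receive connectors reference the legacy issuer"
        continue
    }

    foreach ($rc in $affected) {
        Write-Host ("  {0}: {1}" -f $rc.Identity, ($rc.TlsDomainCapabilities -join "; "))
        if ($Apply) {
            # Same change as the article's second command.
            Set-ReceiveConnector -Identity $rc.Identity -TlsDomainCapabilities ""
        } else {
            # Dry run: Set-ReceiveConnector supports the standard -WhatIf parameter.
            Set-ReceiveConnector -Identity $rc.Identity -TlsDomainCapabilities "" -WhatIf
        }
    }
}
```

Run it once without -Apply to confirm that only the connectors used for hybrid mail flow are listed, then again with -Apply on each affected server.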

Article ID: 3145044 - Last Review: 08/10/2016 05:14:00 - Revision: 27.0

Microsoft Exchange Online, Microsoft Exchange Server 2013 Enterprise
