Sync user certificates to Office 365 for S/MIME

Before anyone can send S/MIME-protected messages in Exchange Online, the appropriate certificates must be set up. To send encrypted messages through Exchange Online, the sender's email app uses the public certificate of the recipient to encrypt the message. This public X.509 certificate has to be published to Office 365.

To sync certificates that support S/MIME

Begin setting up S/MIME by issuing certificates and publishing them in your local Active Directory Domain Services. For more information, see Active Directory Certificate Services Overview.

After your certificates are published, use the Azure AD Connect tool to synchronize user data from your on-premises Exchange environment to Office 365. For more information on this process, see Azure AD Connect sync: Understand and customize synchronization.

Along with synchronizing other directory data, for S/MIME purposes, the tool will synchronize the userCertificate and userSMIMECertificate attributes for each user object so the data can be used to sign and encrypt messages.
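
A pre-sync check of the two attributes named above, as an added example that is not part of the original article or Microsoft's tooling. It assumes the RSAT ActiveDirectory module, read access to the directory, and that only mail-enabled users are in scope; the status labels are hypothetical names chosen for this report.

```powershell
# Added example: audit on-premises AD before Azure AD Connect syncs certificates.
Import-Module ActiveDirectory   # assumption: RSAT ActiveDirectory module is installed

$emailProtection = '1.3.6.1.5.5.7.3.4'   # Secure Email (id-kp-emailProtection) EKU OID
$now = Get-Date

# Assumption: mail-enabled users only; add -SearchBase to limit this to the synced OUs.
$users = Get-ADUser -Filter 'mail -like "*"' -Properties mail, userCertificate, userSMIMECertificate

$report = foreach ($u in $users) {
    $hasSmimeBlob = $u.userSMIMECertificate.Count -gt 0

    # Nothing published for this user: senders will have no public key to encrypt to.
    if ($u.userCertificate.Count -eq 0) {
        [pscustomobject]@{ User = $u.SamAccountName; Mail = $u.mail; Thumbprint = $null
                           NotAfter = $null; Status = 'NoCertificate'
                           HasUserSMIMECertificate = $hasSmimeBlob }
        continue
    }

    # userCertificate is multi-valued; each value is one DER-encoded X.509 certificate.
    foreach ($raw in $u.userCertificate) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        $certMail = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)

        # A certificate with no EKU extension is not restricted to specific purposes.
        $status = if ($cert.NotAfter -lt $now) { 'Expired' }
                  elseif ($cert.NotBefore -gt $now) { 'NotYetValid' }
                  elseif ($eku -and $ekuOids -notcontains $emailProtection) { 'NoSecureEmailEku' }
                  elseif ($certMail -ne $u.mail) { 'AddressMismatch' }
                  else { 'Ok' }

        [pscustomobject]@{ User = $u.SamAccountName; Mail = $u.mail
                           Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter
                           Status = $status; HasUserSMIMECertificate = $hasSmimeBlob }
    }
}

$report | Sort-Object Status, User | Format-Table -AutoSize
```

Rows other than Ok point at objects whose certificate data would be synchronized as-is; correct them in the local directory before running the sync.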

More Information

S/MIME for message signing and encryption

What is Azure AD Connect?