New feature in M365 to avoid email flow issues

I do remember in the past, when I started having issues with email been rejected, obviously we got a spike on tickets because this problem was affecting the whole company. After checking the NDR (Non-delivery report) and different workarounds, I realize that a certificate for exchange has expired.

There are different approaches to identify whether a certificate is about to expire; in this article, you can find how to use PowerShell to identify proactively if a certificate will expire in a period of time, in my case, I use 30 days in advance, so this script is being executed on weekends. You have plenty of time to renew the certificate before you significantly impact all end users.

Another common issue that affects the email flow is when a domain name is about to expire; sometimes, we get a domain name only for a year, and then when this domain expires, Exchange can’t continue delivering email to those users that contain the specific domain in the email address.

It is common that a user has different SMTP addresses, because those accounts need to receive emails using other domains, the same approach as the certificate, you could create a PowerShell script to validate the expiration date using The Who is information for those domains.

The good news is that Microsoft 365 now has a solution that can help the administrators to proactively identify if a certificate or domain name that is part of the registered domains in M365 is about to expire; this feature is new, and you will be able to see this notification in the insight area.

Also, the administrator will receive an email with this notification. I believe that this is great for all the messaging administrators in the company, because if you are not proactive, there is a high risk of having a problem like everyone can’t send or receive emails, and the business impact could be huge.

Below you can see an example of the domain expiration. You can find this in the exchange ministration console on Office 365, in the inside tab. In the same way, you will find the information about the certificates here. Nonetheless, it is better to have a solution like PowerShell, this is the old school, and pretty much all the Administrators are familiar with this process.

Here you can see the domains that will expire soon

Thanks for reading.

Tony Gonzalez


How to check certificates expiration date using PowerShell

A best practice is having an automate process to check the certificates expiration date, let’s say 60 days before their expiration, in that way proactively you can start the process to request a new certificates, besides of your company request process this article will help you identify those certificates with expiration date before 60 days.

First things first, lets identify where the certificates are located. You can use this cmdlet in PowerShell to see how many containers you have:

PS C:\> Get-ChildItem -Path Cert:\*

At this point we will focus on the LocalMachine because in your servers the most important are the machine certificates.

 PS C:\> Get-ChildItem -Path Cert:\localmachine

As you can see in the list, we have the folder My, here we will find the certificates that we use for different applications, for example SQL, Exchange, Web, Skype for business, etc.

PS C:\> Get-ChildItem -Path Cert:\localmachine\my

And we get the list of certificates

You could use the Format-List option to see all details for these certificates as follow

As you can see in detail, we have the parameter NotAfter, this is the most important for us at this moment because it indicates the expiration date, so let’s get this information for these certificates.

PS C:\> Get-ChildItem -Path Cert:\localmachine\my | select NotAfter

With this line we will see only the expiration date for all certificates

Now let’s filter for the next 60 days using the Get-Date functions as follow

PS C:\> Get-ChildItem -Path Cert:\localmachine\my | ?{$_.NotAfter -lt (get-date).AddDays(60)}

If you remember, I had three certificates but only two have already expired or will expire.

If you want to see all details you can add the Format-List option at the end after a pipe “|”

PS C:\> Get-ChildItem -Path Cert:\localmachine\my | ?{$_.NotAfter -lt (get-date).AddDays(60)} | fl

From here you could automate this process and run every week and send the report to your team, also you can play with the different options to get only the expiration day, subject, Thumbprint, etc.

Thanks for reading

Invite me a beer!

Choose an amount


Your contribution is appreciated.