We had an issue with event ID 2004 being logged on our Exchange Servers, grumbling about a missing certificate.
Warning Observed
The following error is observed:
Log Name: Application
Source: MSExchange OAuth
Date: 07/07/2026 15:23:12
Event ID: 2004
Task Category: Configuration
Level: Warning
Keywords: Classic
User: N/A
Computer: server1.domain.com
Description:
Unable to find the certificate with thumbprint EF5BB74A1811B457429AE9DC78CEAF20581AE152 in the current computer or the certificate is missing private key. The certificate is needed to sign the outgoing token.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchange OAuth" />
<EventID Qualifiers="32772">2004</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>2</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2026-07-07T14:23:12.4546344Z" />
<EventRecordID>1920928</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>server1.domain.com</Computer>
<Security />
</System>
<EventData>
<Data>EF5BB74A1811B457429AE9DC78CEAF20581AE152</Data>
</EventData>
</Event>
Analysis
It seems to indicate that an expected certificate is missing. Running the “get-authconfig” gives this output, and we can see that the PreviousCertificateThumbprint

Confirm Current Certificate
Confirm that the “Current Certificate” exists and that it exists on all of the Exchange Servers, to do this run the following commands:
$thumb = (Get-AuthConfig).CurrentCertificateThumbprint
Get-ExchangeCertificate -Server server1 | Where-Object Thumbprint -eq $thumb | ft Thumbprint,HasPrivateKey,NotAfter -Auto
We check to see the certificate (current certificate) is present. It should be.
Confirm Previous Certificate
We can then confirm that the Previous Certificate is missing from all Exchange Servers, we already know this however because of the Event Log event being generated!
$prevthumb = (Get-AuthConfig).PreviousCertificateThumbprint
Get-ExchangeCertificate -Server server1 | Where-Object Thumbprint -eq $prevthumb | ft Thumbprint,HasPrivateKey,NotAfter -Auto
We should see nothing, there should be no entry shown, that shows it is not present on any of the Exchange Servers. Which means it can’t possibly be being used, therefore removal of the stale entry is safe.
Resolution
We have confirmed that the previous certificate the one highlighted is not physically present on any of the Exchange Servers, therefore we can remove the stale reference safely.

To remove this therefore we use:
Being this is a global configuration, we only need to run it once, we don’t need to run on each Exchange Server individually.
We can now see that the certificate has been removed:
[PS] C:\Windows\system32>get-authconfig
RunspaceId : 9ae12d86-0bba-4dd6-97aa-ab5ba3b47335
CurrentCertificateThumbprint : 28fe9d0e8a65adxxxxxxxxxxxxxb5373f1fca7
PreviousCertificateThumbprint :
NextCertificateThumbprint :
NextCertificateEffectiveDate :
ServiceName : 00000002-0000-0ff1-ce00-000000000000
Realm :
DeploymentId :
IssuerIdentifier :
Name : Auth Configuration
AdminDisplayName :
ExchangeVersion : 0.20 (15.0.0.0)
DistinguishedName : CN=Auth Configuration,CN=PLACE,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=internal,DC=DOMAIN,DC=COM
Identity : Auth Configuration
Guid : 2526943a-ba1f-4c0d-8d19-476c04a39274
ObjectCategory : DOMAIN.COM/Configuration/Schema/ms-Exch-Auth-Auth-Config
ObjectClass : {top, container, msExchContainer, msExchAuthAuthConfig}
WhenChanged : 16/10/2023 14:58:13
WhenCreated : 21/05/2018 14:46:36
WhenChangedUTC : 16/10/2023 13:58:13
WhenCreatedUTC : 21/05/2018 13:46:36
OrganizationId :
Id : Auth Configuration
OriginatingServer : MYDC.DOMAIN.COM
IsValid : True
ObjectState : Unchanged
You should now no longer see Event ID 2004 appear in the logs, because Exchange is no longer looking for the removed certificate.