SOLVED: What is MS-Organization-P2P-Access [2021] Certificate?

One of client had Logic Monitor kick off the following ticket:

Eventsource: Windows Exchange EventsWindows
Event ID: 25
Message: The Exchange certificate [Subject] CN=11f90176-4bca-4cec-90fa-2a7bdc7b5181
DC=88467e97-b67a-4906-983f-c201d2100bc8
[Issuer] CN=MS-Organization-P2P-Access [2021]
[Serial Number] 128616464061E8F328FAE2380BB88E82
[Not Before] 7/1/2022 5:46:40 PM
[Not After] 7/2/2022 5:51:40 PM
[Thumbprint] 8E1AA568E95C7BAE26E1BCEB8728E2D43D54DD21 will expire very soon on 7/2/2022 5:51:40 PM.

The certificate in question looks like:

What is a AD Service Principal “P2P Server” Certificate?

A MS-Organization-P2P-Access certificate is:

• valid for only 24 hours
• generated by Azure and issued to an on-premise server
• enables Azure AD credentials to be used in an RDP session

It only has a one day life because the MS-Organization-P2P-Access is not generally needed for longer. You will notice that is starts appearing in Windows logs after AD FS Device Registration has been enabled.

These MS-Organization-P2P-Access certificates are NOT automatically renewed when they expire; they are automatically replaced only when they are needed again.

You can safely ignore them and the fact that they are expiring.

Who Issues MS-Organization-P2P-Access Certificates?

Look in Local Computer\AAD Token Issuer\Certificates and you will see your own on-premise computer issues the MS-Organization-P2P-Access certificates.

The certs are issued to both the user and the computer so they are present in both:

• Local Computer\Personal\Certificates
• Current User\Personal\Certificates

---