SMIME not working in OWA

S/MIME in Exchange Online can be tricky because support differs between old Outlook, new Outlook, and OWA. Based on your setup, the main reason you see the “certificate is not trusted by this organization” error is that the new Outlook and OWA only trust certificates if the full issuing chain (root + intermediate) is published correctly in Exchange Online via Set-SmimeConfig and distributed to all clients. Old Outlook works locally because it uses the Windows certificate store, while OWA and new Outlook validate only against what is configured in Exchange Online.

To fix this, make sure the entire chain (root + intermediate CAs) is included in your .sst file and re-upload it with Set-SmimeConfig, then run Get-SmimeConfig to confirm. Also, every recipient’s certificate must be published to the GAL for cross-user encryption to work, including Mac users. At this point, OWA and new Outlook should recognize the certificates properly. If you still face issues, note that new Outlook has limited S/MIME support and Microsoft is gradually rolling it out, so in some cases old Outlook remains the only fully reliable client.