Azure Enterprise Applications - Configure Notification Email for all apps with SSO/SAML Configuration

howbs2002 106 Reputation points
2022-04-20T23:43:41.537+00:00

Hello,

Is there a way to configure the Notification Email Address for all Azure Enterprise Applications with an SSO/SAML Configuration?

We want an internal sysadmin distribution list notified of all expiring SAML certificates, but this DL was not historically added to most of the Enterprise Apps when they were added. A number of the Enterprise Apps have a specific employee email address set, and some of these employees have left the company.

We have a script to report on all the certs expiring within 30 days (shown below), so we are good there, we just don't want to have to update the email on every single Enterprise App manually.

The setting is located here: Microsoft Azure Home / Enterprise Applications / %App Name% / Single Sign On / SAML Signing Certificate / Notification Email Address

Thank you.

$daysOut = 30


#Main Script#
$doneID = ""
$countExpiring = 0

$allSAMLApps = Get-AzureADServicePrincipal -All $true | Where-Object {($_.Tags -contains "WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1") -or ($_.Tags -contains "WindowsAzureActiveDirectoryCustomSingleSignOnApplication")}

Write-Host "Looking for certs that expire by ((Get-Date).AddDays($daysOut))" -ForegroundColor Green
foreach ($singleApp in $allSAMLApps) {

    foreach ($KeyCredential in $singleApp.KeyCredentials) {

        if ( $KeyCredential.EndDate -lt (Get-Date).AddDays($daysOut) ) {
            if (($singleApp.ObjectId) -ne $doneID) {
                Write-Host " Name: " ($singleApp.DisplayName) " - Experation: " $KeyCredential.EndDate
                $doneID = ($singleApp.ObjectId)
                $countExpiring = $countExpiring + 1
            }
        }

    }

}

Write-Host "There are $countExpiring certs." -ForegroundColor Green 
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,449 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,444 questions
{count} votes

Accepted answer
  1. Siva-kumar-selvaraj 15,601 Reputation points
    2022-04-22T21:40:22.797+00:00

    Hello @howbs2002 ,

    Thanks for reaching out.

    You can either use Microsoft Graph PowerShell as detailed below or Graph API direct endpoint to set "notificationEmailAddresses" for Enterprise application SAML Signing Certificate.

    Detailed steps:

    Installation:
    Install Microsoft Graph PowerShell module using following cmdlet Install-Module Microsoft.Graph -Scope AllUsers

    Sign-in:
    Use the Connect-MgGraph command to sign in with the required scopes. Example: Connect-MgGraph -Scopes "Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All"

    Call Microsoft Graph:
    Use the Get-MgServicePrincipal command to get a list of enterprise application's NotificationEmailAddresses, and then create a custom script using your own logic to change email addresses based on conditions in the loop section using 'if' or 'foreach' conditions.

    Here are a few examples for your reference:

    List all Enterprise applications with NotificationEmailAddresses:
    Get-MgServicePrincipal -All |select Id, DisplayName, NotificationEmailAddresses

    Update single Enterprise application with new NotificationEmailAddresses:
    Update-MgServicePrincipal -ServicePrincipalId 25dbe63f-4386-4dca-8881-5eb3e8e966e9 -NotificationEmailAddresses siva6@ssiva.onmicrosoft.com

    Update all Enterprise applications with new NotificationEmailAddresses (Note The cmdlet below replaces all current email addresses for all applications.)
    Get-MgServicePrincipal -all |% {Update-MgServicePrincipal -ServicePrincipalId $_.id -NotificationEmailAddresses siva@ssiva.onmicrosoft.com}

    Hope this helps.

    -----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful