Azure Enterprise Applications - Configure Notification Email for all apps with SSO/SAML Configuration

howbs2002 111 Reputation points
2022-04-20T23:43:41.537+00:00

Hello,

Is there a way to configure the Notification Email Address for all Azure Enterprise Applications with an SSO/SAML Configuration?

We want an internal sysadmin distribution list notified of all expiring SAML certificates, but this DL was not historically added to most of the Enterprise Apps when they were added. A number of the Enterprise Apps have a specific employee email address set, and some of these employees have left the company.

We have a script to report on all the certs expiring within 30 days (shown below), so we are good there; we just don't want to have to update the email on every single Enterprise App manually.

The setting is located here: Microsoft Azure Home / Enterprise Applications / %App Name% / Single Sign On / SAML Signing Certificate / Notification Email Address

Thank you.

# Sign in with the AzureAD module before querying service principals
Connect-AzureAD

$daysOut = 30

#Main Script#
$doneID = ""
$countExpiring = 0

# Gallery (non-primary) and custom SSO apps are the ones with a SAML signing certificate
$allSAMLApps = Get-AzureADServicePrincipal -All $true | Where-Object {($_.Tags -contains "WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1") -or ($_.Tags -contains "WindowsAzureActiveDirectoryCustomSingleSignOnApplication")}

# The subexpression needs a leading $ to be expanded inside the string
Write-Host "Looking for certs that expire by $((Get-Date).AddDays($daysOut))" -ForegroundColor Green
foreach ($singleApp in $allSAMLApps) {

    foreach ($KeyCredential in $singleApp.KeyCredentials) {

        if ( $KeyCredential.EndDate -lt (Get-Date).AddDays($daysOut) ) {
            # Report each app only once, even if several of its credentials are expiring
            if (($singleApp.ObjectId) -ne $doneID) {
                Write-Host " Name: " ($singleApp.DisplayName) " - Expiration: " $KeyCredential.EndDate
                $doneID = ($singleApp.ObjectId)
                $countExpiring = $countExpiring + 1
            }
        }

    }

}

Write-Host "There are $countExpiring certs." -ForegroundColor Green
Windows for business | Windows Server | User experience | PowerShell
Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
    Siva-kumar-selvaraj 15,721 Reputation points
    2022-04-22T21:40:22.797+00:00

    Hello @howbs2002 ,

    Thanks for reaching out.

    You can either use Microsoft Graph PowerShell as detailed below or Graph API direct endpoint to set "notificationEmailAddresses" for Enterprise application SAML Signing Certificate.

    Detailed steps:

    Installation:
    Install the Microsoft Graph PowerShell module using the following cmdlet: Install-Module Microsoft.Graph -Scope AllUsers

    Sign-in:
    Use the Connect-MgGraph command to sign in with the required scopes. Example: Connect-MgGraph -Scopes "Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All"

    Call Microsoft Graph:
    Use the Get-MgServicePrincipal command to get a list of enterprise applications' NotificationEmailAddresses, and then create a custom script using your own logic to change email addresses based on conditions in the loop section using 'if' or 'foreach' conditions.

    Here are a few examples for your reference:

    List all Enterprise applications with NotificationEmailAddresses:
    Get-MgServicePrincipal -All | Select-Object Id, DisplayName, NotificationEmailAddresses

    Update single Enterprise application with new NotificationEmailAddresses:
    Update-MgServicePrincipal -ServicePrincipalId 25dbe63f-4386-4dca-8881-5eb3e8e966e9 -NotificationEmailAddresses ******@ssiva.onmicrosoft.com

    Update all Enterprise applications with new NotificationEmailAddresses (Note: the cmdlet below replaces all current email addresses for all applications.)
    Get-MgServicePrincipal -All | ForEach-Object {Update-MgServicePrincipal -ServicePrincipalId $_.Id -NotificationEmailAddresses ******@ssiva.onmicrosoft.com}

    Hope this helps.

    -----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    3 people found this answer helpful.
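A fuller version of the answer's third example, written here as an added script rather than code from the question, the answer or Microsoft: it limits the update to the SAML-tagged apps the question's own script targets, keeps each app's existing addresses except a removal list of departed employees, adds the DL once, and only calls Update-MgServicePrincipal when the list actually changes. The DL address, the removal list and the Application.ReadWrite.All scope are assumptions; it is a dry run unless -Apply is given.

```powershell
# Added example (not from the question or the answer). Assumed placeholder values below.
param(
    [string]   $NotificationDL  = 'sysadmin-dl@example.com',          # assumed DL address
    [string[]] $RemoveAddresses = @('former.employee@example.com'),   # assumed departed staff
    [switch]   $Apply                                                 # default is a dry run
)

# Application.ReadWrite.All is enough to read and update service principals,
# so it is narrower than the Directory.ReadWrite.All scope used in the answer.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

# Same tags the question's script uses to identify gallery SAML and custom SSO apps.
$samlTags = @(
    'WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1',
    'WindowsAzureActiveDirectoryCustomSingleSignOnApplication'
)

$samlApps = Get-MgServicePrincipal -All -Property Id,DisplayName,Tags,NotificationEmailAddresses |
    Where-Object { @($_.Tags | Where-Object { $samlTags -contains $_ }).Count -gt 0 }

$changed = 0
foreach ($app in $samlApps) {
    $current = @($app.NotificationEmailAddresses)

    # Drop departed employees, add the DL once, and de-duplicate (case-insensitive).
    $desired = @($current | Where-Object { $RemoveAddresses -notcontains $_ })
    if ($desired -notcontains $NotificationDL) { $desired += $NotificationDL }
    $desired = @($desired | Sort-Object -Unique)

    # Compare normalised lists so apps that are already correct are not rewritten
    # (fewer Graph writes and no spurious audit-log entries).
    $before = (@($current | Sort-Object -Unique)) -join ';'
    $after  = $desired -join ';'
    if ($before -eq $after) { continue }

    Write-Host ("{0}: [{1}] -> [{2}]" -f $app.DisplayName, ($current -join ','), ($desired -join ','))
    if ($Apply) {
        Update-MgServicePrincipal -ServicePrincipalId $app.Id -NotificationEmailAddresses $desired
    }
    $changed++
}

$mode = if ($Apply) { 'updated' } else { 'would be updated (re-run with -Apply)' }
Write-Host "$changed SAML apps $mode."
```

Run it once without -Apply to review the planned changes per app, then with -Apply to write them.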

0 additional answers
