question

howbs2002-5879 avatar image
0 Votes"
howbs2002-5879 asked howbs2002-5879 commented

Azure Enterprise Applications - Configure Notification Email for all apps with SSO/SAML Configuration

Hello,

Is there a way to configure the Notification Email Address for all Azure Enterprise Applications with an SSO/SAML Configuration?

We want an internal sysadmin distribution list notified of all expiring SAML certificates, but this DL was not historically added to most of the Enterprise Apps when they were added. A number of the Enterprise Apps have a specific employee email address set, and some of these employees have left the company.

We have a script to report on all the certs expiring within 30 days (shown below), so we are good there, we just don't want to have to update the email on every single Enterprise App manually.

The setting is located here: Microsoft Azure Home / Enterprise Applications / %App Name% / Single Sign On / SAML Signing Certificate / Notification Email Address

Thank you.

 $daysOut = 30
    
    
 #Main Script#
 $doneID = ""
 $countExpiring = 0
    
 $allSAMLApps = Get-AzureADServicePrincipal -All $true | Where-Object {($_.Tags -contains "WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1") -or ($_.Tags -contains "WindowsAzureActiveDirectoryCustomSingleSignOnApplication")}
    
 Write-Host "Looking for certs that expire by ((Get-Date).AddDays($daysOut))" -ForegroundColor Green
 foreach ($singleApp in $allSAMLApps) {
        
     foreach ($KeyCredential in $singleApp.KeyCredentials) {
            
         if ( $KeyCredential.EndDate -lt (Get-Date).AddDays($daysOut) ) {
             if (($singleApp.ObjectId) -ne $doneID) {
                 Write-Host " Name: " ($singleApp.DisplayName) " - Experation: " $KeyCredential.EndDate
                 $doneID = ($singleApp.ObjectId)
                 $countExpiring = $countExpiring + 1
             }
         }
    
     }
    
 }
    
 Write-Host "There are $countExpiring certs." -ForegroundColor Green
windows-server-powershellazure-ad-enterpriseapps
· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

sikumars-msft avatar image sikumars-msft ·

Hello @howbs2002-5879,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

0 Votes 0 ·

1 Answer

sikumars-msft avatar image
0 Votes"
sikumars-msft answered howbs2002-5879 commented

Hello @howbs2002-5879,

Thanks for reaching out.

You can either use Microsoft Graph PowerShell as detailed below or Graph API direct endpoint to set "notificationEmailAddresses" for Enterprise application SAML Signing Certificate.

Detailed steps:

Installation:
Install Microsoft Graph PowerShell module using following cmdlet Install-Module Microsoft.Graph -Scope AllUsers

Sign-in:
Use the Connect-MgGraph command to sign in with the required scopes. Example: Connect-MgGraph -Scopes "Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All"

Call Microsoft Graph:
Use the Get-MgServicePrincipal command to get a list of enterprise application's NotificationEmailAddresses, and then create a custom script using your own logic to change email addresses based on conditions in the loop section using 'if' or 'foreach' conditions.

Here are a few examples for your reference:

List all Enterprise applications with NotificationEmailAddresses:
Get-MgServicePrincipal -All |select Id, DisplayName, NotificationEmailAddresses

Update single Enterprise application with new NotificationEmailAddresses:
Update-MgServicePrincipal -ServicePrincipalId 25dbe63f-4386-4dca-8881-5eb3e8e966e9 -NotificationEmailAddresses siva6@ssiva.onmicrosoft.com

Update all Enterprise applications with new NotificationEmailAddresses (Note The cmdlet below replaces all current email addresses for all applications.)
Get-MgServicePrincipal -all |% {Update-MgServicePrincipal -ServicePrincipalId $_.id -NotificationEmailAddresses siva@ssiva.onmicrosoft.com}

Hope this helps.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

howbs2002-5879 avatar image howbs2002-5879 ·

Thank you.

0 Votes 0 ·