Azure Enterprise Applications - Configure Notification Email for all apps with SSO/SAML Configuration

howbs2002 106 Reputation points
2022-04-20T23:43:41.537+00:00

Hello,

Is there a way to configure the Notification Email Address for all Azure Enterprise Applications with an SSO/SAML Configuration?

We want an internal sysadmin distribution list notified of all expiring SAML certificates, but this DL was not historically added to most of the Enterprise Apps when they were added. A number of the Enterprise Apps have a specific employee email address set, and some of these employees have left the company.

We have a script to report on all the certs expiring within 30 days (shown below), so we are good there; we just don't want to have to update the email on every single Enterprise App manually.

The setting is located here: Microsoft Azure Home / Enterprise Applications / %App Name% / Single Sign On / SAML Signing Certificate / Notification Email Address

Thank you.

$daysOut = 30


#Main Script#
$doneID = ""
$countExpiring = 0

# SAML-enabled enterprise apps carry one of these two service principal tags
$allSAMLApps = Get-AzureADServicePrincipal -All $true | Where-Object {($_.Tags -contains "WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1") -or ($_.Tags -contains "WindowsAzureActiveDirectoryCustomSingleSignOnApplication")}

# $(...) is required so the date expression is evaluated inside the string
Write-Host "Looking for certs that expire by $((Get-Date).AddDays($daysOut))" -ForegroundColor Green
foreach ($singleApp in $allSAMLApps) {

    foreach ($KeyCredential in $singleApp.KeyCredentials) {

        if ( $KeyCredential.EndDate -lt (Get-Date).AddDays($daysOut) ) {
            # Report each app only once even if several of its certs are expiring
            if (($singleApp.ObjectId) -ne $doneID) {
                Write-Host " Name: " ($singleApp.DisplayName) " - Expiration: " $KeyCredential.EndDate
                $doneID = ($singleApp.ObjectId)
                $countExpiring = $countExpiring + 1
            }
        }

    }

}

Write-Host "There are $countExpiring certs." -ForegroundColor Green

Accepted answer
    Siva-kumar-selvaraj 15,551 Reputation points
    2022-04-22T21:40:22.797+00:00

    Hello @howbs2002 ,

    Thanks for reaching out.

    You can either use Microsoft Graph PowerShell as detailed below or the Graph API endpoint directly to set "notificationEmailAddresses" for an Enterprise application's SAML Signing Certificate.

    Detailed steps:

    Installation:
    Install the Microsoft Graph PowerShell module using the following cmdlet: Install-Module Microsoft.Graph -Scope AllUsers

    Sign-in:
    Use the Connect-MgGraph command to sign in with the required scopes. Example: Connect-MgGraph -Scopes "Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All"

    Call Microsoft Graph:
    Use the Get-MgServicePrincipal command to get a list of enterprise applications' NotificationEmailAddresses, and then create a custom script using your own logic to change email addresses based on conditions in the loop section using 'if' or 'foreach' conditions.

    Here are a few examples for your reference:

    List all Enterprise applications with NotificationEmailAddresses:
    Get-MgServicePrincipal -All |select Id, DisplayName, NotificationEmailAddresses

    Update single Enterprise application with new NotificationEmailAddresses:
    Update-MgServicePrincipal -ServicePrincipalId 25dbe63f-4386-4dca-8881-5eb3e8e966e9 -NotificationEmailAddresses siva6@ssiva.onmicrosoft.com

    Update all Enterprise applications with new NotificationEmailAddresses (Note: the cmdlet below replaces all current email addresses for all applications.)
    Get-MgServicePrincipal -all |% {Update-MgServicePrincipal -ServicePrincipalId $_.id -NotificationEmailAddresses siva@ssiva.onmicrosoft.com}

    Hope this helps.

    -----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
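Combining the asker's tag-based SAML filter with the answerer's Update-MgServicePrincipal call, the following added example (not code from either post) adds the distribution list to each SAML app's existing recipients instead of replacing them, and drops the addresses of departed employees. It assumes an existing Connect-MgGraph session with write scopes as in the answer; the DL and removed addresses are constructed placeholders, and nothing is written unless -Apply is passed.

```powershell
# Added example, not the asker's or answerer's code.
# Assumes Connect-MgGraph has already been run with Directory.ReadWrite.All (or Application.ReadWrite.All).
param(
    [string]$DistributionList = 'sysadmin-dl@example.com',   # constructed placeholder
    [string[]]$RemoveAddresses = @('former.employee@example.com'),  # constructed placeholder
    [switch]$Apply                                           # report only unless -Apply is given
)

# Same two service principal tags the reporting script in the question uses to find SAML apps
$samlTags = 'WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1',
            'WindowsAzureActiveDirectoryCustomSingleSignOnApplication'

$samlApps = Get-MgServicePrincipal -All |
    Where-Object { $_.Tags | Where-Object { $_ -in $samlTags } }

$changed = 0
foreach ($sp in $samlApps) {
    # Apps without a signing certificate have nothing to expire; leave them alone
    if (-not $sp.KeyCredentials) { continue }

    # Piping through Where-Object turns a null property into an empty array, not @($null)
    $current = @($sp.NotificationEmailAddresses | Where-Object { $_ })
    $removed = @($current | Where-Object { $RemoveAddresses -contains $_ })

    # Nothing to do when no departed address is present and the DL is already a recipient
    if ($removed.Count -eq 0 -and $current -contains $DistributionList) { continue }

    # Keep the other existing recipients, drop departed ones, append the DL once
    $desired = @($current | Where-Object { $RemoveAddresses -notcontains $_ })
    if ($desired -notcontains $DistributionList) { $desired += $DistributionList }

    Write-Host ("{0}: [{1}] -> [{2}]" -f $sp.DisplayName, ($current -join ', '), ($desired -join ', '))
    if ($Apply) {
        Update-MgServicePrincipal -ServicePrincipalId $sp.Id -NotificationEmailAddresses $desired
    }
    $changed++
}

Write-Host "$changed SAML app(s) $(if ($Apply) { 'updated' } else { 'would be updated (re-run with -Apply)' })."
```

Run it once without -Apply and check the printed before/after lists against the report from the question's script before letting it write.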
