Enterprise applications in Microsoft Entra ID (formerly Azure AD) use SAML certificates for secure authentication. These certificates have expiration dates, and it's crucial to receive timely notifications before they expire to prevent service disruptions. In this post, I'll walk you through how to configure notification email addresses for your Enterprise application SAML signing certificates using Microsoft Graph PowerShell.
When SAML certificates expire unexpectedly, it can lead to:
- Authentication failures
- Service outages
- Frustrated users
- Emergency remediation work
By setting up proper notification emails, you'll receive advance warnings about upcoming expirations, giving you time to renew certificates before they cause problems.
Prerequisites
Before you begin, make sure you have:
- Microsoft Graph PowerShell modules installed
- Appropriate permissions to manage service principals
- Global Administrator, Application Administrator, or Cloud Application Administrator role
Setting Up Microsoft Graph PowerShell
If you haven't installed the Microsoft Graph PowerShell SDK yet, you can do so with:
Install-Module Microsoft.Graph -Scope CurrentUser
Connect to Microsoft Graph
First, connect to Microsoft Graph with the required permissions:
Connect-MgGraph -Scopes "Directory.AccessAsUser.All","Directory.Read.All","Directory.ReadWrite.All"
You'll be prompted to sign in with your admin credentials and authorize the requested permissions.
List Enterprise Applications with Current Notification Emails
To see your current configuration, run:
Get-MgServicePrincipal -All | Select-Object Id, DisplayName, NotificationEmailAddresses
This will show you which applications already have notification emails configured and which ones need attention.
Update a Single Application
If you need to update just one application, use:
Update-MgServicePrincipal -ServicePrincipalId "25dbe63f-2356-4dca-9911-5eb3e8e966e9" `
    -NotificationEmailAddresses "lee@bythepowerofgreyskull.com"
Replace the GUID with your application's service principal ID and use your actual notification email address.
Update All Applications at Once
To set the same notification email for all enterprise applications (note that this loop touches every service principal in the tenant, not only the SAML-configured ones):
Get-MgServicePrincipal -All | ForEach-Object {
    Update-MgServicePrincipal -ServicePrincipalId $_.Id `
        -NotificationEmailAddresses "lee@bythepowerofgreyskull.com"
}
Conditional Updates (by Application Name)
For more granular control, you might want to update only specific applications:
Get-MgServicePrincipal -All | ForEach-Object {
    # Only update applications with "Bear" in their name
    if ($_.DisplayName -like "*Bear*") {
        Update-MgServicePrincipal -ServicePrincipalId $_.Id `
            -NotificationEmailAddresses "lee@bythepowerofgreyskull.com"
    }
}
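Putting the list and update steps together, the following script is an added example and not code from the original post. It narrows the scope to service principals whose single sign-on mode is SAML, reports the expiry date of each app's signing certificate from its KeyCredentials, and sets a notification address only on apps that have none, previewing each change with -WhatIf. The address saml-alerts@example.com and the 60-day warning window are placeholders; it assumes you have already run Connect-MgGraph (Application.ReadWrite.All is the least-privileged delegated scope for updating service principals, if you prefer it over the Directory.* scopes above).

```powershell
# Added example (not from the original post): audit SAML enterprise apps for
# expiring signing certificates and add a notification address where missing.
# Assumes an existing Connect-MgGraph session. Address and threshold are placeholders.
$NotificationAddress = 'saml-alerts@example.com'
$WarnWithinDays      = 60
$Cutoff              = (Get-Date).AddDays($WarnWithinDays)

# Only enterprise applications configured for SAML single sign-on.
# Filtering client-side keeps Microsoft first-party and non-SAML service
# principals out of the update loop.
$samlApps = Get-MgServicePrincipal -All `
    -Property Id,DisplayName,PreferredSingleSignOnMode,NotificationEmailAddresses,KeyCredentials |
    Where-Object { $_.PreferredSingleSignOnMode -eq 'saml' }

$report = foreach ($sp in $samlApps) {
    # The SAML signing certificate is the KeyCredential with Usage = Sign;
    # take the latest one in case the app has a rollover certificate staged.
    $signing = $sp.KeyCredentials |
        Where-Object { $_.Usage -eq 'Sign' } |
        Sort-Object EndDateTime -Descending |
        Select-Object -First 1

    [pscustomobject]@{
        DisplayName        = $sp.DisplayName
        Id                 = $sp.Id
        CertExpires        = if ($signing) { $signing.EndDateTime } else { $null }
        ExpiringSoon       = [bool]($signing -and $signing.EndDateTime -lt $Cutoff)
        NotificationEmails = ($sp.NotificationEmailAddresses -join ';')
        NeedsEmail         = (-not $sp.NotificationEmailAddresses)
    }
}

# Review: soonest expiry first, so apps that will page you next are at the top.
$report | Sort-Object CertExpires | Format-Table -AutoSize

# Remediate only apps with no notification address. Drop -WhatIf once the
# preview looks right; existing addresses are left untouched.
foreach ($row in ($report | Where-Object NeedsEmail)) {
    Update-MgServicePrincipal -ServicePrincipalId $row.Id `
        -NotificationEmailAddresses @($NotificationAddress) -WhatIf
}
```

Because NotificationEmailAddresses is a string array, passing @($NotificationAddress) replaces whatever is there rather than appending; if you need to add an address to an app that already has one, build the combined array from the current value first.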