Use Azure Logic Apps to Notify of Pending AAD Application Client Secrets and Certificate Expirations
I have been experiencing issues for a week; it appears that Microsoft has changed the app registrations for Copilot app registrations.
Problem:
The owner of the app registration is another app registration, which does not have a mail address assigned.
Removing the owners would break the auto secret renewal process on the Copilot app registrations, but adding userPrincipalName to that registration is impossible.
I have tried adding another check with the "OR" to the "condition 5" above, to check whether the value of "userPrincipalName" is empty. But it is still failing.
I tried an integer of "0", "" and filling in nothing.
Any help is appreciated!
UPDATE:
I've added a condition to condition 3: (AND)
Expression: body('Get_Secret_Owner')?['value'][0]?['userPrincipalName']
is not equals to
Expression: null
looks like this:
NOTE: you should add this in both the secret and certificate part of the logic app.
It now works, by skipping the send-mail if the owner has no mail/userPrincipalName (i.e., being another app registration).
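The check described in the comment above, modelled outside Logic Apps as an added example (not code from the blog post or from the commenter). It goes one step further and walks every owner instead of only value[0]; the sample owner responses and the function names are constructed for illustration.

```python
# Added example: models the owner check on a Microsoft Graph "owners"
# response, the kind of body the Get_Secret_Owner action returns.
# All sample data below is constructed.

def first_owner_has_upn(owner_response):
    """Mirror of the condition in the comment:
    body('Get_Secret_Owner')?['value'][0]?['userPrincipalName'] is not null."""
    owners = (owner_response or {}).get("value") or []
    return bool(owners) and owners[0].get("userPrincipalName") is not None


def notification_recipients(owner_response):
    """Return the userPrincipalName of every owner that has one.

    Owners that are app registrations / service principals carry no
    userPrincipalName and are skipped instead of failing the run.
    """
    recipients = []
    seen = set()
    for owner in (owner_response or {}).get("value") or []:
        upn = owner.get("userPrincipalName")
        if not isinstance(upn, str) or not upn.strip():
            continue  # no mailbox to notify (e.g. owner is another app)
        upn = upn.strip()
        if upn.lower() not in seen:
            seen.add(upn.lower())
            recipients.append(upn)
    return recipients


# Constructed owner objects.
APP_OWNER = {"@odata.type": "#microsoft.graph.servicePrincipal",
             "id": "00000000-0000-0000-0000-000000000001",
             "displayName": "Constructed owner app"}
USER_OWNER = {"@odata.type": "#microsoft.graph.user",
              "id": "00000000-0000-0000-0000-000000000002",
              "displayName": "Alice Example",
              "userPrincipalName": "alice@example.com"}

APP_ONLY = {"value": [APP_OWNER]}                # the case from the comment
APP_THEN_USER = {"value": [APP_OWNER, USER_OWNER]}
NO_OWNERS = {"value": []}

if __name__ == "__main__":
    for name, body in [("app only", APP_ONLY),
                       ("app then user", APP_THEN_USER),
                       ("no owners", NO_OWNERS)]:
        print(name, first_owner_has_upn(body), notification_recipients(body))
```

With an app registration listed first and a user second, the value[0] check skips the mail, while the per-owner walk still finds the user.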
Hi @DirkhxDirkHx, thank you. We seem to have the same problem since this week. I am not exactly sure where to add the above condition. Would it be possible to get a screen grab of your flow and where this needs to be added, please? Sorry, I am quite new to Logic Apps and cannot work it out. Any help greatly appreciated. This is what we see.