Blog Post

Core Infrastructure and Security Blog
11 MIN READ

Use Azure Logic Apps to Notify of Pending AAD Application Client Secrets and Certificate Expirations

Russ_Rimmerman's avatar
Russ_Rimmerman
Icon for Microsoft rankMicrosoft
Nov 29, 2021

Managing the expiration dates of client secrets and certificates for Azure Active Directory (AAD) applications can be challenging, especially for organizations with numerous applications. To address this, leveraging Azure Logic Apps offers an automated solution to proactively monitor and notify administrators and application owners of impending expirations. This approach enhances security and ensures uninterrupted application functionality by providing timely alerts for necessary credential updates.

Disclaimer The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclai...
RussRimmerman_0-1638198579862.png
Updated Jan 29, 2025
Version 5.0
RussRimmerman
erikwold's avatar
erikwold
Copper Contributor
Apr 09, 2025

Hi,

Been running this for a while and it has been working great. However, all of a sudden it stopped working and fails in the step "Foreach - apps", ActionFailed An action failed. No dependent actions succeeded.

Any idea what might be causing this?

Russ_Rimmerman's avatar
Russ_Rimmerman
Icon for Microsoft rankMicrosoft
Apr 09, 2025

Hi erikwold not without some more details, I'd need to see more of the error from the run history assuming more details exist.

  • Nrodriguez79's avatar
    Nrodriguez79
    Copper Contributor
    Apr 14, 2025

    I think I figured this out. I too have been running this for a few months now and recently came across the same issue. It seems the error stems from the logic app reading these Power Apps and seeing an owner of Power Virtual Agents Service and no email address attached to it.


    So when the "Send an Email" task runs and pulls in a null value for the "To:" field. You get a bad request/400 status on the task.


    1 workaround and 2 ways to fix this;
    (Workaround)
    1. Find all the (Microsoft Copilot Studio) app registrations with expired certs and delete the expired cert. the logic app won't pick up those up and won't need to email out. It's not a fix but will let the logic app continue through, until the next app expires that have the same owner and no email address.

    2. Add a valid owner that has an email address to each of these copilot applications. So that the logic app doesn't try to add a null value in the To: field. I believe this can be done systematically via Entra powershell.

    3. Modify the logic app code and add some error/null handling for these types of situations.

    I suspect this won't be the first and last time that we see MS add application with owners that don't have an email address. 

    • erikwold's avatar
      erikwold
      Copper Contributor
      Apr 16, 2025

      Nrodriguez79Thank you, your fix and workaround did the trick 👍

  • erikwold's avatar
    erikwold
    Copper Contributor
    Apr 10, 2025

    Thank you. Really not sure what to show you but from the run details it seems to fail on apps related to "Power Virtual Agents" or "Microsoft Copilot Studio", these names appear in parenthesis on the failed apps. Examples:
    Step: "Foreach - apps" (failed) :
    Customer Service Copilot Bot (Power Virtual Agents)
    Sales Copilot Power Virtual Agents Bot (Power Virtual Agents)
    xxxxxxxxxxV2 (Microsoft Copilot Studio)

    Step: "For each KeyCred"
    ActionFailed
    An action failed. No dependent actions succeeded.

    • Nrodriguez79's avatar
      Nrodriguez79
      Copper Contributor
      Apr 15, 2025

      I posted this to the chat above, but let me post to your question directly.


      I think I figured this out. I too have been running this for a few months now and recently came across the same issue. It seems the error stems from the logic app reading these Power Apps and seeing an owner of Power Virtual Agents Service and no email address attached to it.


      So when the "Send an Email" task runs and pulls in a null value for the "To:" field. You get a bad request/400 status on the task.


      1 workaround and 2 ways to fix this;
      (Workaround)
      1. Find all the (Microsoft Copilot Studio) app registrations with expired certs and delete the expired cert. the logic app won't pick up those up and won't need to email out. It's not a fix but will let the logic app continue through, until the next app expires that have the same owner and no email address.

      2. Add a valid owner that has an email address to each of these copilot applications. So that the logic app doesn't try to add a null value in the To: field. I believe this can be done systematically via Entra powershell.

      3. Modify the logic app code and add some error/null handling for these types of situations.

      I suspect this won't be the first and last time that we see MS add application with owners that don't have an email address.