Blog Post

Core Infrastructure and Security Blog
11 MIN READ

Use Azure Logic Apps to Notify of Pending AAD Application Client Secrets and Certificate Expirations

Russ_Rimmerman's avatar
Russ_Rimmerman
Icon for Microsoft rankMicrosoft
Nov 29, 2021

Managing the expiration dates of client secrets and certificates for Azure Active Directory (AAD) applications can be challenging, especially for organizations with numerous applications. To address this, leveraging Azure Logic Apps offers an automated solution to proactively monitor and notify administrators and application owners of impending expirations. This approach enhances security and ensures uninterrupted application functionality by providing timely alerts for necessary credential updates.

Disclaimer The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclai...
RussRimmerman_0-1638198579862.png
Updated Jan 29, 2025
Version 5.0
RussRimmerman
Russ_Rimmerman's avatar
Russ_Rimmerman
Icon for Microsoft rankMicrosoft
Apr 09, 2025

Hi erikwold not without some more details, I'd need to see more of the error from the run history assuming more details exist.

Nrodriguez79's avatar
Nrodriguez79
Copper Contributor
Apr 14, 2025

I think I figured this out. I too have been running this for a few months now and recently came across the same issue. It seems the error stems from the logic app reading these Power Apps and seeing an owner of Power Virtual Agents Service and no email address attached to it.


So when the "Send an Email" task runs and pulls in a null value for the "To:" field. You get a bad request/400 status on the task.


1 workaround and 2 ways to fix this;
(Workaround)
1. Find all the (Microsoft Copilot Studio) app registrations with expired certs and delete the expired cert. the logic app won't pick up those up and won't need to email out. It's not a fix but will let the logic app continue through, until the next app expires that have the same owner and no email address.

2. Add a valid owner that has an email address to each of these copilot applications. So that the logic app doesn't try to add a null value in the To: field. I believe this can be done systematically via Entra powershell.

3. Modify the logic app code and add some error/null handling for these types of situations.

I suspect this won't be the first and last time that we see MS add application with owners that don't have an email address. 

  • erikwold's avatar
    erikwold
    Copper Contributor
    Apr 16, 2025

    Nrodriguez79Thank you, your fix and workaround did the trick 👍