Azure AD Enterprise Apps may be using a custom SSL certificate for Azure App Proxy. The following PowerShell script checks to see if any of the SSL certificate have expired.

# List Azure AD Enterprise Apps with expired SSL certificates

Import-Module AzureAD

try { 
    $var = Get-AzureADTenantDetail 
   } 
   catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] { 
    Connect-AzureAD
   }

$aadapServPrinc = Get-AzureADServicePrincipal -Top 100000 | where-object {$_.Tags -Contains "WindowsAzureActiveDirectoryOnPremApp"}  

Write-Host "Reading Azure AD applications..."
$allApps = Get-AzureADApplication -Top 100000 

Write-Host "Reading applications..."
$aadapApp = $aadapServPrinc | ForEach-Object { $allApps -match $_.AppId} 
$count = $aadapApp.count
Write-Host ("$count apps found")

$expired = 0
foreach ($item in $aadapApp) {
    $appname = $item.DisplayName	
    $tempApps = Get-AzureADApplicationProxyApplication -ObjectId $item.ObjectId
    $url = $tempApps.ExternalUrl
	$cert = $tempApps.VerifiedCustomDomainCertificatesMetadata
    $ssl = $cert.SubjectName
	if($cert -ne $null){
       $issuedate = $cert.IssueDate
       $expirydate = $cert.ExpiryDate
	   $ed=[Datetime] $expirydate
       Write-Host ("")
       Write-Host ("App: $appname")
       Write-Host ("External Url: $url")
       Write-Host ("SSL Name: $ssl")
       Write-Host ("Issue Date: $issuedate")
	   if($ed -lt (Get-Date)) {
          Write-Host ("Expiry Date: $expirydate (EXPIRED)") -ForegroundColor "Red"
		  $expired = $expired + 1
	   }
	   else {
          Write-Host ("Expiry Date: $expirydate") -ForegroundColor "Green"
	   }
	}
    #Write-Host ("$tempapps") -ForegroundColor "Gray"
}
Write-Host ("")
Write-Host ("Finished. $expired expired.")
Write-Host ("")

Then SSL certificates can be replaced if expired.