Azure AD Enterprise Apps published through Azure AD Application Proxy may use a custom SSL certificate. The following PowerShell script checks whether any of those SSL certificates have expired.
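# List Azure AD Enterprise Apps (Application Proxy) whose custom SSL certificate has
# expired, or is about to expire.
#
# Usage:  .\script.ps1 [-WarnDays <int>]
#   -WarnDays  flag certificates that expire within this many days (default 30; 0 disables
#              the warning and restores the original expired/not-expired output only).
#
# Requires the AzureAD module; Connect-AzureAD is invoked only when no session exists.
# NOTE(review): the AzureAD module is deprecated by Microsoft in favour of Microsoft Graph
# PowerShell; it is kept here so existing callers keep working.
#
# Apps without a custom domain certificate (no VerifiedCustomDomainCertificatesMetadata) are
# skipped, exactly as before.
param(
    [int]$WarnDays = 30
)

Import-Module AzureAD

# Probe the current session; only a missing sign-in should trigger an interactive login,
# any other error propagates. The tenant detail itself is not needed.
try {
    $null = Get-AzureADTenantDetail
}
catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] {
    Connect-AzureAD
}

# Application Proxy apps carry this tag on their service principal.
$aadapServPrinc = Get-AzureADServicePrincipal -Top 100000 |
    Where-Object { $_.Tags -contains "WindowsAzureActiveDirectoryOnPremApp" }

Write-Host "Reading Azure AD applications..."
$allApps = Get-AzureADApplication -Top 100000

Write-Host "Reading applications..."
# Join service principals to applications by AppId. The previous `$allApps -match $_.AppId`
# used the GUID as a regex against each object's string form, and with exactly one
# application `-match` on a scalar yields $true/$false instead of the object.
$appsById = @{}
foreach ($app in $allApps) {
    $appsById[$app.AppId] = $app
}
$aadapApp = @(
    foreach ($sp in $aadapServPrinc) {
        if ($appsById.ContainsKey($sp.AppId)) {
            $appsById[$sp.AppId]
        }
    }
)

$count = $aadapApp.Count
Write-Host ("$count apps found")

# Hoisted so every comparison in the loop uses the same instant.
$now = Get-Date
$expired = 0
$warning = 0
foreach ($item in $aadapApp) {
    $appname = $item.DisplayName
    $tempApps = Get-AzureADApplicationProxyApplication -ObjectId $item.ObjectId
    $url = $tempApps.ExternalUrl
    $cert = $tempApps.VerifiedCustomDomainCertificatesMetadata
    # $null on the left: if the metadata were a collection, `$cert -ne $null` would filter
    # it instead of testing it.
    if ($null -ne $cert) {
        # @() handles both a single metadata object and a collection of them.
        foreach ($c in @($cert)) {
            $ssl = $c.SubjectName
            $issuedate = $c.IssueDate
            $expirydate = $c.ExpiryDate
            # Cast parses with the invariant culture, matching the original behaviour.
            $ed = [DateTime] $expirydate
            Write-Host ("")
            Write-Host ("App: $appname")
            Write-Host ("External Url: $url")
            Write-Host ("SSL Name: $ssl")
            Write-Host ("Issue Date: $issuedate")
            if ($ed -lt $now) {
                Write-Host ("Expiry Date: $expirydate (EXPIRED)") -ForegroundColor "Red"
                $expired++
            }
            elseif ($WarnDays -gt 0 -and $ed -lt $now.AddDays($WarnDays)) {
                # Still valid, but inside the renewal window: give operators lead time to
                # rotate before users are turned away by an expired certificate.
                $daysLeft = [int][Math]::Ceiling(($ed - $now).TotalDays)
                Write-Host ("Expiry Date: $expirydate (expires in $daysLeft days)") -ForegroundColor "Yellow"
                $warning++
            }
            else {
                Write-Host ("Expiry Date: $expirydate") -ForegroundColor "Green"
            }
        }
    }
    #Write-Host ("$tempapps") -ForegroundColor "Gray"
}
Write-Host ("")
Write-Host ("Finished. $expired expired.")
if ($WarnDays -gt 0) {
    Write-Host ("$warning expiring within $WarnDays days.")
}
Write-Host ("")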
Expired SSL certificates can then be replaced.