Kumaran – A Cloud Guy

Microsoft 365 Admins: June 2025 Brings Major Updates, Retirements & Action Items — Here’s Your Definitive Guide

June 2, 2025 by Kumaran

Buckle up, admins! June’s heating up with a fresh wave of Microsoft 365 changes. Whether you manage identity, information protection, collaboration, or compliance, there’s something here that will nudge your daily workflow—or bulldoze it if you’re not paying attention.

Let’s cut through the clutter. Below is your clear, actionable roundup of what’s coming, what’s going, and what needs your immediate attention across the Microsoft 365 landscape.

In the Spotlight

Smoother OneDrive File Transfers

Say goodbye to clunky cleanup processes when employees leave. Microsoft’s new “Move and keep sharing” feature lets you transfer ownership while preserving existing sharing permissions. Combine that with new filters to zero in on important files and clearer notification emails, and you’ve got an admin’s dream come true.

Shared Mailboxes in New Outlook (Finally!)

The New Outlook for Windows now lets you add shared mailboxes like real accounts—no more backflips to get the same experience your users are used to. Easier management, better UX, happier end users.

Non-Profit Grant Offers Retiring

Heads up for non-profit orgs: Microsoft is retiring Microsoft 365 Business Premium and Office 365 E1 grant offers. If your licensing strategy includes these grants, now’s the time to rethink and re-budget.

June at a Glance

Category	Count
Retirements	4
New Features	10
Enhancements	9
Changes in Functionality	5
Action Needed	2

Retirements: What’s Going Away

Meeting Details in OneNote for Windows 10 – Poof, gone starting June 2025.
Private Content Mode in Viva Engage – Say farewell by June 30, 2025.
Teams Recording Initiator Policy – Both the MeetingInitiator value and MeetingRecordingOwnership setting will be retired by June 30, 2025.
Sports Calendars in Outlook – “Interesting Calendars” will vanish starting early June 2025.

New Features: What You’ll Want to Try First

Copilot Troubleshooter in Power Automate – Diagnose and resolve flow errors with a few clicks inside the designer.
Copilot for Security in Purview Insider Risk Management – Contextual alerts and smarter investigations—yes, please.
Data-at-Rest Scanning in SharePoint/OneDrive – Finally scan previously untouched files for sensitive info and apply sensitivity labels.
Microsoft Backup Enhancements – Define backup policies that automatically cover all Exchange, OneDrive, and SharePoint users—even new ones.
Automated Retention Actions in Gov Cloud – US government tenants can now use Power Automate to act on expired items.
50+ Modern SharePoint Page Templates – No more pixel-pushing—get sleek, branded designs in a click.
New Insider Risk Email Indicators – Spot emails with attachments sent to free public domains or to oneself—cue the red flags.
Risky AI Activity Detection – Admins can now monitor for sensitive prompt usage and sketchy AI behavior.
Microsoft Defender XDR Integration – Insider Risk data will now flow into XDR for unified investigations.
Fabric Network Enhancements (Preview) – Private links and outbound access controls to lock down Fabric workspaces like Fort Knox.

Enhancements: Refinements You’ll Appreciate

HR Connector in Insider Risk Management – Apply the updated PowerShell script or risk issues.
Exclude Folders from OneDrive Sync – Control bloat and protect endpoints.
Reduce Noise in Communication Compliance – Filter out newsletters and spam to surface real threats.
On-Demand Classification – Retroactively classify sensitive content in SharePoint/OneDrive.
New Teams Role: Teams Reader – View-only access in the admin center. Great for auditors or curious execs.
View and Upload Anyone Links – Strike a balance between accessibility and control.
Global Exclusions in Insider Risk – Now supports more logical rules to cut alert fatigue.
DLP + Administrative Units – SharePoint DLP policies can now be scoped by administrative units. Finally.
Targeted IRM Policies – Use combinations of users, groups, and adaptive scopes for laser-focused risk management.

Functional Changes: What’s Evolving

SharePoint Online CDN Migration – Allow public-cdn.sharepointonline.com and stop relying on hardcoded links.
Teams DLP Reports – Incident notifications now come from both old and new sender addresses.
Exchange Federation Cmdlet Changes – Get-FederationInformation is being scoped down.
Audit Log Cmdlets Go Read-Only – No changes/downloads after June for Search-MailboxAuditLog and New-MailboxAuditLogSearch.
Separate Policy Tip Settings – Customize email notifications separately for SharePoint and OneDrive DLP.

Action Needed: Do This Now

Viva Engage External Networks – Legacy networks will be retired June 1, 2025. Transition to modern external networks now to avoid disruption.
Microsoft Defender SIEM Agents – After June 19, 2025, no new agents can be configured. Move to supported APIs to future-proof your integration.

Final Thoughts

If you’re managing Microsoft 365 in an enterprise setting, June is a no-joke month for updates. With new features that improve automation, security, and governance—and retirements that could leave gaps if ignored—it’s vital to stay proactive.

Bookmark this post, forward it to your team, and prep your change calendar. Because in IT, those who fail to plan… usually end up on a 2 a.m. call with their CISO.

Stay sharp, stay current—and keep your tenant tight.

Thank you for stopping by. ✌️

Microsoft SharePoint Premium: Getting the Most Out of SharePoint Advanced Management

April 5, 2025January 18, 2025 by Kumaran

Let’s be real—managing SharePoint at scale is no walk in the park. When you’ve got thousands of users, sprawling document libraries, and security risks lurking around every corner, the last thing you need is more complexity. Enter Microsoft SharePoint Premium, specifically its SharePoint Advanced Management capabilities, designed to bring order to the chaos.

But is it just another fancy add-on, or does it actually make your life easier? Let’s break it down.

Site Lifecycle Policies: Keeping SharePoint Tidy

Without oversight, SharePoint sites tend to pile up like old emails in an unchecked inbox. That’s where Site Lifecycle Policies come in.

Inactive SharePoint Sites Policy – Automatically detects and archives (or deletes) sites that haven’t been used in a while. Think of it as digital housekeeping that prevents clutter.
Site Ownership Policy – Ever had a SharePoint site where no one knows who’s in charge? This policy ensures every site has a designated owner—and prompts them to confirm ownership periodically.

These policies save IT teams from sifting through forgotten sites and guessing which ones are still relevant.

Data Access Governance (DAG) Insights: Who’s Seeing What?

Ever worry that sensitive data is floating around where it shouldn’t be? DAG Insights help IT admins spot and control broad access issues.

“Everyone Except External Users” (EEEU) Insights – This permission group sounds harmless, but it can sometimes overexpose data internally. DAG Insights help admins quickly identify and correct these cases.
Sharing Links & Sensitivity Labels – Visibility into which files are shared externally (and with what sensitivity labels) ensures sensitive documents don’t end up in the wrong hands.
PowerShell: Permission State Report – Need an exhaustive report on who has access to what? This PowerShell tool provides a deep dive across SharePoint, OneDrive, and specific files.
Sharing Links Report – Helps admins monitor and manage shared links across the organization, reducing unnecessary exposure.

Site Access Reviews: Keeping Permissions in Check

Permissions in SharePoint can get complicated fast. The Site Access Review feature ensures that access stays intentional and secure. Admins can set up periodic reviews, prompting site owners to confirm who still needs access—and who doesn’t.

It’s like a spring cleaning for permissions, reducing security risks and keeping data locked down to the right people.

PowerShell: Restricted Content Discovery (RCD)

Sometimes, sensitive data ends up where it shouldn’t be. With Restricted Content Discovery (RCD), admins can scan SharePoint and OneDrive for files that shouldn’t be widely accessible. This helps with compliance and security audits—before problems arise.

Restricted Access Control (RAC): Locking Down Sensitive Sites

Some SharePoint sites contain data that only a select few should ever see. Restricted Access Control (RAC) ensures that even if a user has general access to SharePoint, they won’t automatically see certain sensitive sites.

This applies to both SharePoint and OneDrive, providing an extra layer of control where it’s needed most.

Recent Admin Actions & Change History: Who Did What?

Admins make changes all the time—adjusting permissions, creating new policies, modifying access levels. Recent Admin Actions and Change History provide a log of what’s been modified, making it easier to track down unexpected issues or roll back unintended changes.

Block Download Policy: Extra Security for Sensitive Content

Not all files should be downloadable—especially sensitive reports or confidential recordings. The Block Download Policy lets admins restrict downloads from SharePoint, OneDrive, and even Teams recordings. Users can still view the content online but can’t save a local copy, reducing the risk of data leaks.

Should You Upgrade?

If you’re a small team with a handful of SharePoint sites, Advanced Management might feel like overkill. But for organizations juggling hundreds (or thousands) of users, it’s the difference between smooth operations and constant headaches.

So, if your team is spending way too much time managing permissions, cleaning up inactive sites, or chasing security risks, upgrading to SharePoint Premium’s Advanced Management might just be the smartest move you make.

At the very least, it’s worth a test drive—because who doesn’t want a smoother, safer, and smarter SharePoint experience?

Thanks for stopping by. ✌

How SharePoint Advanced Management Prepares Your Organization for Microsoft Copilot

April 4, 2025January 11, 2025 by Kumaran

Introduction

Microsoft Copilot is revolutionizing the way organizations interact with data, leveraging AI to deliver intelligent insights and automation. However, for Copilot to function effectively, it requires a well-structured and secure data environment. SharePoint Advanced Management (SAM) provides essential tools to optimize, secure, and manage SharePoint content, ensuring your organization is Copilot-ready. This blog explores how SAM enhances permissions management, content governance, data accuracy, privacy, and security to maximize the benefits of Microsoft Copilot.

Accidental Oversharing – Taming the Wild West of Permissions

One of the biggest risks in any SharePoint environment is accidental oversharing of sensitive information. SAM helps organizations identify and remediate these risks through features such as:

Access Reviews: Automated reports highlight excessive or outdated permissions, enabling administrators to take corrective action.
Sharing Controls: Policies can be enforced to restrict sharing of certain file types or limit external sharing.
Auditing and Reporting: Advanced logging provides visibility into sharing activities, ensuring compliance with security policies.

By leveraging these tools, organizations can mitigate security risks, ensuring that only the right users have access to the right content—an essential step before enabling Copilot.

Minimize Your Content Governance Footprint – Streamlining for Efficiency

Microsoft Copilot’s efficiency is directly tied to the quality and relevance of the data it processes. Organizations with cluttered SharePoint environments may experience degraded performance and unnecessary costs. SAM offers capabilities to reduce redundant, obsolete, and trivial (ROT) content through:

Data Lifecycle Management: Policies that automate archiving or deletion of outdated content.
Content Insights: Identifies and flags low-value content, enabling administrators to focus on high-priority data.
Retention Labels: Ensures only necessary content is retained, reducing Copilot’s processing burden.

A leaner, well-structured SharePoint environment not only improves Copilot’s efficiency but also enhances its ability to provide accurate and relevant responses.

Improve Copilot Response Quality – Feeding Copilot the Right Data

Copilot’s output quality depends on the integrity of the data it analyzes. SAM helps improve content relevance and accuracy through:

Metadata Enrichment: Standardizes data classification, making it easier for Copilot to extract meaningful insights.
Duplicate Content Detection: Reduces information overload by identifying and consolidating redundant documents.
Content Curation Tools: Helps teams maintain well-organized libraries, ensuring Copilot pulls from authoritative and up-to-date sources.

By cleaning up SharePoint content, organizations can ensure Copilot provides more precise, actionable responses to users.

Control Content Access by Copilot – Ensuring Data Privacy and Compliance

As organizations integrate Copilot into their workflows, maintaining control over which content Copilot can access is crucial for privacy and regulatory compliance. SAM provides several features to manage Copilot’s data access:

Sensitivity Labels: Prevents Copilot from analyzing or referencing classified documents.
Conditional Access Policies: Restricts Copilot’s access based on location, device, or role.
Permissions Management: Ensures that Copilot can only interact with approved datasets, reducing the risk of data leakage.

These tools help organizations align Copilot usage with internal and external compliance requirements, protecting sensitive business information.

Ensure Data Safety for Business-Critical Sites – Protecting Your Crown Jewels

Certain SharePoint sites contain mission-critical data that require enhanced security and governance. SAM enables organizations to fortify these high-value sites by:

Access Reviews for Critical Sites: Periodically verifies that only authorized users retain access.
Advanced Threat Protection: Detects and prevents unauthorized access attempts.
Lifecycle Management: Ensures outdated or irrelevant data is systematically archived or deleted.

By implementing these controls, organizations can protect their most valuable digital assets while maintaining Copilot readiness.

Conclusion

Preparing for Microsoft Copilot requires more than just enabling AI-powered tools—it demands a well-governed, secure, and optimized SharePoint environment. SharePoint Advanced Management provides the essential capabilities to streamline content, secure sensitive data, and enhance permissions management, ensuring Copilot delivers accurate and efficient insights. By leveraging SAM, organizations can maximize the value of Copilot while maintaining security and compliance.

Start preparing your SharePoint environment today to unlock the full potential of Microsoft Copilot!

Thanks for stopping by. ✌

Understanding billing account for Microsoft Customer Agreement (MCA)

March 16, 2025May 18, 2024 by Kumaran

Let’s be honest—cloud billing isn’t exactly the most exciting topic. But do you know what’s worse? Opening your Azure bill and feeling like you need a detective’s magnifying glass to figure out what’s going on. 🤯

If you’ve got a Microsoft Customer Agreement (MCA), understanding your billing account is key to keeping your cloud costs in check and avoiding any surprise charges. So, grab a coffee, and let’s break it down in a way that actually makes sense. ☕

What is an MCA Billing Account (And Why Should You Care)?

Think of your MCA billing account as the command center for all your Azure charges. It’s where you manage invoices, payments, and who gets to see (or mess with) your billing details. If Azure billing were a Netflix account, your billing account would be the primary profile—the one that controls everything.

Key Things Your MCA Billing Account Lets You Do:

View and manage invoices and payment methods 🧾
Set up multiple billing profiles for different teams or departments 🏢
Assign roles and permissions (so not everyone can max out the budget!)
Track spending across subscriptions 💰

If you’re managing an MCA billing account, congrats! You’ve got the keys to the financial kingdom—use them wisely.

Azure Billing Account: The Big Picture 🎯

Your Azure Billing Account is the home base for all things billing-related in your MCA. It’s where invoices, payments, and spending details live. If you think of Azure like a streaming service, your billing account is your main subscription—everything starts from here.

What You Can Do with an Azure Billing Account:

View and manage invoices 🧾
Set up and control billing profiles 💳
Assign billing roles to different users 👥
Track spending across all subscriptions 💰

This is your financial cockpit—control it wisely!

Billing Profiles: Keeping Budgets Organized 🏢

A Billing Profile is like a separate tab on your credit card statement for different teams, projects, or departments. Instead of one giant invoice that makes your head spin, you can split up costs for better organization.

Why Billing Profiles Matter:

They generate separate invoices for different teams.
You can set up different payment methods for each profile.
They help track spending more effectively.

So, if your company has an AI research team and a DevOps team, they can each have their own billing profile—no messy financial mix-ups!

Invoice Sections: Breaking Down Costs Clearly 📄

Under each Billing Profile, you have Invoice Sections. Think of these as subfolders inside your billing profiles—perfect for breaking down costs by project, department, or even specific environments (like Dev vs. Production).

How Invoice Sections Help:

You can group charges logically (e.g., marketing vs. engineering).
It makes cost tracking super clear.
Helps with financial reporting—no more guessing where money went!

If Billing Profiles are the different tabs on your statement, Invoice Sections are like itemized charges—they give you a clearer breakdown.

Subscriptions: Where the Magic Happens ✨

Your Azure Subscriptions are where your actual cloud services live—virtual machines, databases, AI services, you name it. But each subscription needs to be linked to a Billing Profile to be paid for.

Key Things to Know About Subscriptions:

They inherit billing settings from their assigned billing profile.
You can have multiple subscriptions under one billing account.
Each subscription can be assigned to an Invoice Section for better tracking.

Think of it like multiple mobile lines on a family plan. Each line (subscription) has its own usage, but they all roll up into the main bill (billing profile).

Optimizing and Tracking Azure Costs

To effectively manage and optimize your Azure expenditures, consider the following practices:

Strategic Structuring: Align your billing profiles and invoice sections with your organization’s hierarchy or project structure. This alignment ensures that invoices reflect your internal financial organization, simplifying reconciliation and reporting.
Role-Based Access Control: Assign appropriate roles to team members based on their responsibilities. Azure offers various billing roles, such as Billing Account Owner, Billing Profile Owner, and Invoice Section Owner, each with specific permissions. Implementing role-based access ensures that individuals have the necessary access to perform their tasks without compromising security.
- Billing Account Owner – The supreme leader of the billing universe. Full access.
- Billing Profile Owner – Controls billing for one profile (but not the entire account).
- Billing Profile Contributor – Can manage invoices and payments but not assign roles.
- Billing Reader – Can see invoices but can’t touch them (great for finance teams!).
Regular Monitoring: Utilize Azure’s cost management tools to monitor spending across different billing profiles, invoice sections, and subscriptions. Regular analysis helps in identifying trends, detecting anomalies, and making data-driven decisions to optimize costs.
Budgeting and Alerts: Set up budgets and configure alerts for your billing profiles and invoice sections. Proactive notifications enable you to address potential overspending promptly, ensuring adherence to financial plans.

Pro Tips to Avoid Billing Headaches

Assign Roles Wisely – Not everyone needs full access! Keep spending power in the right hands.
Use Billing Profiles for Better Organization – Split billing by department or project to track spending easily.
Enable Cost Management Tools – Azure has built-in cost tracking to help you avoid end-of-month surprises.
Regularly Review Invoices – Set up a habit of checking your invoices to catch any unexpected charges.

Final Thoughts: Take Control of Your Azure Billing 💡

Understanding your MCA Billing Account isn’t just about paying bills—it’s about controlling costs, organizing expenses, and making sure your finance team doesn’t hunt you down. 😅

So next time you log into Azure, don’t panic at your invoice. Instead, think:

Is my billing organized?
Am I using Billing Profiles and Invoice Sections properly?
Do I need to adjust roles to keep spending in check?

Thanks for stopping by. ✌

Avoid the Oops: Proactively Monitor Entra Application Secret Expirations with Automation

June 5, 2025January 21, 2024 by Kumaran

In the fast-paced world of enterprise IT, even small oversights can lead to major disruptions. One of those easily overlooked, yet critically important tasks is, monitoring Microsoft Entra (formerly Azure AD) application secret expirations.

Imagine this: everything is running smoothly in production until — bam! — an app suddenly fails because its secret expired. No alerts, no heads-up, just user complaints and a flurry of incident reports. Sound familiar?

Why Monitoring Application Secrets Matters

At its core, application secrets are credentials that apps use to authenticate themselves with Microsoft Entra ID. But unlike passwords, secrets come with an expiration date. If they aren’t renewed in time, the app’s authentication fails and with it, the business processes it supports.

For organizations running dozens (or hundreds) of app registrations, staying ahead of these expirations is not optional, it’s essential. Secrets that silently expire can grind systems to a halt, disrupt integrations, and worst of all, trigger security incidents or SLA breaches.

A Common Problem in the Real World

When I first set out to automate monitoring for app secret expirations, I assumed it’d be simple. A few PowerShell lines here, an API call there, maybe some Logic App magic… problem solved, right?

Well, not quite.

Most of the tutorials and blog posts I found focused solely on fetching the expiration date of secrets — they showed how to query the data, but not how to operationalize it. I wanted something that would proactively notify the right people before things went south.

Eventually, I came across a helpful post on Microsoft Tech Community:
Use Azure Logic Apps to Notify of Pending AAD Application Client Secrets and Certificate Expirations

It was a solid foundation. The Logic App would periodically check secrets and send an email notification if one was nearing expiration.

But then… I hit a snag.

If an application had multiple owners which, in the enterprise world, is very common the Logic App would only notify the first listed owner. Everyone else? Left in the dark.

Not ideal. Especially when that one person is on PTO, has left the company, or, let’s be honest, just ignores emails from IT.

So, I decided to roll up my sleeves and build a PowerShell-based solution that:

Queries all app registrations
Checks for secrets or certificates nearing expiration
Looks up all owners (not just the first one)
Sends clear, actionable email notifications to each owner

Why Automate This? Let’s Talk Benefits

Here’s why every enterprise IT team should care about automating secret expiration alerts:

Proactive Security – Timely notifications help you spot secrets that are about to expire, before they become a security risk or business disruption. It’s the difference between being reactive and being prepared.
Reduced Downtime – Missed secret expirations lead to failed authentications, which means broken apps. Proactive alerts buy you time to renew secrets and avoid outages.
No More Manual Tracking – Maintaining a spreadsheet of app secrets? Been there. Done that. Automation means less grunt work and fewer mistakes.
Smart Notifications – By targeting all app owners, not just the first in line: you’re covering your bases. Even if someone’s on vacation, someone else sees the alert and can take action.

What This Script Does

Authenticates to Microsoft Graph with the required permissions
Queries all Entra app registrations
Identifies app secrets and certificates that are expiring within a defined threshold (e.g., 30 days)
Pulls all assigned owners for each app
Sends an email notification to each owner with details about the impending expiration
Sends an email notification to an administrator email, a distribution group or a shared mailbox containing a list of all secrets that are expiring

Use task scheduler to run this script from your on-premise environment. You can securely store the credentials to be used in the PowerShell script using the SecretManagement module. I’ve covered this in detail in an earlier post here. The ideal and preferred method is to use Azure automation account which is much more easier and secure, which I will cover in a future post.

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Application.Read.All","User.Read.All","AppRoleAssignment.Read.All"

# Set default value for the number of days until expiration
$DaysUntilExpiration = 30

# Email configuration
$SmtpServer = "smtp.yourdomain.com"
$From = "alerts@yourdomain.com"
$DefaultEmail = "entra_app_cert_notif@yourdomain.com"

# Function to send email
function Send-ExpirationAlert {
    param (
        [string]$To,
        [string]$FirstName,
        [string]$AppName,
        [string]$SecretOrCertName,
        [string]$SecretOrCertId,
        [datetime]$EndDate
    )

    $Subject = "Alert: Secret or Certificate Expiration Notice for $AppName"
    $Body = @"
<html>
<body>
<p>Hello $FirstName,</p>
<p>This is a notification that the secret or certificate named '$SecretOrCertName' for the application '$AppName' will expire on $($EndDate.ToShortDateString()).</p>
<p>Please contact Progressrail's Entra (previously known as Azure AD) Administrators and take the necessary actions to renew or replace the secret or certificate before it expires.</p>
<p>Details to provide the administrators:</p>
<ul>
<li>Application Name: $AppName</li>
<li>Secret or Certificate Name: $SecretOrCertName</li>
<li>Secret or Certificate ID: $SecretOrCertId</li>
<li>Expiration Date: $($EndDate.ToShortDateString())</li>
</ul>
<p><span style="color: red;">Please do not reply to this email, this mailbox is not monitored.</span></p>
<p>Thank you,<br>Your IT Team</p>
</body>
</html>
"@

    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Subject $Subject -Body $Body -BodyAsHtml
}

# Function to send summary email
function Send-SummaryEmail {
    param (
        [string]$To,
        [string]$Body
    )

    $Subject = "Summary: Secrets and Certificates Expiring in the Next 30 Days"
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Subject $Subject -Body $Body -BodyAsHtml
}

# Get the current date
$Now = Get-Date

# Query all applications
$Applications = Get-MgApplication -All

# Initialize a variable to store the summary of expiring secrets and certificates
$SummaryBody = @"
<html>
<body>
<p>Hello,</p>
<p>The following secrets and certificates are expiring in the next 30 days:</p>
<table border="1">
<tr>
<th>Application Name</th>
<th>Secret or Certificate Name</th>
<th>Secret or Certificate ID</th>
<th>Expiration Date</th>
</tr>
"@

# Process each application
foreach ($App in $Applications) {
    $AppName = $App.DisplayName
    $AppID   = $App.Id
    $ApplID  = $App.AppId

    $AppCreds = Get-MgApplication -ApplicationId $AppID
    $Secrets = $AppCreds.PasswordCredentials
    $Certs   = $AppCreds.KeyCredentials

    foreach ($Secret in $Secrets) {
        $StartDate  = $Secret.StartDateTime
        $EndDate    = $Secret.EndDateTime
        $SecretName = $Secret.DisplayName
        $SecretId   = $Secret.KeyId

        $Owners = Get-MgApplicationOwner -ApplicationId $App.Id

        if ($Owners.Count -eq 0) {
            # No owner information, send to default email
            $FirstName = "Admin"
            Send-ExpirationAlert -To $DefaultEmail -FirstName $FirstName -AppName $AppName -SecretOrCertName $SecretName -SecretOrCertId $SecretId -EndDate $EndDate
        } else {
            foreach ($Owner in $Owners) {
                $Username = $Owner.AdditionalProperties.userPrincipalName
                $OwnerID  = $Owner.Id

                if ($null -eq $Username) {
                    $Username = $Owner.AdditionalProperties.displayName
                    if ($null -eq $Username) {
                        $Username = '**<This is an Application>**'
                    }
                }

                # Extract first name from givenName or user principal name
                $FirstName = $Owner.AdditionalProperties.givenName
                if ($null -eq $FirstName -or $FirstName -eq '') {
                    $FirstName = $Username.Split('@')[0].Split('.')[0]
                }

                $RemainingDaysCount = ($EndDate - $Now).Days

                if ($RemainingDaysCount -le $DaysUntilExpiration -and $RemainingDaysCount -ge 0) {
                    if ($Username -ne '<<No Owner>>') {
                        Send-ExpirationAlert -To $Username -FirstName $FirstName -AppName $AppName -SecretOrCertName $SecretName -SecretOrCertId $SecretId -EndDate $EndDate
                    }
                }
            }
        }

        # Add to summary if expiring in the next 30 days
        if ($RemainingDaysCount -le $DaysUntilExpiration -and $RemainingDaysCount -ge 0) {
            $SummaryBody += @"
<tr>
<td>$AppName</td>
<td>$SecretName</td>
<td>$SecretId</td>
<td>$($EndDate.ToShortDateString())</td>
</tr>
"@
        }
    }

    foreach ($Cert in $Certs) {
        $StartDate  = $Cert.StartDateTime
        $EndDate    = $Cert.EndDateTime
        $CertName   = $Cert.DisplayName
        $CertId     = $Cert.KeyId

        $Owners = Get-MgApplicationOwner -ApplicationId $App.Id

        if ($Owners.Count -eq 0) {
            # No owner information, send to default email
            $FirstName = "Admin"
            Send-ExpirationAlert -To $DefaultEmail -FirstName $FirstName -AppName $AppName -SecretOrCertName $CertName -SecretOrCertId $CertId -EndDate $EndDate
        } else {
            foreach ($Owner in $Owners) {
                $Username = $Owner.AdditionalProperties.userPrincipalName
                $OwnerID  = $Owner.Id

                if ($null -eq $Username) {
                    $Username = $Owner.AdditionalProperties.displayName
                    if ($null -eq $Username) {
                        $Username = '**<This is an Application>**'
                    }
                }

                # Extract first name from givenName or user principal name
                $FirstName = $Owner.AdditionalProperties.givenName
                if ($null -eq $FirstName -or $FirstName -eq '') {
                    $FirstName = $Username.Split('@')[0].Split('.')[0]
                }

                $RemainingDaysCount = ($EndDate - $Now).Days

                if ($RemainingDaysCount -le $DaysUntilExpiration -and $RemainingDaysCount -ge 0) {
                    if ($Username -ne '<<No Owner>>') {
                        Send-ExpirationAlert -To $Username -FirstName $FirstName -AppName $AppName -SecretOrCertName $CertName -SecretOrCertId $CertId -EndDate $EndDate
                    }
                }
            }
        }

        # Add to summary if expiring in the next 30 days
        if ($RemainingDaysCount -le $DaysUntilExpiration -and $RemainingDaysCount -ge 0) {
            $SummaryBody += @"
<tr>
<td>$AppName</td>
<td>$CertName</td>
<td>$CertId</td>
<td>$($EndDate.ToShortDateString())</td>
</tr>
"@
        }
    }
}

# Close the HTML table and body
$SummaryBody += @"
</table>
<p>Thank you,<br>Your IT Team</p>
</body>
</html>
"@

# Send the summary email
Send-SummaryEmail -To $DefaultEmail -Body $SummaryBody

Monitoring Entra application secret expirations may not be the flashiest part of your security strategy, but it’s one of the most crucial. It’s also one of those tasks that’s easy to automate, but costly to ignore.

If you’re currently relying on manual processes or using a Logic App that only pings one owner, consider leveling up your approach. A bit of PowerShell and planning can save you hours of downtime, reduce late-night incident calls, and help keep your environment secure.

Thank you for stopping by. ✌️