Automate Notifications for Intune iOS Cert/Token Expirations with one Script

If you work at an MSP and you’re not fortunate enough to have a good cert tracking tool like ITGlue or Hudu, you’re probably on your own to track certificate expirations. After encountering too many times where, out of nowhere, a client’s iOS Intune enrollments start failing due to an expired MDM push cert, I wanted an easy way to track this. I also wanted something easy to implement for any client. The idea was to get this configured in a single script without manually specifying too many parameters when the script is executed. After some testing and development, I decided to use Teams for the notifications. Before going into more details, I already know I’ll get people asking why I didn’t do this for email notifications or how to get email notifications instead. Although email notifications are not part of the automation script that does all the work for us, it’s easy to implement afterward. I started this by using both Teams and email, but I felt the script needed too many mandatory input parameters. However, I added an email template in the runbook script. You can easily enable email notifications by adding a couple of Graph permissions for the automation account, uncommenting those lines, and adding your email variables. More details on that are in the email section.

The Azure Automation Setup Script

There’s one script that takes care of everything for us. The script can be found on GitHub here. The user executing the script must authenticate to Azure and MgGraph, supply a Teams webhook URL (if you don’t know how to generate a Teams webhook URL, see this post), and enter the Azure region where you want the resources deployed. If multiple Azure subscriptions are detected, you’ll also be prompted for the subscription you want to use. After that, the script takes care of everything else outlined below:

  • Logs the script output to c:\temp
  • Creates a new resource group (iOS_MDMAutomation) and Automation Account (iOSMDMAutoationAccount)
  • Assigns the required Graph Permissions to the Automation Account Identity
  • Downloads the runbook script from GitHub and imports it as an automation runbook
  • Adds the required MgGraph PowerShell modules to the automation account
    • The script waits until the authentication module is installed before installing the others. It is a prerequisite for the other modules, and I was getting random failures if the other modules attempted to install before the authentication module was finished.
  • Creates a new schedule with the required parameters and assigns it to the runbook (runs every other Sunday at 12 PM local time and notifies via Teams if a token or cert is within 30 days of expiration)

The parameters can be easily changed if you want to use different names. Aside from the webhook URL and the Azure region, everything has a default value in the script. For example, if you want to change the expiration detection from 30 days or less to 45 days or less, change the $daystilexpiry parameter to 45. The resulting webhook notification will look like this:
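To show what the scheduled runbook has to do with $daystilexpiry once the setup script has deployed it, here is an added example of the expiration check and Teams post written for this post; it is not the script from the GitHub repo. It assumes the Automation Account identity already holds the Graph permissions the setup script assigns, uses the Graph endpoints for the push certificate, VPP tokens and enrollment program tokens (the last is beta-only), and takes the webhook URL as a parameter.

```powershell
param(
    [Parameter(Mandatory = $true)][string]$WebhookURL,  # Teams incoming webhook URL
    [int]$daystilexpiry = 30                            # same default as the post's runbook
)
# Sign in as the Automation Account's managed identity (assumes the Graph
# permissions granted by the setup script are already in place).
Connect-MgGraph -Identity -NoWelcome

# Returns a notification line when the item expires within the threshold
# (or has already expired), otherwise $null so it is skipped.
function Test-Expiry {
    param([string]$Label, [string]$DateString)
    if (-not $DateString) { return $null }            # item not configured in this tenant
    $expires = ([datetime]$DateString).ToUniversalTime()
    $days = [math]::Floor(($expires - (Get-Date).ToUniversalTime()).TotalDays)
    if ($days -gt $daystilexpiry) { return $null }
    $when = $expires.ToString('yyyy-MM-dd')
    if ($days -lt 0) { return "$Label : EXPIRED on $when" }
    return "$Label : expires in $days day(s) on $when"
}
$g = 'https://graph.microsoft.com'
$findings = @()

# Apple MDM push certificate (one per tenant; the call fails if none was ever uploaded)
try { $push = Invoke-MgGraphRequest -Method GET -Uri "$g/v1.0/deviceManagement/applePushNotificationCertificate" }
catch { $push = $null }
$findings += Test-Expiry 'Apple MDM Push Certificate' $push.expirationDateTime

# Apple VPP tokens (a tenant can hold several, so check each one)
$vpp = Invoke-MgGraphRequest -Method GET -Uri "$g/v1.0/deviceAppManagement/vppTokens"
foreach ($t in $vpp.value) {
    $findings += Test-Expiry "Apple VPP Token ($($t.appleId))" $t.expirationDateTime
}

# Apple Enrollment Program (ABM/DEP) tokens are only exposed on the beta endpoint
$dep = Invoke-MgGraphRequest -Method GET -Uri "$g/beta/deviceManagement/depOnboardingSettings"
foreach ($d in $dep.value) {
    $findings += Test-Expiry "Apple Enrollment Program Token ($($d.tokenName))" $d.tokenExpirationDateTime
}
$findings = @($findings | Where-Object { $_ })
if ($findings.Count -eq 0) { Write-Output "Nothing expires within $daystilexpiry days."; return }

# Post a MessageCard to the Teams incoming webhook
$card = @{
    '@type' = 'MessageCard'; '@context' = 'https://schema.org/extensions'
    title   = "Intune iOS cert/token expiring within $daystilexpiry days"
    text    = ($findings -join '<br>')
} | ConvertTo-Json -Depth 4
Invoke-RestMethod -Method Post -Uri $WebhookURL -ContentType 'application/json' -Body $card
```

The webhook URL lets anyone who holds it post into the channel, so in a real deployment keep it in an encrypted Automation variable rather than in the runbook text or schedule parameters.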

Here’s an example of the script running. It takes around 2 minutes for the Graph authentication module to import; other than that, the script should complete within a minute:

Adding an Email Notification

The code block below is commented out in the automation runbook and can be used to send an email notification. One prerequisite is that the automation account identity must have both ‘Mail.Send’ and ‘Mail.ReadWrite’ Graph permissions, or it won’t be permitted to send from the sender mailbox. You’ll also need to add the Microsoft.Graph.Users.Actions PowerShell module to the automation account.

```powershell
#######Send Email Template##########
## Uncomment the lines below and set the sender/recipient variables.
## $certexpiration, $tokenexpiration and $EPTExpiration are populated earlier in the runbook.
#$senderemail = "thesenderemail@domain.com"
#$recipient = "recipientemail@domain.com"
#$subject = "Expiration Warning - Intune iOS Cert or Token"
#$body = "An iOS MDM Certificate or Token is expiring in less than 30 days. Verify expiration dates below:
#
#Apple MDM Push Certificate Expiration:      $certexpiration
#Apple VPP Token Expiration:                 $tokenexpiration
#Apple Enrollment Program Token Expiration:  $EPTExpiration
#
#Click the link below for renewal details:
#https://learn.microsoft.com/en-us/intune-education/renew-ios-certificate-token"
#$type = "Text"
#$save = $true   # SaveToSentItems expects a boolean, not the string "true"

#$params = @{
#    Message         = @{
#        Subject       = $subject
#        Body          = @{
#            ContentType = $type
#            Content     = $body
#        }
#        ToRecipients  = @(
#            @{
#                EmailAddress = @{
#                    Address = $recipient
#                }
#            }
#        )
#    }
#    SaveToSentItems = $save
#}
## Sends as the sender mailbox using the automation account's Mail.Send permission
#Send-MgUserMail -UserId $senderemail -BodyParameter $params
```

The result will be an email that looks like the picture below. There were no certs in the test tenant I ran this in, but if there are certs, their dates will be listed if they’re expiring in 30 days or less, just like the Teams notification.

Adding Alerts for Automation Errors

This solution is mostly set it and forget it, and it will run according to the schedule. However, if the runbook encounters errors, we can create an Azure Alert. You’ll need to go to the diagnostic settings for the Automation Account and start sending job logs and job streams to a Log Analytics workspace:

Once logs are being sent to a Log Analytics workspace, navigate to Monitoring > Logs for the automation account. Here we can look at the logs that have been generated. I purposely generated some errors and selected the sample query for “Runbook completed successfully with errors” (choose a different query if you’d like to be alerted on something else), then clicked New Alert Rule.

Specify the parameters for your alert rule, and then you’ll receive a notification if there is an issue with the automation runbook. Here’s an example alert: