I didn’t plan to build this.
Honestly, it started as an experiment. Something small.
I was just playing around with chatbot frameworks, not expecting anything serious to come out of it.

But… something clicked. ⚡

Now I'm working on a system where a chatbot can provision Azure resources on demand — and it's honestly blowing my mind how powerful and natural this can become.

🤖 The Idea: Talking to the Cloud

Imagine messaging a bot and saying:

“Hey, I need an Ubuntu VM in West Europe. Small size.”

And it replies:

✅ You're about to create a VM with these specs... Do you confirm?

If you say “Yes,” it triggers a full DevOps pipeline, builds the infrastructure via Pulumi, and comes back with provisioning information.

We're not just scripting anymore.
We're interacting with infrastructure.

🔧 The Stack (So Far)

Here’s what powers this project:

• 🧠 Bot Framework + Python — handles the backend logic

• 🤖 OpenAI GPT — parses natural language into structured intents

• 📦 Pulumi — my tool of choice for Infrastructure-as-Code

• 🔁 Azure DevOps Pipelines — automate deployments via bot

• 🗂 JSON-based infra knowledge base — soon evolving into FAISS + RAG

• 🌐 (Optional) React-based Admin UI — for managing infrastructure state

And yes, it’s fully modular — adding support for new resource types or prompts is super straightforward.

💡 Why I Think This Matters

This isn't just about automation.
It’s about changing the interaction model in cloud infrastructure.

We're so used to clicking dashboards or writing code…
But what if you could just say:

“Spin up a staging environment like last week's one, but in West US.”

That’s the kind of experience we can aim for.

And even if it started as a curiosity, this project opened up new ways of thinking for me ; about DevOps, user experience, and cloud accessibility.

🧪 What I’m Working On Next

• ✅ Parsing OpenAI GPT results into real infra actions

• ✅ Running DevOps pipelines with parameter injection

• ✅ Returning real-time output

• 🔜 Integrating FAISS to understand current cloud layout

• 🔜 Building a knowledge base: SKUs, pricing, compliance, etc

Yes, it’s a lot. But it’s fun.

🌍 Final Thoughts

I didn't expect this to work as well as it does.

This project made me realize that AI + DevOps + conversational UX is not just a cool demo — it's a serious enabler for productivity and cloud automation.

And the best part? I’m just getting started. 😄

If you're curious, want to collaborate, or just want to see how it evolves, hit me up on Linkedin or drop a comment below! 👇

Let’s fix that.

In this post, I’ll walk you through a PowerShell solution I built to automatically audit Azure App secrets and notify you before they expire; with a clean HTML report and optional email alerts.

🚨 Why You Need This

App secrets don’t last forever (nor should they). They typically expire in 6–12 months, but there’s no built-in alerting system from Azure unless you build one yourself.

Miss a secret rotation? Suddenly, your production app can’t authenticate, and you’re scrambling to debug authentication failures during a deploy.

This script automates:

✅ Checking all Azure App Registrations
✅ Identifying secrets expiring in the next N days
✅ Generating a sortable HTML report (When running script with UseLocalParameters)
✅ Sending it via email

🛠️ How It Works

The script uses the Microsoft Graph API to authenticate using a service principal (client ID/secret) and fetch all application registrations. It then;

1. Filters secrets that expire within a configurable number of days (default: 30)

2. Generates a styled HTML report (saves it locally)

3. Sends an email report using Microsoft Graph's sendMail endpoint

Bonus: If you include a line like NotifyEmail = team@yourdomain.com in the app’s Notes field, it’ll extract that automatically and show it in the report.

🚀 Getting Started

🧾 Prerequisites

1. App Registration in Entra ID

• Create an app in Entra ID > App Registrations

• Assign API Permissions:

  • Application.Read.All

  • Directory.Read.All

  • Mail.Send

2. Licensed Sender Mailbox

Ensure your app is authorized to send mail on behalf of a licensed user, such as noreply@yourdomain.com.

3. Installed modules;

* Microsoft.Graph.Applications

* Microsoft.Graph.Users

* Microsoft.Graph.Authentication

4. Optional: Azure Automation Setup

Store sensitive variables as Automation Variables:

• ClientID

• ClientSecret

• TenantID

• WarningDays

• SenderEmail

• ToEmail

💻 Local Usage

Here’s how to run it locally with manual parameters:

powershellCopyEdit.\Notify-AppSecretExpire.ps1 `
    -ClientId "<your-client-id>" `
    -ClientSecret "<your-client-secret>" `
    -TenantId "<your-tenant-id>" `
    -SenderEmail "noreply@yourdomain.com" `
    -ToEmail "admin@yourdomain.com" `
    -OutputPath "C:\Reports\AppSecretsExpirationReport.html" `
    -UseLocalParameters

☁️ Azure Automation Usage

If you're running this in an Azure Automation Account, you don’t need to pass parameters. Instead, define Automation Variables like:

• ClientId

• ClientSecret

• TenantId

• SenderEmail

• ToEmail

The script auto-detects that it's running in Automation and pulls these values in.

📄 What the Report Looks Like

The script outputs a responsive, clean HTML report with:

• App name and ID

• Secret name (linked to the Azure portal)

• Expiration date and days remaining

• Optional NotifyEmail extracted from notes

• Clickable column headers for sorting

Here’s a preview of the UI;

(This is an example of the generated HTML report)

🔗 GitHub Repository

All the code is available here:
👉 GitHub – secret-expiry-alert

🔔 New Feature: Notify Application Owners via NotifyEmail

In the latest version of the script (last edited June 20, 2025), there’s now support for automatically notifying the responsible team for each Azure AD App Registration using a custom tag in the app’s branding properties.

✅ How It Works

• You can specify a NotifyEmail tag in the Notes field under Branding & properties of an App Registration:

    NotifyEmail=team-azureops@yourdomain.com
  

• When the script runs, it searches for this tag in Internal Notes and extracts the email address.

• If credentials (client secrets or certificates) are expiring within the configured warning window (e.g. 30 days), the script:

  • Sends a HTML report to the global ToEmail.

  • Sends a separate, targeted email to each unique NotifyEmail recipient with only the credentials related to their apps.

✏️ Example Usage in Branding properties:

• Go to Azure Portal → Entra ID → App Registrations → [Your App] → Branding & Properties

• In the Internal Notes add:

    NotifyEmail=team-azureops@yourdomain.com
  

📄 Script Changes Summary

💡 Benefits of Using NotifyEmail

• Eliminates alert noise by notifying only those who need to act.

• Ensures accountability by routing alerts to the correct team.

• Simplifies onboarding of new apps—just define your tag once and the automation handles the rest.

🤝 Contributions Welcome

Have ideas? Found a bug? Want to add secret expiration to KeyVault secrets too?
Open an issue or send a PR; I’d love to collaborate.

🙌 Final Thoughts

Security is proactive; not reactive.
Automating app secret monitoring is one small investment that saves a lot of future pain.

Let me know if you try this in your environment or have feedback!

In this guide, you'll learn how to automate password expiration checks and send timely email alerts using:

• PowerShell

• Microsoft Graph API

• Azure Automation (or local execution)

📊 What This Script Does

• Connects to Microsoft Graph using App Registration

• Retrieves users from a dynamic Microsoft 365 group

• Checks their last password change date

• Calculates days until expiration (based on org policy)

• Sends custom email notifications for users whose passwords will expire soon (e.g., within 7 days)

💡 Note: The script assumes all users in the dynamic group have passwords that do expire (e.g., users logging in via Microsoft Entra ID Join). Therefore, it does not need to filter out accounts with PasswordNeverExpires, since the group logic already excludes them.

📄 Pre-Requisites

1. App Registration in Entra ID

• Create an app in Entra ID > App Registrations

• Assign API Permissions:

  • User.Read.All

  • Group.Read.All

  • Mail.Send

• Grant Admin Consent

• Generate a client secret and note the Application (Client) ID and Directory (Tenant) ID

2. Licensed Sender Mailbox

Ensure your app is authorized to send mail on behalf of a licensed user, such as noreply@yourdomain.com.

3. Optional: Azure Automation Setup

Store sensitive variables as Automation Variables:

• ClientID

• ClientSecret

• TenantID

• GroupId

• SenderEmail

• PasswordExpirationDays

💡 Features of the Script

• Can run locally or inside Azure Automation

• Smart logging via Write-Log (supports verbosity and silent automation)

• UPN masking for privacy in logs

• Error handling and graceful exits

👺 Masked Logging Example

User: jo*****@domain.com | Days remaining: 5
Sending alert...
Email sent to jo*****@domain.com

✎ Script Usage (Locally or in Azure)

⚡ Local Test Example:

.\Notify-M365PasswordExpiry.ps1 `
    -ClientId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" `
    -ClientSecret "your-secret" `
    -TenantId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" `
    -GroupId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" `
    -PasswordExpirationDays 45 `
    -SenderEmail "noreply@yourdomain.com" `
    -UseLocalParameters

🚀 Scheduled in Azure Automation:

• Import the script as a Runbook

• Set up a daily schedule

• Securely store secrets using Automation Variables

🔧 Under the Hood (Logic Breakdown)

1. Get access token using client_credentials

2. Connect to Microsoft Graph

3. Fetch users from the target group

4. For each user:

   • Get LastPasswordChangeDateTime

   • Add org-defined expiration window (e.g., 45 days)

   • Calculate remaining days

   • If within 7 days, send email

🧩 Key Functions Explained

🔐 Get-GraphAccessToken

Authenticates using client credentials and retrieves a Microsoft Graph API access token.

🌐 Connect-ToGraph

Uses the Microsoft Graph PowerShell SDK to establish a session for additional operations like retrieving user data.

👥 Get-GroupUsers

Fetches members from the specified dynamic group by Group ID.

🔍 Get-UserDetails

Retrieves DisplayName, UserPrincipalName, and LastPasswordChangeDateTime for each user.

✉ Send-EmailNotification

Sends a formatted HTML email to users using Microsoft Graph's sendMail endpoint. The message content is fully customizable based on your organization’s communication style.

🔗 GitHub Repository

You can find the full script and future updates here: 🔗 GitHub – Notify-M365PasswordExpiry.ps1

📈 Benefits

• Reduces help desk tickets

• Keeps users informed and proactive

• Flexible: can run in the cloud or on-prem

• Secure: supports masked logging and stored secrets

🌐 What You Can Improve Next

• Integrate Microsoft Teams alerts

• Write logs to Azure Storage or Log Analytics

• Localize email messages based on user locale (optional – currently defaulted to English)

🚀 Final Thoughts

This script gives you full control over Microsoft 365 password expiration reminders, with enterprise-grade flexibility. Whether you run it in Azure Automation or locally, it's ready to scale and secure.

Have questions or want enhancements? Let's build on this together! ✨