Retrieving BitLocker keys from Azure AD with PowerShell


If you have BitLocker keys backed up to Azure Active Directory from your Azure AD joined computers, you’ve probably found yourself looking for a way to retrieve those keys using something other than the Azure portal. Of course users can retrieve the key themselves, but there are plenty of scenarios imaginable where you’d want a support agent to be able to look up a user’s BitLocker key for them.

In Active Directory you can accomplish this by fetching the msFVE-RecoveryInformation objects associated with your AD computers, but there’s no comparable method for Azure AD (yet?). Get-AzureADDevice and Get-AzureADObjectByObjectId don’t expose nearly as much information about a device as Get-ADComputer and Get-ADObject!

Cue the “hidden” Azure portal API! I found out about this through a colleague’s blog post at Liebensraum. It lets you perform actions in Azure that the official PowerShell modules don’t expose.

Note: please be careful using this for production workflows as this is NOT supported by Microsoft.

I’ve written a function named Get-AzureADBitLockerKeysForUser which grabs all BitLocker recovery keys from Azure AD for a certain user.

Let’s walk through it step by step!

1. Prerequisites

You’ll need two modules installed for this: AzureAD (or AzureADPreview) and AzureRM, so go ahead and install those if you haven’t already.

You also need to be assigned one of the following Azure AD roles to be able to view BitLocker keys:

  • Global Administrator
  • Helpdesk Administrator
  • Security Administrator
  • Security Reader
  • Intune Service Administrator
  • Cloud Device Administrator
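Before handing the function to a support team it is worth checking who actually holds one of these roles. The snippet below is an added example, not code from the post or its GitHub script: it uses the AzureAD module’s directory-role cmdlets to report whether a given account is a direct member of any of the roles listed above. It assumes an existing Connect-AzureAD session; the function name and the role-name list are my own. Note that it only sees direct role membership, not roles granted via PIM eligibility.

```powershell
# Role display names as the AzureAD module reports them. Global Administrator
# still surfaces under its legacy name "Company Administrator" in this module,
# so both spellings are included.
$BitLockerReaderRoles = @(
    'Global Administrator', 'Company Administrator',
    'Helpdesk Administrator',
    'Security Administrator',
    'Security Reader',
    'Intune Service Administrator',
    'Cloud Device Administrator'
)

function Test-AzureADBitLockerReaderRole {
    param(
        # UPN of the account to check; defaults to the account of the current session.
        [string]$UserPrincipalName = (Get-AzureADCurrentSessionInfo).Account.Id
    )

    $user = Get-AzureADUser -ObjectId $UserPrincipalName

    # Get-AzureADDirectoryRole only lists roles that have been activated in the
    # tenant. That is fine here: a role that was never activated has no members.
    $heldRoles = Get-AzureADDirectoryRole |
        Where-Object { $_.DisplayName -in $BitLockerReaderRoles } |
        Where-Object {
            (Get-AzureADDirectoryRoleMember -ObjectId $_.ObjectId).ObjectId -contains $user.ObjectId
        } |
        Select-Object -ExpandProperty DisplayName

    [PSCustomObject]@{
        UserPrincipalName    = $user.UserPrincipalName
        CanReadBitLockerKeys = [bool]$heldRoles
        MatchingRoles        = @($heldRoles)
    }
}

# Check the signed-in account, then a specific helpdesk account.
Test-AzureADBitLockerReaderRole
Test-AzureADBitLockerReaderRole -UserPrincipalName 'helpdesk@contoso.example'
```

Running this across your helpdesk accounts is a quick way to confirm that only the intended people can pull recovery keys, and that nobody has been given Global Administrator where Helpdesk Administrator or Security Reader would do.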

2. Connect to Azure AD and Azure RM

The function starts by connecting to both Azure AD and Azure RM, optionally using the supplied credential.

3. Get Access token

It then uses Jos Lieben’s method to retrieve an OAuth token for the Azure portal API endpoint, and creates the header to use in the API calls:

4. Find devices

Given the supplied user’s name or UserPrincipalName, it looks up all their Azure AD joined/registered devices:

5. Retrieve BitLocker keys

Finally, the script uses the API to fetch the device records for the user’s devices and pulls out the available BitLocker key IDs and recovery keys, along with the device name and drive type:

6. Output

The output of the function is an array of PSCustomObjects that you can use for further processing.
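To show how steps 2 to 6 fit together, here is an added example of how such a function can be structured. It is not the script from this post or from the GitHub repository. The AzureAD and AzureRM cmdlets are real, and the token exchange follows the refresh-token approach from Jos Lieben’s post as I recall it, but the portal API host, the resource ID the token is requested for, the device resource path and the property names of the returned JSON are assumptions (marked in the code) that you would substitute from the real script.

```powershell
function Get-AzureADBitLockerKeysForUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$UserPrincipalName,

        # Optional credential used for both Connect-AzureAD and Connect-AzureRmAccount.
        [System.Management.Automation.PSCredential]$Credential,

        # ASSUMPTION: base URL of the portal API and the app ID tokens must be issued
        # for. Both are placeholders here; take the real values from the script.
        [string]$PortalApiBase    = 'https://<portal-api-host>/api',
        [string]$PortalResourceId = '<portal-app-id>'
    )

    # Step 2: connect to Azure AD and Azure RM with the same credential, if supplied.
    $connectParams = @{}
    if ($Credential) { $connectParams['Credential'] = $Credential }
    Connect-AzureAD @connectParams | Out-Null
    Connect-AzureRmAccount @connectParams | Out-Null

    # Step 3: exchange the AzureRM session's refresh token for an access token
    # scoped to the portal resource, then build the request header.
    $context  = Get-AzureRmContext
    $tenantId = $context.Tenant.Id
    $refreshToken = @($context.TokenCache.ReadItems() |
        Where-Object { $_.TenantId -eq $tenantId -and $_.ExpiresOn -gt (Get-Date) })[0].RefreshToken
    if (-not $refreshToken) { throw 'No usable refresh token in the AzureRM token cache.' }

    $body = "grant_type=refresh_token&refresh_token=$refreshToken&resource=$PortalResourceId"
    $apiToken = Invoke-RestMethod -Uri "https://login.windows.net/$tenantId/oauth2/token" `
        -Method Post -Body $body -ContentType 'application/x-www-form-urlencoded'

    $headers = @{
        'Authorization'          = "Bearer $($apiToken.access_token)"
        'X-Requested-With'       = 'XMLHttpRequest'
        'x-ms-client-request-id' = [guid]::NewGuid().ToString()
    }

    # Step 4: resolve the user and collect their joined and registered devices.
    # A device can appear in both lists, so de-duplicate on ObjectId.
    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    $devices = @(Get-AzureADUserOwnedDevice -ObjectId $user.ObjectId) +
               @(Get-AzureADUserRegisteredDevice -ObjectId $user.ObjectId) |
               Sort-Object -Property ObjectId -Unique

    # Step 5: fetch each device record from the portal API and emit one object per key.
    # ASSUMPTION: the "/Device/{objectId}" path and the bitlockerKey / keyIdentifier /
    # recoveryKey / driveType property names are placeholders for the real ones.
    foreach ($device in $devices) {
        $record = Invoke-RestMethod -Uri "$PortalApiBase/Device/$($device.ObjectId)" `
            -Headers $headers -Method Get

        foreach ($key in @($record.bitlockerKey)) {
            # Step 6: PSCustomObject output, one row per recovery key.
            [PSCustomObject]@{
                UserPrincipalName = $user.UserPrincipalName
                DeviceName        = $device.DisplayName
                DeviceId          = $device.DeviceId
                DriveType         = $key.driveType
                KeyId             = $key.keyIdentifier
                RecoveryKey       = $key.recoveryKey
            }
        }
    }
}

# Typical use: look up keys for one user and show everything except the key itself.
Get-AzureADBitLockerKeysForUser -UserPrincipalName 'jane.doe@contoso.example' |
    Select-Object DeviceName, DriveType, KeyId
```

Because the output objects carry the recovery key in clear text, keep them in memory and pipe to Select-Object or Out-GridView rather than Export-Csv or a transcript; the key ID on its own is enough to match the prompt the user sees on the locked machine, so only reveal the RecoveryKey column once that match is confirmed.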

To wrap things up, here’s a screenshot of a sample run of the script:


Head over to my GitHub to grab a copy of the script, and let me know if you found it useful (or not)!