This post documents the process of retrieving a BitLocker recovery key from Azure Active Directory.
Environment
The device was joined to Azure Active Directory, and BitLocker was enabled.
The device's hard drive (SSD) was pulled out and repurposed in another machine.
The administrator cannot find out who the original owner was.
We have Global Admin rights over the domain.
BitLocker prompt when reusing the hard drive (SSD):
“Enter the recovery key to get going again.”
The Easy Way
Log in to https://endpoint.microsoft.com/ as Global Admin, navigate to "Devices" – "All devices", and search for your device label.
Click on your device; in the "Monitor" section you will find the "Recovery keys" option. Click on it to see your recovery key.
The Difficult Way
There is a brilliant PowerShell script from "morgantechspace.com" which lists all your users together with their registered devices. Please check the URL below; the actual script is reproduced here as well.
https://morgantechspace.com/2019/06/get-azure-ad-users-with-registered-devices-powershell.html
# Collect one row per (owner, registered device) pair
$Result = @()
$Users = Get-AzureADUser -All $true | Select-Object UserPrincipalName, ObjectId
$Users | ForEach-Object {
    $user = $_
    # Every device registered to this user, tagged with the user's UPN
    Get-AzureADUserRegisteredDevice -ObjectId $user.ObjectId | ForEach-Object {
        $Result += New-Object PSObject -Property @{
            DeviceOwner                   = $user.UserPrincipalName
            DeviceName                    = $_.DisplayName
            DeviceOSType                  = $_.DeviceOSType
            ApproximateLastLogonTimeStamp = $_.ApproximateLastLogonTimeStamp
        }
    }
}
# Show the table on screen and save it so the device name can be searched later
$Result | Select-Object DeviceOwner, DeviceName, DeviceOSType, ApproximateLastLogonTimeStamp
$Result | Export-Csv "C:\AzureADJoinedDevices.csv" -NoTypeInformation -Encoding UTF8
The reason we need the loop is that "Get-AzureADUser" and "Get-AzureADUserRegisteredDevice" only link in one direction: starting from an AD user you can see the devices they own, but when you have no idea who the owner is, you have to walk every user, which is a pain…
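The walk over every user is the generic approach. As an added example (not part of the original post or the morgantechspace script), the function below starts from the device side instead: Get-AzureADDevice finds the device object by display name, and Get-AzureADDeviceRegisteredOwner returns its owner directly, so the full user scan is only needed as a fallback for partial names. It assumes Connect-AzureAD has already been run with an account that can read devices and users; the device name "DESKTOP-ABC123" in the usage line is a placeholder.

```powershell
# Added example: resolve the Azure AD owner of a device from its display name.
# Assumes Connect-AzureAD has already been run. Cmdlets used: Get-AzureADDevice,
# Get-AzureADDeviceRegisteredOwner, Get-AzureADUser, Get-AzureADUserRegisteredDevice.
function Find-AzureADDeviceOwner {
    [CmdletBinding()]
    param(
        # Device name as shown in Azure AD / Endpoint Manager
        [Parameter(Mandatory = $true)]
        [string]$DeviceName,

        # When the exact-name lookup finds nothing, walk every user's registered
        # devices and match on a wildcard (slow, but catches partial names).
        [switch]$FallbackToUserScan
    )

    # 1. Direct lookup: the device object carries its own owner relationship.
    $escaped = $DeviceName -replace "'", "''"   # escape single quotes for the OData filter
    $devices = @(Get-AzureADDevice -Filter "displayName eq '$escaped'")

    foreach ($device in $devices) {
        $owners = @(Get-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId)
        if ($owners.Count -eq 0) {
            # Device record exists but has no owner (e.g. the owner account was deleted)
            [PSCustomObject]@{
                DeviceName     = $device.DisplayName
                DeviceObjectId = $device.ObjectId
                DeviceId       = $device.DeviceId
                Owner          = '<none>'
                LastLogon      = $device.ApproximateLastLogonTimeStamp
            }
            continue
        }
        foreach ($owner in $owners) {
            [PSCustomObject]@{
                DeviceName     = $device.DisplayName
                DeviceObjectId = $device.ObjectId
                DeviceId       = $device.DeviceId
                Owner          = $owner.UserPrincipalName
                LastLogon      = $device.ApproximateLastLogonTimeStamp
            }
        }
    }

    if ($devices.Count -gt 0 -or -not $FallbackToUserScan) { return }

    # 2. Fallback: the same user-by-user walk as the script above, filtered on a
    #    wildcard match and streamed to the pipeline instead of accumulating in $Result.
    Write-Verbose "No exact match for '$DeviceName'; scanning all users' registered devices"
    Get-AzureADUser -All $true | ForEach-Object {
        $user = $_
        Get-AzureADUserRegisteredDevice -ObjectId $user.ObjectId |
            Where-Object { $_.DisplayName -like "*$DeviceName*" } |
            ForEach-Object {
                [PSCustomObject]@{
                    DeviceName     = $_.DisplayName
                    DeviceObjectId = $_.ObjectId
                    DeviceId       = $_.DeviceId
                    Owner          = $user.UserPrincipalName
                    LastLogon      = $_.ApproximateLastLogonTimeStamp
                }
            }
    }
}

# Usage (placeholder device name):
Find-AzureADDeviceOwner -DeviceName 'DESKTOP-ABC123' -FallbackToUserScan -Verbose |
    Format-Table -AutoSize
```

Once the owner's UPN is known, the key itself is read through the portal path described in this post; note that retrieving a BitLocker key is a privileged, audited operation in Azure AD, so the lookup will be recorded in the audit log. Also be aware that the AzureAD PowerShell module this post relies on has been deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK, so the same device-side lookup may need to be ported to the Graph cmdlets on newer tenants.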
Another PowerShell command that helps, but not much.
Once you have found out who the owner was, simply go to 'Azure Active Directory (NOT Endpoint Manager) – Users – "The Owner" – Devices'; the recovery key can be found here as well.
Useful Links
https://morgantechspace.com/2019/06/get-azure-ad-users-with-registered-devices-powershell.html
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal