How to Retrieve the BitLocker Recovery Key from Azure AD

This post documents the process of retrieving a BitLocker recovery key from Azure Active Directory.


The device joined Azure Active Directory, and BitLocker was enabled.

The device’s hard drive (SSD) is pulled out and repurposed on another machine.

The administrator cannot find out who the original owner was.

We have Global Admin rights over the domain.

BitLocker Prompt When Reusing the Hard Drive (SSD)

“Enter the recovery key to get going again.”

The Easy Way

Log in as Global Admin, navigate to “Devices” – “All devices”, and search for your device label.

Click on your device. In the “Monitor” section you can find the “Recovery keys” option; click on it to see your recovery key.

The Difficult Way

There is a brilliant PowerShell script from “” which lists all your users and their devices. Please check the URL below; the actual script is listed here as well.

# Requires the AzureAD module and a connected session (Connect-AzureAD)
$Result = @()
$Users = Get-AzureADUser -All $true | Select UserPrincipalName,ObjectId
$Users | ForEach-Object {
    $user = $_
    # List every device registered to this user and record the owner alongside it
    Get-AzureADUserRegisteredDevice -ObjectId $user.ObjectId | ForEach-Object {
        $Result += New-Object PSObject -property @{
            DeviceOwner = $user.UserPrincipalName
            DeviceName = $_.DisplayName
            DeviceOSType = $_.DeviceOSType
            ApproximateLastLogonTimeStamp = $_.ApproximateLastLogonTimeStamp
        }
    }
}
# Show the combined list and save it for searching by device name
$Result | Select DeviceOwner,DeviceName,DeviceOSType,ApproximateLastLogonTimeStamp
$Result | Export-CSV "C:\AzureADJoinedDevices.csv" -NoTypeInformation -Encoding UTF8

The reason we need the “for” loop is that there is no relationship between “Get-AzureADUser” and “Get-AzureADUserRegisteredDevice”. From the AD user you do see the owned devices, but when you have no idea who the owner is, it becomes a pain…

Another PowerShell command that helps, but not much.

Once you find out who the owner was, simply go to ‘Azure Active Directory (NOT endpoint manager) – Users – “The Owner” – Devices’; the recovery key can be found here as well.
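The lookup can also start from the device label and go to its registered owner, shown here as an added example that is not part of the original post or the referenced script. It assumes the AzureAD module with a session opened by Connect-AzureAD; the function name Get-DeviceOwnerByLabel and the label 'DESKTOP-EXAMPLE' are hypothetical placeholders.

```powershell
# Added example: resolve a device label to its registered owner(s) and user(s).
# Assumes the AzureAD module is installed and Connect-AzureAD has been run as an admin.
function Get-DeviceOwnerByLabel {
    param(
        [Parameter(Mandatory = $true)]
        [string]$DeviceLabel
    )

    # A search string can match more than one device object, so always treat the result as a list
    $devices = @(Get-AzureADDevice -SearchString $DeviceLabel -All $true)
    if ($devices.Count -eq 0) {
        Write-Warning "No Azure AD device found matching '$DeviceLabel'."
        return
    }

    foreach ($device in $devices) {
        # Owner and user lists can both be empty; report that instead of dropping the device
        $owners = @(Get-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId -All $true)
        $users  = @(Get-AzureADDeviceRegisteredUser -ObjectId $device.ObjectId -All $true)

        $ownerNames = ($owners | ForEach-Object { $_.UserPrincipalName }) -join '; '
        $userNames  = ($users  | ForEach-Object { $_.UserPrincipalName }) -join '; '
        if (-not $ownerNames) { $ownerNames = '(none registered)' }
        if (-not $userNames)  { $userNames  = '(none registered)' }

        [PSCustomObject]@{
            DeviceName                    = $device.DisplayName
            DeviceObjectId                = $device.ObjectId
            DeviceOSType                  = $device.DeviceOSType
            ApproximateLastLogonTimeStamp = $device.ApproximateLastLogonTimeStamp
            RegisteredOwners              = $ownerNames
            RegisteredUsers               = $userNames
        }
    }
}

# 'DESKTOP-EXAMPLE' is a placeholder label, not a value from the post
Get-DeviceOwnerByLabel -DeviceLabel 'DESKTOP-EXAMPLE' | Format-List
```

If several rows come back for one label, ApproximateLastLogonTimeStamp helps tell a stale registration from the one the drive came from.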

Useful Links
