Forum Discussion
Azure AD Domain Services and Bitlocker storage
I hate answering my own question on forums, but I did manage to figure it out on my own today. By default, only the Domain Admins group is delegated rights to view BitLocker keys. In Azure AD Domain Services you are only allowed to add accounts to the AAD DC Administrators group and cannot add anyone to the Domain Admins group. AAD DC Administrators doesn't have rights to see Bitlocker keys by default in any OU. So, there are two steps to resolve this.
Step 1 is to create your own OU and move the computers out of the AADDC Computers OU and into the one you just created. You have to do this because you don't have rights to delegate permissions in the AADDC Computers OU, but you can create a new OU at the root of the domain and you will have the ability to delegate permissions on that OU.
Step 2 is to delegate authority on that new OU to allow the AAD DC Administrators group to view Bitlocker recovery keys. I found instructions on this here: https://blog.nextxpert.com/2011/01/11/how-to-delegate-access-to-bitlocker-recovery-information-in-active-directory/
Essentially, you have to give a user or group Full Access permissions to the msFVE-RecoveryInformation objects using a custom task to delegate. Only then can you view the keys in ADUC.
I hate answering my own question on forums, but I did manage to figure it out on my own today. By default, only the Domain Admins group is delegated rights to view BitLocker keys. In Azure AD Domain Services you are only allowed to add accounts to the AAD DC Administrators group and cannot add anyone to the Domain Admins group. AAD DC Administrators doesn't have rights to see Bitlocker keys by default in any OU. So, there are two steps to resolve this.
Step 1 is to create your own OU and move the computers out of the AADDC Computers OU and into the one you just created. You have to do this because you don't have rights to delegate permissions in the AADDC Computers OU, but you can create a new OU at the root of the domain and you will have the ability to delegate permissions on that OU.
Step 2 is to delegate authority on that new OU to allow the AAD DC Administrators group to view Bitlocker recovery keys. I found instructions on this here: https://blog.nextxpert.com/2011/01/11/how-to-delegate-access-to-bitlocker-recovery-information-in-active-directory/
Essentially, you have to give a user or group Full Access permissions to the msFVE-RecoveryInformation objects using a custom task to delegate. Only then can you view the keys in ADUC.