Audit Log for BitLocker Recovery Keys in Azure AD

Escrowing BitLocker recovery keys to Azure AD is great functionality but I have been asked to find an audit trail when a user or administrator accesses the recovery keys. The IT Security function at an organization that I am working with is concerned that a malicious insider could misuse the recovery keys to decrypt drives. They want to track when a Recovery Key is viewed in Azure AD.


I conducted some experiments with administrator and end user accounts but I did not see any audit log entries in the Azure AD audit log.


Are audit log entries created for BitLocker Recovery Key escrow and where would I find the audit logs?

2 Replies

@Andrew Matthews Did you find an answer to this topic?

I have not found any Audit log entry...


@ThomasKurthCH I have not found an answer yet. 


There is a UserVoice item for this feature. Feel free to upvote the UserVoice item.


https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/35097220-bitlocker