cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Audit Log for BitLocker Recovery Keys in Azure AD

%3CLINGO-SUB%20id%3D%22lingo-sub-225777%22%20slang%3D%22en-US%22%3EAudit%20Log%20for%20BitLocker%20Recovery%20Keys%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-225777%22%20slang%3D%22en-US%22%3E%3CP%3EEscrowing%20BitLocker%20recovery%20keys%20to%20Azure%20AD%20is%20great%20functionality%20but%20I%20have%20been%20asked%20to%20find%20an%20audit%20trail%20when%20a%20user%20or%20administrator%20accesses%20the%20recovery%20keys.%20The%20IT%20Security%20function%20at%20an%20organization%20that%20I%20am%20working%20with%20is%20concerned%20that%20a%20malicious%20insider%20could%20misuse%20the%20recovery%20keys%20to%20decrypt%20drives.%20They%20want%20to%20track%20when%20a%20Recovery%20Key%20is%20viewed%20in%20Azure%20AD.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20conducted%20some%20experiments%20with%20administrator%20and%20end%20user%20accounts%20but%20I%20did%20not%20see%20any%20audit%20log%20entries%20in%20the%20Azure%20AD%20audit%20log.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAre%20audit%20log%20entries%20created%20for%20BitLocker%20Recovery%20Key%20escrow%20and%20where%20would%20I%20find%20the%20audit%20logs%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-490406%22%20slang%3D%22en-US%22%3ERe%3A%20Audit%20Log%20for%20BitLocker%20Recovery%20Keys%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-490406%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F45079%22%20target%3D%22_blank%22%3E%40Andrew%20Matthews%3C%2FA%3E%26nbsp%3BDid%20you%20found%20an%20answer%20to%20this%20topic%3F%3CBR%20%2F%3E%3CBR%20%2F%3EI%20have%20not%20found%20any%20Audit%20log%20entry...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-503166%22%20slang%3D%22en-US%22%3ERe%3A%20Audit%20Log%20for%20BitLocker%20Recovery%20Keys%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-503166%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F329149%22%20target%3D%22_blank%22%3E%40ThomasKurthCH%3C%2FA%3E%26nbsp%3BI%20have%20not%20found%20an%20answer%20yet.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20is%20a%20UserVoice%20item%20for%20this%20feature.%20Feel%20free%20to%20upvote%20the%20UserVoice%20item.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ffeedback.azure.com%2Fforums%2F169401-azure-active-directory%2Fsuggestions%2F35097220-bitlocker%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Ffeedback.azure.com%2Fforums%2F169401-azure-active-directory%2Fsuggestions%2F35097220-bitlocker%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2238541%22%20slang%3D%22en-US%22%3ERe%3A%20Audit%20Log%20for%20BitLocker%20Recovery%20Keys%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2238541%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F45079%22%20target%3D%22_blank%22%3E%40Andrew%20Matthews%3C%2FA%3E%26nbsp%3BIn%20case%20anyone%20else%20is%20looking%20for%20this%20feature%20-%20It%20seems%20it%20was%20added%20late%20last%20year%20in%20Azure%20AD.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAUDITED%20BITLOCKER%20RECOVERY%20IN%20AZURE%20AD%20PUBLIC%20PREVIEW%3CBR%20%2F%3EService%20category%3A%20Device%20Access%20Management%3CBR%20%2F%3EProduct%20capability%3A%20Device%20Lifecycle%20Management%3C%2FP%3E%3CP%3EWhen%20IT%20admins%20or%20end%20users%20read%20BitLocker%20recovery%20key(s)%20they%20have%20access%20to%2C%20Azure%20Active%20Directory%20now%20generates%20an%20audit%20log%20that%20captures%20who%20accessed%20the%20recovery%20key.%20The%20same%20audit%20provides%20details%20of%20the%20device%20the%20BitLocker%20key%20was%20associated%20with.%3C%2FP%3E%3CP%3EEnd%20users%20can%20access%20their%20recovery%20keys%20via%20My%20Account.%20IT%20admins%20can%20access%20recovery%20keys%20via%20the%20BitLocker%20recovery%20key%20API%20in%20beta%20or%20via%20the%20Azure%20AD%20Portal.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdirteam.com%2Fsander%2F2020%2F10%2F06%2Fwhats-new-in-azure-active-directory-in-september-2020%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdirteam.com%2Fsander%2F2020%2F10%2F06%2Fwhats-new-in-azure-active-directory-in-september-2020%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Andrew Matthews
Contributor

‎Aug 08 2018 08:27 AM

‎Aug 08 2018 08:27 AM

Audit Log for BitLocker Recovery Keys in Azure AD

Escrowing BitLocker recovery keys to Azure AD is great functionality but I have been asked to find an audit trail when a user or administrator accesses the recovery keys. The IT Security function at an organization that I am working with is concerned that a malicious insider could misuse the recovery keys to decrypt drives. They want to track when a Recovery Key is viewed in Azure AD.

 

I conducted some experiments with administrator and end user accounts but I did not see any audit log entries in the Azure AD audit log.

 

Are audit log entries created for BitLocker Recovery Key escrow and where would I find the audit logs?

2,132 Views
1 Like
4 Replies
Reply
4 Replies
ThomasKurthCH

‎Apr 28 2019 03:45 AM

‎Apr 28 2019 03:45 AM

Re: Audit Log for BitLocker Recovery Keys in Azure AD

@Andrew Matthews Did you found an answer to this topic?

I have not found any Audit log entry...

0 Likes
Reply
Andrew Matthews

‎Apr 30 2019 03:28 AM

‎Apr 30 2019 03:28 AM

Re: Audit Log for BitLocker Recovery Keys in Azure AD

@ThomasKurthCH I have not found an answer yet. 

 

There is a UserVoice item for this feature. Feel free to upvote the UserVoice item.

 

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/35097220-bitlocker

0 Likes
Reply
best response confirmed by Andrew Matthews (Contributor)
Gian202b

‎Mar 26 2021 01:07 PM

‎Mar 26 2021 01:07 PM

Solution

Re: Audit Log for BitLocker Recovery Keys in Azure AD

@Andrew Matthews In case anyone else is looking for this feature - It seems it was added late last year in Azure AD.

 

AUDITED BITLOCKER RECOVERY IN AZURE AD PUBLIC PREVIEW
Service category: Device Access Management
Product capability: Device Lifecycle Management

When IT admins or end users read BitLocker recovery key(s) they have access to, Azure Active Directory now generates an audit log that captures who accessed the recovery key. The same audit provides details of the device the BitLocker key was associated with.

End users can access their recovery keys via My Account. IT admins can access recovery keys via the BitLocker recovery key API in beta or via the Azure AD Portal.

https://dirteam.com/sander/2020/10/06/whats-new-in-azure-active-directory-in-september-2020/

1 Like
Reply
Andrew Matthews

‎Mar 27 2021 07:52 AM

‎Mar 27 2021 07:52 AM

Re: Audit Log for BitLocker Recovery Keys in Azure AD

Awesome. That's a good example of the dev teams listening to the community
0 Likes
Reply