Aug 08 2018 08:27 AM
Escrowing BitLocker recovery keys to Azure AD is great functionality but I have been asked to find an audit trail when a user or administrator accesses the recovery keys. The IT Security function at an organization that I am working with is concerned that a malicious insider could misuse the recovery keys to decrypt drives. They want to track when a Recovery Key is viewed in Azure AD.
I conducted some experiments with administrator and end user accounts but I did not see any audit log entries in the Azure AD audit log.
Are audit log entries created for BitLocker Recovery Key escrow and where would I find the audit logs?
Apr 28 2019 03:45 AM
@Andrew Matthews Did you find an answer to this topic?
I have not found any Audit log entry...
Apr 30 2019 03:28 AM
@ThomasKurthCH I have not found an answer yet.
There is a UserVoice item for this feature. Feel free to upvote the UserVoice item.
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/35097220-bitlocker
Mar 26 2021 01:07 PM
@Andrew Matthews In case anyone else is looking for this feature: it seems it was added late last year in Azure AD.
AUDITED BITLOCKER RECOVERY IN AZURE AD PUBLIC PREVIEW
Service category: Device Access Management
Product capability: Device Lifecycle Management
When IT admins or end users read BitLocker recovery key(s) they have access to, Azure Active Directory now generates an audit log that captures who accessed the recovery key. The same audit provides details of the device the BitLocker key was associated with.
End users can access their recovery keys via My Account. IT admins can access recovery keys via the BitLocker recovery key API in beta or via the Azure AD Portal.
https://dirteam.com/sander/2020/10/06/whats-new-in-azure-active-directory-in-september-2020/