SOLVED

Audit Log for BitLocker Recovery Keys in Azure AD

%3CLINGO-SUB%20id%3D%22lingo-sub-225777%22%20slang%3D%22en-US%22%3EAudit%20Log%20for%20BitLocker%20Recovery%20Keys%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-225777%22%20slang%3D%22en-US%22%3E%3CP%3EEscrowing%20BitLocker%20recovery%20keys%20to%20Azure%20AD%20is%20great%20functionality%20but%20I%20have%20been%20asked%20to%20find%20an%20audit%20trail%20when%20a%20user%20or%20administrator%20accesses%20the%20recovery%20keys.%20The%20IT%20Security%20function%20at%20an%20organization%20that%20I%20am%20working%20with%20is%20concerned%20that%20a%20malicious%20insider%20could%20misuse%20the%20recovery%20keys%20to%20decrypt%20drives.%20They%20want%20to%20track%20when%20a%20Recovery%20Key%20is%20viewed%20in%20Azure%20AD.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20conducted%20some%20experiments%20with%20administrator%20and%20end%20user%20accounts%20but%20I%20did%20not%20see%20any%20audit%20log%20entries%20in%20the%20Azure%20AD%20audit%20log.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAre%20audit%20log%20entries%20created%20for%20BitLocker%20Recovery%20Key%20escrow%20and%20where%20would%20I%20find%20the%20audit%20logs%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-490406%22%20slang%3D%22en-US%22%3ERe%3A%20Audit%20Log%20for%20BitLocker%20Recovery%20Keys%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-490406%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F45079%22%20target%3D%22_blank%22%3E%40Andrew%20Matthews%3C%2FA%3E%26nbsp%3BDid%20you%20found%20an%20answer%20to%20this%20topic%3F%3CBR%20%2F%3E%3CBR%20%2F%3EI%20have%20not%20found%20any%20Audit%20log%20entry...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-503166%22%20slang%3D%22en-US%22%3ERe%3A%20Audit%20Log%20for%20BitLocker%20Recovery%20Keys%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-503166%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F329149%22%20target%3D%22_blank%22%3E%40ThomasKurthCH%3C%2FA%3E%26nbsp%3BI%20have%20not%20found%20an%20answer%20yet.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20is%20a%20UserVoice%20item%20for%20this%20feature.%20Feel%20free%20to%20upvote%20the%20UserVoice%20item.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ffeedback.azure.com%2Fforums%2F169401-azure-active-directory%2Fsuggestions%2F35097220-bitlocker%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Ffeedback.azure.com%2Fforums%2F169401-azure-active-directory%2Fsuggestions%2F35097220-bitlocker%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2238541%22%20slang%3D%22en-US%22%3ERe%3A%20Audit%20Log%20for%20BitLocker%20Recovery%20Keys%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2238541%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F45079%22%20target%3D%22_blank%22%3E%40Andrew%20Matthews%3C%2FA%3E%26nbsp%3BIn%20case%20anyone%20else%20is%20looking%20for%20this%20feature%20-%20It%20seems%20it%20was%20added%20late%20last%20year%20in%20Azure%20AD.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAUDITED%20BITLOCKER%20RECOVERY%20IN%20AZURE%20AD%20PUBLIC%20PREVIEW%3CBR%20%2F%3EService%20category%3A%20Device%20Access%20Management%3CBR%20%2F%3EProduct%20capability%3A%20Device%20Lifecycle%20Management%3C%2FP%3E%3CP%3EWhen%20IT%20admins%20or%20end%20users%20read%20BitLocker%20recovery%20key(s)%20they%20have%20access%20to%2C%20Azure%20Active%20Directory%20now%20generates%20an%20audit%20log%20that%20captures%20who%20accessed%20the%20recovery%20key.%20The%20same%20audit%20provides%20details%20of%20the%20device%20the%20BitLocker%20key%20was%20associated%20with.%3C%2FP%3E%3CP%3EEnd%20users%20can%20access%20their%20recovery%20keys%20via%20My%20Account.%20IT%20admins%20can%20access%20recovery%20keys%20via%20the%20BitLocker%20recovery%20key%20API%20in%20beta%20or%20via%20the%20Azure%20AD%20Portal.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdirteam.com%2Fsander%2F2020%2F10%2F06%2Fwhats-new-in-azure-active-directory-in-september-2020%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdirteam.com%2Fsander%2F2020%2F10%2F06%2Fwhats-new-in-azure-active-directory-in-september-2020%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

Escrowing BitLocker recovery keys to Azure AD is great functionality but I have been asked to find an audit trail when a user or administrator accesses the recovery keys. The IT Security function at an organization that I am working with is concerned that a malicious insider could misuse the recovery keys to decrypt drives. They want to track when a Recovery Key is viewed in Azure AD.

 

I conducted some experiments with administrator and end user accounts but I did not see any audit log entries in the Azure AD audit log.

 

Are audit log entries created for BitLocker Recovery Key escrow and where would I find the audit logs?

4 Replies

@Andrew Matthews Did you found an answer to this topic?

I have not found any Audit log entry...

@ThomasKurthCH I have not found an answer yet. 

 

There is a UserVoice item for this feature. Feel free to upvote the UserVoice item.

 

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/35097220-bitlocker

best response confirmed by Andrew Matthews (Contributor)
Solution

@Andrew Matthews In case anyone else is looking for this feature - It seems it was added late last year in Azure AD.

 

AUDITED BITLOCKER RECOVERY IN AZURE AD PUBLIC PREVIEW
Service category: Device Access Management
Product capability: Device Lifecycle Management

When IT admins or end users read BitLocker recovery key(s) they have access to, Azure Active Directory now generates an audit log that captures who accessed the recovery key. The same audit provides details of the device the BitLocker key was associated with.

End users can access their recovery keys via My Account. IT admins can access recovery keys via the BitLocker recovery key API in beta or via the Azure AD Portal.

https://dirteam.com/sander/2020/10/06/whats-new-in-azure-active-directory-in-september-2020/

Awesome. That's a good example of the dev teams listening to the community