As you probably already know when you enable BitLocker on a Windows device you can save the recovery key to either Active Directory, Azure Active Directory, a USB device, a file or even print it.
By default, end-users can access the BitLocker recovery key for the device they own by accessing the BitLocker keys blade in Azure AD (also called self-service BitLocker key access) or by accessing the device they own properties
Well, you can now restrict access to the BitLocker recovery key when saved on Azure.
To do so, you need to update the authorization policy using Microsoft Graph (you need to have Microsoft Graph PowerShell module installed – Install-Module Microsoft.Graph)
Connect-MgGraph -Scopes Policy.ReadWrite.Authorization
$authPolicyUri = “https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy”
$body = @{
defaultUserRolePermissions = @{
allowedToReadBitlockerKeysForOwnedDevice = $false #Set this to $true to allow BitLocker self-service recovery
}
}| ConvertTo-Json
Invoke-MgGraphRequest -Uri $authPolicyUri -Method PATCH -Body $body
# Show current policy setting
$authPolicy = Invoke-MgGraphRequest -Uri $authPolicyUri
$authPolicy.defaultUserRolePermissions
When connecting to Microsoft Graph, you may be requested to grant permissions – I would recommend to enable the Consent on behalf of your organization
When you have updated the policy to turn off the self-service BitLocker key access, only user with either the following role will be able to access the BitLocker key:
- Global admins
- Intune Service Administrators
- Security Administrators
- Security Readers
- Helpdesk Admins
- or custom role with the BitLocker key read permissions
