Intune – Query Azure AD Bitlocker Keys using Graph API

The Issue

If you have recently started using the BitLocker encryption options in Intune, whether through device configuration or the Endpoint Protection encryption settings, you will have seen that there are many useful reports, like the encryption report below.

The problem is that it's quite hard to see whether your machines have actually backed up their recovery keys to Azure AD. When you have thousands of machines, it would not be feasible to check every one individually to see if the backup was successful.

The Investigation

Although there are alternatives with questionable supportability, such as querying the Azure AD APIs directly with a generated access token (see the article from Jos Lieben below),

Devices that lack a bitlocker recovery key in AzureAD | Liebensraum

I was looking for an easier alternative, and then I remembered the Graph API. In my opinion this is one of the least used but most powerful query mechanisms you have access to as an Azure administrator or Microsoft products admin.

By navigating to Graph Explorer – Microsoft Graph and signing in you can start querying information that might be hard to find otherwise.

With some help from my Microsoft colleague Andreas Kainz (Twitter @andikainz) we figured the below should be quite useful.

The Solution

1. Log in to Graph Explorer – Graph Explorer – Microsoft Graph

2. Sign in with your Azure Admin Account

3. Allow the below permissions by clicking on the Gear Icon

4. Change the Graph API Version to “beta”

5. Fill in the query https://graph.microsoft.com/beta/bitlocker/recoveryKeys

6. Change Response Headers to the below (using anything for the OCP-Client-Name)

7. Run your query! All devices with BitLocker keys will show up (until you reach the Graph API limit, which is 999 results). id refers to the BitLocker key and deviceID to your Azure AD device ID. I know it's not fully comprehensive yet, but it's a start!
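As an added example that is not part of the original post, the script below automates the same query: it walks @odata.nextLink past the single-page limit mentioned above and compares the returned deviceId values against a list of Azure AD device IDs to find machines with no escrowed key. The bearer token, the source of the device list, the ocp-client-name value and the sample pages are all assumptions or constructed data.

```python
"""Audit BitLocker key escrow via the beta Graph endpoint from the post.
Added example, not the post's own code. The token and the device list are
assumed to come from elsewhere (e.g. an app registration and /devices)."""
import json
import urllib.request

RECOVERY_KEYS_URL = "https://graph.microsoft.com/beta/bitlocker/recoveryKeys"


def graph_fetch(token):
    """Return a fetcher that GETs a Graph URL with a bearer token and the
    ocp-client-name header the post says is required (value is arbitrary)."""
    headers = {"Authorization": f"Bearer {token}",
               "ocp-client-name": "bitlocker-escrow-audit"}  # assumed value

    def fetch(url):
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def collect_key_records(fetch, url=RECOVERY_KEYS_URL):
    """Follow @odata.nextLink until the server stops returning one, so the
    per-page cap described in the post no longer truncates the result."""
    records = []
    while url:
        page = fetch(url)
        records.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return records


def devices_without_keys(device_ids, records):
    """Azure AD device IDs that have no recovery key escrowed at all."""
    escrowed = {r["deviceId"] for r in records if r.get("deviceId")}
    return sorted(set(device_ids) - escrowed)


# Constructed sample: two pages, three keys for two devices; dev-C has none.
PAGE_2 = RECOVERY_KEYS_URL + "?$skiptoken=constructed-page-2"
SAMPLE_PAGES = {
    RECOVERY_KEYS_URL: {"value": [{"id": "key-1", "deviceId": "dev-A"},
                                  {"id": "key-2", "deviceId": "dev-A"}],
                        "@odata.nextLink": PAGE_2},
    PAGE_2: {"value": [{"id": "key-3", "deviceId": "dev-B"}]},
}


def demo():
    """Run the audit offline against the constructed pages."""
    records = collect_key_records(SAMPLE_PAGES.__getitem__)
    return devices_without_keys(["dev-A", "dev-B", "dev-C"], records)


if __name__ == "__main__":
    print(demo())  # ['dev-C']
```

Against a live tenant, replace SAMPLE_PAGES.__getitem__ with graph_fetch(token) and feed the IDs of your enrolled devices to devices_without_keys.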

I hope this post was helpful. Feel free to reach out with any suggestions and tips, or to correct me on any of the steps.
