Branch: master
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
85 lines (75 sloc) 3.68 KB
function Get-AzureADBitLockerKeysForUser {
Retrieve BitLocker keys from all Azure AD devices belonging to a certain user.
Given a user's name or UPN, returns all available BitLocker keys associated with devices belonging to the user. The user running the function needs to have sufficient rights in Azure AD to view BitLocker keys.
Get-AzureADBitLockerKeysForUser -Credential (Get-Credential) -SearchString "John Doe" | Format-Table
.PARAMETER SearchString
Name or UPN of the user whose keys to retrieve. Passed through to Get-AzureADUser -SearchString.
.PARAMETER Credential
If supplied, the credential object for the privileged user retrieving the keys.
filename: Get-AzureADBitLockerKeysForUser.ps1
author: Gerbrand van der Weg
created: 2018-10-26
Access token code courtesy of Jos Lieben:
[parameter(Mandatory = $true)]
Import-Module AzureRM.Profile
if (Get-Module -Name "AzureADPreview" -ListAvailable) {
Import-Module AzureADPreview
} elseif (Get-Module -Name "AzureAD" -ListAvailable) {
Import-Module AzureAD
if ($Credential) {
Try {
Connect-AzureAD -Credential $Credential -ErrorAction Stop | Out-Null
} Catch {
Write-Warning "Couldn't connect to Azure AD non-interactively, trying interactively."
Connect-AzureAD -TenantId $(($Credential.UserName.Split("@"))[1]) -ErrorAction Stop | Out-Null
Try {
Login-AzureRmAccount -Credential $Credential -ErrorAction Stop | Out-Null
} Catch {
Write-Warning "Couldn't connect to Azure RM non-interactively, trying interactively."
Login-AzureRmAccount -TenantId $(($Credential.UserName.Split("@"))[1]) -ErrorAction Stop | Out-Null
} else {
Connect-AzureAD -ErrorAction Stop | Out-Null
Login-AzureRmAccount -ErrorAction Stop | Out-Null
$context = Get-AzureRmContext
$tenantId = $context.Tenant.Id
$refreshToken = @($context.TokenCache.ReadItems() | Where-Object {$_.tenantId -eq $tenantId -and $_.ExpiresOn -gt (Get-Date)})[0].RefreshToken
$body = "grant_type=refresh_token&refresh_token=$($refreshToken)&resource=74658136-14ec-4630-ad9b-26e160ff0fc6"
$apiToken = Invoke-RestMethod "$tenantId/oauth2/token" -Method POST -Body $body -ContentType 'application/x-www-form-urlencoded'
$header = @{
'Authorization' = 'Bearer ' + $apiToken.access_token
'X-Requested-With' = 'XMLHttpRequest'
'x-ms-client-request-id' = [guid]::NewGuid()
'x-ms-correlation-id' = [guid]::NewGuid()
$userDevices = Get-AzureADUser -SearchString $SearchString | Get-AzureADUserRegisteredDevice -All:$true
$bitLockerKeys = @()
foreach ($device in $userDevices) {
$url = "$($device.objectId)"
$deviceRecord = Invoke-RestMethod -Uri $url -Headers $header -Method Get
if ($deviceRecord.bitlockerKey.count -ge 1) {
$bitLockerKeys += [PSCustomObject]@{
Device = $deviceRecord.displayName
DriveType = $deviceRecord.bitLockerKey.driveType
KeyId = $deviceRecord.bitLockerKey.keyIdentifier
RecoveryKey = $deviceRecord.bitLockerKey.recoveryKey