By default, where the BitLocker key of a user's device is stored in Microsoft Entra ID, that user (or the owner of the device) can access the BitLocker key through their Microsoft Entra profile on the web.
There are many arguments for and against allowing a user access to their own BitLocker key; however, with the ever-increasing sophistication of attacks against organisations, my recommendation is to restrict this access to administrators only.
In this post, I am going to show you how to prevent a user from accessing their own BitLocker key in Microsoft Entra.
Should I block users from recovering BitLocker keys?
The answer to whether your organisation should allow non-admin users access to the BitLocker keys of the device they own comes down to a question of risk and practicality.
Practically, are non-admin users likely to need access to their BitLocker keys, and if they do, will they just ask you (support) for help anyway, even if they know how to access the key themselves? If they are likely to raise a support request whenever a recovery is necessary regardless, it probably isn't worth the added risk.
On the other hand, the counter-argument for allowing non-admin users access to their own BitLocker keys is that, with modern multi-factor authentication methods, the risk of account compromise is lower, and for that scenario I do agree.
What I don't trust is that devices will never be left unattended, even for a short amount of time. A savvy attacker who can snatch and grab while the device is active could take the laptop, steal the BitLocker key from the signed-in user's profile, and away they go. To me, this outweighs the occasional need for a non-admin user to access their recovery key.
Overall, yes, you should be limiting access to BitLocker keys to approved users only. I do agree with Microsoft's stance of leaving BitLocker keys accessible by default, as in a perfect world that would be beneficial, but in our current world it is not.
Block user access to BitLocker keys using the Microsoft Entra portal
The simplest way to ensure that no standard users can access their own BitLocker keys is to use the Microsoft Entra admin center through the web. Follow the steps below to restrict access:
2. Expand Devices and select All Devices.
3. Select Device settings.
4. Set
Now that this setting has been enabled, if a user signs in to myaccount.microsoft.com and attempts to access their device's BitLocker key by selecting the Device tab, the View BitLocker Keys button will not be available to them.
Block user access to BitLocker keys using Microsoft Graph PowerShell
You can also use Microsoft Graph PowerShell to block or restrict user access to their BitLocker keys. For this, you will need the latest version of the Microsoft Graph PowerShell SDK installed, as well as access to a Global Administrator account in your tenant to consent to the required permission.
For detailed steps on how to install the Microsoft Graph PowerShell module, check out my post: https://ourcloudnetwork.com/how-to-install-the-microsoft-graph-powershell-sdk/
Start by connecting to Microsoft Graph PowerShell with the following command:
Connect-MgGraph -Scopes Policy.ReadWrite.Authorization
As the property that we need to modify, 'allowedToReadBitlockerKeysForOwnedDevice', is a nested property, there is no direct parameter supported for it, so we must build our payload as a hash table and pass it as the request body:
$body = @{
    defaultUserRolePermissions = @{
        allowedToReadBitlockerKeysForOwnedDevice = $false
    }
}
We can then use the update command to complete the request:
Update-MgBetaPolicyAuthorizationPolicy -AuthorizationPolicyId authorizationPolicy -BodyParameter $body
Once the command has run, the Get-MgBetaPolicyAuthorizationPolicy cmdlet can be used to verify that our policy is now correct:
Get-MgBetaPolicyAuthorizationPolicy | Select -ExpandProperty DefaultUserRolePermissions
As you can see from the results below, the AllowedToReadBitlockerKeysForOwnedDevice property is now false.
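To turn the manual steps above into something you can run on a schedule, here is an added example (my own wrapper, not code from the original post or from Microsoft) that audits the setting, reports whether the tenant is compliant, and only writes the change when asked to. It assumes the beta Microsoft Graph PowerShell cmdlets used above are installed and that the signed-in account can consent to Policy.Read.All (audit) or Policy.ReadWrite.Authorization (remediate); the function name and its output object are my own.

```powershell
function Invoke-BitLockerKeyAccessAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # When set, flip allowedToReadBitlockerKeysForOwnedDevice to $false if it is currently $true
        [switch]$Remediate
    )

    # Least privilege: a read-only scope is enough to audit; request the write scope only to remediate
    $scope = if ($Remediate) { 'Policy.ReadWrite.Authorization' } else { 'Policy.Read.All' }
    Connect-MgGraph -Scopes $scope -NoWelcome

    # Read the tenant-wide authorization policy and pull out the nested default user permission
    $policy  = Get-MgBetaPolicyAuthorizationPolicy
    $allowed = $policy.DefaultUserRolePermissions.AllowedToReadBitlockerKeysForOwnedDevice

    $result = [pscustomobject]@{
        UsersCanReadOwnKeys = $allowed
        Compliant           = ($allowed -eq $false)
        Remediated          = $false
    }

    if ($result.Compliant) {
        Write-Verbose 'Non-admin users are already blocked from reading their own BitLocker keys.'
        return $result
    }

    Write-Warning 'Non-admin users can currently read BitLocker keys for devices they own.'

    if ($Remediate -and $PSCmdlet.ShouldProcess('authorizationPolicy', 'Set allowedToReadBitlockerKeysForOwnedDevice to false')) {
        # Same nested hash table payload as the manual steps above
        $body = @{ defaultUserRolePermissions = @{ allowedToReadBitlockerKeysForOwnedDevice = $false } }
        Update-MgBetaPolicyAuthorizationPolicy -AuthorizationPolicyId 'authorizationPolicy' -BodyParameter $body

        # Do not trust the request alone: re-read the policy and confirm the value actually changed
        $after = (Get-MgBetaPolicyAuthorizationPolicy).DefaultUserRolePermissions.AllowedToReadBitlockerKeysForOwnedDevice
        $result.UsersCanReadOwnKeys = $after
        $result.Remediated          = ($after -eq $false)
        $result.Compliant           = $result.Remediated
    }

    return $result
}

# Audit only, then dry-run the change, then apply it:
# Invoke-BitLockerKeyAccessAudit -Verbose
# Invoke-BitLockerKeyAccessAudit -Remediate -WhatIf
# Invoke-BitLockerKeyAccessAudit -Remediate
```

Because the function supports -WhatIf and -Confirm, the remediation path can be reviewed before it writes anything, and the returned object is suitable for logging to a compliance report.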