List recoveryKeys

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Get a list of the bitlockerRecoveryKey objects and their properties.

This operation does not return the key property. For information about how to read the key property, see Get bitlockerRecoveryKey.

Permissions

One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

Permission type Permissions (from most to least privileged)
Delegated (work or school account) BitLockerKey.ReadBasic.All, BitLockerKey.Read.All
Delegated (personal Microsoft account) Not supported
Application Not supported

Note: For delegated permissions to allow apps to get BitLockerRecoveryKey resources on behalf of the signed-in user, the tenant administrator must have assigned the user one of the following roles, or the user must be the registered owner of the device that the BitLocker recovery key was originally backed up from:

  • Global administrator
  • Cloud device administrator
  • Helpdesk administrator
  • Intune service administrator
  • Security administrator
  • Security reader
  • Global reader

HTTP request

To get a list of BitLocker keys within the tenant:

GET /informationProtection/bitlocker/recoveryKeys

To get a list of BitLocker keys within the tenant filtered by the device id:

GET /informationProtection/bitlocker/recoveryKeys?$filter=deviceId eq '{deviceId}'

Optional query parameters

This method supports the $filter OData query parameter to filter results by the device id the key was most recently backed up to. This method does not support the $top filter. For details, see Example 2. For general information, see OData query parameters.

The response might also contain an odata.nextLink, which you can use to page through the result set. For details, see Paging Microsoft Graph data.

Request headers

Name Description
Authorization Bearer {token}. Required.
ocp-client-name Name of the client application performing the API call. Required.
ocp-client-version Version of the client application performing the API call. Required.

Request body

Do not supply a request body for this method.

Response

If successful, this method returns a 200 OK response code and a collection of bitlockerRecoveryKey objects in the response body.

Examples

Example 1

Retrieve a list of BitLocker keys in the tenant.

Request

The following is an example of the request.

GET https://graph.microsoft.com/beta/informationProtection/bitlocker/recoveryKeys
ocp-client-name: "My Friendly Client"
ocp-client-version: "1.2"

Response

The following is an example of the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-Type: application/json

{
  "value": [
    {
      "@odata.type": "#microsoft.graph.bitlockerRecoveryKey",
      "id": "b465e4e8-e4e8-b465-e8e4-65b4e8e465b4",
      "createdDateTime": "2020-06-15T13:45:30.0000000Z",
      "volumeType": 1,
      "deviceId": "2ef04ef1-23b0-2e00-a3a5-ab345e567ab6"
    },
    {
      "@odata.type": "#microsoft.graph.bitlockerRecoveryKey",
      "id": "6a30ed7b-247b-4d26-86b5-2f405e55ea42",
      "createdDateTime": "2020-06-15T13:45:30.0000000Z",
      "volumeType": 1,
      "deviceId": "1ab40ab2-32a8-4b00-b6b5-ba724e407de9"
    }
  ]
}

Example 2

Retrieve a list of BitLocker keys filtered by device id.

Request

The following is an example of the request.

GET https://graph.microsoft.com/beta/informationProtection/bitlocker/recoveryKeys?$filter=deviceId eq '1ab40ab2-32a8-4b00-b6b5-ba724e407de9'
ocp-client-name: "My Friendly Client"
ocp-client-version: "1.2"

Response

The following is an example of the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-Type: application/json

{
  "value": [
    {
      "@odata.type": "#microsoft.graph.bitlockerRecoveryKey",
      "id": "b465e4e8-e4e8-b465-e8e4-65b4e8e465b4",
      "createdDateTime": "2020-06-15T13:45:30.0000000Z",
      "volumeType": 1,
      "deviceId": "1ab40ab2-32a8-4b00-b6b5-ba724e407de9"
    }
  ]
}