By default, this operation doesn't return the key property that represents the actual recovery key. To include the key property in the response, use the $select OData query parameter. Including the $select query parameter triggers a Microsoft Entra audit of the operation and generates an audit log. For more information on audit logs for bitlocker recovery keys, see the KeyManagement category filter of Microsoft Entra audit logs.
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
Permission type
Least privileged permissions
Higher privileged permissions
Delegated (work or school account)
BitLockerKey.ReadBasic.All
BitLockerKey.Read.All
Delegated (personal Microsoft account)
Not supported.
Not supported.
Application
Not supported.
Not supported.
For delegated permissions, the calling user must be the registered owner of the device that the BitLocker recovery key was originally backed up from, or they must be in one of the following directory roles:
Global administrator
Cloud device administrator
Helpdesk administrator
Intune service administrator
Security administrator
Security reader
Global reader
HTTP request
To get the specified BitLocker key without returning the key property:
GET /informationProtection/bitlocker/recoveryKeys/{bitlockeryRecoveryKeyId}
To get the specified BitLocker key including its key property:
GET /informationProtection/bitlocker/recoveryKeys/{bitlockeryRecoveryKeyId}?$select=key
Optional query parameters
This method supports the $select OData query parameter to return the key property. For general information, see OData query parameters.
Request headers
Name
Description
Authorization
Bearer {token}. Required.
User-Agent
The identifier for the calling application. This value contains information about the operating system and the browser used. Required.
ocp-client-name
The name of the client application performing the API call. This header is used for debugging purposes. Optional.
ocp-client-version
The version of the client application performing the API call. This header is used for debugging purposes. Optional.
Request body
Don't supply a request body for this method.
Response
If successful, this method returns a 200 OK response code and a bitlockerRecoveryKey object in the response body.
Examples
Example 1: Get the BitLocker key by specifying the key id
Request
The following example shows a request. This example doesn't return the key property.
GET https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys/b465e4e8-e4e8-b465-e8e4-65b4e8e465b4
User-Agent: Dsreg/10.0 (Windows 10.0.19043.1466)
ocp-client-name: My Friendly Client
ocp-client-version: 1.2
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.InformationProtection.Bitlocker.RecoveryKeys["{bitlockerRecoveryKey-id}"].GetAsync((requestConfiguration) =>
{
requestConfiguration.Headers.Add("User-Agent", "Dsreg/10.0");
requestConfiguration.Headers.Add("ocp-client-name", "My Friendly Client");
requestConfiguration.Headers.Add("ocp-client-version", "1.2");
});
// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc information-protection bitlocker recovery-keys get --bitlocker-recovery-key-id {bitlockerRecoveryKey-id}
<?php
// THIS SNIPPET IS A PREVIEW VERSION OF THE SDK. NON-PRODUCTION USE ONLY
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestConfiguration = new BitlockerRecoveryKeyItemRequestBuilderGetRequestConfiguration();
$headers = [
'User-Agent' => 'Dsreg/10.0',
'ocp-client-name' => 'My Friendly Client',
'ocp-client-version' => '1.2',
];
$requestConfiguration->headers = $headers;
$result = $graphServiceClient->informationProtection()->bitlocker()->recoveryKeys()->byBitlockerRecoveryKeyId('bitlockerRecoveryKey-id')->get($requestConfiguration)->wait();
# THE PYTHON SDK IS IN PREVIEW. FOR NON-PRODUCTION USE ONLY
graph_client = GraphServiceClient(credentials, scopes)
request_configuration = BitlockerRecoveryKeyItemRequestBuilder.BitlockerRecoveryKeyItemRequestBuilderGetRequestConfiguration()
request_configuration.headers.add("User-Agent", "Dsreg/10.0")
request_configuration.headers.add("ocp-client-name", "My Friendly Client")
request_configuration.headers.add("ocp-client-version", "1.2")
result = await graph_client.information_protection.bitlocker.recovery_keys.by_bitlocker_recovery_key_id('bitlockerRecoveryKey-id').get(request_configuration = request_configuration)
GET https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys/b465e4e8-e4e8-b465-e8e4-65b4e8e465b4?$select=key
User-Agent: Dsreg/10.0 (Windows 10.0.19043.1466)
ocp-client-name: My Friendly Client
ocp-client-version: 1.2
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.InformationProtection.Bitlocker.RecoveryKeys["{bitlockerRecoveryKey-id}"].GetAsync((requestConfiguration) =>
{
requestConfiguration.QueryParameters.Select = new string []{ "key" };
requestConfiguration.Headers.Add("User-Agent", "Dsreg/10.0");
requestConfiguration.Headers.Add("ocp-client-name", "My Friendly Client");
requestConfiguration.Headers.Add("ocp-client-version", "1.2");
});
// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc information-protection bitlocker recovery-keys get --bitlocker-recovery-key-id {bitlockerRecoveryKey-id} --select "key"