Hello and welcome to a new tutorial from ITSpecialist.news! Today we’ll address a concrete need that many of you may have already encountered: allowing a help desk operator to view the BitLocker recovery keys of Windows devices managed by Microsoft Intune.
📰 What do you prefer? Video or article?
Some notes to make the most of this content.
If you prefer to watch the full video, easy: you’ll find it right above in the header.
If you prefer reading, that’s easy too: just keep going here. For each step I’ve included the specific video snippet, so you’ll only see the screens that matter, without my face talking.
In any case, subscribe to the newsletter to make sure you don’t miss any new tutorials.
Perfect, let’s get started!
Will being a Help Desk Operator through Intune RBAC be enough?
Our main character is Hazel, a help desk operator, who already has the Help Desk Operator role assigned via Intune RBAC. But… will that be sufficient?
Even though Hazel has the correct role in Intune, she won’t be able to view the BitLocker keys. Why? Because this permission is not managed by Intune, but by Microsoft Entra.
With a Zero Trust Security approach, let’s see how to grant the minimum permissions needed to allow Hazel to read the BitLocker recovery keys of devices managed by Intune.
🛠️ Create a group assignable to Entra roles
First, we need to create a security group that can be assigned to Entra roles.
⚠️ Attention: this option ("Microsoft Entra roles can be assigned to the group") can only be enabled at the moment of group creation and cannot be modified later; if you already have a group without it, you must create a new one.
Once the group is created, we add Hazel as a member.
🧩 Create the custom role in Entra
Now let’s create a custom role in Entra. The permissions we need are:
microsoft.directory/deviceBitLockerKeys/read
microsoft.directory/bitlockerKeys/metadata/read
These allow reading the BitLocker recovery keys (and their metadata) associated with devices registered in Entra, and nothing else.
🔗 Assign the role to the group
With the role ready and the group created, we can proceed with assigning the custom role to the group that contains Hazel. This is the step that effectively enables the visualization of the keys.
✅ Verification: can Hazel see the keys now?
Let’s go back to Intune and log in with Hazel’s account. This time, thanks to the Entra role, she will be able to correctly view the BitLocker keys of the devices.
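The same three steps (role-assignable group, custom role with the two read actions, assignment to the group) can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the article; the group name, role name and Hazel's UPN are assumed placeholders, and the account running it needs a privileged role such as Privileged Role Administrator to create a role-assignable group.

```powershell
# Added example (not from the original article): automates the tutorial steps
# with the Microsoft Graph PowerShell SDK. Names marked "assumed" are placeholders.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Identity.Governance

Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All", `
    "GroupMember.ReadWrite.All","RoleManagement.ReadWrite.Directory"

$operatorUpn = "hazel@contoso.example"          # assumed UPN of the help desk operator
$user = Get-MgUser -UserId $operatorUpn

# Step 1: role-assignable security group. IsAssignableToRole can only be set here,
# at creation time; it cannot be switched on later.
$group = New-MgGroup -DisplayName "SG-HelpDesk-BitLockerReaders" `   # assumed name
    -MailEnabled:$false -MailNickname "sg-helpdesk-bitlocker" `
    -SecurityEnabled -IsAssignableToRole

New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id

# Step 2: custom Entra role limited to the two read actions from the article.
$roleDef = New-MgRoleManagementDirectoryRoleDefinition `
    -DisplayName "BitLocker Recovery Key Reader" `                    # assumed name
    -Description "Read BitLocker recovery keys and their metadata only" `
    -IsEnabled `
    -RolePermissions @(
        @{ AllowedResourceActions = @(
            "microsoft.directory/deviceBitLockerKeys/read",
            "microsoft.directory/bitlockerKeys/metadata/read"
        ) }
    )

# Step 3: assign the custom role to the group at tenant scope ("/").
New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $roleDef.Id -PrincipalId $group.Id -DirectoryScopeId "/" | Out-Null

# Verification: confirm the only principal holding this role is our group.
Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "roleDefinitionId eq '$($roleDef.Id)'" |
    ForEach-Object { "{0} -> scope {1}" -f $_.PrincipalId, $_.DirectoryScopeId }
```

The final query is a useful periodic check: any principal other than the help desk group appearing against this role definition is a sign the assignment has drifted from least privilege.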
📚 Attached documentation and useful links
To explore the topic further, here are some official documents, with a hint of pumpkin cake:
📬 Conclusions
We’ve seen how a simple Intune role is not enough to access BitLocker keys, and how to solve the problem with a custom role in Entra.
If you found this useful, subscribe to the ITSpecialist.News newsletter to receive more practical content, guides, and updates from the Microsoft 365 world.
As always, thank you for following me this far!
See you soon… LEGENDS!
Riccardo