What admin role grants permission to view devices' BitLocker recovery keys?


Which of the standard admin roles is required to view BitLocker recovery keys for a device in Intune?

4 Replies

Hi Steve,

One of those should do it!


Global admins
Intune Service Administrators
Security Administrators
Security Readers
Helpdesk Admins

Hope this helps!
Moe

Thanks Moe. I didn't realize at first that access to the keys in Intune was controlled by the AAD administrator roles; I was expecting it to be part of one of the Intune roles.

FWIW, the Security Readers and Helpdesk Administrator roles do not appear to have access to the recovery keys, based on the permissions listed in the role description. The Cloud Device Administrator role does grant the appropriate permission.

Hopefully once the Custom Roles permission is expanded to support more permissions, I'll be able to grant only the permission to read the BitLocker keys without everything else that goes with Cloud Device Administrator.
You can already give an administrator view permissions on 'devices' within Intune. I suppose this should solve your issue as well.
This is available here - https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/RolesLandingMenuBlade/overview
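
The thread turns on which directory roles carry the permission to read recovery keys and how much else comes with them. As an added example (not from any poster in this thread), the Python below audits role definitions for the `microsoft.directory/bitlockerKeys/key/read` action and ranks the matching roles by how many other actions they grant. Assumptions: the input is shaped like the `value` array from Microsoft Graph `GET /roleManagement/directory/roleDefinitions`; the sample data is constructed, its action lists are trimmed, and the two "Example" roles are hypothetical.

```python
import json

# Directory role action that allows reading BitLocker recovery keys.
KEY_READ = "microsoft.directory/bitlockerKeys/key/read"

# Constructed sample shaped like the "value" array of a roleDefinitions
# response. Action lists are trimmed and illustrative, not a copy of any
# tenant's role definitions; the "Example" roles are hypothetical.
SAMPLE = json.loads("""
[
  {"displayName": "Cloud Device Administrator", "isBuiltIn": true,
   "rolePermissions": [{"allowedResourceActions": [
     "microsoft.directory/bitlockerKeys/key/read",
     "microsoft.directory/devices/delete",
     "microsoft.directory/devices/disable",
     "microsoft.directory/devices/enable"]}]},
  {"displayName": "Example Key Reader (hypothetical custom role)",
   "isBuiltIn": false,
   "rolePermissions": [{"allowedResourceActions": [
     "microsoft.directory/bitlockerKeys/key/read"]}]},
  {"displayName": "Example Report Viewer (hypothetical)",
   "isBuiltIn": false,
   "rolePermissions": [{"allowedResourceActions": [
     "microsoft.directory/devices/standard/read"]}]}
]
""")

def role_actions(role):
    """Flatten every allowedResourceActions list of one role definition."""
    actions = set()
    for perm in role.get("rolePermissions", []):
        actions.update(a.lower() for a in perm.get("allowedResourceActions", []))
    return actions

def key_readers(role_definitions, action=KEY_READ):
    """Return (role name, count of other actions) for roles granting `action`,
    sorted so the role carrying the fewest extra permissions comes first."""
    hits = []
    for role in role_definitions:
        actions = role_actions(role)
        if action.lower() in actions:
            hits.append((role["displayName"], len(actions) - 1))
    return sorted(hits, key=lambda h: (h[1], h[0]))

if __name__ == "__main__":
    for name, extra in key_readers(SAMPLE):
        print(f"{name}: grants key read plus {extra} other action(s)")
```

Running the same function over a tenant's real role definitions shows which assigned roles can read recovery keys and which of them is the narrowest fit for a helpdesk-style delegation.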