IT admins need a specific Microsoft Entra ID permission to view device BitLocker recovery keys: microsoft.directory/bitlockerKeys/key/read. You can create a custom role that contains only this permission and assign it, which keeps the grant to least privilege.
Several built-in Microsoft Entra roles also carry this permission, for example Cloud Device Administrator and Helpdesk Administrator, but they grant many other permissions alongside it. For the full list of which Microsoft Entra roles have which permissions, see Microsoft Entra built-in roles.
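The custom-role approach above, as an added example that is not from the original page: it creates a role holding only the BitLocker key read permission, assigns it, and then lists every role in the tenant that carries the permission so you can see who else already has it. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules); the role name, description and assignee UPN are placeholders.

```powershell
# Added example (not from the original page). Assumes the Microsoft Graph
# PowerShell SDK and an account allowed to manage directory role definitions.
# The role name, description and the assignee UPN below are placeholders.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$permission = "microsoft.directory/bitlockerKeys/key/read"

# 1. Define a custom role with exactly one allowed resource action.
$rolePermissions = @(
    @{ allowedResourceActions = @($permission) }
)
$role = New-MgRoleManagementDirectoryRoleDefinition `
    -DisplayName     "BitLocker Recovery Key Reader" `
    -Description     "Can read device BitLocker recovery keys and nothing else." `
    -RolePermissions $rolePermissions `
    -IsEnabled:$true

# 2. Assign the role tenant-wide (scope '/') to a helpdesk user (placeholder UPN).
$user = Get-MgUser -UserId "helpdesk.user@contoso.example"
New-MgRoleManagementDirectoryRoleAssignment `
    -PrincipalId      $user.Id `
    -RoleDefinitionId $role.Id `
    -DirectoryScopeId "/" | Out-Null

# 3. Audit: which roles (built-in or custom) in this tenant include the permission?
#    Built-in hits are the broad roles the text mentions; custom hits should be
#    only the narrow role created above.
Get-MgRoleManagementDirectoryRoleDefinition -All |
    Where-Object { $_.RolePermissions.AllowedResourceActions -contains $permission } |
    Select-Object DisplayName, IsBuiltIn, Id |
    Sort-Object IsBuiltIn, DisplayName
```

Custom role definitions require a Microsoft Entra ID P1 or P2 license in the tenant; the audit query in step 3 works without one and is useful on its own for reviewing who can already read recovery keys.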