Need Help with BitLocker Key Access for Device Owners and Managers in Azure AD Administrative Unit

Olívio Moura 0 Reputation points
2024-10-29T15:49:55.5933333+00:00

Hi everyone,

I’m setting up BitLocker key access in Azure AD (Entra ID) for a group of devices, and I need some advice. Here’s the situation:

I have a set of devices that should only be managed by specific people (device managers), so I created an Administrative Unit (AU) in Azure AD and added these devices to it. There are two types of users involved:

Device Owners – who should have access to view their device's BitLocker recovery key.

Device Managers – who should be able to view BitLocker keys for all devices in the AU.

To accomplish this, I:

Created a custom Azure role with the microsoft.directory/bitlockerKeys/key/read permission.

Assigned this role to device managers in the AU, allowing them to view BitLocker metadata and recovery keys for all devices in the AU.

Here’s the issue:

Device owners (the actual users of the devices) are reporting that they can no longer see their BitLocker recovery keys at https://myaccount.microsoft.com/device-list. Instead, they’re getting this message: "You don’t have the permissions to view this device's BitLocker recovery keys. Please contact your IT helpdesk to retrieve this device's keys."

Additional Details:

The setting “Restrict users from recovering the BitLocker key(s) for their owned devices” in Entra ID is set to No.

Before adding the devices to the AU, users could access their BitLocker keys without issues.

Question:

How can I keep these devices under the AU to manage them with a specific device manager role, but still allow individual users to access their own BitLocker recovery keys? Ideally, I want to avoid giving device owners access to all BitLocker keys within the AU scope.

Any guidance or suggestions would be greatly appreciated!


1 answer

  1. Crystal-MSFT 53,981 Reputation points Microsoft External Staff
    2024-10-30T02:02:01.62+00:00

    @Olívio Moura, thanks for posting in Q&A. Based on my research, I found there's a setting named "Restricted management administrative unit". If it is set to yes, it will protect specific objects in your tenant from modification by anyone other than a specific set of administrators that you designate.


    https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management

    I think this can be the reason the device owner is unable to view the recovery key. Please check if it is set to yes in your Administrative Unit (AU). If yes, as a test, you can change it to no to see if the device owner can view it.

    Please try the above suggestion and if there's any update, feel free to let us know.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
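As an added example (not part of either post above), the following Microsoft Graph PowerShell script audits a single AU for the three things discussed in this thread: the restricted-management flag the answer asks about, which devices and registered owners are in the AU, and which role assignments scoped to the AU actually carry `microsoft.directory/bitlockerKeys/key/read`. It assumes the Microsoft Graph PowerShell SDK is installed and that the `<AU display name>` placeholder is replaced with the real AU name.

```powershell
# Added example: audit an Entra administrative unit for BitLocker key access.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph) is installed.
Connect-MgGraph -Scopes "AdministrativeUnit.Read.All","RoleManagement.Read.Directory","Device.Read.All"

$auName = "<AU display name>"   # placeholder: replace with the AU's display name

$au = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq '$auName'" `
        -Property "id,displayName,isMemberManagementRestricted"
if (-not $au) { throw "AU '$auName' not found" }

# 1. Restricted management: the flag the answer asks the poster to check.
"AU: {0} ({1})" -f $au.DisplayName, $au.Id
"isMemberManagementRestricted: {0}" -f $au.IsMemberManagementRestricted

# 2. Devices in the AU and their registered owners (the users who expect
#    self-service recovery-key access at myaccount.microsoft.com).
$members = Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All
$devices = $members | Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.device' }
foreach ($d in $devices) {
    $owners = Get-MgDeviceRegisteredOwner -DeviceId $d.Id |
              ForEach-Object { $_.AdditionalProperties.userPrincipalName }
    "  device {0}: owners = {1}" -f $d.AdditionalProperties.displayName, ($owners -join ', ')
}

# 3. Role assignments scoped to this AU (filtered client-side), and whether
#    each role definition grants the BitLocker recovery-key read action.
$scope = "/administrativeUnits/$($au.Id)"
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -All |
               Where-Object { $_.DirectoryScopeId -eq $scope }
foreach ($a in $assignments) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId
    $hasBitLockerRead = $def.RolePermissions.AllowedResourceActions -contains 'microsoft.directory/bitlockerKeys/key/read'
    "  role '{0}' -> principal {1}; bitlockerKeys/key/read = {2}" -f $def.DisplayName, $a.PrincipalId, $hasBitLockerRead
}
```

Running it before and after moving devices into the AU gives a side-by-side record of the flag and the scoped assignments, which is the evidence to attach when the self-service key view stops working.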
