Using Entra ID Privileged Identity Management, can I restrict a "Bitlocker key reader" role to only read keys from a limited set of devices?

Question

I manage Windows laptops for students. They are encrypted using Bitlocker. Occasionally, a student will lock their device (probably by repeatedly entering their Windows Hello PIN incorrectly), requiring a bitlocker key to unlock .

There is a computer-savvy person (but not real IT staff) on-site. I would like to use Privileged Identity Management (PIM) to give him a custom role that allows him to look up bitlocker keys for student devices at that location.

I have made a custom role named "Bitlocker Key Reader" like so:

My question is: Which one of these scopes will allow me to limit the "Bitlocker Key Reader" role to look up bitlocker keys from a limited set of devices only?

I have tried selecting scope type "group" and then assigning a device group containing the student laptops under "selected scope" but that doesn't seem to work. I've also tried to do the same with a user group containing student users as scope. Also didn't work.

Any ideas? Thanks in advance!

Answer 1

The "correct" way would be to scope the role to Administrative unit, which in turn should be populated with the devices in question. Unfortunately, the UI doesn't always expose the correct "target" for scoping, but you can try using the Graph API directly, as detailed here: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-create

Another thing to have in mind that officially, only application-related custom roles are supported. In other words, scoping such role might not work.