Using Entra ID Privileged Identity Management, can I restrict a "Bitlocker key reader" role to only read keys from a limited set of devices?

JD 0 Reputation points

I manage Windows laptops for students. They are encrypted using Bitlocker. Occasionally, a student will lock their device (probably by repeatedly entering their Windows Hello PIN incorrectly), requiring a bitlocker key to unlock.

There is a computer-savvy person (but not real IT staff) on-site. I would like to use Privileged Identity Management (PIM) to give him a custom role that allows him to look up bitlocker keys for student devices at that location.

I have made a custom role named "Bitlocker Key Reader" like so: [screenshot of the custom role definition]

My question is: Which one of these scopes will allow me to limit the "Bitlocker Key Reader" role to look up bitlocker keys from a limited set of devices only?

[screenshot of the available scope types]

I have tried selecting scope type "group" and then assigning a device group containing the student laptops under "selected scope" but that doesn't seem to work. I've also tried to do the same with a user group containing student users as scope. Also didn't work.

Any ideas? Thanks in advance!

Microsoft Entra ID

1 answer

  1. Vasil Michev 99,936 Reputation points MVP

    The "correct" way would be to scope the role to Administrative unit, which in turn should be populated with the devices in question. Unfortunately, the UI doesn't always expose the correct "target" for scoping, but you can try using the Graph API directly, as detailed here:

    Another thing to keep in mind is that officially, only application-related custom roles are supported. In other words, scoping such a role might not work.

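The flow the answer describes (custom role, administrative unit of devices, PIM eligibility scoped to that unit), written out against Microsoft Graph as an added example; it is not code from the question or the answer. It assumes the Microsoft Graph PowerShell SDK, placeholder object IDs, the `microsoft.directory/bitlockerKeys/key/read` action for the custom role, and that the AU scope is honored for this custom role, which the answer notes may not be the case.

```powershell
# Added example: scope a custom BitLocker key reader role to an administrative
# unit (AU) of devices and make the on-site helper PIM-eligible for it.
# All object IDs in angle brackets are placeholders.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory"
$g = "https://graph.microsoft.com/v1.0"

# 1. Custom role carrying only the BitLocker recovery key read action.
$roleDef = Invoke-MgGraphRequest -Method POST -Uri "$g/roleManagement/directory/roleDefinitions" -Body @{
    displayName     = "Bitlocker Key Reader"
    description     = "Read BitLocker recovery keys for devices in scope only"
    isEnabled       = $true
    rolePermissions = @(@{ allowedResourceActions = @("microsoft.directory/bitlockerKeys/key/read") })
}

# 2. Administrative unit holding the student laptops at this location.
$au = Invoke-MgGraphRequest -Method POST -Uri "$g/directory/administrativeUnits" -Body @{
    displayName = "Student laptops - Site A"   # placeholder name
}

# Add each student device (device object IDs, e.g. from Get-MgDevice).
$deviceIds = @("<device-object-id-1>", "<device-object-id-2>")   # placeholders
foreach ($id in $deviceIds) {
    Invoke-MgGraphRequest -Method POST -Uri "$g/directory/administrativeUnits/$($au.id)/members/`$ref" -Body @{
        "@odata.id" = "$g/devices/$id"
    }
}

# 3. PIM eligibility: the helper can activate the role, but only within the AU.
$helperId = "<helper-user-object-id>"   # placeholder
Invoke-MgGraphRequest -Method POST -Uri "$g/roleManagement/directory/roleEligibilityScheduleRequests" -Body @{
    action           = "adminAssign"
    justification    = "On-site BitLocker recovery for student devices at Site A"
    roleDefinitionId = $roleDef.id
    principalId      = $helperId
    directoryScopeId = "/administrativeUnits/$($au.id)"   # the AU, not the tenant root "/"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "P365D" }
    }
}

# 4. Check: the eligibility should show the AU as its directoryScopeId, never "/".
$elig = Invoke-MgGraphRequest -Method GET -Uri "$g/roleManagement/directory/roleEligibilitySchedules?`$filter=principalId eq '$helperId'"
$elig.value | Select-Object roleDefinitionId, directoryScopeId, status
```

If the check shows a directoryScopeId of "/", the role is tenant-wide and the helper can read every device's key; remove that eligibility before continuing.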