Microsoft Graph Bitlocker Keys and Permissions Required

McDonald, Matthew 241 Reputation points
2022-07-06T14:19:51.447+00:00

We've migrated our Bitlocker keys into Azure and I'm developing an app to pull bitlocker recovery keys for devices, like MBAM does for on-prem.

After fumbling through the limited documentation regarding Bitlocker access I've gotten this to work, but it requires a level of access I do not want my users to have within the tenant.

Per this page, bitlocker key access via Graph is only possible through delegated permission model, and requires the BitlockerKey.ReadBasic.All and BitlockerKey.Read.All scopes, but those scopes only provide access to bitlocker information for devices the calling user owns. In order to pull bitlocker information for devices that the calling user does not own, the user must also be provided one of the following directory roles, most of which are administrative, others providing read access to areas of the entire tenant.

  • Global administrator
  • Cloud device administrator
  • Helpdesk administrator
  • Intune service administrator
  • Security administrator
  • Security reader
  • Global reader

I do not want these users to have any of these roles. They provide more access than should be necessary for this. Can someone help me understand why this is required? Is there no custom role/permission that can be created to limit this down to just what we need here, i.e., bitlocker keys? The Azure permission model seems overly broad scoped in nature and does not really allow granular delegation as is possible in an on-prem AD environment.


2 answers

  1. McDonald, Matthew 241 Reputation points
    2022-07-07T21:45:01.373+00:00

    I have gotten a potential answer from the SDK GitHub page. Pasting here to close this out.

    https://github.com/microsoftgraph/microsoft-graph-docs/issues/17568#issuecomment-1175965263

    Thank you for asking this question.

    Yes, for some APIs such as those to manage Bitlocker keys, you need both Microsoft Graph permissions and an RBAC role. This double requirement helps ensure only explicitly privileged callers can access the information available through such APIs.

    As for the Global Reader RBAC role being overprivileged for your use case - Microsoft Graph and Azure AD also provide you an option of creating custom roles that can be more finely-scoped compared to the built-in roles. With custom roles, you cherry pick the allowed actions and add them to a role definition for a custom role using the Create roleDefinition API.

    So for your case, you want an admin with the privilege to carry out only this action: microsoft.directory/bitlockerKeys/key/read. You can create the custom role and then assign the custom role to a user or group allowed to call the Get bitlockerRecoveryKey.

    Let me know if this helps.

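The sequence the quoted GitHub reply describes (create a custom role holding only `microsoft.directory/bitlockerKeys/key/read`, assign it, then call Get bitlockerRecoveryKey with a delegated token), as an added example that is not part of the thread or Microsoft's own samples. It assumes a `send(method, url, body)` callable that performs an authenticated Graph request and returns the decoded JSON; the ids and the key value below are constructed placeholders, and `FakeGraph` stands in for the real transport so the exchange can be inspected offline.

```python
GRAPH = "https://graph.microsoft.com/v1.0"
# The only directory action the role needs; nothing else goes into the definition.
BITLOCKER_READ_ACTION = "microsoft.directory/bitlockerKeys/key/read"


def role_definition_body(display_name="BitLocker Key Reader"):
    """unifiedRoleDefinition payload for POST /roleManagement/directory/roleDefinitions."""
    return {
        "displayName": display_name,
        "description": "Read BitLocker recovery keys only (custom least-privilege role)",
        "isEnabled": True,
        "rolePermissions": [{"allowedResourceActions": [BITLOCKER_READ_ACTION]}],
    }


def role_assignment_body(role_definition_id, principal_id, scope="/"):
    """unifiedRoleAssignment payload; scope '/' (tenant-wide) is what a tenant-wide key lookup needs."""
    return {"principalId": principal_id, "roleDefinitionId": role_definition_id,
            "directoryScopeId": scope}


def grant_bitlocker_reader(send, principal_id):
    """Create the custom role (done once) and assign it to the helpdesk user or group."""
    role = send("POST", f"{GRAPH}/roleManagement/directory/roleDefinitions", role_definition_body())
    return send("POST", f"{GRAPH}/roleManagement/directory/roleAssignments",
                role_assignment_body(role["id"], principal_id))


def read_recovery_key(send, key_id):
    """Delegated call (BitLockerKey.Read.All scope plus the role above).
    $select=key is needed because the key material is omitted by default."""
    url = f"{GRAPH}/informationProtection/bitlocker/recoveryKeys/{key_id}?$select=key"
    return send("GET", url, None)["key"]


class FakeGraph:
    """Offline stand-in for the transport; records every call and returns constructed ids."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, url, body):
        self.calls.append((method, url, body))
        if url.endswith("/roleDefinitions"):
            return {"id": "constructed-role-definition-id"}
        if url.endswith("/roleAssignments"):
            return {"id": "constructed-role-assignment-id"}
        return {"id": "constructed-key-id",  # constructed sample key, not a real one
                "key": "111111-222222-333333-444444-555555-666666-777777-888888"}


if __name__ == "__main__":
    g = FakeGraph()
    grant_bitlocker_reader(g, "constructed-group-object-id")
    print(read_recovery_key(g, "constructed-key-id"))
```

With a real transport, `send` would attach a delegated access token carrying `BitLockerKey.Read.All`; the role creation and assignment calls themselves still need an identity permitted to manage directory roles.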

  2. Carlos Giraldo 1 Reputation point
    2022-11-10T12:46:25.36+00:00

    Can I ask how you managed to solve this? I am looking for a solution to access all keys from all devices, and Intune does not have any native solutions for this.
