Role permission on Entra / Intune

Question

Role permission on Entra / Intune

Consultant Djelal Kasamoski 0

Hi Guys,
i have created a role-based access control for a User to allow him to see Bitlocker Key.
Currently the user is managing devices from Intune, but i noticed after the creation of the role he can see all the devices on Entra.
Is it possible to block the access to Entra and leave just Intune or something else to restrict access on after logging to Entra to the same device and user that he can manage from Intune?

Thanks

Rukmini 8,600 Reputation points Microsoft External Staff Moderator

2025-11-20T12:21:42.43+00:00

Hello Consultant Djelal Kasamoski, Following up to see if the above provided information was helpful. If you have any further queries do let us know.
jasonkatz 0 Reputation points

2025-11-20T16:01:47.56+00:00

Hi @Consultant Djelal Kasamoski , perhaps you can create a custom role in Entra, provide it with microsoft.directory/Bitlockerkeys/key/read, and scope the role to an administrative unit?

1 answer

Your answer

Rukmini 8,600 Reputation points Microsoft External Staff Moderator

2025-11-20T12:21:42.43+00:00

Hello Consultant Djelal Kasamoski, Following up to see if the above provided information was helpful. If you have any further queries do let us know.
jasonkatz 0 Reputation points

2025-11-20T16:01:47.56+00:00

Hi @Consultant Djelal Kasamoski , perhaps you can create a custom role in Entra, provide it with microsoft.directory/Bitlockerkeys/key/read, and scope the role to an administrative unit?

Answer 1

Rukmini 8,600 Microsoft External Staff Moderator

Hello Consultant Djelal Kasamoski,

No, without granting access to every device in Entra, you cannot permit a user to view BitLocker keys in Intune.

Tenant-wide accessibility to all devices is automatically granted by any Entra role that has device.read rights; this cannot be scoped.

To limit access so that the user can only view the devices under their control:

Eliminate the Entra role and replace it with Intune RBAC.
Create a custom Intune role and scope it to a group of devices using the BitLocker key read.

In this way, the user won't see every device in Entra and can only view BitLocker keys for particular Intune devices.

If the resolution was helpful, kindly take a moment to accept the answer and upvote it 👍 it as a token of appreciation.

Consultant Djelal Kasamoski 0 Reputation points

2025-11-21T15:16:44.3966667+00:00

Hi
thanks both for your replies.

I have already everything set up with RBAC for Intune and Custom role for EntraID.
I wanted to know if there is any way to block the view on entra ID from all Users&Devices after giving a single admin permission.
I mean, if i create a custom role applied to a user to a single Administrative Unit, that is populated with a few device's, i want that if someone log in Entra or Intune, they cannot see All devices and all users of my Tenant.

Hope i explained myself :)
Rukmini 8,600 Reputation points Microsoft External Staff Moderator

2025-11-21T15:20:24.5133333+00:00

Consultant Djelal Kasamoski No, Entra ID Entra ID cannot hide “All Users” or “All Devices” in the portal

Even when you create a custom role and limit it to an Administrative Unit, the user will still view the complete list in Entra. AU scoping solely restricts what they can control, not what they can observe.

Only Intune RBAC enables genuine scoping.

To ensure the user views only their assigned devices, you should depend on Intune rather than the Entra portal.

Let me know if any further queries - feel free to reach out!
Consultant Djelal Kasamoski 0 Reputation points

2025-11-21T15:28:33.69+00:00

Rukmini thank you for your fast response.
How from Intune i cannot create a custom Intune role and scope it to a group of devices using the BitLocker key read?
I know how to create the custom role because is already done, but not for bitlockerkey.
Is also this way possible for Users and resetting them passwords?

I mean, i want to create granular admin roles than can permit the reset password and read bitlocker key but only for particular accounts, but from the other way i don't want that this admins can read every device and user that is joined in my Tenant
Rukmini 8,600 Reputation points Microsoft External Staff Moderator

2025-11-21T15:32:40.0633333+00:00
Consultant Djelal Kasamoski,

Intune does not offer any RBAC permissions for reading BitLocker keys.

BitLocker keys are held in Entra ID, and they can only be accessed via an Entra role, which cannot be limited to conceal other devices.

Therefore, it's not possible to create a custom Intune role that accesses BitLocker keys for a specific group of devices.

Password resets can be limited to Administrative Units, yet the admin will still have visibility of all users, even if they can only reset those within the AU.

Hence,

Scoped BitLocker key retrieval → Not achievable

Limited device/user visibility → Not achievable in Entra

Scoped password reset → Achievable with AUs

Scoped device actions → Feasible in Intune RBAC

However, BitLocker key access consistently reveals the entire device list in Entra.
Rukmini 8,600 Reputation points Microsoft External Staff Moderator

2025-11-21T15:35:34.29+00:00

Hello Consultant Djelal Kasamoski, If the assistance was helpful, kindly take a moment to accept the answer and upvote it 👍 it as a token of appreciation.

Share via

Role permission on Entra / Intune

1 answer

Your answer