Last month Microsoft finally announced new features related to role-based access control with which we can create a custom role that only holds the permissions to read BitLocker keys.
Besides the custom role announcement, also support for adding devices to an Azure Administrative Unit (AU) was announced.
I’m excited to share several new features to enable fine-grained delegation of device administration in Azure AD. With these new capabilities, you can now:
– Create custom roles using permissions for device objects.
– Add devices as members of administrative units and assign built-in or custom roles for managing devices over the scope of an administrative unit.
Yes! Finally, we can create a custom role in Azure AD, with only BitLocker key read permissions, and with the support for adding devices to an AU, we can scope this permission per country or BU.
And as a bonus to all this news, dynamic administrative units group membership is now also supported (in preview)!
Let’s see how we can configure all these new features, and get our fine-grained BitLocker Recovery key reader role in place.
Configure the BitLocker Recovery Key Reader role
The set this all up, we need to configure several objects in Azure AD.
We need to have Azure groups, which support AAD role assignments and hold our local IT employees.
We need to create a custom role that holds the required permission to read BitLocker recovery keys.
And we need to create an Administrative Unit per business unit/ country. To every AU we add a dynamic query, so our Windows devices are automatically added to the AU.
- Sign in to the Azure portal
- Open Azure Active Directory, open Groups
- Click New Group
- Enter a Name
- Enter a Description (optional)
- Switch Azure AD roles can be assigned to this group to Yes (Important!)
- Add members to the group
- Click Create
- Browse to Roles and administrators
- Click New custom role
- Enter a Name
- Enter a Description (optional)
- Click Next
- Search for BitLocker
- Select bitlockerkeys/key/read
- Select Next and finish creating the role
- Browse to Administrative Units
- Click Add
- Enter a Name
- Enter a Description (optional)
- Click Review + create (twice)
- Click Create
- Open the Properties tab
- Switch Membership type to Dynamic Device
- Click Add dynamic query
- Configure the query to your needs
- Click Save
- Open the Roles and administrators tab
- Open the just create custom BitLocker role
- Click Add assignments
- Add a group
- Click Next
- Make your choice for the assignement type
- Finish the assignment
Everything is configured as needed.
The assignment is in place with a scope.
Devices are member of the administrative unit.
The end result
The end-result is that my Dutch helpdesk employee is able to view BitLocker recovery keys from the Dutch Windows devices.
First the employee needs to activate the permissions as part of Privileged Identity Management.
The BitLocker key is shown for a Dutch device.
The BitLocker key is not shown for a Belgium device.
That’s it for this post.
I’m glad we can finally implement a custom role with only BitLocker recovery key read permissions and implement this per country/ business unit.