Microsoft Entra ID · Remaining Built-in Roles

Cloud Device Administrator

Can enable, disable, and delete devices in Microsoft Entra ID and read Windows BitLocker recovery keys in the Azure portal.

Scope: Entra ID device object management including BitLocker recovery

Permissions

  • Audit - Read audit logs
  • BitLocker - Read BitLocker recovery keys
  • Devices - Delete devices from Entra ID
  • Devices - Disable devices in Entra ID
  • Devices - Enable devices in Entra ID
  • Device Credentials - Read device local credentials
  • Device Policies - Read device management policies
  • Registration - Read registration policies
  • Sign-in Reports - Read sign-in reports
  • Device Properties - View device properties and metadata
  • Limitation - Cannot enroll or configure devices via Intune
  • Limitation - Cannot manage Intune device policies

Common use cases

  • Device lifecycle management in Entra ID
  • BitLocker key recovery for helpdesk support
  • Removing stale or compromised devices
  • Disabling lost or stolen devices
  • Device troubleshooting and diagnostics
  • LAPS password retrieval for local admin
  • Device cleanup and hygiene operations

Best practices

  • Assign to IT helpdesk for device support
  • Use Intune roles for full device management
  • Document device deletion reasons
  • Implement device cleanup procedures
  • Review stale devices regularly
  • Coordinate with Intune Admin for policy changes
  • Use PIM for just-in-time access
  • Audit BitLocker key access

Security considerations

  • Can delete devices affecting user access
  • BitLocker key access is sensitive
  • LAPS password access is privileged
  • Cannot configure device policies (limits impact)
  • Audit all device deletions
  • Monitor for bulk device operations
  • Alert on BitLocker key access patterns
  • Consider PIM for elevated access

Common questions

When should I assign the Cloud Device Administrator role?

Assign Cloud Device Administrator when you need to: Device lifecycle management in Entra ID; BitLocker key recovery for helpdesk support; Removing stale or compromised devices; Disabling lost or stolen devices; and Device troubleshooting and diagnostics. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Cloud Device Administrator role do?

The Cloud Device Administrator role grants permissions including: Audit - Read audit logs; BitLocker - Read BitLocker recovery keys; Devices - Delete devices from Entra ID; Devices - Disable devices in Entra ID; Devices - Enable devices in Entra ID; and Device Credentials - Read device local credentials. See the Permissions section above for the full list.

What are the security risks of the Cloud Device Administrator role?

Key considerations when assigning Cloud Device Administrator: Can delete devices affecting user access; BitLocker key access is sensitive; LAPS password access is privileged; and Cannot configure device policies (limits impact). Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →