Microsoft Entra ID · Remaining Built-in Roles
Cloud Device Administrator
Can enable, disable, and delete devices in Microsoft Entra ID, read Windows BitLocker recovery keys in the Azure portal, and read Windows LAPS local administrator passwords. The role grants no rights to change any other device property and no Intune rights.
Scope: Entra ID device object lifecycle (enable, disable, delete, restore) plus read access to the BitLocker recovery keys and LAPS passwords escrowed for those devices
Permissions
- Audit - Read audit logs (microsoft.directory/auditLogs/allProperties/read)
- BitLocker - Read BitLocker recovery keys (microsoft.directory/bitlockerKeys/key/read)
- Devices - Delete devices from Entra ID (microsoft.directory/devices/delete)
- Devices - Disable devices in Entra ID (microsoft.directory/devices/disable)
- Devices - Enable devices in Entra ID (microsoft.directory/devices/enable)
- Deleted Devices - Restore or permanently delete recently deleted devices (microsoft.directory/deletedItems.devices/restore and /delete)
- Device Local Credentials - Read Windows LAPS local administrator passwords (microsoft.directory/deviceLocalCredentials/password/read)
- Device Policies - Read device management policies (microsoft.directory/deviceManagementPolicies/standard/read)
- Registration - Read the device registration policy (microsoft.directory/deviceRegistrationPolicy/standard/read)
- Sign-in Reports - Read sign-in reports (microsoft.directory/signInReports/allProperties/read)
- Device Properties - View device properties and metadata (read only; the role adds no write access to other device properties)
- Limitation - Cannot enroll, wipe, or configure devices via Intune
- Limitation - Cannot manage Intune device or compliance policies
Common use cases
- Device lifecycle management in Entra ID
- BitLocker key recovery for helpdesk support
- Removing stale or compromised devices
- Disabling lost or stolen devices
- Device troubleshooting using the device's sign-in and audit log history
- Windows LAPS local administrator password retrieval for Entra-joined devices
- Device cleanup and hygiene operations
Best practices
- Assign to the IT helpdesk staff who handle device support, as eligible rather than permanent assignments
- Use Intune roles for full device management (enrollment, compliance, remote wipe)
- Document device deletion reasons; the audit log records who deleted what, not why
- Implement device cleanup procedures that disable first and delete only after a grace period
- Review stale devices regularly using approximateLastSignInDateTime; leave Autopilot-registered devices alone and clean up hybrid-joined devices in on-premises AD instead
- Coordinate with Intune Admin for policy changes
- Use PIM for just-in-time, approval-gated activation instead of standing membership
- Audit BitLocker key and LAPS password reads; both are recorded in the Entra audit log
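The cleanup and review practices above, turned into a reviewable plan before anything is changed. This is an added example, not code from the original page or from Microsoft; the live path uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.DirectoryManagement). The thresholds, the exclusion rules and the sample devices are assumptions, and the sample set is constructed rather than real tenant data.

```powershell
# Added example, not part of the original page: staged stale-device review.
# Thresholds, exclusion rules and sample devices are assumptions.

function Get-StaleDevicePlan {
    param(
        [Parameter(Mandatory)] [object[]] $Devices,
        [datetime] $Now = (Get-Date).ToUniversalTime(),
        [int] $DisableAfterDays = 90,     # no sign-in this long -> disable first
        [int] $DeleteAfterDays  = 180     # no sign-in this long AND already disabled -> delete
    )
    foreach ($d in $Devices) {
        if (-not $d.ApproximateLastSignInDateTime) {
            # Never-signed-in objects have no timestamp; do not auto-delete them.
            $action = 'Review'; $reason = 'No sign-in timestamp recorded; inspect manually'
        }
        elseif ($d.TrustType -eq 'ServerAd') {
            # Hybrid-joined objects are synced; remove them in on-premises AD instead.
            $action = 'Skip'; $reason = 'Hybrid joined: clean up in on-premises AD and let sync remove it'
        }
        elseif ($d.PhysicalIds -match '\[ZTDID\]') {
            # Autopilot-registered devices carry a [ZTDID] physical id; keep the object.
            $action = 'Skip'; $reason = 'Windows Autopilot registered: keep the object'
        }
        else {
            $age = [int]($Now - $d.ApproximateLastSignInDateTime.ToUniversalTime()).TotalDays
            if (-not $d.AccountEnabled -and $age -ge $DeleteAfterDays) {
                $action = 'Delete';  $reason = "Already disabled and no sign-in for $age days"
            }
            elseif ($d.AccountEnabled -and $age -ge $DisableAfterDays) {
                $action = 'Disable'; $reason = "No sign-in for $age days"
            }
            else {
                $action = 'Keep';    $reason = "Last sign-in $age days ago"
            }
        }
        [pscustomobject]@{
            Action = $action; ObjectId = $d.Id; DisplayName = $d.DisplayName
            OS = $d.OperatingSystem; Reason = $reason
        }
    }
}

function Invoke-StaleDevicePlan {
    param(
        [Parameter(Mandatory)] [object[]] $Plan,
        [string] $ReasonLog = '.\device-cleanup.csv',   # assumed location for documented reasons
        [switch] $Commit                                 # without -Commit nothing is changed
    )
    $operator = (Get-MgContext).Account
    foreach ($p in ($Plan | Where-Object { $_.Action -in 'Disable', 'Delete' })) {
        if ($Commit) {
            switch ($p.Action) {
                'Disable' { Update-MgDevice -DeviceId $p.ObjectId -AccountEnabled:$false }
                'Delete'  { Remove-MgDevice -DeviceId $p.ObjectId }
            }
        }
        # Keep the written reason beside the object id the tenant audit log will show.
        $p | Select-Object @{ n = 'When'; e = { (Get-Date).ToString('o') } },
                           @{ n = 'Operator'; e = { $operator } },
                           @{ n = 'Committed'; e = { [bool]$Commit } }, * |
            Export-Csv -Path $ReasonLog -Append -NoTypeInformation
    }
}

# Constructed sample devices in the Get-MgDevice property shape (not real tenant data).
function New-SampleDevice($Id, $Name, $Enabled, $DaysAgo, $Trust = 'AzureAd', $Physical = @()) {
    $last = if ($null -ne $DaysAgo) { (Get-Date).AddDays(-$DaysAgo) } else { $null }
    [pscustomobject]@{
        Id = $Id; DisplayName = $Name; AccountEnabled = $Enabled; OperatingSystem = 'Windows'
        TrustType = $Trust; PhysicalIds = $Physical; ApproximateLastSignInDateTime = $last
    }
}
$sample = @(
    New-SampleDevice 'a1' 'LAPTOP-ACTIVE'  $true  5                                                          # Keep
    New-SampleDevice 'a2' 'LAPTOP-IDLE'    $true  120                                                        # Disable
    New-SampleDevice 'a3' 'LAPTOP-RETIRED' $false 200                                                        # Delete
    New-SampleDevice 'a4' 'HYBRID-SERVER'  $true  300 'ServerAd'                                             # Skip
    New-SampleDevice 'a5' 'AUTOPILOT-NEW'  $true  400 'AzureAd' @('[ZTDID]:00000000-0000-0000-0000-000000000001') # Skip
    New-SampleDevice 'a6' 'NEVER-SEEN'     $true  $null                                                      # Review
)
Get-StaleDevicePlan -Devices $sample | Format-Table

# Live use: Connect-MgGraph -Scopes 'Device.ReadWrite.All', then feed
# Get-MgDevice -All -Property Id,DisplayName,AccountEnabled,OperatingSystem,TrustType,PhysicalIds,ApproximateLastSignInDateTime
# into Get-StaleDevicePlan, review the plan, and only then run Invoke-StaleDevicePlan -Plan $plan -Commit.
```

The plan and the commit step are separate on purpose: a Cloud Device Administrator can delete any device object, so the reviewable plan (and the CSV of reasons) is what stands between a bad threshold and a tenant-wide outage. Disable precedes delete so that a mistaken decision can be reversed with Enable before the object is gone.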
Security considerations
- Deleting a device object breaks device-based Conditional Access (compliant or hybrid-joined requirements) and forces the user to re-register; disabling blocks the device's sign-ins but is reversible
- A BitLocker recovery key decrypts the volume offline, so a holder of this role can unlock the disk of any device whose key is escrowed to Entra ID
- A LAPS password read returns the cleartext local administrator password, giving local admin on that device
- Cannot configure device, compliance or Intune policies, which limits the blast radius to the device objects and their escrowed secrets
- Audit all device deletions and restores
- Monitor for bulk device deletions or disables by a single actor in a short window
- Alert on BitLocker key and LAPS password reads by accounts outside the helpdesk set, outside business hours, or without a matching support ticket
- Consider PIM for elevated access; Microsoft classifies this role as privileged because of the key and password read actions
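Detection logic for the monitoring items above, run over Entra directory audit records in the Microsoft Graph directoryAudit shape (activityDisplayName, activityDateTime, initiatedBy.user.userPrincipalName, targetResources). This is an added example, not code from the original page or from Microsoft. The sample records are constructed; the activity names in $KeyReadActivities, the thresholds, the domain contoso.example and the approved-reader list are assumptions to validate against your own tenant's audit log before turning the rules into alerts.

```powershell
# Added example, not part of the original page: audit-log rules for the
# Cloud Device Administrator role. Activity names and thresholds are assumptions.

# Assumed activity names for the two secret reads; confirm against your tenant's log.
$KeyReadActivities = @('Read BitLocker key', 'Read device local administrator password')

function Find-DeviceAdminAnomalies {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [string[]] $ApprovedKeyReaders = @(),   # helpdesk accounts expected to read keys
        [int] $BulkThreshold = 10,               # deletions per actor per window
        [int] $WindowMinutes = 60
    )
    $alerts = @()
    foreach ($g in ($Records | Group-Object { $_.InitiatedBy.User.UserPrincipalName })) {
        $actor   = $g.Name
        $deletes = @($g.Group | Where-Object { $_.ActivityDisplayName -eq 'Delete device' } |
                     Sort-Object ActivityDateTime)
        $reads   = @($g.Group | Where-Object { $_.ActivityDisplayName -in $KeyReadActivities })

        # Rule 1: BulkThreshold or more deletions by one actor inside a sliding window.
        $start = 0
        for ($end = 0; $end -lt $deletes.Count; $end++) {
            while (($deletes[$end].ActivityDateTime - $deletes[$start].ActivityDateTime).TotalMinutes -gt $WindowMinutes) {
                $start++
            }
            if ($end - $start + 1 -ge $BulkThreshold) {
                $alerts += [pscustomobject]@{ Rule = 'BulkDeviceDelete'; Actor = $actor
                                              Count = $end - $start + 1; At = $deletes[$end].ActivityDateTime; Device = '' }
                break   # one alert per actor; let the SIEM dedupe beyond that
            }
        }

        # Rule 2: BitLocker/LAPS secret reads by anyone outside the approved helpdesk set.
        if ($reads.Count -gt 0 -and $actor -notin $ApprovedKeyReaders) {
            $alerts += [pscustomobject]@{ Rule = 'UnapprovedSecretRead'; Actor = $actor
                                          Count = $reads.Count; At = @($reads | Sort-Object ActivityDateTime)[-1].ActivityDateTime; Device = '' }
        }

        # Rule 3: a secret read followed by deletion of the same device by the same actor
        # (key or local admin password harvested, then the object removed).
        foreach ($r in $reads) {
            $target = $r.TargetResources[0].Id
            $later  = $deletes | Where-Object { $_.TargetResources[0].Id -eq $target -and $_.ActivityDateTime -gt $r.ActivityDateTime } |
                      Select-Object -First 1
            if ($later) {
                $alerts += [pscustomobject]@{ Rule = 'SecretReadThenDelete'; Actor = $actor
                                              Count = 1; At = $later.ActivityDateTime; Device = $target }
            }
        }
    }
    $alerts
}

# Constructed sample records in the directoryAudit shape (not real tenant data).
function New-AuditRecord($Activity, $Actor, $DeviceId, $Minute) {
    [pscustomobject]@{
        ActivityDisplayName = $Activity
        ActivityDateTime    = (Get-Date '2024-05-01T02:00:00Z').AddMinutes($Minute)
        InitiatedBy         = [pscustomobject]@{ User = [pscustomobject]@{ UserPrincipalName = $Actor } }
        TargetResources     = @([pscustomobject]@{ Id = $DeviceId; Type = 'Device' })
    }
}
$sample = @()
1..12 | ForEach-Object { $sample += New-AuditRecord 'Delete device' 'contractor@contoso.example' "dev-$_" ($_ * 3) }
$sample += New-AuditRecord 'Read BitLocker key' 'helpdesk1@contoso.example'  'dev-50' 10   # approved reader, no alert
$sample += New-AuditRecord 'Read BitLocker key' 'contractor@contoso.example' 'dev-51' 20   # Rule 2
$sample += New-AuditRecord 'Delete device'      'contractor@contoso.example' 'dev-51' 25   # Rule 3 (and part of Rule 1)

Find-DeviceAdminAnomalies -Records $sample -ApprovedKeyReaders 'helpdesk1@contoso.example' | Format-Table

# Live use: Connect-MgGraph -Scopes 'AuditLog.Read.All' and replace $sample with
# Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $((Get-Date).AddDays(-1).ToUniversalTime().ToString('o'))"
```

With the constructed sample the contractor account triggers all three rules and the helpdesk account none, which is the split a practitioner wants: routine key recovery by the approved tier stays quiet, while an unapproved read or a harvest-then-delete pattern surfaces. Rule 1 intentionally ignores disables, because in the audit log a disable appears as an update to the device object rather than as its own activity; extend the filter once you have confirmed how your tenant records it.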