| 1 | +--- |
| 2 | +title: Device management permissions for Azure AD custom roles (Preview) - Azure Active Directory |
| 3 | +description: Device management permissions for Azure AD custom roles (Preview) in the Azure portal, PowerShell, or Microsoft Graph API. |
| 4 | +services: active-directory |
| 5 | +author: rolyon |
| 6 | +manager: KarenH444 |
| 7 | +ms.service: active-directory |
| 8 | +ms.workload: identity |
| 9 | +ms.subservice: roles |
| 10 | +ms.topic: reference |
| 11 | +ms.date: 03/22/2022 |
| 12 | +ms.author: rolyon |
| 13 | +ms.reviewer: |
| 14 | +ms.custom: it-pro |
| 15 | +--- |
| 16 | + |
| 17 | +# Device management permissions for Azure AD custom roles (Preview) |
| 18 | + |
| 19 | +> [!IMPORTANT] |
| 20 | +> Device management permissions for Azure AD custom roles are currently in PREVIEW. |
| 21 | +> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. |
| 22 | +
|
| 23 | +Device management permissions can be used in custom role definitions in Azure Active Directory (Azure AD) to grant fine-grained access such as the following: |
| 24 | + |
| 25 | +- Enable or disable devices |
| 26 | +- Delete devices |
| 27 | +- Read BitLocker recovery keys |
| 28 | +- Read BitLocker metadata |
| 29 | +- Read device registration policies |
| 30 | +- Update device registration policies |
| 31 | + |
| 32 | +This article lists the permissions you can use in your custom roles for different device management scenarios. For information about how to create custom roles, see [Create and assign a custom role](custom-create.md). |
| 33 | + |
| 34 | +## Enable or disable devices |
| 35 | + |
| 36 | +The following permissions are available to toggle device states. |
| 37 | + |
| 38 | +- microsoft.directory/devices/enable |
| 39 | +- microsoft.directory/devices/disable |
| 40 | + |
| 41 | +## Read BitLocker recovery keys |
| 42 | + |
| 43 | +The following permission is available to read BitLocker metadata and recovery keys. Note that this single permission provides read for both BitLocker metadata and recovery keys. |
| 44 | + |
| 45 | +- microsoft.directory/bitlockerKeys/key/read |
| 46 | + |
| 47 | +You can view the BitLocker recovery key by selecting a device from the **All Devices** page, and then selecting **Show Recovery Key**. For more information about reading BitLocker recovery keys, see [View or copy BitLocker keys](../devices/device-management-azure-portal.md#view-or-copy-bitlocker-keys). |
| 48 | + |
| 49 | + |
| 50 | + |
| 51 | +## Read BitLocker metadata |
| 52 | + |
| 53 | +The following permission is available to read the BitLocker metadata for all devices. |
| 54 | + |
| 55 | +- microsoft.directory/bitlockerKeys/metadata/read |
| 56 | + |
| 57 | +You can read the BitLocker metadata for all devices, but you can't read the BitLocker recovery key. |
| 58 | + |
| 59 | + |
| 60 | + |
| 61 | +## Read device registration policies |
| 62 | + |
| 63 | +The following permission is available to read tenant-wide device registration settings. |
| 64 | + |
| 65 | +- microsoft.directory/deviceRegistrationPolicy/standard/read |
| 66 | + |
| 67 | +You can read device settings in the Azure portal. |
| 68 | + |
| 69 | + |
| 70 | + |
| 71 | +## Update device registration policies |
| 72 | + |
| 73 | +The following permission is available to update tenant-wide device registration settings. |
| 74 | + |
| 75 | +- microsoft.directory/deviceRegistrationPolicy/basic/update |
| 76 | + |
| 77 | +## Full list of permissions |
| 78 | + |
| 79 | +#### Read |
| 80 | + |
| 81 | +> [!div class="mx-tableFixed"] |
| 82 | +> | Permission | Description | |
| 83 | +> | ---------- | ----------- | |
| 84 | +> | microsoft.directory/devices/createdFrom/read | Read createdfrom properties of devices | |
| 85 | +> | microsoft.directory/devices/registeredOwners/read | Read registered owners of devices | |
| 86 | +> | microsoft.directory/devices/registeredUsers/read | Read registered users of devices | |
| 87 | +> | microsoft.directory/devices/standard/read | Read basic properties on devices | |
| 88 | +> | microsoft.directory/bitlockerKeys/key/read | Read bitlocker metadata and key on devices | |
| 89 | +> | microsoft.directory/bitlockerKeys/metadata/read | Read bitlocker metadata on devices | |
| 90 | +> | microsoft.directory/deviceRegistrationPolicy/standard/read | Read standard properties on device registration policies | |
| 91 | +
|
| 92 | +#### Update |
| 93 | + |
| 94 | +> [!div class="mx-tableFixed"] |
| 95 | +> | Permission | Description | |
| 96 | +> | ---------- | ----------- | |
| 97 | +> | microsoft.directory/devices/registeredOwners/update | Update registered owners of devices | |
| 98 | +> | microsoft.directory/devices/registeredUsers/update | Update registered users of devices | |
| 99 | +> | microsoft.directory/devices/enable | Enable devices in Azure AD | |
| 100 | +> | microsoft.directory/devices/disable | Disable devices in Azure AD | |
| 101 | +> | microsoft.directory/deviceRegistrationPolicy/basic/update | Update basic properties on device registration policies | |
| 102 | +
|
| 103 | +#### Delete |
| 104 | + |
| 105 | +> [!div class="mx-tableFixed"] |
| 106 | +> | Permission | Description | |
| 107 | +> | ---------- | ----------- | |
| 108 | +> | microsoft.directory/devices/delete | Delete devices from Azure AD | |
| 109 | +
|
| 110 | +## Next steps |
| 111 | + |
| 112 | +- [Create and assign a custom role in Azure Active Directory](custom-create.md) |
| 113 | +- [List Azure AD role assignments](view-assignments.md) |
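Review bot: the tables under "Full list of permissions" spell the product name "bitlocker" ("Read bitlocker metadata and key on devices", "Read bitlocker metadata on devices") while every other line of the page writes "BitLocker"; make the descriptions match. The sub-headings there also jump from `##` straight to `####` with no `###` level, and the runs of three consecutive blank lines before "## Read BitLocker metadata", "## Read device registration policies" and "## Update device registration policies" read as placeholder slots for screenshots that were never added; either add the images or collapse the blank lines. In "Read BitLocker recovery keys", since the page already notes that microsoft.directory/bitlockerKeys/key/read covers both metadata and the recovery key, one sentence pointing role authors to microsoft.directory/bitlockerKeys/metadata/read unless the role genuinely needs to disclose the recovery key itself would make the least-privilege choice explicit, and "You can read device settings in the Azure portal" under "Read device registration policies" should say where in the portal, in the same way the recovery-key section names the **All Devices** page.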