Delegate permission to view the BitLocker recovery key to other roles than Global admins (e.g. Device administrators). Our clients guys are responsible for managing the devices, and they will support the end users.
Or provide RBAC for Azure AD to build customer roles.
The following admins can read BitLocker keys –
Cloud Device Admin
Would it be sufficient for what you are looking for?
We want to be able to scope the permission to a specific group of devices, as we scope management of devices.
We are facing similar issues, with a few roles, such as BitLocker key and MFA. Having the option to build custom roles should solve this issue.