This is the list of Microsoft Graph permissions (delegated scopes) that the Microsoft Intune integration requires. The first three are standard OpenID Connect scopes; the rest are Graph permission names that must be consented for the app registration.
offline_access
openid
profile
Device.ReadWrite.All
DeviceManagementConfiguration.ReadWrite.All
DeviceManagementServiceConfig.ReadWrite.All
DeviceManagementManagedDevices.ReadWrite.All
DeviceManagementManagedDevices.PrivilegedOperations.All
BitlockerKey.Read.All
DeviceManagementApps.ReadWrite.All
Group.ReadWrite.All
Directory.Read.All
GroupMember.ReadWrite.All
RoleManagement.ReadWrite.Directory (only required to add members to role-assignable groups)
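A quick way to confirm that the consent recorded in the tenant actually covers the list above is to read the OAuth2 permission grants for the integration's app registration and diff them against the required scopes. The script below is an added example, not code from the original page or from the Intune integration itself; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin can read service principals and permission grants, and that `$AppId` (a hypothetical parameter) holds the Application (client) ID of the integration's app registration. The `-RoleAssignableGroups` switch is also an assumption, used only to decide whether `RoleManagement.ReadWrite.Directory` is treated as required.

```powershell
# Added example (not part of the original page or the integration's own code).
# Checks that delegated Microsoft Graph consent for an app registration covers
# every scope the Intune integration needs. Assumes Microsoft.Graph SDK >= 2.x.
param(
    # Assumption: Application (client) ID of the integration's app registration.
    [Parameter(Mandatory = $true)] [string]$AppId,
    # Assumption: set this only if the integration adds members to role-assignable groups.
    [switch]$RoleAssignableGroups
)

# Scopes listed on this page. RoleManagement.ReadWrite.Directory is optional.
$required = @(
    'offline_access', 'openid', 'profile',
    'Device.ReadWrite.All',
    'DeviceManagementConfiguration.ReadWrite.All',
    'DeviceManagementServiceConfig.ReadWrite.All',
    'DeviceManagementManagedDevices.ReadWrite.All',
    'DeviceManagementManagedDevices.PrivilegedOperations.All',
    'BitlockerKey.Read.All',
    'DeviceManagementApps.ReadWrite.All',
    'Group.ReadWrite.All',
    'Directory.Read.All',
    'GroupMember.ReadWrite.All'
)
if ($RoleAssignableGroups) { $required += 'RoleManagement.ReadWrite.Directory' }

# Read-only scopes are enough to inspect service principals and consent grants.
Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All' -NoWelcome

# Microsoft Graph's well-known application ID; grants are keyed on its service principal.
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$clientSp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $clientSp) {
    throw "No service principal for app $AppId in this tenant; the app has not been consented here."
}

# Each grant carries a space-separated Scope string. ConsentType 'AllPrincipals' is
# tenant-wide admin consent; 'Principal' applies to one user (PrincipalId) only.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($clientSp.Id)'" -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id }

$granted = foreach ($g in $grants) {
    Write-Host ("Grant {0}: consentType={1} principalId={2}" -f $g.Id, $g.ConsentType, $g.PrincipalId)
    $g.Scope -split '\s+' | Where-Object { $_ }
}
$granted = @($granted | Sort-Object -Unique)

$missing = @($required | Where-Object { $granted -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning ("Missing delegated Graph scopes for {0}: {1}" -f $AppId, ($missing -join ', '))
    exit 1
}
Write-Host "All required delegated scopes are granted to $AppId."
```

Run it as `.\Check-IntuneScopes.ps1 -AppId <client-id>` (add `-RoleAssignableGroups` when that scope is needed). Two caveats: if consent was given per user rather than tenant-wide, make sure the grant whose `PrincipalId` matches the service account is the one carrying the scopes, and if the integration were ever switched to application (client-credential) permissions, the grants to inspect would be app role assignments (`Get-MgServicePrincipalAppRoleAssignment`) rather than OAuth2 permission grants.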
The service account defined under settings must be a member of one of the following roles in order to read BitLocker recovery keys: