You can grant a user or group permission to view BitLocker recovery keys for devices using an Entra ID role.
To use a built-in role, assign the user or group the Cloud Device Administrator or Helpdesk Administrator role.
You can also create a custom role that delegates access to BitLocker keys using the microsoft.directory/bitlockerKeys/key/read permission.
To learn more, see Microsoft Learn | Helpdesk recovery in Microsoft Entra ID.
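The custom-role option above, sketched with the Microsoft Graph PowerShell SDK. This is an added example, not taken from the original page; the role name, description and principal ID are placeholders, and the tenant-wide scope ('/') is an assumption.

```powershell
# Added example: role name, description and principal ID are placeholders.
# Requires the Microsoft.Graph PowerShell module and an account allowed to manage roles.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory'

$displayName = 'BitLocker Recovery Key Reader'   # hypothetical role name

# Least privilege: the role carries only the single read action named on this page.
$rolePermissions = @(
    @{ allowedResourceActions = @('microsoft.directory/bitlockerKeys/key/read') }
)

# Reuse the role if it already exists so re-running does not create duplicates.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$displayName'"
if (-not $role) {
    $role = New-MgRoleManagementDirectoryRoleDefinition `
        -DisplayName $displayName `
        -Description 'Read BitLocker recovery keys only' `
        -RolePermissions $rolePermissions `
        -TemplateId (New-Guid).Guid `
        -IsEnabled
}

# Object ID of the user or group that should receive the role (placeholder).
$principalId = '<object-id-of-user-or-group>'

# Assign the role at tenant scope (assumption: '/' is the scope you want).
$assignment = New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $role.Id `
    -PrincipalId $principalId `
    -DirectoryScopeId '/'

# Review: the role should list exactly one action, and only the expected principals.
$role.RolePermissions.AllowedResourceActions
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" |
    Select-Object PrincipalId, DirectoryScopeId
```

If the principal is a group, it must be a role-assignable group. Re-run the last two commands periodically to audit who can read recovery keys through this role.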