It is very unfortunate that 2 years later this is still an issue. We have been testing the Help Desk role for our new Duo rollout and we really don't want them to have access to some of the things in that role. It appears that the role has full view access to just about everything and is only restricted by not allowing them to change things. They can however copy the admin API key under directory sync, which is concerning. They can view all of the policies, which we do not want. Hoping in the future we can create a custom role that only gives access to the areas we need. 

@doGlooPA I just want to reassure you that there is no inherent security risk with allowing a Help Desk role admin to copy the directory key for an external directory. The Help Desk role is able to run an individual user sync, so they have access to view some information about the sync config. Having the directory key does not let the Help Desk admin change the sync config or connection config. Help Desk role admins cannot copy or view the directory sync connection's *secret key*. There are other pages and information the Help Desk role cannot view or copy either.

"They can view all of the policies, which we do not want." This often proves useful to Help Desk admins when users cannot log into applications, or do not have the factors or experience they expect. By being able to view the policies the Help Desk admin can figure out if the user is blocked by policy and what they can do to succeed i.e. if a given application policy blocks use of SMS the Help Desk admin can instruct an affected user to authenticate with something other than SMS.

If you have not already contacted your Duo Care or Duo/Cisco account team to express interest in a feature request for customizable administrator role access or navigation I suggest you do so. If you do not have a Duo Care or account team, you may contact Duo Support to submit or upvote a feature request.