You can add Tier Zero objects manually for AD objects that were not identified as Tier Zero by the Tier Zero provider but are considered critical assets in your organization.

 

In addition to the Tier Zero objects identified by the Tier Zero provider, it is recommended that the following objects be added manually:

  • Microsoft Entra Connect servers, including:

    • servers with PTA agents if Pass-Through Authentication (PTA) is enabled

    • the "AZUREADSSO" computer account

  • Active Directory Federation servers

  • Privileged access management (PAM) systems

  • Certificate Authorities and Subordinates

  • Computers that host Quest Recovery Manager and other Active Directory management software and their backups

  • Computers that host GPOAdmin, Active Administrator, and other group policy management software

  • Microsoft Exchange Servers (if split permissions are not configured)

  • Microsoft System Center Configuration Manager (SCCM) servers or equivalent

  • Microsoft Exchange Groups (if default permissions are still configured)

  • Microsoft SQL Server or equivalent, if it hosts a database from a Tier Zero system

  • Active Directory Management and auditing software, such as Change Auditor or Active Roles Server
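
A read-only inventory can help locate some of these objects before you add them. The PowerShell below is an added example, not part of the product or its documentation. It assumes the ActiveDirectory (RSAT) module, that Entra Connect uses its default MSOL_* sync account, and that the Exchange groups meant are the three default names shown. Add-Candidate is a hypothetical helper.

```powershell
# Added example: read-only search for candidate Tier Zero objects in AD.
# Assumes the ActiveDirectory (RSAT) module and directory read access.
Import-Module ActiveDirectory

$root       = Get-ADRootDSE
$configNC   = $root.configurationNamingContext
$candidates = [System.Collections.Generic.List[object]]::new()

# Hypothetical helper: records why an object was flagged.
function Add-Candidate($Reason, $Object) {
    $candidates.Add([pscustomobject]@{
        Reason            = $Reason
        Name              = $Object.Name
        DistinguishedName = $Object.DistinguishedName
    })
}

# The "AZUREADSSO" computer account named in the list above.
Get-ADComputer -Filter 'Name -eq "AZUREADSSO"' |
    ForEach-Object { Add-Candidate 'AZUREADSSO computer account' $_ }

# Assumption: default Entra Connect sync accounts are named MSOL_*;
# their description normally names the server that runs the sync.
# Custom installs may use a different account and will not match.
Get-ADUser -Filter 'SamAccountName -like "MSOL_*"' -Properties Description |
    ForEach-Object { Add-Candidate "Entra Connect account: $($_.Description)" $_ }

# Enterprise CAs (root and subordinate) published in the Configuration partition.
$caBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
Get-ADObject -SearchBase $caBase -LDAPFilter '(objectClass=pKIEnrollmentService)' `
    -Properties dNSHostName |
    ForEach-Object { Add-Candidate "Enterprise CA on $($_.dNSHostName)" $_ }

# Assumption: these default Exchange group names are the ones in scope.
$exchangeGroups = 'Exchange Trusted Subsystem',
                  'Exchange Windows Permissions',
                  'Organization Management'
foreach ($g in $exchangeGroups) {
    Get-ADGroup -Filter "Name -eq '$g'" |
        ForEach-Object { Add-Candidate 'Exchange group' $_ }
}

$candidates | Sort-Object Reason | Format-Table -AutoSize -Wrap
```

Offline or standalone CAs, AD FS servers, PAM systems, and management software hosts are not published in a form this script reads, so identify those from your own asset inventory.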

To add a Tier Zero object manually:

  1. Use one of the following options:

  2. For each Tier Zero object you want to add:

    1. Enter the object's Principal Name, or type at least two characters and then select the object from the drop-down. (Note that a message will display if the object is already Tier Zero.)

      The object will be added to the Principal Name list.

    2. In the Principal Name list, select the object(s) you want to add.

  3. Click Save.