Description:
You are deploying Azure Advanced Threat Protection (Azure ATP), now Microsoft Defender for Identity (MDI), in a multi-domain, single-forest environment. You plan to use a group Managed Service Account (gMSA) as the Defender for Identity Directory Services account, the account the sensor uses when it communicates with Active Directory.
You have created a new universal or domain local group, added all of the Domain Controllers in the forest to it, created the gMSA, and configured that group as the principal allowed to retrieve the gMSA's managed password.
However, after you configure MDI to use the gMSA, the sensor services on the Domain Controllers fail to start.
Resolution:
Restart every Domain Controller that you added to the new universal or domain local group. A computer's security token, including its group memberships, is built when the machine account logs on at boot, so a Domain Controller that was added to the group while it was running does not yet carry that membership and is refused when it asks a DC for the gMSA's managed password. After the restart, log on and confirm that the Azure ATP Sensor services start. A delayed start of the Azure ATP services after boot is expected; allow a few minutes before treating a stopped service as a failure.
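As an added example, not part of the original article, the following PowerShell script carries the whole procedure through: create the group, add every Domain Controller in the forest, create the gMSA with the group as the only principal allowed to retrieve its password, and then, after each Domain Controller has been restarted, check from the DC itself whether the password can actually be retrieved. The group name MDI-DC-gMSA-Readers, the gMSA name mdiSvc01 and the function Test-MdiGmsaReadiness are assumptions chosen for illustration; AATPSensor and AATPSensorUpdater are the sensor's Windows service names. It needs the ActiveDirectory RSAT module and an account allowed to create groups and service accounts in the forest root.

```powershell
# Added example (not from the original article). Names below are assumptions.
Import-Module ActiveDirectory

$GroupName  = 'MDI-DC-gMSA-Readers'   # assumed group name
$GmsaName   = 'mdiSvc01'              # assumed gMSA name
$RootDomain = (Get-ADForest).RootDomain

# 1. A universal security group in the forest root, so DCs from every domain can be members.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $RootDomain)) {
    New-ADGroup -Name $GroupName -GroupScope Universal -GroupCategory Security -Server $RootDomain `
        -Description 'Domain controllers allowed to retrieve the Defender for Identity gMSA password'
}

# 2. Every DC in every domain of the forest becomes a member.
$allDcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        ForEach-Object { Get-ADComputer -Identity $_.ComputerObjectDN -Server $domain }
}
Add-ADGroupMember -Identity $GroupName -Members $allDcs -Server $RootDomain

# 3. The gMSA itself; only members of the group may read its managed password.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'" -Server $RootDomain)) {
    New-ADServiceAccount -Name $GmsaName -DNSHostName "$GmsaName.$RootDomain" `
        -PrincipalsAllowedToRetrieveManagedPassword $GroupName `
        -KerberosEncryptionType AES128, AES256 -Server $RootDomain
}

# 4. Verification, to run ON EACH DC AFTER IT HAS BEEN RESTARTED.
#    Membership in the directory and membership in the DC's own logon token are
#    two different things: the token is only rebuilt at boot, which is why a DC
#    added to the group while running still fails to retrieve the password.
function Test-MdiGmsaReadiness {
    param(
        [string]$Gmsa  = $GmsaName,
        [string]$Group = $GroupName
    )
    $me         = Get-ADComputer -Filter "Name -eq '$env:COMPUTERNAME'"
    $members    = (Get-ADGroup -Identity $Group -Server (Get-ADForest).RootDomain -Properties Member).Member
    $inDirectory = $members -contains $me.DistinguishedName

    # Test-ADServiceAccount makes the local LSA fetch the managed password; it returns
    # $true only when this host's boot-time token already carries the group membership.
    $canRetrieve = Test-ADServiceAccount -Identity $Gmsa -ErrorAction SilentlyContinue

    $services = Get-Service -Name 'AATPSensor', 'AATPSensorUpdater' -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.Name)=$($_.Status)" }

    [pscustomobject]@{
        DomainController    = $env:COMPUTERNAME
        LastBoot            = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
        MemberInDirectory   = [bool]$inDirectory
        CanRetrievePassword = [bool]$canRetrieve
        SensorServices      = ($services -join '; ')
    }
}

Test-MdiGmsaReadiness
```

Read the result column by column: MemberInDirectory True with CanRetrievePassword False means the directory change is in place but this DC has not been restarted since it was added (compare LastBoot with when you ran step 2); once both are True the sensor services should reach Running after their delayed start, and a sensor that still fails at that point has a different cause than the one this article describes.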