How to Fix Error Create Instance in Defender for Identity
You might see the Error create instance message during Defender for Identity setup. This can happen if a security group already has the same name as your Azure Active Directory instance. Many people fix this by deleting or renaming the groups that cause problems. Some users delete old default groups like 'Azure ATP Administrators', 'Users', and 'Viewers' to keep setting up. After making these changes, refreshing the page often helps.
Key Takeaways
Look in Azure Active Directory for old security groups. These groups may have names like 'Azure ATP {instance name} Administrator,' 'Users,' or 'Viewers.' Do this before you make a new Defender for Identity instance.
Delete or change the name of any groups that have the same name. This helps stop problems with the 'Error create instance' message when you set things up.
Make sure you have the right permissions. You need to be a Global Administrator or Security Administrator. You also need the Azure AD Premium license before you start.
After you make changes, wait a few minutes. Then refresh the Azure portal. This lets updates finish before you try to make the instance again.
If you still have trouble, check your DNS settings. You can also wait a bit longer. If nothing works, ask Microsoft support for help or look at the official documentation for more steps.
Error Create Instance: Quick Fix
Remove Conflicting Security Groups
You might see the Error create instance message if old security groups are still in Azure Active Directory. These groups can stop Defender for Identity from making a new instance. You should find these groups and either remove or rename them to fix the issue.
Here are the steps you need to follow:
Go to the Azure portal and open Azure Active Directory.
Click on "Groups" in the menu.
Use the search box to look for these default groups:
Azure ATP {instance name} Administrator
Azure ATP {instance name} Users
Azure ATP {instance name} Viewers
If you find any of these groups, you can delete them or give them a new name. Renaming is good if you still need the group for something else.
Save your changes and make sure no group has the same name as the ones Defender for Identity will make.
Tip: Many people forget to delete or rename these old groups. This is a common mistake and can make the Error create instance message show up again.
When you rename groups, pick names that are easy to understand. You can add the date or your initials to the group name. This helps you remember what each group is for. You should also write down who manages each group and why it exists. This makes it easier to keep track of changes and keep your directory neat.
Retry Instance Creation
After you remove or rename the groups that cause problems, you can try again. Go back to the Defender for Identity setup page and start making the instance.
If you do not see the Error create instance message, you fixed the problem.
If you get a message about the DNS name being used, wait a few hours. Sometimes, Azure needs time to update. Refresh the portal after waiting and try again.
Note: Refreshing the page or waiting a little while can fix DNS errors. This helps if you just deleted groups or made changes in Azure AD.
By doing these steps, you can fix most Error create instance problems fast. You can stop future problems by using special group names and keeping Azure AD tidy.
Causes of Error Create Instance
Existing Security Groups
You might see the Error create instance message if some security groups are already in Azure Active Directory. Defender for Identity tries to make three default groups when you set up a new instance. These groups are:
Azure ATP {instance name} Administrator
Azure ATP {instance name} Users
Azure ATP {instance name} Viewers
If these groups are already there, Defender for Identity cannot make new ones with the same names. This is the main reason for the error. Sometimes, these groups stay after an old setup or deletion. You should look for these groups before you make a new instance.
Microsoft says you need the right permissions and licenses. You must have the Global Administrator or Security Administrator role. You also need an Azure AD Premium P1 or P2 license. If you do not have these, you might see errors during setup.
Tip: Deleting or renaming old groups usually solves the problem. Always check your permissions and licenses before you begin.
DNS Name in Use
Another reason for the Error create instance message is a DNS name conflict. This happens when the DNS name you want is already used or not set up right. Sometimes, a past instance did not delete fully, or the DNS records did not update yet. Waiting a few hours and refreshing the portal can help.
Here is a table that shows common DNS name problems and how to fix them:
If you fix these DNS problems, you can usually keep going with Defender for Identity setup. Always check your DNS settings and wait if you just made changes.
Troubleshooting Steps
Check Azure AD Groups
First, look in your Azure Active Directory for groups that might cause trouble. Go to the Azure portal and open Azure Active Directory. Click "Groups" in the menu. Use the search bar to find groups with your Defender for Identity instance name. Watch out for these three default groups:
Azure ATP {instance name} Administrator
Azure ATP {instance name} Users
Azure ATP {instance name} Viewers
If you see any of these groups, you need to handle them before moving on. These groups can stay after an old setup or deletion. If they are still there, you might get the Error create instance message.
Delete or Rename Groups
You should delete or rename groups that have the same name. Deleting them stops name problems and lets you make a new Defender for Identity instance. If you still need a group, you can rename it instead. Add a date or a note to the name so you remember why you kept it. This step helps make setup easier.
Tip: Most people fix setup errors by removing or renaming these groups.
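As an added example (not code from the original article), here is a PowerShell script that does the group check and rename from the steps above using the Microsoft Graph PowerShell module; the Microsoft.Graph module, the instance name parameter and the date suffix are assumptions you can change:

```powershell
# Added example: find security groups whose names collide with the three default
# groups Defender for Identity creates, and optionally rename them to free the name.
# Assumes the Microsoft.Graph PowerShell module; -InstanceName is your instance name.
param(
    [Parameter(Mandatory)] [string] $InstanceName,   # e.g. 'contoso' (placeholder)
    [switch] $Rename                                  # report only unless -Rename is given
)

# Group.ReadWrite.All is only needed for the rename; reading needs Group.Read.All.
Connect-MgGraph -Scopes 'Group.ReadWrite.All' | Out-Null

# The exact names the instance-creation step will try to create.
$expected = @('Administrator', 'Users', 'Viewers') |
    ForEach-Object { "Azure ATP $InstanceName $_" }

# One OData query for anything starting with the prefix, then exact-match locally,
# so leftover groups with slightly different names (see the FAQ) are also visible.
$prefix    = "Azure ATP $InstanceName"
$odataSafe = $prefix.Replace("'", "''")            # escape quotes for the filter
$candidates = Get-MgGroup -Filter "startswith(displayName,'$odataSafe')" -All

if (-not $candidates) {
    Write-Host "No groups starting with '$prefix' found; safe to create the instance."
    return
}

$stamp = Get-Date -Format 'yyyyMMdd'
foreach ($g in $candidates) {
    $exact  = $expected -contains $g.DisplayName
    $status = if ($exact) { 'CONFLICT' } else { 'similar ' }
    Write-Host ("{0}  {1}  {2}" -f $status, $g.Id, $g.DisplayName)

    if ($exact -and $Rename) {
        # Keep the group but free the name; the date records why it was kept.
        $newName = "$($g.DisplayName) (old-$stamp)"
        Update-MgGroup -GroupId $g.Id -DisplayName $newName
        Write-Host "  renamed to '$newName'"
    }
}
```

Run it once without -Rename to review the list, then with -Rename to free only the exact-match names; groups you no longer need can be deleted in the portal instead.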
Verify Prerequisites
Before you try again, check if you have everything you need. Make sure you have the right permissions and your system is supported. You must be a Global Administrator or Security Administrator. Your server should use a supported Windows Server version. The table below shows what you need:
Sensor v3.x is still being tested and needs Defender for Endpoint. It does not have all features yet.
Refresh and Retry
After you change things, wait a few minutes. Sometimes Azure needs time to update. Refresh the portal and try to make the instance again. If you still see the Error create instance message or a DNS name problem, wait a few hours and try again. Azure may need more time to clear old records.
Note: Waiting and refreshing helps. Many people fix the problem by being patient after making changes.
Related Issues and Solutions
Sensor Installation Errors
You might see sensor installation errors when you set up Defender for Identity. These problems can stop the sensor or keep it from starting. Here are some common issues and ways to fix them:
Sometimes, the sensor does not start on servers with Active Directory Certificate Services (ADCS). This happens if the server is not in the right security group. You need to put the ADCS server in a group that can get the Group Managed Service Account (gMSA) password. Make sure this group is in the PrincipalsAllowedToRetrieveManagedPassword attribute.
The Azure Advanced Threat Protection Sensor service may crash if it cannot get the gMSA password. You can look in the Microsoft.Tri.Sensor log for permission errors.
NPCAP installation problems can also make the sensor unhealthy. Defender for Identity needs NPCAP installed with specific options: set admin_only to 'no', WinPcapCompatible to 'yes', and make sure loopback support is enabled. If NPCAP is installed in 'admin only' mode, only administrators can open capture handles, so the sensor service, which does not run as an interactive administrator, is blocked from capturing traffic. You can use a PowerShell script to check and fix NPCAP settings.
If the sensor still does not work, you might need to uninstall and reinstall it. Use a PowerShell script to remove the sensor. This script cleans registry keys, deletes ATP certificates, and removes old files. After cleanup, download the newest installer and set up the sensor again. Always check that the sensor looks healthy in the Defender portal.
Tip: After you fix these problems, check the sensor status in the Microsoft 365 Defender portal and look at the logs to make sure everything works.
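An added example, not from the original article, of a read-only PowerShell check for the NPCAP settings described above; it assumes Npcap keeps its options under the registry key shown (as documented by Npcap) and that the installer option names match Npcap's documentation, so verify both against your installed version:

```powershell
# Added example: report whether the installed Npcap matches the settings the
# Defender for Identity sensor needs. Assumed registry location per Npcap docs.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\npcap\Parameters'

# Required value -> expected DWORD (1 = yes, 0 = no), mirroring the text above.
$required = [ordered]@{
    AdminOnly         = 0   # admin_only=no: the sensor service is not an admin session
    WinPcapCompatible = 1   # WinPcap-compatible API mode
    LoopbackSupport   = 1   # loopback capture enabled
}

if (-not (Test-Path $key)) {
    Write-Warning "Npcap registry key not found; Npcap may not be installed."
    return
}

$props = Get-ItemProperty -Path $key
$ok = $true
foreach ($name in $required.Keys) {
    $actual = $props.$name
    if ($null -eq $actual) {
        Write-Warning "$name is not set (expected $($required[$name]))."
        $ok = $false
    } elseif ($actual -ne $required[$name]) {
        Write-Warning "$name = $actual (expected $($required[$name]))."
        $ok = $false
    } else {
        Write-Host "$name = $actual  OK"
    }
}

if ($ok) {
    Write-Host "Npcap settings match what the sensor needs."
} else {
    # Npcap reads these values when the driver loads; the straightforward fix is to
    # reinstall with matching installer options (names assumed from Npcap docs).
    Write-Host "Reinstall Npcap with: npcap-<version>.exe /admin_only=no /winpcap_mode=yes /loopback_support=yes"
}
```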
KDS Root Key Issues
KDS Root Key problems can also stop Defender for Identity setup. Domain controllers use the KDS Root Key to generate the managed passwords of group Managed Service Accounts (gMSAs), so no gMSA can be created until the key exists. If you do not have this key, you need to make it.
Follow these steps to fix KDS Root Key problems:
Open PowerShell as a domain admin.
Run this command to make the KDS Root Key now:
Add-KdsRootKey -EffectiveImmediately
Make sure your account has domain admin rights.
Set up a group Managed Service Account (gMSA) on your domain controller using:
New-ADServiceAccount -Name <gMSAName> -DNSHostName <DomainName>
Check the gMSA setup with:
Get-ADServiceAccount <gMSAName>
Test-ADServiceAccount <gMSAName>
Note: Making the KDS Root Key and setting up the gMSA with the right permissions will help your Defender for Identity sensor work well.
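As an added example that is not part of the original article, the KDS Root Key, gMSA and password-retrieval group from this section and the ADCS note above, carried through end to end; the account, group and computer names are placeholders and the ActiveDirectory PowerShell module is assumed:

```powershell
# Added example: create the KDS root key, the group allowed to read the gMSA
# password, and the gMSA the sensor runs as, then verify the binding.
# All names below are placeholders; run on a domain controller as a domain admin.
$gmsaName   = 'mdiSvc01'                   # placeholder gMSA name
$domainFqdn = (Get-ADDomain).DNSRoot       # e.g. contoso.local
$groupName  = 'MDI Sensor Servers'         # placeholder group of sensor hosts
$sensorHost = 'ADCS01'                     # placeholder ADCS server from the text above

# 1. KDS root key: needed once per forest before any gMSA can be created.
if (-not (Get-KdsRootKey)) {
    # -EffectiveImmediately still allows ~10 hours for replication in a
    # multi-DC domain; wait before creating the gMSA if you have several DCs.
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

# 2. Group of hosts allowed to retrieve the password. Every sensor server,
#    including ADCS servers, belongs here, or the sensor service crashes on
#    a missing password (see the sensor installation section above).
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security | Out-Null
}
Add-ADGroupMember -Identity $groupName -Members (Get-ADComputer $sensorHost)

# 3. The gMSA itself, bound to that group through
#    PrincipalsAllowedToRetrieveManagedPassword (least privilege: only that group).
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
        -DNSHostName "$gmsaName.$domainFqdn" `
        -PrincipalsAllowedToRetrieveManagedPassword $groupName
}

# 4. Verify the binding from the DC...
Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword

# 5. ...and on each sensor host, after a reboot so its new group membership
#    is in its token. Test-ADServiceAccount returns $true only when that
#    computer can actually fetch the password.
Invoke-Command -ComputerName $sensorHost -ScriptBlock {
    Test-ADServiceAccount -Identity $using:gmsaName
}
```

If step 5 returns $false, the usual causes are the host not yet rebooted after being added to the group, or KDS key replication not finished.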
By following these steps, you can fix most related problems and keep your Defender for Identity working.
Confirmation and Next Steps
Checklist for Resolution
You need to make sure the problem is gone. Use this checklist to help you check:
You looked in Azure Active Directory for old security groups.
You deleted or changed names of groups like "Azure ATP {instance name} Administrator," "Users," or "Viewers."
You made sure you have the right permissions. You are a Global Administrator or Security Administrator.
You checked if your server meets the system rules.
You waited a few minutes after changes and refreshed the Azure portal.
You tried again to make the Defender for Identity instance.
You do not see the Error create instance message now.
You see your new instance in the Defender for Identity portal.
✅ If you finished all these steps, your setup should work fine. You can now start installing the sensor and use other Defender for Identity tools.
Where to Get More Help
If you still have problems, you can get help from Microsoft and others. The Microsoft Learn documentation gives easy steps for installing the Defender for Identity sensor. It tells you what you need, how to install, and ways to fix problems. You can also find tips for checking installer logs and proxy settings.
Sometimes, a bug can cause trouble if Directory Services Advanced Auditing is not turned on in the right Group Policy Object. Many people fixed this by setting the policy in the 'Default Domain Controllers Policy' GPO. The Microsoft Learn Q&A forum has stories from users who fixed the same issues.
You can visit these links for more help:
💡 Remember, Microsoft support can help if you still cannot fix the problem. Always look at the newest documentation for updates and new answers.
You can fix the Error create instance issue by checking for old security groups and removing or renaming them. Always follow the checklist to make sure you do not miss any steps. If you still see problems, reach out to Microsoft support for help. Most users solve this error by following these steps. Stay patient and keep your Azure Active Directory clean.
FAQ
What should you do if you cannot find the default Azure ATP groups?
You should double-check the group names in Azure AD. Try searching for parts of the name, like "ATP" or your instance name. Sometimes, groups use slightly different names. If you still cannot find them, refresh the portal and look again.
Can you rename the groups instead of deleting them?
Yes, you can rename the groups. Add something unique, like the date or your initials. This helps you keep the group if you need it for another reason. Defender for Identity will then create new groups with the correct names.
How long should you wait after deleting groups before retrying?
You should wait at least a few minutes. Sometimes, Azure takes time to update changes. If you still see the error, wait one to two hours, then refresh the portal and try again.
What permissions do you need to create a Defender for Identity instance?
You need to be a Global Administrator or Security Administrator in Azure AD. You also need an Azure AD Premium P1 or P2 license. Without these, you cannot create or manage Defender for Identity instances.
Where can you get more help if the error continues?
Visit the Microsoft Learn Q&A or contact Microsoft support. You can also check the official documentation for the latest troubleshooting steps and updates.