@Eli Ofek 

With all that ATP is gathering and doing on each DC, is it true that no user associated with ATP running needs privileges? A standard user would not be able to see the network traffic, read the security logs, or be able to run the agent on the DC. Could you explain the different user accounts (if more than one) that are used with ATP and what the minimum level of privilege for each is? Thanks!

@derekmelber 

You need at least one directory service account with read access to all objects in the monitored domain.  This account can be an standard AD user or a Group Managed Service Account.  You configure this within the AATP portal.

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-prerequisites#before-you-start

As Eli mentioned for the sensor, you just need privileges on the local machine to install the sensor.  There is not a second account needed to collect data with the sensor.   

@derekmelber , The sensor has a few components, each running under a different account.

The sensor updater service is running as local system, thus has permissions to do a lot...

The sensor itself is running as a local service virtual account created during deployment,
And since the deployment is running as admin, it gives it the permissions it needs locally to access security log, read traffic etc.

The domain credentials you are adding in the console UI are for outside authentications, like ruining remote LDAP queries,   SAMR authentication to  endpoints for lateral movement etc, so low privileged account for this purpose is enough.