
Device logon user showing mismatch in Microsoft Defender for Cloud (Server)

Noyon Chandra Das 346 Reputation points
2024-11-25T05:43:26.1766667+00:00

Hello Team,

We have onboarded an Exchange server in Microsoft Defender for Cloud (Server), and this server is successfully showing in the Microsoft Defender for Endpoint assets list. When we view the details of a single asset, we found that the logon user details have 417 users in the user list. They all are not directly logging in to this server. Then why is it showing a total of 417 users in the user list?


Thanks

Noyon


2 answers

  1. Prathista Ilango 1,065 Reputation points Microsoft Employee
    2024-12-30T07:02:44.78+00:00

    Hello Noyon Chandra Das,

    From your screenshot, this looks like an Exchange server. Correct me if I am wrong.
    Is this the case with only this server, or with similar Exchange servers as well? Were you able to notice this on any other server, other than Exchange?
    I am trying to figure out whether indirect authentications like Autodiscover or ActiveSync might be causing these entries in the logs, resulting in this number. Confirming the pattern might help address this.
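
One way to check the pattern the answer above asks about, as an added example that is not part of the original thread: an advanced hunting query over the `DeviceLogonEvents` table that counts distinct accounts per logon type on the server. The device name `EXCH01` and the 30-day window are placeholders chosen for illustration.

```kusto
// Added example: break down the accounts that logged on to one device
// by logon type, to separate interactive sign-ins from network logons.
// "EXCH01" is a placeholder device name; replace it with the server's name.
let device = "EXCH01";
DeviceLogonEvents
| where Timestamp > ago(30d)              // assumed look-back window
| where DeviceName startswith device      // DeviceName is usually the FQDN
| where ActionType == "LogonSuccess"      // ignore failed attempts
| summarize
    DistinctAccounts = dcount(AccountName),      // approximate distinct count
    Logons           = count(),
    SampleAccounts   = make_set(AccountName, 10),
    SampleSources    = make_set(RemoteIP, 10)
    by LogonType
| order by DistinctAccounts desc
```

A large distinct-account count under `Network` with few accounts under `Interactive` or `RemoteInteractive` would match the indirect-authentication pattern the answer describes.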


  2. VarunTha 14,980 Reputation points Microsoft External Staff Moderator
    2024-11-29T15:31:30.75+00:00

    Hi Noyon Chandra Das,
    Thank you for reaching out to us on the Microsoft Q&A forum.

    This topic is currently not supported in the Q&A forums.

    I recommend initiating a new discussion through the Microsoft Defender for Endpoint Forum.

    Moderators are readily available there to assist you and provide guidance.

    Please don't forget to Accept answer and close this thread.

