This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 30%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Hello! After starting to monitor the Windows Event Logs of our Exchange 2016 Server (hosted on prem), I see successful logins from Microsoft IP, using the server admin account and impersonating personal accounts (that's how I understand the below screenshot): ![72348-exchange-log.png][1] [1]: /api/attachments/72348-exchange-log.png?platform=QnA I see these kind of logins only for two local users from three different Microsoft IPs: 52.97.242.29, 52.97.242.85 and 52.97.243.125. Have we've been hacked or what Microsoft service gains access to our Exchange Server remotely and why? Since one of the local user is my own, I changed my AD password and I got immediately a failed login attempt from one of the Microsoft IPs. Any help is highly appreciated! Cheers, Ben
Using Outlook Mobile? If so that is expected
Yes, we use Outlook on iOS and Android via ActiveSync, but I would expect to see these kind of logins then for dozens of users, not only for three of us.
I'd look through the IIS logs, you should see those connections and the others from Microsoft for ActiveSync.
Thanks Andy!