I was using a query on one of my local SQL Servers where I wanted to know what logins were connected to my databases. I actually ended up running the query against my Azure SQL Database and had some very interesting results.
SELECT login_name ,COUNT(session_id) AS session_count FROM sys.dm_exec_sessions GROUP BY login_name;
Over a hundred sa connections and logins starting with DB210/XXXX. I wouldn’t say that I was worried but more so intrigued. I then ended up on an official Microsoft forum where an employee actually said that this was normal. The sa user most definitely is not us (as the user / customer). The most powerful access we have would be the server admin account or the AD admin account.
The DB210 login is very intriguing. This is always logging in under multiple program names.
SELECT * FROM sys.dm_exec_sessions WHERE login_name LIKE 'DB%' AND Host_name IS NOT NULL
The DMV collector and backup services (program names) is quite obvious what they are but the TdService is actually threat detection services. Regardless of whether or not you have enabled this feature this service connects to the database to confirm if the feature is enabled or not so don’t be alarmed by this login.
However, can you notice an oddity with the above? Why do I have multiple TdService program names? This is soon to be under investigation with Microsoft.