What's the user count for users actually logged on to your devices – looking through Defender for Endpoint?
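Quick glance:
DeviceLogonEvents
// Replace YOURDOMAIN with your own domain; == is case-sensitive.
| where AccountDomain == "YOURDOMAIN"
// Successful interactive logons only, including those using cached credentials.
| where LogonType in ("Interactive","CachedInteractive") and ActionType == "LogonSuccess"
// Pull the IsLocalLogon flag out of AdditionalFields and drop rows where it contains "false".
| extend parsed = parse_json(AdditionalFields)
| extend Localcheck = tostring(parsed.IsLocalLogon)
| where Localcheck notcontains "false"
// Count distinct account names per domain.
| summarize AccountName=dcount(AccountName) by AccountDomain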