Offboard machine API

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use server closer to your geo location:

  • us.api.security.microsoft.com
  • eu.api.security.microsoft.com
  • uk.api.security.microsoft.com
  • au.api.security.microsoft.com
  • swa.api.security.microsoft.com
  • ina.api.security.microsoft.com

API description

Offboard device from Defender for Endpoint.

Limitations

  • Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.

    Note

    This page focuses on performing a machine action via API. See take response actions on a machine for more information about response actions functionality via Microsoft Defender for Endpoint.

Note

  • This API is supported on Windows 11, Windows 10, version 1703 and later; on Windows Server 2019 and later; and on Windows Server 2012 R2 and Windows Server 2016 when using the new, unified agent for Defender for Endpoint.
  • This API is not supported on macOS or Linux devices.
  • Running the offboarding API only stops the sensor service from running, but it does not remove the onboarding information from the registry like an offboarding script does.

Permissions

One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Defender for Endpoint APIs

Permission type Permission Permission display name
Application Machine.Offboard Offboard machine
Delegated (work or school account) Machine.Offboard Offboard machine

Important

Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

When obtaining a token using user credentials:

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request

POST https://api.security.microsoft.com/api/machines/{id}/offboard

The machine ID can be found in the URL when you select the device. Generally, it's a 40 digit alphanumeric number that can be found in the URL.

Request headers

Name Type Description
Authorization String Bearer {token}. Required.
Content-Type string application/json. Required.

Request body

In the request body, supply a JSON object with the following parameters:

Parameter Type Description
Comment String Comment to associate with the action. Required.

Response

If successful, this method returns 200 - Created response code and Machine Action in the response body.

Example

Request

Here's an example of the request. If there's no JSON comment added, it errors out with code 400.

POST https://api.security.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard
{
  "Comment": "Offboard machine by automation"
}

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.