Device offboarding in Microsoft 365 Defender

Douglas Bonilla 61 Reputation points

Hello, how are you? I have the following case:

I have also removed some devices from Intune and from Azure AD, but in the security center they continue to appear. These devices no longer exist, so I cannot execute the offboarding script nor do it through Endpoint Manager policies.

I was performing the procedure through the API explorer with this POST request:

Where I put the device ID, the request has been successful, and if I execute it, it gives me the error that there is a request; however, the device has not yet been removed and a week has already passed.

Does anyone have any solution? Thanks in advance


Accepted answer
  1. Givary-MSFT 14,796 Reputation points Microsoft Employee

    @Douglas Bonilla

    Thank you for reaching out to us. As I understand it, you are trying to offboard a device to which you no longer have access (cannot be reached by GPO, SCCM, Intune, or a local script).

    As long as the machine is not in the "inactive" or "impaired communication" states, you can offboard it from the portal using API explorer. You can check the state of the device from the Defender for Endpoint portal (see the screenshot below for reference).

    Also, have you tried using the APIs closer to your geo location, as mentioned here?

    What is the operating system of the devices you are trying to offboard?

    Note: This API is supported on Windows 11; Windows 10, version 1703 and later; Windows Server 2019 and later; and Windows Server 2012 R2 and Windows Server 2016 when using the new, unified agent for Defender for Endpoint. This API is not supported on macOS or Linux devices.

    I would suggest trying the above recommendations; if that doesn't help, let me know and we can connect offline to troubleshoot.



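As an added example (not code from the question or from any answer in this thread), a small Python helper that scripts the checks in this answer before calling the offboard API: it refuses machines whose health state is one of those named above or whose platform the note says is unsupported, selects a regional API host, builds the POST request, and interprets the machine action record the API returns. The host names, field names and values, and the placeholder IDs are assumptions based on the public Defender for Endpoint API shape, not values taken from this thread.

```python
import json
from urllib import request

# Assumed regional API hosts; pick the one closest to the tenant's geo.
REGIONAL_HOSTS = {
    "default": "https://api.securitycenter.microsoft.com",
    "us": "https://api-us.securitycenter.microsoft.com",
    "eu": "https://api-eu.securitycenter.microsoft.com",
    "uk": "https://api-uk.securitycenter.microsoft.com",
}

# Health states in which, per the answer, the offboard action cannot reach the sensor.
BLOCKING_STATES = {"Inactive", "ImpairedCommunication"}


def can_offboard(machine):
    """Decide from a machine record (GET /api/machines/{id}) whether an API offboard is worth issuing."""
    status = machine.get("healthStatus", "Unknown")
    if status in BLOCKING_STATES:
        return False, f"healthStatus is {status}; the sensor will not receive the action"
    if machine.get("osPlatform") in ("macOS", "Linux"):
        return False, "offboard API is not supported on macOS or Linux"
    return True, "ok"


def offboard_request(machine_id, comment, geo="default", token="<ACCESS-TOKEN-PLACEHOLDER>"):
    """Build (but do not send) POST /api/machines/{id}/offboard; the caller decides whether to urlopen it."""
    url = f"{REGIONAL_HOSTS[geo]}/api/machines/{machine_id}/offboard"
    body = json.dumps({"Comment": comment}).encode()
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return request.Request(url, data=body, method="POST", headers=headers)


def action_summary(action):
    """Interpret a MachineAction record (the POST response, or GET /api/machineactions/{id} later)."""
    status = action.get("status")
    if status in ("Pending", "InProgress"):
        return "pending"  # queued; it completes only when the sensor checks in
    if status == "Succeeded":
        return "done"
    return "failed"  # Failed or Cancelled


# Constructed sample records (placeholders, not real tenant data).
SAMPLE_MACHINE = {"id": "<MACHINE-ID-PLACEHOLDER>", "healthStatus": "Inactive", "osPlatform": "Windows10"}
SAMPLE_ACTION = {"id": "<ACTION-ID-PLACEHOLDER>", "type": "Offboard", "status": "Pending"}

if __name__ == "__main__":
    ok, reason = can_offboard(SAMPLE_MACHINE)
    print("offboard:", ok, reason)
    print("action:", action_summary(SAMPLE_ACTION))
```

A machine that stays "pending" for a week, as in the question, is exactly the case where the first check fails: the action is recorded but no sensor remains to execute it.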

2 additional answers

  1. Limitless Technology 25,991 Reputation points


    I am also using the API Offboard, but the device will not be completely deleted. MS intentionally keeps the machine record until it ages out, to avoid cases where the machine may later be found to be involved in a security incident or investigation.

    You can just filter these machines out of the device list, either by using the "active" machine filter (machines turn inactive after several days with no activity) or, as suggested, by tagging them and using the tag to filter them out. More on this here: Device list filters (there was also a recent blog series on tagging:


    --If the reply is helpful, please Upvote and Accept as answer--


  2. Pavel Yannara Mirochnitchenko 8,646 Reputation points

    I use the exclude option in the M365 Defender console. When you exclude devices one by one, they will no longer affect the score and won't affect the Security Recommendation affected-device number. Before this exclude option was added to the Defender console, I also tried running offboarding scripts and wrote an API script to delete them, but it worked very randomly. So exclude is what I use :) (before exclude I had serious problems with scores and numbers, not anymore).
