Offboard machine API

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.


If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.


For better performance, you can use server closer to your geo location:


API description

Offboard device from Defender for Endpoint.


  • Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.


    This page focuses on performing a machine action via API. See take response actions on a machine for more information about response actions functionality via Microsoft Defender for Endpoint.


  • This API is supported on Windows 11, Windows 10, version 1703 and later; on Windows Server 2019 and later; and on Windows Server 2012 R2 and Windows Server 2016 when using the new, unified agent for Defender for Endpoint.
  • This API is not supported on macOS or Linux devices.
  • Running the offboarding API only stops the sensor service from running, but it does not remove the onboarding information from the registry like an offboarding script does.


One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Defender for Endpoint APIs

Permission type Permission Permission display name
Application Machine.Offboard Offboard machine
Delegated (work or school account) Machine.Offboard Offboard machine


Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.


When obtaining a token using user credentials:

  • The user must have a Global Administrator role.
  • The user must have access to the device, based on device group settings. For more information, see Create and manage device groups.

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request


The machine ID can be found in the URL when you select the device. Generally, it's a 40 digit alphanumeric number that can be found in the URL.

Request headers

Name Type Description
Authorization String Bearer {token}. Required.
Content-Type string application/json. Required.

Request body

In the request body, supply a JSON object with the following parameters:

Parameter Type Description
Comment String Comment to associate with the action. Required.


If successful, this method returns 200 - Created response code and Machine Action in the response body.



Here's an example of the request. If there's no JSON comment added, it errors out with code 400.

  "Comment": "Offboard machine by automation"


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.