Offboard machine API
Applies to:
Want to experience Defender for Endpoint? Sign up for a free trial.
Note
If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.
Tip
For better performance, you can use server closer to your geo location:
- us.api.security.microsoft.com
- eu.api.security.microsoft.com
- uk.api.security.microsoft.com
- au.api.security.microsoft.com
- swa.api.security.microsoft.com
API description
Offboard device from Defender for Endpoint.
Limitations
Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Note
This page focuses on performing a machine action via API. See take response actions on a machine for more information about response actions functionality via Microsoft Defender for Endpoint.
Note
- This API is supported on Windows 11, Windows 10, version 1703 and later; on Windows Server 2019 and later; and on Windows Server 2012 R2 and Windows Server 2016 when using the new, unified agent for Defender for Endpoint.
- This API is not supported on macOS or Linux devices.
- Running the offboarding API only stops the sensor service from running, but it does not remove the onboarding information from the registry like an offboarding script does.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Defender for Endpoint APIs
| Permission type | Permission | Permission display name |
|---|---|---|
| Application | Machine.Offboard | 'Offboard machine' |
| Delegated (work or school account) | Machine.Offboard | 'Offboard machine' |
Note
When obtaining a token using user credentials:
- The user needs to 'Global Admin' AD role
- The user needs to have access to the device, based on device group settings (See Create and manage device groups for more information)
Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.
HTTP request
POST https://api.security.microsoft.com/api/machines/{id}/offboard
The machine ID can be found in the URL when you select the device. Generally, it's a 40 digit alphanumeric number that can be found in the URL.
Request headers
| Name | Type | Description |
|---|---|---|
| Authorization | String | Bearer {token}. Required. |
| Content-Type | string | application/json. Required. |
Request body
In the request body, supply a JSON object with the following parameters:
| Parameter | Type | Description |
|---|---|---|
| Comment | String | Comment to associate with the action. Required. |
Response
If successful, this method returns 200 - Created response code and Machine Action in the response body.
Example
Request
Here's an example of the request. If there's no JSON comment added, it will error out with code 400.
POST https://api.security.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard
{
"Comment": "Offboard machine by automation"
}
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for