Offboard machine API

Applies to:

• Microsoft Defender for Endpoint Plan 1
• Microsoft Defender for Endpoint
• Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use server closer to your geo location:

• us.api.security.microsoft.com
• eu.api.security.microsoft.com
• uk.api.security.microsoft.com
• au.api.security.microsoft.com
• swa.api.security.microsoft.com
• ina.api.security.microsoft.com

API description

Offboard device from Defender for Endpoint.

Limitations

• Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.

  Note

  This page focuses on performing a machine action via API. See take response actions on a machine for more information about response actions functionality via Microsoft Defender for Endpoint.

Note

• This API is supported on Windows 11, Windows 10, version 1703 and later; on Windows Server 2019 and later; and on Windows Server 2012 R2 and Windows Server 2016 when using the new, unified agent for Defender for Endpoint.
• This API is not supported on macOS or Linux devices.
• Running the offboarding API only stops the sensor service from running, but it does not remove the onboarding information from the registry like an offboarding script does.

Permissions

One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Defender for Endpoint APIs

Permission type	Permission	Permission display name
Application	Machine.Offboard	Offboard machine
Delegated (work or school account)	Machine.Offboard	Offboard machine

Important

Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

When obtaining a token using user credentials:

• The user must have an appropriate role assigned (see Permission options).

• The user must have access to the device, based on device group settings. For more information, see Create and manage device groups.

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

HTTP request

POST https://api.security.microsoft.com/api/machines/{id}/offboard

The machine ID can be found in the URL when you select the device. Generally, it's a 40 digit alphanumeric number that can be found in the URL.

Request headers

Name	Type	Description
Authorization	String	Bearer {token}. Required.
Content-Type	string	application/json. Required.

Request body

In the request body, supply a JSON object with the following parameters:

Parameter	Type	Description
Comment	String	Comment to associate with the action. Required.

Response

If successful, this method returns 200 - Created response code and Machine Action in the response body.

Example

Request

Here's an example of the request. If there's no JSON comment added, it errors out with code 400.

POST https://api.security.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard

{
  "Comment": "Offboard machine by automation"
}

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.