Offboard inactive computers from Microsoft Defender ATP

If you forgot to offboard devices from Microsoft Defender ATP here is a quick guide to offboard them using the Defender API.

MS’s defender api uri:

  1. Head to
  2. Click on API-explorer

In API-explorer enter f.x:$select=id,healthStatus,computerDnsName

or f.x this below to also filter on a specific state.$select=id,healthStatus,computerDnsName&$filter=healthStatus eq 'inactive'

This will list all your machines where we select id, healthStatus and computerDnsName

Id is what we need so we can offboard
healthStatus is so we can see which state the machine is in f.x Inactive, Active
computerDNSname is the name of the computer.

We need to find the computer we will offboard from above query. Copy the id from the machine.

Our new query will be{id}/offboard

{id} should be replaced with the copied id from the get-query.

In order to make the change we should also change the method from GET to PUT. We also need to add a comment on why we offboard. Here’s a picture of how it should look;

    "Comment": "Offboard by Automation"

Was this helpful please rate 1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)


Leave a Reply

Your email address will not be published. Required fields are marked *