If you forgot to offboard devices from Microsoft Defender for Endpoint (formerly Microsoft Defender ATP), here is a quick guide to offboarding them using the Defender API.
The Defender API is served from api.securitycenter.microsoft.com; regional hosts such as api-eu.securitycenter.microsoft.com exist as well, and the queries below work unchanged against either.
- Head to https://security.microsoft.com
- Click on API explorer
In API explorer enter, for example:
https://api.securitycenter.microsoft.com/api/machines?$select=id,healthStatus,computerDnsName
or the following to also filter on a specific state:
https://api.securitycenter.microsoft.com/api/machines?$select=id,healthStatus,computerDnsName&$filter=healthStatus eq 'inactive'
This lists all your machines, returning only the three selected properties:
- id is the machine identifier the offboard call needs.
- healthStatus shows which state the machine is in, e.g. Inactive or Active.
- computerDnsName is the DNS name of the computer.
Find the computer to offboard in the output of the query above and copy its id. The offboard request goes to
https://api.securitycenter.microsoft.com/api/machines/{id}/offboard
where {id} is replaced with the id copied from the GET query.
To actually make the change, switch the method from GET to POST (the offboard endpoint only accepts POST) and add a JSON body with a comment stating why the machine is being offboarded. The account or app making the call needs the Machine.Offboard permission, otherwise the request is rejected. The body should look like this:
{
"Comment": "Offboard by Automation"
}
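The same procedure scripted end to end, as an added example that is not part of the original post or Microsoft's own tooling: it builds the $select/$filter query from the post, follows paging, resolves a DNS name to an id among Inactive machines only, and POSTs the offboard request with the comment body. It assumes a Defender API bearer token has already been obtained (client-credentials flow, not shown) and uses the generic api.securitycenter.microsoft.com host; the fake transport, machine ids and DNS names at the bottom are constructed so the script runs offline.

```python
"""Automate the API-explorer steps: list machines, filter by health state,
resolve the id for a DNS name and POST the offboard request with a comment."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumption: the generic host; a regional host such as api-eu.securitycenter.microsoft.com also works.
API_BASE = "https://api.securitycenter.microsoft.com/api"


def auth_headers(token):
    """Bearer token obtained beforehand (e.g. client-credentials flow); acquiring it is out of scope here."""
    if not token:
        raise ValueError("a Defender API bearer token is required")
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def urllib_transport(method, url, headers, body):
    """Real HTTP transport; returns (status, parsed JSON). Replaced by a fake further down for offline runs."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def list_machines_url(health_status=None, base=API_BASE):
    """Build the GET URL from the post: $select the three fields, optional $filter on healthStatus."""
    url = f"{base}/machines?$select=id,healthStatus,computerDnsName"
    if health_status:
        url += "&$filter=" + urllib.parse.quote(f"healthStatus eq '{health_status}'", safe="'")
    return url


def list_machines(token, health_status=None, transport=urllib_transport, base=API_BASE):
    """GET /machines, following @odata.nextLink so a large tenant is not truncated to one page."""
    url, machines = list_machines_url(health_status, base), []
    while url:
        status, body = transport("GET", url, auth_headers(token), None)
        if status != 200:
            raise RuntimeError(f"listing machines failed: HTTP {status} {body}")
        machines.extend(body.get("value", []))
        url = body.get("@odata.nextLink")
    return machines


def offboard_machine(token, machine_id, comment, transport=urllib_transport, base=API_BASE):
    """POST /machines/{id}/offboard with the JSON comment body shown in the post."""
    headers = {**auth_headers(token), "Content-Type": "application/json"}
    payload = json.dumps({"Comment": comment}).encode()
    status, body = transport("POST", f"{base}/machines/{machine_id}/offboard", headers, payload)
    if status not in (200, 201):
        raise RuntimeError(f"offboarding {machine_id} failed: HTTP {status} {body}")
    return body  # the queued machine action (status, machineId, requestorComment, ...)


def offboard_by_dns_name(token, dns_names, comment, transport=urllib_transport, dry_run=True):
    """Resolve DNS names to ids among Inactive machines only, then offboard them (or just report)."""
    wanted = {name.lower() for name in dns_names}
    inactive = list_machines(token, "Inactive", transport)
    targets = [m for m in inactive if m["computerDnsName"].lower() in wanted]
    unresolved = sorted(wanted - {m["computerDnsName"].lower() for m in targets})
    actions = [] if dry_run else [offboard_machine(token, m["id"], comment, transport) for m in targets]
    return {"targets": targets, "unresolved": unresolved, "actions": actions}


def make_fake_transport(calls):
    """Constructed stand-in for the Defender API so the script runs offline; records every call."""
    machines = [  # constructed sample data, not real device ids
        {"id": "1e5bc9d7c28f6c0d39d3f3b4a3f3b2a1c0d9e8f7", "healthStatus": "Inactive",
         "computerDnsName": "old-laptop.corp.example"},
        {"id": "9a0b1c2d3e4f5061728394a5b6c7d8e9f0a1b2c3", "healthStatus": "Active",
         "computerDnsName": "dc01.corp.example"},
    ]

    def transport(method, url, headers, body):
        calls.append((method, url, body))
        if not headers.get("Authorization", "").startswith("Bearer "):
            return 401, {"error": "unauthorized"}
        if method == "GET" and "/machines?" in url:
            parts = urllib.parse.unquote(url).split("$filter=healthStatus eq '")
            rows = machines if len(parts) == 1 else [
                m for m in machines if m["healthStatus"].lower() == parts[1].split("'")[0].lower()]
            return 200, {"value": rows}
        if method == "POST" and url.endswith("/offboard"):
            machine_id = url.rsplit("/", 2)[-2]
            if not any(m["id"] == machine_id for m in machines):
                return 404, {"error": "machine not found"}
            return 201, {"id": "action-1", "type": "Offboard", "status": "Pending",
                         "machineId": machine_id, "requestorComment": json.loads(body)["Comment"]}
        return 404, {"error": "unknown route"}

    return transport


if __name__ == "__main__":
    calls = []
    fake = make_fake_transport(calls)
    result = offboard_by_dns_name("fake-token", ["old-laptop.corp.example", "dc01.corp.example"],
                                  "Offboard by Automation", transport=fake, dry_run=False)
    print(json.dumps(result, indent=2))  # dc01 is Active, so it is reported as unresolved, not offboarded
```

The script only ever offboards machines whose healthStatus is Inactive, and defaults to a dry run that reports what it would do; drop `dry_run=False` and pass the real transport and token to run it against the tenant. An Active machine that happens to be on the name list is reported under `unresolved` rather than silently offboarded, which is the mistake most worth preventing when automating this.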