Effortless Remote Offboarding of MDE Devices via API: Step-by-Step Guide

In today’s cloud-first, remote-centric IT landscape, managing devices remotely has become essential. One critical function in modern device lifecycle management is the ability to offboard Microsoft Defender for Endpoint (MDE)-managed devices without physically accessing them.

This blog provides a practical, easy-to-follow guide to remotely offboard MDE devices via Microsoft API—ensuring minimal disruption, maximum security, and full automation. Whether you’re leveraging Microsoft Intune, Azure Active Directory, or Office 365, this remote offboarding process fits right into your Microsoft cloud security framework.

What You Need Before Starting

  • The device must be connected to the internet.
  • The device must be fully enrolled and managed by Microsoft Defender for Endpoint.
  • Access to the Microsoft 365 Defender Security Portal.
  • A valid Microsoft Defender for Endpoint Plan 2 license.
  • Security Admin or Global Admin privileges.
  • The Device ID of the endpoint to be offboarded.

Step-by-Step: Remotely Offboarding a Device from MDE Using API

Step 1: Locate the Device ID

Go to the Microsoft 365 Defender portal.

https://security.microsoft.com

Navigate to Assets > Devices.

Use the search bar to enter the device’s hostname.

Click the device from the results list.

On the left panel, locate and copy the Device ID.

Step 2: Prepare the Offboarding URL

Take the following API endpoint and replace {Device ID} with your copied ID:

https://api.security.microsoft.com/api/machines/{Device ID}/offboard

This is the URL that initiates the offboarding request.

Step 3: Use the API Explorer

In the Microsoft 365 Defender portal, navigate to:

  • Endpoints > Partners and APIs > API Explorer.

Paste your offboarding URL into the API endpoint box.

Step 4: Enter the Offboarding Payload

Paste the following JSON into the body field:

{
  "Comment": "Offboard machine by automation"
}

This comment helps with audit tracking and documentation.

Step 5: Execute the Request

Choose the POST method.

Click the Run Query button.

If successful, you’ll see a confirmation message. The device will begin the offboarding process and should be fully offboarded within 15 minutes to 6 hours.
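The same POST can be scripted outside API Explorer. The sketch below is an added example, not code from Microsoft or from the original post: it builds the request from Steps 2 to 5 and validates the Device ID before it is placed in the URL. It assumes a bearer token obtained separately for an identity with the Machine.Offboard permission, assumes Device IDs are 40 hexadecimal characters, and uses the hypothetical environment variable names MDE_TOKEN and MDE_DEVICE_ID.

```python
import json
import os
import re
import urllib.request

API_BASE = "https://api.security.microsoft.com/api/machines"
# Assumption: MDE Device IDs are 40 hexadecimal characters.
DEVICE_ID_RE = re.compile(r"[0-9a-fA-F]{40}")


def build_offboard_request(device_id, token, comment="Offboard machine by automation"):
    """Build the POST request from Steps 2-5 without sending it."""
    device_id = device_id.strip()
    # Accept only a bare ID, so a pasted hostname, URL or stray path
    # segment can never change which endpoint is called.
    if not DEVICE_ID_RE.fullmatch(device_id):
        raise ValueError("device ID must be 40 hex characters")
    if not comment.strip():
        raise ValueError("a comment is required for the audit trail")
    body = json.dumps({"Comment": comment}).encode("utf-8")
    return urllib.request.Request(
        f"{API_BASE}/{device_id}/offboard",
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )


def offboard(device_id, token, comment="Offboard machine by automation"):
    """Send the request; urllib raises HTTPError on any 4xx/5xx reply."""
    req = build_offboard_request(device_id, token, comment)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, json.load(resp)


if __name__ == "__main__":
    # MDE_DEVICE_ID and MDE_TOKEN are hypothetical variable names.
    status, action = offboard(os.environ["MDE_DEVICE_ID"], os.environ["MDE_TOKEN"])
    print(status, json.dumps(action, indent=2))
```

Keep the token out of the script and out of shell history; reading it from the environment or a secret store also keeps it out of version control.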

What Happens After Offboarding?

  • The offboarded device’s processes in Microsoft Defender for Endpoint will begin to stop gradually.
  • The device will appear as inactive in the MDE portal within 6–7 hours.
  • Device data remains viewable in the portal for up to 30 days for auditing or compliance tracking.

Why Use API for Offboarding?

Using the MDE API to offboard devices allows for:

  • Remote, zero-touch execution for distributed or hybrid teams.
  • Enhanced control across Azure, Intune, and Office 365.
  • Automated workflows integrated with tools like Microsoft Graph API or Power Automate.
  • Improved security and compliance through seamless offboarding from Microsoft Defender for Endpoint.

Final Thoughts

As organizations scale and shift to remote-first environments, manual device management becomes a bottleneck. The API-based MDE offboarding process provides a powerful solution to streamline endpoint lifecycle management across the Microsoft cloud ecosystem—from Windows 11 security to Office 365 governance and Azure-based access control.

By automating this key security function, your team can focus on proactive threat management, instead of manual device maintenance.

 
