Machine resource type


The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new. This topic might apply to both Microsoft Defender for Endpoint and Microsoft 365 Defender. Refer to the Applies To section and look for specific call outs in this article where there might be differences.

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.


If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.


For better performance, you can use server closer to your geo location:



Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.


Method Return Type Description
List machines machine collection List set of machine entities in the org.
Get machine machine Get a machine by its identity.
Get logged on users user collection Get the set of User that logged on to the machine.
Get related alerts alert collection Get the set of alert entities that were raised on the machine.
Get installed software software collection Retrieves a collection of installed software related to a given machine ID.
Get discovered vulnerabilities vulnerability collection Retrieves a collection of discovered vulnerabilities related to a given machine ID.
Get security recommendations recommendation collection Retrieves a collection of security recommendations related to a given machine ID.
Add or Remove machine tags machine Add or Remove tag to a specific machine.
Find machines by IP machine collection Find machines seen with IP.
Find machines by tag machine collection Find machines by Tag.
Get missing KBs KB collection Get a list of missing KBs associated with the machine ID
Set device value machine collection Set the value of a device.


Property Type Description
id String machine identity.
computerDnsName String machine fully qualified name.
firstSeen DateTimeOffset First date and time where the machine was observed by Microsoft Defender for Endpoint.
lastSeen DateTimeOffset Time and date of the last received full device report. A device typically sends a full report every 24 hours.
osPlatform String Operating system platform.
osProcessor String Operating system processor.
version String Operating system Version.
osBuild Nullable long Operating system build number.
lastIpAddress String Last IP on local NIC on the machine.
lastExternalIpAddress String Last IP through which the machine accessed the internet.
healthStatus Enum machine health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData", "NoSensorDataImpairedCommunication" and "Unknown".
rbacGroupName String Machine group Name.
riskScore Nullable Enum Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Informational', 'Low', 'Medium' and 'High'.
exposureScore Nullable Enum Exposure score as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Low', 'Medium' and 'High'.
aadDeviceId Nullable representation Guid AAD Device ID (when machine is AAD Joined).
machineTags String collection Set of machine tags.
exposureLevel Nullable Enum Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Low', 'Medium' and 'High'.
deviceValue Nullable Enum The value of the device. Possible values are: 'Normal', 'Low' and 'High'.
ipAddresses IpAddress collection Set of IpAddress objects. See Get machines API.