Run antivirus scan API

Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)

API description

Initiate Windows Defender Antivirus scan on a machine.


  1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.


This page focuses on performing a machine action via API. See take response actions on a machine for more information about response actions functionality via Microsoft Defender ATP.


One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender ATP APIs

Permission type Permission Permission display name
Application Machine.Scan 'Scan machine'
Delegated (work or school account) Machine.Scan 'Scan machine'


When obtaining a token using user credentials:

  • The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles for more information)
  • The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups for more information)

HTTP request


Request headers

Name Type Description
Authorization String Bearer {token}. Required.
Content-Type string application/json

Request body

In the request body, supply a JSON object with the following parameters:

Parameter Type Description
Comment String Comment to associate with the action. Required.
ScanType String Defines the type of the Scan. Required.

ScanType controls the type of scan to perform and can be one of the following:

  • Quick – Perform quick scan on the machine
  • Full – Perform full scan on the machine


If successful, this method returns 201, Created response code and MachineAction object in the response body.



Here is an example of the request.

Content-type: application/json
  "Comment": "Check machine for viruses due to alert 3212",
  “ScanType”: “Full”