Is there any solution to remove or offboard Microsoft Defender for Endpoint from these machines, given that the tenant is no longer active?

Vincent Chung Khui Pin 10 Reputation points
2026-04-19T13:47:24.2433333+00:00

Is there any solution to remove or offboard Microsoft Defender for Endpoint from these machines, given that the tenant is no longer active?

At the moment, I am unable to download the offboarding script since the original tenant is no longer accessible. Any guidance on how to proceed would be appreciated.

Microsoft Security | Microsoft Defender | Other

2 answers

  1. Vincent Chung Khui Pin 10 Reputation points
    2026-06-08T09:34:21.6533333+00:00

    The issue has been resolved with the assistance of the Microsoft Support team.

    Thanks.

    1 person found this answer helpful.

  2. AI answer

    2026-04-19T13:47:39.1+00:00

    Yes. Offboarding and uninstalling are done locally on the machines and do not require access to the original tenant.

    Use one of these approaches, depending on OS.

    1. Decide whether to offboard only, or fully uninstall
    • Offboard: Stops communication with the Defender service and makes the agent nonfunctional, but keeps it installed. Recommended if there is any chance of reusing the agent later.
    • Uninstall: Completely removes the Defender application from the machine when it is no longer needed.

    After either offboarding or uninstalling, the agent:

    • Stops sending telemetry
    • Becomes unlicensed and nonfunctional
    • Has Defender policies removed

    Details are below.

    2. Linux servers

    A. Offboard without tenant access

    • Use the JSON-based method; it does not require downloading a fresh script from the tenant if you already have an offboarding JSON file from before. If you still have an old mdatp_offboard.json that is not expired, copy it to:
        sudo cp mdatp_offboard.json /etc/opt/microsoft/mdatp/mdatp_offboard.json
      
    • Then verify offboarding state:
        mdatp health --field health_issues
      
      Expected output:
        ATTENTION: No license found. Contact your administrator for help. ["missing license"]
      

    If no valid offboarding package is available anymore, proceed directly to uninstall (next step). Once uninstalled, the device is effectively removed from the service.

    B. Uninstall the Defender application (no tenant required)

    • Recommended method (if you can download the Defender deployment tool from any accessible tenant or if you already have it):
      1. Extract the Defender deployment tool package.
      2. Run:
             ./defender_deployment_tool.sh --remove --clean
        
    • Manual uninstallation (works entirely offline, no tenant access needed):
      • RHEL/CentOS/Oracle Linux:
            sudo yum remove mdatp
        
        or
            sudo dnf remove mdatp
        
      • SLES:
            sudo zypper remove mdatp
        
      • Ubuntu/Debian:
            sudo apt-get purge mdatp
        
      • Mariner:
            sudo dnf remove mdatp
        
    3. Windows servers
    • Offboarding Windows servers normally uses scripts or management tools (Configuration Manager, MDM, Group Policy, local script) that are downloaded from the tenant. If those are no longer available because the tenant is gone, uninstalling the unified solution or MMA agent from the server removes the Defender for Endpoint integration in practice.
    • For older, MMA-based servers, the documented offboarding options are:
      • Uninstall the MMA agent, or
      • Remove the Defender for Endpoint workspace configuration.
    4. macOS (if applicable)
    • Offboard in the portal is normally the first step, but if the tenant is gone, uninstalling the app locally removes the agent from the machine:
      • Interactive: In Finder → Applications, move “Microsoft Defender for Endpoint” to Trash.
      • Command line:
            sudo '/Library/Application Support/Microsoft/Defender/uninstall/uninstall'
        
    5. Azure VMs integrated via Defender for Cloud
    • If machines were onboarded via Defender for Cloud and that subscription/tenant is gone, you cannot toggle the integration there anymore. However, on each VM you can:
      • Remove the MDE.Windows or MDE.Linux extension from the VM (from whatever control plane is still accessible), and
      • Offboard/uninstall the agent locally as described above.

    Once the agent is uninstalled or offboarded locally, it stops communicating and is effectively removed from Defender for Endpoint, regardless of the tenant’s current state.


    AI-generated content may be incorrect. Read our transparency notes for more information.
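
A read-only check for the Linux steps in the answer above, added here as an example (it is not part of the original answer or of Microsoft's tooling): it picks the removal command listed above from `/etc/os-release` and classifies the agent state from `mdatp health --field health_issues`. The function names, the state labels and the os-release `ID` values matched are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: read-only helpers, nothing here removes or changes the agent.

# Print the removal command the answer lists for this distro.
# $1: path to an os-release file (defaults to /etc/os-release).
mde_remove_cmd() {
  osr="${1:-/etc/os-release}"
  [ -r "$osr" ] || { echo "unknown"; return 1; }
  # Parse instead of sourcing, so the file is never executed as shell.
  id=$(sed -n 's/^ID=//p' "$osr" | tr -d "\"'")
  like=$(sed -n 's/^ID_LIKE=//p' "$osr" | tr -d "\"'")
  case " $id $like " in
    *" ubuntu "*|*" debian "*) echo "sudo apt-get purge mdatp" ;;
    *" sles "*|*" suse "*)     echo "sudo zypper remove mdatp" ;;
    *" mariner "*)             echo "sudo dnf remove mdatp" ;;
    # RHEL family: the answer lists yum or dnf; on RHEL 8+ yum is an alias for dnf.
    *" rhel "*|*" centos "*|*" ol "*|*" fedora "*) echo "sudo yum remove mdatp" ;;
    *) echo "unknown"; return 1 ;;
  esac
}

# Classify the text printed by `mdatp health --field health_issues`.
# The answer's expected post-offboarding output contains "missing license".
mde_classify() {
  case "$1" in
    *"missing license"*) echo "offboarded" ;;
    *)                   echo "active-or-unknown" ;;
  esac
}

# Report the local state: package gone, offboarded, or still needing action.
mde_state() {
  if ! command -v mdatp >/dev/null 2>&1; then
    echo "removed"
    return 0
  fi
  mde_classify "$(mdatp health --field health_issues 2>&1)"
}

# Run as: ./mde_check.sh --report
if [ "${1:-}" = "--report" ]; then
  echo "state:   $(mde_state)"
  echo "removal: $(mde_remove_cmd || true)"
fi
```

A result of `active-or-unknown` means the agent is still installed and did not report a missing license, so that machine still needs the offboard or uninstall step.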