MC1011142 - Microsoft OneNote: App-only authentication for OneNote Microsoft Graph APIs will retire

Service

Microsoft 365 suite
Microsoft 365 for the web
Microsoft 365 apps

Published

Feb 20, 2025

Tag

Major change
User impact
Admin impact
Retirement

Act by

Mar 30, 2025

Summary

Microsoft OneNote will retire app-only authentication for Microsoft Graph APIs on March 31, 2025. Organizations using app-only tokens must switch to delegated authentication tokens to avoid unauthorized errors. This change aims to enhance data security. Transition steps and further details are provided in the message.

More information

Note: If your organization uses Microsoft OneNote, please read.

As part of the Microsoft Secure Future Initiative and to address the growing number of cyber threats, we will change the authentication flow for Microsoft Graph OneNote APIs.

What is the update?

Effective March 31, 2025, we will retire support for authentication tokens with application permissions (app-only tokens) for Microsoft Graph OneNote APIs. We will continue to support authentication tokens that have delegated permissions. While app-only tokens are easy to use, they may be more easily exploited compared to more sophisticated authorization methods. Requests to the Notes API endpoints using tokens with application permissions will return 401 Unauthorized errors starting March 31, 2025.

How do I know if this update impacts my service?

  1. Your service will be impacted if you have a custom third-party or internal application that performs operations using app-only authentication tokens. The Microsoft Learn article "Overview of Microsoft Graph permissions" documents the difference between delegated access and app-only access.
  2. Your service will not be impacted by these changes if you do not use a third-party or a custom internal application (an “app”) to perform operations on OneNote Notebooks.
  3. Your service will not be impacted by these changes if you use an app, but it performs operations only using “delegated access” (also known as app+user) permissions.
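One way to check which of the three cases above an application falls into is to look at the claims in an access token it already obtains for Microsoft Graph. The following is an added example, not part of Microsoft's message: it assumes the Microsoft Entra access-token convention that delegated tokens carry a space-separated `scp` claim while app-only tokens carry a `roles` list (and, when configured, the optional `idtyp` claim set to `app`). The function names are hypothetical and the two sample tokens are constructed and unsigned.

```python
import base64
import json

ONENOTE_PREFIX = "Notes."  # Graph OneNote permissions, e.g. Notes.Read.All


def decode_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (triage only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify(claims: dict) -> tuple:
    """Return (token_kind, onenote_permissions) for a Microsoft Graph token."""
    scopes = claims.get("scp", "").split()  # delegated: space-separated string
    roles = claims.get("roles", [])         # application: list of strings
    if scopes:
        kind, granted = "delegated", scopes
    elif roles or claims.get("idtyp") == "app":
        kind, granted = "app-only", roles
    else:
        kind, granted = "unknown", []
    return kind, sorted(p for p in granted if p.startswith(ONENOTE_PREFIX))


def affected_by_retirement(token: str) -> bool:
    """True if the token is app-only and carries a OneNote permission."""
    kind, notes = classify(decode_claims(token))
    return kind == "app-only" and bool(notes)


def _constructed_token(claims: dict) -> str:
    """Build an unsigned sample token for this demo; not a real credential."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed samples: one per access model described in the message.
APP_ONLY = _constructed_token({"aud": "https://graph.microsoft.com", "idtyp": "app",
                               "roles": ["Notes.ReadWrite.All", "User.Read.All"]})
DELEGATED = _constructed_token({"aud": "https://graph.microsoft.com",
                                "scp": "Notes.Read User.Read"})

if __name__ == "__main__":
    for name, tok in (("APP_ONLY", APP_ONLY), ("DELEGATED", DELEGATED)):
        print(name, classify(decode_claims(tok)), affected_by_retirement(tok))
```

The decode step skips signature validation, so use the result only to inventory your own applications, never to make an authorization decision.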

What action is required on my part?

Before March 31, 2025, third-party applications using app-only tokens will need to migrate to using delegated authentication tokens. This update is necessary to enhance the security of your data.

To introduce a more secure form of authorization, please take these steps:

  1. Share this message if you rely on a system integrator partner or other third-party solution to perform operations on OneNote notebooks so that they can take further action.
  2. Transition to using a delegated authentication model if you have your own custom internal application that performs operations on OneNote notebooks and that requires each user to approve the app or an admin to approve on behalf of the user(s).
  3. Transition to using a delegated authentication model with admin consent flow if you are a system integrator partner and your app uses app-only authentication. To do this you will need to make changes to your app using the links in the Learn more section. After those changes are complete, a Global tenant admin will need to approve the app for all users in their tenant through the Microsoft Entra admin center.

Learn more

We appreciate your cooperation in making these necessary changes to ensure the security of your data.