Message ID: MC1011142
Note: If your organization uses Microsoft OneNote, please read.
As part of the Microsoft Secure Future Initiative and to address the growing number of cyber threats, we will change the authentication flow for Microsoft Graph OneNote APIs.
What is the update?
Effective March 31, 2025, we will retire support for authentication tokens with application permissions (app-only tokens) for MSGraph OneNote APIs. We will continue to support authentication tokens that have delegated permissions. While app-only tokens are easy to use, they may be more easily exploited compared to more sophisticated authorization methods. Requests to the Notes API endpoints using tokens with application permissions will return 401 unauthorized errors starting March 31, 2025.
How do I know if this update impacts my service?
- Your service will be impacted if you have a custom third-party or internal application that performs operations using app-only authentication tokens. "Overview of Microsoft Graph permissions – Microsoft Graph | Microsoft Learn" documents the difference between delegated access and app-only access.
- Your service will not be impacted by these changes if you do not use a third-party or a custom internal application (an “app”) to perform operations on OneNote Notebooks.
- Your service will not be impacted by these changes if you use an app, but it performs operations only using “delegated access” (also known as app+user) permissions.
What action is required on my part?
Before March 31, 2025, third-party applications using app-only tokens will need to migrate to using delegated authentication tokens. This update is necessary to enhance the security of your data.
To introduce a more secure form of authorization, please take these steps:
- Share this message if you rely on a system integrator partner or other third-party solution to perform operations on OneNote notebooks so that they can take further action.
- Transition to using a delegated authentication model if you have your own custom internal application that performs operations on OneNote notebooks and that requires each user to approve the app or an admin to approve on behalf of the user(s).
- Transition to using a delegated authentication model with admin consent flow if you are a system integrator partner and your app uses app-only authentication. To do this you will need to make changes to your app using the links in the Learn more section. After those changes are complete, a Global tenant admin will need to approve the app for all users in their tenant through the Microsoft Entra admin center.
Learn more
- Learn how to configure delegated access for the impacted apps: Get access on behalf of a user – Microsoft Graph | Microsoft Learn
- If you have questions about user consent vs admin consent flows for delegated access, please review Microsoft Entra app consent experiences – Microsoft identity platform | Microsoft Learn
We appreciate your cooperation in making these necessary changes to ensure the security of your data.
Source: Microsoft
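To check whether an app falls under the app-only case the notice retires, you can inspect the claims of an access token the app currently obtains. The sketch below is an added example, not code from Microsoft or from the notice. It assumes the usual Microsoft identity platform claim layout (`scp` for delegated permissions, `roles` for application permissions) and uses constructed, unsigned sample tokens with made-up app IDs.

```python
import base64
import json

def make_token(claims: dict) -> str:
    """Build an UNSIGNED sample token (constructed test data, not a real token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"

def decode_claims(token: str) -> dict:
    """Read the payload for triage only; the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def assess(token: str) -> dict:
    """Classify a Graph access token and flag app-only tokens holding Notes.* roles."""
    claims = decode_claims(token)
    scopes = claims.get("scp", "").split()  # delegated permissions, space-separated
    roles = claims.get("roles", [])         # application permissions, list
    if scopes:
        kind, perms = "delegated", scopes
    elif roles:
        kind, perms = "app-only", roles
    else:
        kind, perms = "unknown", []
    notes = sorted(p for p in perms if p.startswith("Notes."))
    return {
        "app": claims.get("appid") or claims.get("azp"),
        "kind": kind,
        "notes_permissions": notes,
        "impacted": kind == "app-only" and bool(notes),
    }

# Constructed sample claims; the app IDs are placeholders.
SAMPLES = {
    "daemon": make_token({"appid": "00000000-0000-0000-0000-00000000000a",
                          "roles": ["Notes.Read.All", "User.Read.All"]}),
    "user_app": make_token({"appid": "00000000-0000-0000-0000-00000000000b",
                            "scp": "Notes.ReadWrite User.Read"}),
    "mail_daemon": make_token({"appid": "00000000-0000-0000-0000-00000000000c",
                               "roles": ["Mail.Read"]}),
}

if __name__ == "__main__":
    for name, tok in SAMPLES.items():
        print(name, assess(tok))
```

An app reported as `impacted` is one that calls Graph with application permissions for OneNote and needs to move to delegated access before the retirement date.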
The upcoming changes to Microsoft OneNote’s authentication process, effective March 31, 2025, mark a significant shift aimed at enhancing security. For admins and users alike, this update brings both challenges and opportunities, and it’s essential to understand how it will impact your experience.
For administrators, the retirement of app-only tokens means a need to transition to delegated authentication models. This could involve some initial work, especially if your organization relies on custom or third-party applications that currently use app-only tokens. However, this shift not only fortifies security against potential cyber threats but also ensures that user data is better protected in the long run. Just think of it as a necessary spring cleaning for your digital environment—out with the old vulnerabilities, in with the new security measures!
Users may not feel the direct impact unless they operate within a system that relies on these app-only tokens. However, the move to delegated access means that users will need to approve apps, which can sometimes feel like an extra layer of bureaucracy. But hey, who doesn’t love a little extra security? It’s like having a bouncer at the door of your favorite club—keeping the unwanted out and ensuring a safe environment for everyone inside!
In summary, while the transition may require some effort and adjustment, the long-term benefits of enhanced security for both admins and users are well worth it. Let’s embrace these changes with open arms and a dash of humor—after all, a little laughter can make even the most daunting updates feel manageable!
I encourage everyone to share their thoughts and experiences regarding this update. How do you see it impacting your workflow? Let’s get the conversation going!