Update Your OneNote API Permissions Before March 31, 2025, to Prevent Outages
February 27, 2025 • Sander Berkouwer

Microsoft plans to disable OneNote’s app-only permissions to improve the security of its advanced note-taking app. If your Entra apps rely on these permissions and you don't take action, they will fail to communicate with OneNote’s back-end service effective March 31, 2025.
About Microsoft OneNote
Microsoft OneNote allows people to gather notes, drawings, screen clippings, videos, and audio commentaries. This rich set of functionalities in OneNote’s free package has made Microsoft enthusiasts worldwide favor OneNote since 2002 to capture their ideas on every one of their devices.
The free OneNote app provides a canvas to throw all your thoughts together, but as part of Microsoft 365, the app makes good on its ‘OneNote to rule them all’ mission. Collaborating with co-workers and Microsoft’s Copilot allows for many professional use-cases that cannot be achieved within the more formal Word application, or the now deprecated and removed built-in WordPad application.
It should come as no surprise that many software companies have created solutions to seamlessly integrate Microsoft OneNote into their applications and solutions. For OneNote as part of Microsoft 365, these solutions use API permissions through the Microsoft Graph API.
OneNote’s App-only vs. delegated API permissions
It is important to note that Microsoft plans to retire only the app-only permissions for OneNote. Its delegated permissions remain.
App-only API permissions
App-only permissions allow applications to act on their own, without a signed-in user. These permissions allow a solution to access OneNote directly without a user’s context and with all OneNote notebooks in scope. When we look at OneNote’s app-only permissions, these permissions reflect that the solution is capable of managing all OneNote notebooks, sections, and pages:
- Notes.Read.All
- Notes.ReadWrite.All
Figure 1. App-only permissions for OneNote integration in the Entra management portal
The popular meme, with a small twist, ‘all your notes are belong to us’ applies to these permissions, which is why app-only permissions require admin consent.
Delegated API permissions
Delegated permissions, on the other hand, allow the solution to act on behalf of people. These permissions allow the solution to access only the OneNote notebooks the person has access to. The delegated permissions for OneNote are granular:
Figure 2. Delegated permissions for OneNote integration in the Entra management portal
The descriptions for the delegated permissions for OneNote and the values in the ‘Admin consent required’ column make clear that these are API permissions any person in the organization can consent to (if the organization allows them to consent):
- Notes.Create
- Notes.Read
- Notes.Read.All
- Notes.ReadWrite
- Notes.ReadWrite.All
Even though Notes.Read.All and Notes.ReadWrite.All for app-only and delegated permissions have the same permission name, their differences are clear.
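The same permission name is stored as two different kinds of grant, which is what an inventory has to tell apart. This added example (not from the original post or from ENow) classifies grants from data shaped like Microsoft Graph's appRoleAssignedTo and oauth2PermissionGrants responses; all object IDs, role IDs and app names are constructed placeholders.

```python
# Added example. Sample objects are constructed; IDs are placeholders,
# not the real Microsoft Graph permission GUIDs.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph appId
RETIRING = {"Notes.Read.All", "Notes.ReadWrite.All"}   # app-only names from the post

# GET /servicePrincipals?$filter=appId eq '<GRAPH_APP_ID>'
graph_sp = {"id": "sp-graph", "appId": GRAPH_APP_ID, "appRoles": [
    {"id": "role-0001", "value": "Notes.Read.All", "allowedMemberTypes": ["Application"]},
    {"id": "role-0002", "value": "Notes.ReadWrite.All", "allowedMemberTypes": ["Application"]},
    {"id": "role-0003", "value": "Mail.Read", "allowedMemberTypes": ["Application"]},
]}
# GET /servicePrincipals/{graph_sp id}/appRoleAssignedTo  (app-only grants)
app_role_assignments = [
    {"principalId": "sp-a", "principalDisplayName": "Notes Archiver",
     "resourceId": "sp-graph", "appRoleId": "role-0002"},
    {"principalId": "sp-b", "principalDisplayName": "Mail Scanner",
     "resourceId": "sp-graph", "appRoleId": "role-0003"},
]
# GET /oauth2PermissionGrants  (delegated grants, scope is space-separated)
oauth2_permission_grants = [
    {"clientId": "sp-c", "resourceId": "sp-graph", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read Notes.Read.All"},
    {"clientId": "sp-a", "resourceId": "sp-graph", "consentType": "Principal",
     "principalId": "user-1", "scope": "Notes.Create"},
]

def classify_onenote_grants(graph_sp, assignments, grants):
    """Return (app_only, delegated): service principal id -> set of Notes.* names."""
    # Resolve role IDs to names from the Graph service principal itself.
    role_names = {r["id"]: r["value"] for r in graph_sp["appRoles"]
                  if "Application" in r["allowedMemberTypes"]}
    app_only, delegated = {}, {}
    for a in assignments:
        name = role_names.get(a["appRoleId"])
        if a["resourceId"] == graph_sp["id"] and name in RETIRING:
            app_only.setdefault(a["principalId"], set()).add(name)
    for g in grants:
        if g["resourceId"] != graph_sp["id"]:
            continue
        scopes = {s for s in g["scope"].split() if s.startswith("Notes.")}
        if scopes:
            delegated.setdefault(g["clientId"], set()).update(scopes)
    return app_only, delegated

if __name__ == "__main__":
    affected, unaffected = classify_onenote_grants(
        graph_sp, app_role_assignments, oauth2_permission_grants)
    print("app-only (affected by the retirement):", affected)
    print("delegated (remain):", unaffected)
```

Note that sp-c holds a delegated Notes.Read.All and is not flagged, while sp-a appears in both sets because it has one grant of each kind.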
Microsoft is changing how to integrate OneNote
On March 31, 2025, Microsoft will no longer allow apps and services from third-party software companies, or your own in-house developed solutions, to integrate with OneNote using app-only API permissions through Microsoft Graph. This change was communicated as part of Message Center item MC1011142 on February 20, 2025.
From now on, solutions that want to integrate with OneNote need to use delegated permissions.
Microsoft has made this decision because it sees a growing number of cyber threats that use app-only permissions. App-only permissions are more easily exploited by adversaries compared to the more sophisticated authorization method of delegated permissions. The timeframe for this change – a mere 5 weeks between communications and retirement – may be indicative of the urgency Microsoft sees for closing this loop.
When a solution continues to use app-only permissions, its requests will return 401 Unauthorized errors. Effectively, the functionality that relies on these requests stops working.
App Governance Accelerator is here to help!
The Entra Management portal doesn’t quite make it easy to go through thousands of enterprise applications and application registrations in search of OneNote app-only API permissions, let alone get an overview of apps that use these API permissions regularly.
As Matthew Levy pointed out for apps accessing the now retired Windows Azure Active Directory API, Azure Log Analytics can be used to query the logs, but this requires the organization to have streamed their sign-in logs to an Azure Log Analytics workspace. When an organization hasn’t done so, they cannot query historical logs. His conclusion is the same as mine: Enow’s App Governance Accelerator is one of the best tools to simplify the inventory of API permissions.
Discovering apps that use OneNote app-only permissions
With App Governance Accelerator, it is frictionless to report on enterprise applications and app registrations that use app-only permissions to access OneNote.
Enterprise Apps
For multi-tenant applications, the API Permissions report under the Enterprise Apps node of App Governance Accelerator is the way to go:
1. Navigate to the AppGov Management Portal.
2. Sign in.
3. In App Governance Accelerator’s left navigation menu, expand the Enterprise Applications node.
4. Then, click the Enterprise Applications with API Permissions report.
5. In the main pane, in the Search box at the top of the list of enterprise applications in the Entra tenant, search for Notes.
6. The report will automatically filter on enterprise applications that access OneNote and their associated API permissions.
App Registrations
For single-tenant apps and apps that your organization has developed themselves, the API Permissions report under the App Registrations node provides this information:
7. While still signed in, expand the App Registration node in the navigation menu.
8. Click the App Registrations with API Permissions report.
9. In the main pane, in the Search box at the top of the list of enterprise applications in the Entra tenant, search for Notes.
10. The report will automatically filter on app registrations that access OneNote and their associated API permissions:

Figure 3. API Permissions for App Registrations in ENow App Governance Accelerator
Remediating apps that use OneNote app-only permissions
Remediating apps that use app-only permissions to access OneNote is another story. Luckily, we created a shortlist of suspected apps within mere minutes with App Governance Accelerator, but now we need to get these apps changed. There are multiple routes:
- For in-house developed solutions: instruct the developers to switch from app-only API permissions to delegated API permissions. Instruct end-users that they may have to sign in interactively more often to access functionality and that they need OneNote notebooks to be shared with them for them to show up in the solution.
- For purchased solutions: work with the vendor. Depending on the time the vendor needs to address this issue, your users may not be able to use the OneNote integration in the solution, temporarily.
With the deadline of March 31, 2025, fast approaching, starting today is imperative!
If you are interested in learning more about how ENow’s App Governance Accelerator can simplify and streamline your Application Governance journey in Entra ID, and help you continuously manage Microsoft’s API permission changes, request a demo here.
If you’d like a snapshot of your Application Governance risk, request your free ENow AppGov Score and assessment report.

Written by Sander Berkouwer
Sander's qualities extend beyond the typical triple-A stories in the area of Identity and Access Management. Of course, authentication, authorization and auditing are necessities, but his out-of-the-box solutions get the most out of software, hardware and the cloud. Rapid technological advancements have resulted in cutting-edge solutions around Active Directory, Azure Active Directory and Identity Management. Keeping up with these is just a small challenge compared to his true goal: helping people use the technology on a daily basis, in a way that ICT is not a mere hurdle, but an infinite enabler. His work as a consultant, blogger and trainer are all means to achieve this goal. His multiple Microsoft Most Valuable Professional (MVP) status, Veeam Vanguard status and extensive certification aid him. Through direct communications with the product teams in Redmond, he remains up to date, exchanges feedback and accelerates support. Sander is also a Virtual Product Owner for AppGov and ENow.