MC1011142 – Microsoft OneNote: App-only authentication for OneNote Microsoft Graph APIs will retire

check before: 2025-03-30

Product:

Entra, Microsoft 365 admin center, Microsoft 365 Apps, Microsoft 365 for the web, Microsoft 365 suite, Microsoft Graph, OneNote

Platform:

Developer, Online, Web, World tenant

Change type:

User impact, Admin impact, Retirement

Summary:
Microsoft OneNote will retire app-only authentication for Microsoft Graph APIs on March 31, 2025. Organizations using app-only tokens must switch to delegated authentication tokens to avoid unauthorized errors. This change aims to enhance data security. Transition steps and further details are provided in the message.

Details:
Note: If your organization uses Microsoft OneNote, please read.
As part of the Microsoft Secure Future Initiative and to address the growing number of cyber threats, we will change the authentication flow for Microsoft Graph OneNote APIs.

What is the update?
Effective March 31, 2025, we will retire support for authentication tokens with application permissions (app-only tokens) for MSGraph OneNote APIs. We will continue to support authentication tokens that have delegated permissions. While app-only tokens are easy to use, they may be more easily exploited compared to more sophisticated authorization methods. Requests to the Notes API endpoints using tokens with application permissions will return 401 unauthorized errors starting March 31, 2025.

How do I know if this update impacts my service?
Your service will be impacted if you have a custom third-party or internal application that performs operations using app-only authentication tokens. The Microsoft Learn article "Overview of Microsoft Graph permissions" documents the difference between delegated access and app-only access.
Your service will not be impacted by these changes if you do not use a third-party or a custom internal application (an "app") to perform operations on OneNote Notebooks.
Your service will not be impacted by these changes if you use an app, but it performs operations only using "delegated access" (also known as app+user) permissions.
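
One way to check which kind of token an application is actually sending, as an added example that is not part of the original message: it reads the Microsoft identity platform claims `scp` (delegated permissions), `roles` (application permissions) and the optional `idtyp` claim. The function names, sample tokens and app ID are constructed for illustration, and the signature is not verified.

```python
import base64
import json

def _b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def classify_graph_token(token: str) -> dict:
    """Classify a token as app-only or delegated (signature NOT verified: triage only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three segments)")
    claims = _b64url_json(parts[1])
    scopes = claims.get("scp", "").split()   # delegated permissions, space-separated
    roles = claims.get("roles", [])          # application permissions, list
    if scopes:
        kind = "delegated"
    elif roles or claims.get("idtyp") == "app":
        kind = "app-only"
    else:
        kind = "unknown"
    notes = [p for p in scopes + roles if p.startswith("Notes.")]
    return {
        "kind": kind,
        "appid": claims.get("appid") or claims.get("azp"),
        "notes_permissions": notes,
        # App-only tokens carrying Notes.* roles are the ones that will get 401.
        "impacted": kind == "app-only" and bool(notes),
    }

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token for demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join((enc({"alg": "none"}), enc(claims), "constructed"))

# Constructed samples: placeholder app ID, no real tenant data.
APP_ID = "00000000-0000-0000-0000-000000000001"
APP_ONLY = make_sample_token({"appid": APP_ID, "idtyp": "app", "roles": ["Notes.Read.All"]})
DELEGATED = make_sample_token({"appid": APP_ID, "scp": "Notes.Read User.Read"})

if __name__ == "__main__":
    for name, tok in (("app-only", APP_ONLY), ("delegated", DELEGATED)):
        print(name, classify_graph_token(tok))
```

Run it against a token captured from your own application's outbound Graph requests; an `impacted` result of `True` marks an app that needs to move to delegated access.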

What action is required on my part?
Before March 31, 2025, third-party applications using app-only tokens will need to migrate to using delegated authentication tokens. This update is necessary to enhance the security of your data.
To introduce a more secure form of authorization, please take these steps:
   - Share this message if you rely on a system integrator partner or other third-party solution to perform operations on OneNote notebooks so that they can take further action.
   - Transition to using a delegated authentication model if you have your own custom internal application that performs operations on OneNote notebooks and that requires each user to approve the app or an admin to approve on behalf of the user(s).
   - Transition to using a delegated authentication model with admin consent flow if you are a system integrator partner and your app uses app-only authentication. To do this you will need to make changes to your app using the links in the Learn more section. After those changes are complete, a Global tenant admin will need to approve the app for all users in their tenant through the Microsoft Entra admin center.

Learn more
   - Learn how to configure delegated access for the impacted apps: "Get access on behalf of a user" (Microsoft Learn).
   - If you have questions about user consent vs admin consent flows for delegated access, please review "Microsoft Entra app consent experiences" (Microsoft Learn).
We appreciate your cooperation in making these necessary changes to ensure the security of your data.

Created:
2025-02-20

updated:
2025-02-20

Direct effects for Operations**

Unauthorized Access Errors
Applications using app-only tokens will receive 401 unauthorized errors, disrupting access to OneNote APIs.
   - roles: IT Administrator, Application Developer
   - references: https://learn.microsoft.com/graph/auth-v2-user?tabs=http, https://learn.microsoft.com/graph/integrate-with-onenote

Increased Workload for IT Support
IT support will face increased requests for assistance as users encounter issues with app-only token transitions.
   - roles: IT Support, System Integrator
   - references: https://learn.microsoft.com/entra/identity-platform/application-consent-experience, https://learn.microsoft.com/graph/permissions-overview?tabs=http

User Experience Disruption
Users may experience disruptions in accessing OneNote features if their applications are not updated in time.
   - roles: End User, Business Analyst
   - references: https://aka.ms/securefutureinitiative, https://learn.microsoft.com/graph/integrate-with-onenote

Compliance and Security Risks
Failure to transition may lead to compliance issues and potential data security risks due to unauthorized access.
   - roles: Compliance Officer, Data Security Manager
   - references: https://learn.microsoft.com/graph/permissions-overview?tabs=http, https://learn.microsoft.com/entra/identity-platform/application-consent-experience

Dependency on Third-Party Applications
Organizations relying on third-party applications may face operational delays if those applications do not transition to delegated tokens.
   - roles: IT Administrator, Vendor Manager
   - references: https://learn.microsoft.com/graph/auth-v2-user?tabs=http, https://learn.microsoft.com/graph/integrate-with-onenote

** AI generated content. This information must be reviewed before use.
