Enhancing security with changes to OneNote Class Notebook APIs
Applies To
Microsoft Teams, Microsoft Teams for Education

Important: You can now provision notebooks and classes at scale using alternate methods described here: Provisioning classes at scale using PowerShell and Microsoft Graph.

In accordance with the Microsoft Secure Future Initiative and to address the growing number of cyber threats, we are making a change to the public API for OneNote Class Notebooks.  

What is the update?

Effective March 31, 2025, we will be deprecating support for authentication tokens with application permissions in the public API for OneNote Class Notebooks not connected to Unified Groups (also known as Microsoft 365 Groups). 

While these app-only tokens are easy to use, they may be more easily exploited than more sophisticated authorization methods. 

How do I know if this update impacts my service?

  1. Your service will not be impacted by these changes if you do not use a third-party or a custom internal application (an “app”) to perform operations on OneNote Class Notebooks (e.g. creation, provisioning, back-up) in your school or district. 

  2. Your service will not be impacted by these changes if you use an “app”, but it performs operations only using “delegated” (also known as app+user) permissions.  

  3. Your service will not be impacted by these changes if you use an “app”, but it performs operations only against Unified Group notebooks that are connected to classes in Microsoft Teams. 

  4. Your service may be impacted if you use an “app” that performs operations on OneNote Class Notebooks that are not Unified Group notebooks connected to Teams. As an example:  

    1. Your service will be impacted if you have a custom internal application that leverages the service root URLs for Notebooks on OneDrive for Business and SharePoint Site notebooks as documented here

    2. Your service will be impacted if you have a custom internal application that performs operations on OneNote Class Notebooks that are not Unified Group notebooks connected to Teams and uses tokens associated with any of the following scopes (permissions): 

      1. Notes.Read.All and Notes.ReadWrite.All as documented here.

      2. Notes.ReadWrite.CreatedByApp as documented here.
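
One way to check which side of the delegated/app-only distinction above an application's tokens fall on. This is an added example, not code from Microsoft or from this bulletin. It assumes Microsoft Entra ID access tokens, where application permissions appear in the `roles` claim and delegated permissions in the `scp` claim; the function names and sample tokens are constructed for illustration.

```python
import base64
import json

# Permission names listed in the bulletin above.
IMPACTED_PERMISSIONS = {
    "Notes.Read.All",
    "Notes.ReadWrite.All",
    "Notes.ReadWrite.CreatedByApp",
}


def decode_claims(jwt: str) -> dict:
    """Return a JWT's payload claims WITHOUT verifying the signature.

    Intended for local triage of tokens your own app obtained; unverified
    claims must never drive an authorization decision.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify(claims: dict) -> dict:
    """Report whether a token is app-only and which listed permissions it holds."""
    scopes = set(claims.get("scp", "").split())   # delegated (app+user) permissions
    roles = set(claims.get("roles", []))          # application permissions
    # "idtyp" is an optional claim; when present, "app" marks an app-only token.
    app_only = not scopes and (bool(roles) or claims.get("idtyp") == "app")
    hits = sorted((roles if app_only else scopes) & IMPACTED_PERMISSIONS)
    # Flagged tokens matter only if used against notebooks that are not
    # Unified Group notebooks connected to Teams; that still needs a manual check.
    return {"app_only": app_only, "impacted_permissions": hits,
            "review_needed": app_only and bool(hits)}


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed test data, not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    for label, sample in {"app-only": {"roles": ["Notes.ReadWrite.All"]},
                          "delegated": {"scp": "Notes.ReadWrite.All User.Read"}}.items():
        print(label, classify(decode_claims(constructed_token(sample))))
```
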

What action is required on my part?

Before March 31, 2025, third-party applications using app-only tokens will need to migrate to using a more secure form of authorization. This update is necessary to enhance the security of your data. 

Here are the steps that you can take to introduce a more secure form of authorization: 

  1. If you rely on a system integrator partner or other third-party solution to perform operations on non-Teams OneNote Class Notebooks in your tenant, please share this support bulletin with them so that they can take further action. 

  2. If you have your own custom internal application that performs operations on OneNote Class Notebooks that aren’t Unified Group notebooks connected to Teams, and it uses app-only tokens, you’ll need to transition to using Global Tenant Administrator or OneDrive Owner user accounts for authorization for your application. 

  3. If you are a system integrator partner, the exact application you had previously run as app-only can now be run by a Global Tenant Administrator user account. To do this, you may need a Global Tenant Administrator user account provisioned by the tenant using the app. 

What will happen if I don't take action?

Requests to the Notebooks on OneDrive for Business and SharePoint site Notebooks endpoints using tokens with application permissions will return 401 Unauthorized errors at the end of March. 

We appreciate your cooperation in making these necessary changes to ensure the security of your data. Any questions or concerns can be sent to apponly-cnb@microsoft.com. 
