Check for retiring OneNote App Permission in Entra

Hi All,
In Message Center post MC1011142, Microsoft has announced the retirement of application permissions (app-only tokens) for the OneNote Graph APIs:
Effective March 31, 2025, we will retire support for authentication tokens with application permissions (app-only tokens) for MSGraph OneNote APIs. We will continue to support authentication tokens that have delegated permissions. While app-only tokens are easy to use, they may be more easily exploited compared to more sophisticated authorization methods. Requests to the Notes API endpoints using tokens with application permissions will return 401 unauthorized errors starting March 31, 2025.


I’ve added the Permissions to an Entra App


That’s how it looks in the API Permissions


If you look in the Manifest, you can find the ResourceAppId "00000003-0000-0000-c000-000000000000" (Microsoft Graph) and the two application roles (Type "Role"), identified by their IDs:
- Notes.Read.All > Application: 3aeca27b-ee3a-4c2b-8ded-80376e2134a4
- Notes.ReadWrite.All > Application: 0c458cef-11f3-48c2-a568-c66751c238c0


You can also use the Microsoft Graph permissions reference and search for the identifier there. Note that the delegated scopes Notes.Read.All and Notes.ReadWrite.All have different IDs than the application roles, and only the application roles are affected by the retirement.




PowerShell
Let's check a single app registration with PowerShell. The -ApplicationId parameter of Get-MgApplication takes the object ID of the app registration (not the application/client ID):
Connect-MgGraph -Scopes Application.Read.All -NoWelcome
$App = Get-MgApplication -ApplicationId "004258ac-3519-4e30-a849-1dd6cdb3d275"
# All resources (APIs) and permissions the app registration requests
$App.RequiredResourceAccess
# The permission IDs only; Type is "Role" for application and "Scope" for delegated permissions
$App.RequiredResourceAccess.ResourceAccess.Id


I've written a little PowerShell script that gets all the Entra applications and checks for the two permissions.
Connect-MgGraph -Scopes Application.Read.All -NoWelcome
# Microsoft Graph as the resource in RequiredResourceAccess
$GraphResourceAppId = "00000003-0000-0000-c000-000000000000"
#Notes.Read.All > Application
$NotesReadAll = "3aeca27b-ee3a-4c2b-8ded-80376e2134a4"
#Notes.ReadWrite.All > Application
$NotesReadWriteAll = "0c458cef-11f3-48c2-a568-c66751c238c0"
$EntraApps = Get-MgApplication -All
Foreach ($App in $EntraApps)
{
    $ObjectId = $App.Id            # object ID of the app registration
    $AppId = $App.AppId            # application (client) ID used in tokens and sign-in logs
    $AppDisplayName = $App.DisplayName
    # Only look at permissions requested on Microsoft Graph; other APIs may reuse GUIDs
    $GraphAccess = $App.RequiredResourceAccess | Where-Object { $_.ResourceAppId -eq $GraphResourceAppId }
    Foreach ($ResourceAccess in $GraphAccess.ResourceAccess)
    {
        # Type "Role" = application permission, "Scope" = delegated permission (not affected)
        If ($ResourceAccess.Type -ne "Role") { Continue }
        # Compare with -eq; -match would treat the GUID as a regular expression
        If ($ResourceAccess.Id -eq $NotesReadWriteAll)
        {
            Write-Host "Notes.ReadWrite.All > ObjectId: $ObjectId > AppId: $AppId > DisplayName: $AppDisplayName"
        }
        If ($ResourceAccess.Id -eq $NotesReadAll)
        {
            Write-Host "Notes.Read.All > ObjectId: $ObjectId > AppId: $AppId > DisplayName: $AppDisplayName"
        }
    }
}
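The script above reads RequiredResourceAccess, which is only what an app registration in your tenant requests. What actually matters at runtime is the application role granted (admin-consented) to the service principal, and that also covers multi-tenant apps registered in another tenant that only have a service principal in yours. The following is an added example, not code from the original post: it resolves the two role IDs from the Microsoft Graph service principal's AppRoles (instead of the manifest lookup described earlier) and then lists every principal that holds one of them via Get-MgServicePrincipalAppRoleAssignedTo. It assumes the Microsoft.Graph.Applications module and an Application.Read.All grant for the signed-in admin.

```powershell
Connect-MgGraph -Scopes Application.Read.All -NoWelcome

# Microsoft Graph service principal in this tenant (well-known appId)
$GraphSP = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Resolve the application-role IDs from Graph's own AppRoles instead of hard-coding them.
# Expected: Notes.Read.All = 3aeca27b-..., Notes.ReadWrite.All = 0c458cef-...
$NotesRoles = $GraphSP.AppRoles | Where-Object {
    $_.Value -in @("Notes.Read.All", "Notes.ReadWrite.All") -and
    $_.AllowedMemberTypes -contains "Application"
}
$NotesRoleIds = @{}
Foreach ($Role in $NotesRoles) { $NotesRoleIds[$Role.Id] = $Role.Value }
$NotesRoleIds.GetEnumerator() | ForEach-Object { Write-Host "$($_.Value) > $($_.Key)" }

# Every app role granted on Microsoft Graph to any principal in this tenant.
# This is the consented state, not the requested one, so it also covers
# multi-tenant apps whose registration lives in another tenant.
$Grants = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $GraphSP.Id -All

$Affected = $Grants | Where-Object { $NotesRoleIds.ContainsKey($_.AppRoleId) }
If (-not $Affected)
{
    Write-Host "No service principal holds Notes.* application permissions on Microsoft Graph"
    return
}

Foreach ($Grant in $Affected)
{
    # Look up the service principal to get the AppId and owning tenant
    $SP = Get-MgServicePrincipal -ServicePrincipalId $Grant.PrincipalId
    [PSCustomObject]@{
        Permission  = $NotesRoleIds[$Grant.AppRoleId]
        DisplayName = $Grant.PrincipalDisplayName
        AppId       = $SP.AppId
        SPObjectId  = $Grant.PrincipalId
        OwnerTenant = $SP.AppOwnerOrganizationId   # differs from your tenant for multi-tenant apps
        Granted     = $Grant.CreatedDateTime
    }
}
```

The AppId in the output is the value that appears in the Entra service principal sign-in logs, so you can check whether an affected app is still calling Graph app-only before March 31, 2025. Once an app has moved to delegated permissions, the now-useless grant should be removed for least privilege; that is a separate step with Remove-MgServicePrincipalAppRoleAssignment and needs AppRoleAssignment.ReadWrite.All.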


Regards
Andres Bohren

