Persistent 401 Unauthorized for OneNote API (me/onenote/notebooks) with Personal Microsoft Account

Question

Persistent 401 Unauthorized for OneNote API (me/onenote/notebooks) with Personal Microsoft Account

DD 20

Hello,

I am experiencing a critical and persistent '401 Unauthorized' error when attempting to access the OneNote API via the Microsoft Graph PowerShell SDK for my personal Microsoft account (MSA). This issue has already undergone extensive, detailed troubleshooting with Microsoft Support agents who were unable to assist, and I am now seeking assistance from this community.

My personal OneNote (onenote.com and desktop app) is functioning perfectly and syncing flawlessly, confirming no general account or sync issues.

Core Problem:

Despite Connect-MgGraph reporting 'Successfully connected to Microsoft Graph' and using the correct authentication flow for personal accounts (including -TenantId "consumers"), all subsequent API calls to https://graph.microsoft.com/v1.0/me/onenote/notebooks consistently return a '401 Unauthorized' error. This behavior contradicts Microsoft Graph's own documentation, which explicitly states that the OneNote API supports personal Microsoft accounts with delegated permissions like Notes.ReadWrite.All.

Key Troubleshooting Performed (All confirmed successful - this is NOT a basic issue):

Successful Authentication: Connect-MgGraph completes without error, and a browser prompt for consent appears and is accepted for Notes.ReadWrite.All scopes.
Correct Tenant ID for MSA: Explicitly used -TenantId "consumers" with Connect-MgGraph to ensure authentication targets the personal account identity platform.
Comprehensive Cache Clearing: Multiple times, I have cleared all cached authentication tokens and data from %LOCALAPPDATA%\Microsoft\OneAuth\accounts and %LOCALAPPDATA%\Microsoft\TokenBroker\Cache to ensure fresh token acquisition.
OneNote Account Health Verified: Confirmed full, bidirectional sync of OneNote notebooks between the desktop application and onenote.com for my personal Microsoft account. OneDrive sync for general files is also fully functional.
Diagnostic Scope Testing: Even testing with the less permissive Notes.Read scope resulted in the same 401 Unauthorized error.
Time Elapsed: Waited significant periods between troubleshooting steps to account for any propagation delays.

This problem is not a script error, module installation issue, or a general incompatibility. It strongly indicates a service-side token validation issue specific to my personal Microsoft account and its interaction with the Microsoft Graph OneNote API.

Reproducible Code (Simplified Snippet):

# Ensure Microsoft.Graph.Authentication and Microsoft.Graph.Notes are installed
# Install-Module -Name Microsoft.Graph.Authentication, Microsoft.Graph.Notes -Scope CurrentUser -Force
# Connect to Graph for personal account
Connect-MgGraph -Scopes "Notes.ReadWrite.All" -ContextScope Process -TenantId "consumers"
# After successful connection, retrieve Access Token
$AccessToken = (Get-MgContext).AccessToken
# Attempt to list notebooks (this consistently fails with 401)
$Headers = @{ "Authorization" = "Bearer $AccessToken" }
$Uri = "https://graph.microsoft.com/v1.0/me/onenote/notebooks"
try {
    Invoke-RestMethod -Method Get -Uri $Uri -Headers $Headers -Body {} -ContentType "application/json" -ErrorAction Stop
}
catch {
    Write-Host "Error accessing OneNote API: $($_.Exception.Message)"
    # Note: Full Response may contain sensitive details, consider sanitizing if copy-pasting from a real log
    Write-Host "Full Response (if available): $($_.Exception.Response.Content)"
}

Any insights or assistance from the community or Microsoft engineers would be greatly appreciated.

Accepted answer

0 additional answers

Your answer

Answer 1

Aashutosh Tiwari - MSFT 435 Microsoft External Staff

Hi DD,

Thanks for choosing Microsoft Forum,

We can see that you are facing this issue in PowerShell. Have you tried this API https://graph.microsoft.com/v1.0/me/onenote/notebooks in Postman or Graph Explorer? If yes, then we would like to tell you that application permissions have stopped working for OneNote APIs effective from 31st March,2025. So, requesting you to try using delegate permissions.

Hope this helps.

If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment

DD 20 Reputation points

2025-05-26T12:32:36.2966667+00:00
Hi Aashutosh,

Thanks again for the guidance! I've run the specific API call https://graph.microsoft.com/v1.0/me/onenote/notebooks in Graph Explorer, and unfortunately, I am still encountering an authorization error.

Here's the response I received from Graph Explorer after signing in with my personal Microsoft account and confirming consent for the Notes.ReadWrite.All delegated permission:

{ "error": { "code": "40001", "message": "The request does not contain a valid authentication token. Detailed error information: {0}", "innerError": { "date": "2025-05-26T12:29:55", "request-id": "ebfab8b5-09ca-4434-8059-38796f982c83", "client-request-id": "91f3850c-42e1-2e62-f106-b046d4420143" } } }

This 40001 error, indicating "The request does not contain a valid authentication token," is consistent with what I'm seeing in PowerShell.

As this is happening directly within Graph Explorer with a delegated token from my personal account, it confirms the issue isn't specific to PowerShell or application permissions. It seems there's a problem with the token validation by the OneNote API for personal Microsoft accounts, even when valid delegated permissions are granted via the v2.0 endpoint.

Could you please investigate why a valid delegated token for a personal account might be deemed invalid by the OneNote API in this scenario? This seems to be a fundamental issue with personal account access to OneNote via Graph.

Thanks for your continued support!

Aashutosh Tiwari - MSFT 435 Microsoft External Staff

Hi @DD,
Thanks for your response ! I would like to suggest you to use the code below which will help authenticating successfully

$body = "grant_type=client_credentials&client_id=CLIENTID&client_secret=CLIENTSECRET=&resource=https%3A%2F%2Fonenote.com%2F"

$auth = Invoke-RestMethod -Uri 'https://login.microsoftonline.com/TENANTNAME.onmicrosoft.com/oauth2/token' -Body $body -Method post -ContentType application/x-www-form-urlencoded
$accesstoken = $auth.access_token

DD 20 Reputation points

2025-05-26T12:41:54.5633333+00:00

Hi Aashutosh,

Thanks for providing that code snippet.

I appreciate the suggestion, but the code you've provided uses the client_credentials grant type, which is for application permissions. As you correctly pointed out in your previous response, "application permissions have stopped working for OneNote APIs effective from 31st March, 2025."

My scenario specifically requires and is already using delegated permissions, acting on behalf of my signed-in personal Microsoft account. The Connect-MgGraph command, which I'm using, handles this delegated authentication flow via MSAL for personal accounts (using -TenantId "consumers").

The core issue remains: I am receiving a 401 Unauthorized error (with code 40001, "The request does not contain a valid authentication token") when attempting to access https://graph.microsoft.com/v1.0/me/onenote/notebooks using a delegated token from my personal Microsoft account, both in PowerShell and directly in Graph Explorer.

This points to a problem with how the OneNote API is validating delegated tokens for personal Microsoft accounts, rather than an issue with the authentication flow itself or the use of application permissions.

Could we please focus on why delegated access for personal accounts to the OneNote API is failing with this 40001 token validation error?

Thanks for your continued assistance.
Aashutosh Tiwari - MSFT 435 Reputation points Microsoft External Staff

2025-05-26T13:21:46.8933333+00:00
Hey DD,

Thank you for your response and apologies for delay. The possible reasons can be due to following below:
API Scope Limitations – The OneNote API may have restrictions for personal accounts using delegated permissions. While certain Graph API endpoints support consumer accounts (TenantId "consumers"), some services like OneNote may only be accessible via Microsoft Work or School accounts.

Token Scope Issues – The token being used may not contain the required permissions for OneNote API access. You might want to check if the Connect-MgGraph command properly includes:

Notes.Read or Notes.ReadWrite

`Notes.Read.All` or `Notes.ReadWrite.All` Ensure these scopes are granted explicitly via **MSAL authentication flow**. **Graph API Limitations for Personal Accounts** – Microsoft has restrictions on accessing certain API endpoints with consumer accounts. **OneNote API**, in particular, may be designed to work primarily with **work or school accounts**, causing unexpected authorization errors when using a personal Microsoft account.
DD 20 Reputation points

2025-05-26T13:28:02.18+00:00
Hi Aashutosh,

Thank you for the detailed response and insights. No worries about the delay.

This explanation regarding API Scope Limitations for personal accounts on the OneNote API is very insightful and aligns with the persistent 401 error I'm seeing, even in Graph Explorer.

My initial understanding, based on the Microsoft identity platform (v2.0) documentation and MSAL's stated support for unifying personal and work accounts, was that personal accounts should indeed be able to access relevant Graph APIs. This is why this specific behavior has been so unexpected.

To confirm regarding the scopes:

Yes, I have consistently used and ensured consent for the Notes.ReadWrite.All (delegated) permission. This was used with Connect-MgGraph -TenantId "consumers" in PowerShell, and explicitly consented to within Graph Explorer before attempting the GET /me/onenote/notebooks query.

Given that the 40001 "invalid authentication token" error persists even in Graph Explorer after confirming delegated Notes.ReadWrite.All consent for my personal Microsoft account, your point about the OneNote API potentially restricting access to work/school accounts despite MSAL v2.0 supporting personal accounts seems to be the most plausible explanation for this unexpected behavior.

Could you please confirm if there is any official documentation or a known limitation that explicitly states the OneNote API is not accessible for personal Microsoft accounts via Microsoft Graph, even with valid delegated Notes.ReadWrite.All permissions? This would provide a definitive answer and help others who might encounter this.

Thanks again for helping to narrow this down!
Aashutosh Tiwari - MSFT 435 Reputation points Microsoft External Staff

2025-05-26T13:38:33.75+00:00

Hey DD,
Thanks for your response. This point will take time to publish in an official documentation soon however I discussed with my team in the past so conveyed to you. Meanwhile you can go through this documentation below:
https://learn.microsoft.com/en-us/graph/api/resources/onenote-api-overview?view=graph-rest-1.0

If you feel like it was a plausible explanation, then please click on "Accept".
DD 20 Reputation points

2025-05-26T13:42:19.0533333+00:00

Hi Aashutosh,

Thank you very much for this confirmation.

Your explanation regarding the API Scope Limitations for personal accounts on the OneNote API being a known issue that will be officially documented is exactly the definitive answer I was looking for. This finally clarifies why I was consistently encountering the 401 Unauthorized error with delegated permissions, even in Graph Explorer, despite correct authentication and consent.

It's truly helpful to have this specific limitation confirmed. While it's not the outcome I hoped for, it provides a clear understanding of the situation and prevents further troubleshooting on my end.

I will proceed to accept your answer as it thoroughly explains the behavior I'm observing.

Thank you again for your patience and for consulting with your team to provide this crucial information.
Aashutosh Tiwari - MSFT 435 Reputation points Microsoft External Staff

2025-05-26T13:54:42.71+00:00

Hey DD,
Thank you !

Share via

Persistent 401 Unauthorized for OneNote API (me/onenote/notebooks) with Personal Microsoft Account

0 additional answers

Your answer