Why are MS Graph APIs for OneNote updated to use Delegated access

Global Admin1 5 Reputation points
2025-06-02T12:02:07.56+00:00

Why are Microsoft Graph APIs for OneNote changed to only work with Delegated access when all other files and data in SharePoint can still be accessed using the Graph API with Application access?

Microsoft Security Microsoft Graph

2 answers

  1. Q&A Assist
    2025-06-02T12:02:07.6833333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    The Microsoft Graph APIs for OneNote are transitioning to only support delegated access because this approach aligns better with the way users interact with their personal notes and data. Delegated access allows applications to act on behalf of a signed-in user, ensuring that the application can only access the resources that the user has permission to access. This is particularly important for OneNote, where user privacy and data security are paramount.

    In contrast, application-only access is more suited for scenarios where no user context is required, such as background services or automation tasks. Since OneNote is inherently a user-centric application, it makes sense to require delegated access to ensure that users have control over their notes and can manage permissions effectively.

    Moreover, the OneNote API's shift to delegated authentication reflects a broader trend towards enhancing user security and privacy across Microsoft services.


  2. Rukmini 3,841 Reputation points Microsoft External Staff Moderator
    2025-06-05T09:02:22.82+00:00

    Hello @Global Admin1,

    Microsoft has announced that it will retire app-only access to OneNote APIs by March 31, 2025.

    Refer to this blog: Microsoft OneNote: App-only authentication for OneNote Microsoft Graph APIs will retire - M365 Admin

    • To enhance security and to address cyber threats, Microsoft is changing the authentication flow for Microsoft Graph OneNote APIs.

    Using delegated permissions and the delegated authentication flow:

    • The user signs in and grants consent, enabling Microsoft to enforce fine-grained access control, auditing, and compliance.
    • This ensures that all actions are performed on behalf of an identifiable, authenticated user rather than a background application.

    This lowers the possibility of data being accessed or stolen covertly by ensuring Zero Trust and least privilege, which help guarantee users only have access they actually need.

    Does This Mean All Graph APIs Will Eventually Require Delegated Access?

    No, not all Microsoft Graph APIs will eventually require delegated access.

    • Only APIs that involve sensitive or personal user data, like OneNote, To Do, or Planner, are moving toward delegated-only access to better protect privacy and security.
    • Many Graph APIs, meant for administrative tasks or organizational data (like managing users, groups, or SharePoint content), will continue to support app-only access.
    • App-only access will remain an important and supported model for many scenarios.

    Hope this information is helpful and clarifies things!


    If this answers your query, do click Accept Answer and Yes for was this answer helpful, which may help members with similar questions.

    If you have any other questions or are still experiencing issues, feel free to ask in the "comments" section, and I'd be happy to help.
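
The distinction the answers above draw between delegated and app-only access is visible in the access token itself: Microsoft identity platform tokens carry delegated permissions in the `scp` claim and application permissions in the `roles` claim. The following is an added example, not part of the original thread or Microsoft's code, that inspects a token and reports whether its OneNote (`Notes.*`) permissions are delegated or app-only. The function names and sample tokens are constructed for illustration, and the payload is decoded without signature verification, so this is a diagnostic aid only.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a JWT WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_access(claims: dict) -> str:
    """'delegated' when scp is present, 'app-only' when only roles is present."""
    if claims.get("scp"):
        return "delegated"
    if claims.get("roles"):
        return "app-only"
    return "unknown"


def onenote_finding(token: str) -> str:
    """Summarise how (and whether) this token grants OneNote permissions."""
    claims = jwt_claims(token)
    kind = classify_access(claims)
    # Delegated permissions are a space-separated string; app roles are a list.
    granted = claims["scp"].split() if kind == "delegated" else list(claims.get("roles", []))
    notes = sorted(p for p in granted if p.startswith("Notes."))
    if not notes:
        return f"{kind}: no Notes.* permission in token"
    if kind == "delegated":
        return f"delegated: OK for user {claims.get('oid', '?')} with {', '.join(notes)}"
    return f"{kind}: {', '.join(notes)} will not work once app-only OneNote access is retired"


def _fake_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the samples below."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample tokens (not real credentials).
DELEGATED = _fake_token({"scp": "Notes.Read User.Read", "oid": "user-oid-placeholder"})
APP_ONLY = _fake_token({"roles": ["Notes.Read.All", "Sites.Read.All"], "idtyp": "app"})

if __name__ == "__main__":
    for t in (DELEGATED, APP_ONLY):
        print(onenote_finding(t))
```

Running this against tokens issued to each of your integrations shows which ones still rely on app-only OneNote permissions and need to move to a delegated sign-in flow.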

