Install and configure OneNote SDK/API authentication with delegated auth (MSAL). Use when setting up a new OneNote integration, configuring Azure AD app registration, or migrating from deprecated app-only auth. Trigger with "install onenote", "setup onenote auth", "onenote credentials", "azure ad onenote".
Set up Microsoft Graph API authentication for OneNote using delegated credentials via MSAL. This skill walks through Azure AD app registration, SDK installation, permission scope selection, token caching, and connection verification for both Python and TypeScript.
BREAKING CHANGE (March 31, 2025): App-only authentication (ClientSecretCredential) was deprecated for OneNote APIs. All integrations MUST use delegated auth — DeviceCodeCredential or InteractiveBrowserCredential. If your existing code uses ClientSecretCredential with OneNote endpoints, it will receive 403 Forbidden on every call. This skill provides the correct migration path.
onenote-integration-dev)http://localhost

| Scope | Use Case |
|---|---|
| Notes.Read | Read-only access to user's notebooks |
| Notes.ReadWrite | Read and write to user's notebooks |
| Notes.ReadWrite.All | Read/write all notebooks the user can access (including shared) |
| Notes.Read.All | Read all notebooks the user can access (including shared) |
Python:

```bash
pip install msgraph-sdk azure-identity
```

TypeScript/Node:

```bash
npm install @microsoft/microsoft-graph-client @azure/identity @azure/msal-node
```
```bash
# .env file — NEVER commit this to version control
AZURE_CLIENT_ID=your-application-client-id
AZURE_TENANT_ID=your-directory-tenant-id
# Do NOT set AZURE_CLIENT_SECRET — app-only auth is deprecated for OneNote
```
```python
import asyncio
import os

from azure.identity import DeviceCodeCredential
from msgraph import GraphServiceClient

CLIENT_ID = os.environ["AZURE_CLIENT_ID"]
TENANT_ID = os.environ["AZURE_TENANT_ID"]

# DeviceCodeCredential prompts the user to visit a URL and enter a code.
# This is the recommended flow for CLI tools and headless environments.
credential = DeviceCodeCredential(
    client_id=CLIENT_ID,
    tenant_id=TENANT_ID,
)
scopes = ["Notes.ReadWrite"]
client = GraphServiceClient(credentials=credential, scopes=scopes)


async def main() -> None:
    # Verify connection: list the signed-in user's notebooks
    notebooks = await client.me.onenote.notebooks.get()
    if notebooks and notebooks.value:
        for nb in notebooks.value:
            print(f"Notebook: {nb.display_name} (id: {nb.id})")


# The Graph SDK calls are coroutines, so run them inside an event loop
asyncio.run(main())
```
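The scope table and the `.env` guidance above can be checked before any sign-in prompt is shown. The following is an added example, not code from the original page or from any Microsoft SDK: `preflight` and `minimal_scope` are hypothetical helper names, and the `needs_write` / `needs_shared` inputs are an assumed way for the integration to declare what it needs.

```python
# Added example; helper names are hypothetical. Scope and variable names
# are taken from the page's scope table and .env block.

# Scope -> (grants write, includes shared notebooks), per the table above.
ONENOTE_SCOPES = {
    "Notes.Read": (False, False),
    "Notes.ReadWrite": (True, False),
    "Notes.Read.All": (False, True),
    "Notes.ReadWrite.All": (True, True),
}


def minimal_scope(needs_write, needs_shared):
    """Return the narrowest listed scope that matches the stated need."""
    for name, flags in ONENOTE_SCOPES.items():
        if flags == (needs_write, needs_shared):
            return name


def preflight(env, scopes, needs_write=False, needs_shared=False):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for var in ("AZURE_CLIENT_ID", "AZURE_TENANT_ID"):
        if not env.get(var):
            findings.append(f"{var} is not set")
    if env.get("AZURE_CLIENT_SECRET"):
        findings.append("AZURE_CLIENT_SECRET is set: app-only auth is deprecated for OneNote")
    best = minimal_scope(needs_write, needs_shared)
    covered = False
    for scope in scopes:
        if scope not in ONENOTE_SCOPES:
            findings.append(f"{scope}: not one of the listed OneNote scopes")
            continue
        write, shared = ONENOTE_SCOPES[scope]
        if (write and not needs_write) or (shared and not needs_shared):
            findings.append(f"{scope}: broader than needed, request {best}")
        if (write or not needs_write) and (shared or not needs_shared):
            covered = True
    if not covered:
        findings.append(f"no requested scope covers the need, request {best}")
    return findings


if __name__ == "__main__":
    # Constructed sample: secret left over from an app-only setup, read-only tool.
    sample_env = {"AZURE_CLIENT_ID": "client-id-placeholder", "AZURE_TENANT_ID":
                  "tenant-id-placeholder", "AZURE_CLIENT_SECRET": "leftover-placeholder"}
    for finding in preflight(sample_env, ["Notes.ReadWrite.All"]):
        print(finding)
```

Run it against `os.environ` and the `scopes` list passed to `GraphServiceClient` in a CI step or at process start, and fail the build on any finding.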