msgraph-sdk-dotnet

The request does not contain a valid authentication token when getting Onenote

Open kostyrin opened this issue 6 months ago • 6 comments

Describe the bug

When I try to work with ClientCertificateCredential with a certificate, I am faced with this issue:

The request does not contain a valid authentication token. Detailed error information: To improve the security of our customers' data, this API will no longer support app-only tokens starting from March 31st 2025. Customers may still call these APIs using delegated (app+user) tokens. Please refer to this link: https://learn.microsoft.com/en-us/graph/auth-v2-user

But at the same time I can retrieve users/permissions, etc.

This is the script:

using Azure.Identity;
using LatestVersion;
using Microsoft.Graph;
using Microsoft.Graph.Models;
using System.Security.Cryptography.X509Certificates;

var settings = Settings.LoadSettings();

var certificate = new X509Certificate2("d:\\cert.pfx", settings.Password);
var clientCertCredential = new ClientCertificateCredential(settings.TenantId, settings.ClientId, certificate);

var appClient = new GraphServiceClient(clientCertCredential, ["https://graph.microsoft.com/.default"]);

var permissions = await appClient.Oauth2PermissionGrants.GetAsync();
Console.WriteLine($"Permissions: {string.Join(",", permissions!.Value!.Select(p => p.Scope))}");
var users = await appClient.Users.GetAsync();
Console.WriteLine($"{users.Value.Count} users");

try
{
    Console.WriteLine("Try to getting Onenotes..");
    var notes = await appClient.Users[settings.UserName].Onenote.Notebooks.GetAsync();
    var notebook = new Notebook { DisplayName = $"test_{DateTime.UtcNow.ToString("yyyyMMddhhmmss")}" };
    var result = await appClient.Users[settings.UserName].Onenote.Notebooks.PostAsync(notebook);
}
catch (Exception ex)
{
    Console.WriteLine($"Got Error: {ex.Message}");
    Console.WriteLine(ex);
}

It hasn't worked for some time.

Expected behavior

should work

How to reproduce

run the script

SDK Version

5.83.0

Latest version known to work for scenario above?

No response

Known Workarounds

No response

Debug output

Permissions: AppCatalog.Read.All AppCatalog.Submit Channel.ReadBasic.All EduAssignments.ReadBasic EduRoster.ReadBasic Files.Read.All Files.ReadWrite.All Group.Read.All People.Read People.Read.All Presence.Read.All TeamsAppInstallation.ReadWriteSelfForTeam User.Read User.ReadBasic.All Tasks.ReadWrite Group-Conversation.ReadWrite.All Team.ReadBasic.All Channel.Create Sites.Read.All PrinterShare.ReadBasic.All PrintJob.Create PrintJob.ReadBasic FileStorageContainer.Selected Calendars.Read Files.Read GroupMember.Read.All InformationProtectionPolicy.Read TeamsAppInstallation.ReadWriteForTeam ChatMember.Read TeamsTab.Create,User.Read User.ReadBasic.All,user_impersonation,user_impersonation,Forms.ReadWrite,MLModel.Execute.All Report.Read.All UserState.ReadWrite.All Dataset.Read.All,Sites.FullControl.All ExternalConnection.ReadWrite.All,User.Read,Notes.Create Notes.ReadWrite.CreatedByApp User.Read, User.Read openid offline_access IMAP.AccessAsUser.All profile Mail.ReadWrite Files.ReadWrite Contacts.ReadWrite Calendars.ReadWrite EWS.AccessAsUser.All, User.Read Mail.ReadWrite Files.ReadWrite EWS.AccessAsUser.All openid offline_access IMAP.AccessAsUser.All Contacts.ReadWrite Calendars.ReadWrite,MyFiles.Write,User.Read,User.Read, User.Read Mail.ReadWrite EWS.AccessAsUser.All Files.ReadWrite openid offline_access IMAP.AccessAsUser.All Contacts.ReadWrite Calendars.ReadWrite, openid offline_access IMAP.AccessAsUser.All User.Read Mail.ReadWrite Files.ReadWrite Contacts.ReadWrite Calendars.ReadWrite,MyFiles.Write, Notes.Create openid profile offline_access Notes.Read,APIConnectors.Read.All APIConnectors.ReadWrite.All Application.Read.All Calendars.Read Calendars.ReadBasic Calendars.ReadWrite DelegatedPermissionGrant.Read.All DelegatedPermissionGrant.ReadWrite.All Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All Domain.Read.All Files.Read.All Group.Read.All Group.ReadWrite.All Mail.ReadWrite Notes.Create Notes.Read openid profile Sites.FullControl.All 
Sites.Manage.All Sites.Read.All Sites.ReadWrite.All Sites.Selected User.Read User.Read.All User.ReadBasic.All email Files.ReadWrite.All offline_access Files.ReadWrite User.ReadWrite.All Device.Read.All Domain.ReadWrite.All AppCatalog.Read.All Application.ReadWrite.All, openid profile User.Read offline_access Notes.Read.All Notes.ReadWrite Notes.ReadWrite.All Files.Read Files.Read.All Files.ReadWrite.All, User.Read, openid profile offline_access, openid profile email offline_access, openid profile offline_access,User.Read,User.Read,User.Read,user_impersonation,user_impersonation,user_impersonation
100 users
Try to getting Onenotes..
Got Error: The request does not contain a valid authentication token. Detailed error information: To improve the security of our customers' data, this API will no longer support app-only tokens starting from March 31st 2025. Customers may still call these APIs using delegated (app+user) tokens. Please refer to this link: https://learn.microsoft.com/en-us/graph/auth-v2-user
Microsoft.Graph.Models.ODataErrors.ODataError: The request does not contain a valid authentication token. Detailed error information: To improve the security of our customers' data, this API will no longer support app-only tokens starting from March 31st 2025. Customers may still call these APIs using delegated (app+user) tokens. Please refer to this link: https://learn.microsoft.com/en-us/graph/auth-v2-user
   at Microsoft.Kiota.Http.HttpClientLibrary.HttpClientRequestAdapter.ThrowIfFailedResponseAsync(HttpResponseMessage response, Dictionary2 errorMapping, Activity activityForAttributes, CancellationToken cancellationToken)
   at Microsoft.Kiota.Http.HttpClientLibrary.HttpClientRequestAdapter.SendAsync[ModelType](RequestInformation requestInfo, ParsableFactory1 factory, Dictionary2 errorMapping, CancellationToken cancellationToken)
   at Microsoft.Kiota.Http.HttpClientLibrary.HttpClientRequestAdapter.SendAsync[ModelType](RequestInformation requestInfo, ParsableFactory1 factory, Dictionary2 errorMapping, CancellationToken cancellationToken)
   at Microsoft.Graph.Users.Item.Onenote.Notebooks.NotebooksRequestBuilder.GetAsync(Action1 requestConfiguration, CancellationToken cancellationToken)
   at Program.<Main>$(String[] args) in D:\dev\temp\msgraph-training-dotnet\app-auth\LatestVersion\Program.cs:line 22

Configuration

No response

Other information

No response

kostyrin, Jun 26 '25 08:06

anybody?

kostyrin, Jul 08 '25 19:07

Same here, I want to read OneNote and it doesn't work.

Egonolson, Jul 31 '25 08:07

Attempted to use Get-MgGroupOnenoteNotebook and hit this error.

robinmalik, Sep 30 '25 18:09

This requires follow up with OneNote API owners. Anybody that comes across this issue please let us know via this issue if this is affecting you. We need to see the number of affected scenarios to triage this work.

MIchaelMainer, Dec 08 '25 20:12

@MIchaelMainer please note that everything (working with the OneNote API) has been broken since summer 2025. I think it's important to fix that.

kostyrin, Dec 15 '25 07:12

Communication about this scenario:

  • https://learn.microsoft.com/en-us/graph/integrate-with-onenote
  • https://m365admin.handsontek.net/microsoft-onenote-app-only-authentication-for-onenote-microsoft-graph-apis-will-retire-2/

This breaking change in the supported authorization mechanism is by design. While I don't have clear information on this scenario, the OneNote API team likely removed app-only auth to improve security. I recognize that this is very disruptive and I'm sorry for any impacts it may have had on you and your customers.

MIchaelMainer, Dec 16 '25 22:12
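
The error text in this issue says the OneNote endpoints still accept delegated (app+user) tokens. The following is an added example, not code from this thread or from the SDK project: it signs a user in with `DeviceCodeCredential`, checks whether the resulting token is delegated or app-only, and then lists that user's notebooks. The tenant and client IDs are placeholders, and it assumes the app registration allows public client flows, has the delegated `Notes.Read` permission consented, and that the Graph access token is a readable JWT (decoding it here is for diagnosis only).

```csharp
using System.Text.Json;
using Azure.Core;
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models;

// Placeholders (assumptions): replace with your own tenant and app registration.
var scopes = new[] { "Notes.Read" };
var credential = new DeviceCodeCredential(new DeviceCodeCredentialOptions
{
    TenantId = "<tenant-id>",
    ClientId = "<client-id>",
    // Prints the verification URL and code the user must enter to sign in.
    DeviceCodeCallback = (info, _) =>
    {
        Console.WriteLine(info.Message);
        return Task.CompletedTask;
    },
});

// Acquire a token once and report which kind it is before calling OneNote.
var token = await credential.GetTokenAsync(new TokenRequestContext(scopes), CancellationToken.None);
Console.WriteLine($"Token type: {DescribeToken(token.Token)}");

// Delegated calls go through /me rather than /users/{id}.
var graphClient = new GraphServiceClient(credential, scopes);
var notebooks = await graphClient.Me.Onenote.Notebooks.GetAsync();
foreach (var notebook in notebooks?.Value ?? new List<Notebook>())
{
    Console.WriteLine(notebook.DisplayName);
}

// Decodes the JWT payload (no signature validation; diagnostic use only).
// Delegated tokens carry an "scp" claim; app-only tokens carry "roles".
static string DescribeToken(string jwt)
{
    var payload = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
    payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
    using var doc = JsonDocument.Parse(Convert.FromBase64String(payload));
    var claims = doc.RootElement;
    if (claims.TryGetProperty("scp", out var scp))
        return $"delegated (scp: {scp.GetString()})";
    if (claims.TryGetProperty("roles", out var roles))
        return $"app-only (roles: {roles})";
    return "unknown (neither scp nor roles claim present)";
}
```

A token obtained with `ClientCertificateCredential` and the `.default` scope, as in the script above, is app-only and would report `roles` rather than `scp`; that is the token type the error message says the OneNote API no longer accepts.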