Symptom

This issue can present in several ways, listed below. It is seen when attempting to create a new backup set for OneDrive, SharePoint or Teams. Exchange is not affected.

  • The following error presents in the RedApp: "Access denied: The app needs access to a service ('https://*onenote.com/'). Please log in to this service first before creating new backups."
  • You may see no error, but you will be returned to the Select Service screen after authenticating, instead of progressing to the permissions step.
  • You may see "access denied" in the URL.
  • You may see the following error in your browser's developer tools:

    The app is trying to access a service ({appId}) ({appName}) that your organization '{organization name}' lacks a service principal for. Contact your IT Admin to review the configuration of your service subscriptions or consent to the application in order to create the required service principal.

 

Cause

The RedApp requires permissions to the OneNote API in order to protect M365 data. Although OneNote is included in all M365 Business plans, the OneNote service is not automatically linked to a subscription, as Exchange, OneDrive, SharePoint, and Teams are. This error will therefore occur even if no user in the Microsoft tenant uses the OneNote service.

Why is OneNote necessary to back up SharePoint, OneDrive and Teams? In short, OneNote files may or may not make up a part of the backups of these applications. Our system must provide for the possibility that OneNote files will need to be backed up as part of other backups. Examples include:

  • OneDrive: OneNote notebooks can be stored in OneDrive, but accessing OneNote content requires OneNote-specific permissions. These permissions allow us to retrieve and download OneNote pages, sections, and notebooks.
  • Teams: OneNote permissions allow us to retrieve OneNote notebooks linked to a Team.
  • SharePoint: OneNote permissions allow us to retrieve OneNote notebooks stored in a SharePoint document library.

Redstor requires these OneNote permissions upfront to ensure that backups of the OneNote data can happen should you wish to protect it.

When you attempt to add a backup set for OneDrive, SharePoint or Teams, Microsoft verifies the OneNote state immediately, and in the absence of a OneNote service, returns the errors above. Without an active OneNote service, Redstor has no way to request the necessary OneNote permissions to perform backups of the other three applications.

 

Solution

To link the OneNote service to a subscription, a user (any user in the relevant tenant) must log in to OneNote, either via the desktop app or via the OneNote web app. Once the service has been accessed, you will be able to create backup sets and authenticate without encountering the above errors. It is normally not necessary to create a notebook or take any further action. However, if the problem persists, you can proceed to create a notebook, which is likely to resolve the problem.
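
To confirm the state before and after a user signs in to OneNote, a tenant administrator can check whether the service principal named in the developer-tools error exists. The script below is an added example, not Redstor tooling: it assumes the Microsoft Graph PowerShell SDK is installed, that the appId appears as a GUID directly after the words "access a service" in the copied error, and that the script is saved under the hypothetical name Test-ServicePrincipal.ps1.

```powershell
# Added example (not part of the original article or of Redstor's product).
# Usage: .\Test-ServicePrincipal.ps1 -ErrorText '<error copied from developer tools>'
param(
    # Full error text copied from the browser's developer tools.
    [Parameter(Mandatory)]
    [string] $ErrorText
)

# The error names the missing service as "({appId}) ({appName})".
# Anchor on "access a service" so an unrelated GUID elsewhere in the
# pasted text (for example a trace identifier) is not picked up by mistake.
$pattern = 'access a service\W*(?<id>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})'
$match = [regex]::Match($ErrorText, $pattern)
if (-not $match.Success) {
    throw 'No appId (GUID) found after "access a service" in the supplied error text.'
}
$appId = $match.Groups['id'].Value

# Read-only delegated scope: sufficient to list service principals,
# and it cannot modify anything in the tenant.
Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null

# Look up the service principal for that appId in the signed-in tenant.
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"

if (-not $sp) {
    # Matches the symptom described above: the tenant has no service principal yet.
    Write-Output "MISSING: no service principal for appId $appId in this tenant."
    Write-Output 'Have any user in the tenant sign in to OneNote, then run this check again.'
}
else {
    # Present: show what exists, including whether sign-in to it is enabled.
    Write-Output "PRESENT: service principal found for appId $appId."
    $sp | Select-Object DisplayName, AppId, Id, AccountEnabled | Format-List
}

Disconnect-MgGraph | Out-Null
```

If the result is still MISSING after a user has signed in to OneNote, the article's fallback of creating a notebook applies before retrying the backup set.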