onenote-common-errors

What this skill does

# OneNote Common Errors

## Overview

A complete error decoder for the OneNote Graph API. Each HTTP status code has multiple possible root causes — this skill maps every cause, provides diagnostic steps, and gives fix-it code. Special attention to the two trickiest errors: 403 (which could mean wrong permissions OR deprecated app-only auth) and 200 with empty body (silent upload failure that causes data loss).

## Prerequisites

- A OneNote Graph API integration that is returning errors
- Access to application logs or the ability to add logging
- Familiarity with the Graph API request/response format

## Instructions

### Complete Error Reference Table

| Code | Error Name | Possible Causes | Fix |
|------|-----------|-----------------|-----|
| 400 | Bad Request | (1) Invalid XHTML — unclosed tags, bad encoding | Validate HTML with XML parser before sending |
| | | (2) Bad notebook name — empty or duplicate `displayName` | Check for existing notebooks, use unique names |
| | | (3) Malformed JSON in PATCH body | Validate JSON structure matches [update spec](https://learn.microsoft.com/en-us/graph/onenote-update-page) |
| | | (4) Missing `<title>` in page HTML | Always include `<head><title>...</title></head>` |
| | | (5) Invalid `$filter` OData expression | Check [OData query syntax](https://learn.microsoft.com/en-us/graph/api/resources/onenote-api-overview) |
| 403 | Forbidden | (1) **App-only auth (deprecated March 2025)** | Switch to delegated auth (DeviceCodeCredential) |
| | | (2) Missing permission scope | Add `Notes.ReadWrite` in Azure Portal, re-consent |
| | | (3) User doesn't own the notebook | Use `/users/{id}/onenote/` for shared notebooks |
| | | (4) Admin consent required but not granted | Admin must grant consent in Azure Portal |
| | | (5) Conditional access policy blocking app | Check Azure AD conditional access policies |
| 404 | Not Found | (1) Page/section/notebook ID is wrong | Re-fetch parent resource to get correct IDs |
| | | (2) Resource was deleted | Use `$filter=isDeleted eq true` if available |
| | | (3) Wrong URL format | Verify endpoint: `/me/onenote/` not `/me/notes/` |
| | | (4) User context mismatch — querying another user's notes without delegation | Use `/users/{userId}/onenote/` with correct permissions |
| 429 | Too Many Requests | (1) Per-user limit: 600 requests / 60 seconds | Parse `Retry-After` header, wait exact seconds |
| | | (2) Per-tenant limit: 10,000 requests / 10 minutes | Reduce concurrency, use batch requests |
| | | (3) Burst of requests from multiple users in same tenant | Implement per-tenant rate limit tracking |
| 500 | Internal Server Error | (1) Graph service internal failure | Retry with exponential backoff |
| | | (2) Malformed request that passes validation but fails processing | Check request body against API reference |
| 502 | Bad Gateway | (1) Upstream OneNote service unavailable | Retry after 5-10 seconds |
| | | (2) Token expiration during processing | Refresh token and retry |
| 507 | Insufficient Storage | (1) Per-section page limit exceeded (~5000 pages) | Create a new section, archive old pages |
| | | (2) User OneDrive storage quota hit | Check storage quota in OneDrive settings |

### The 403 Trap: App-Only Auth Deprecation

This is the single most common production issue since March 2025. If your code uses `ClientSecretCredential` (Node) or `client_secret` (Python) for OneNote calls, every request returns 403 regardless of permission scope.

**How to diagnose:**

```typescript
// Check if you're using the deprecated auth pattern
// SEARCH your codebase for these — any match means you need to migrate:
// - ClientSecretCredential
// - client_secret
// - AZURE_CLIENT_SECRET
// - ConfidentialClientApplication (for OneNote specifically)

// If found, the fix is:
// BEFORE (broken after March 2025):
import { ClientSecretCredential } from "@azure/identity";
const credential = new ClientSecretCredential(tenantId, clientId, clientSecret);

// AFTER (correct):
import { DeviceCodeCredential } from "@azure/identity";
const credential = new DeviceCodeCredential({ clientId, tenantId });
```

### The 200 Trap: Silent Upload Failure

This error does not appear in any error table because the HTTP status is 200. Files larger than approximately 4MB return 200 OK with an empty response body. The page is never created.

```typescript
// DETECTION: Always check the response body after page creation
const response = await client
  .api(`/me/onenote/sections/${sectionId}/pages`)
  .header("Content-Type", "text/html")
  .post(htmlContent);

// This looks successful but the page was never created:
if (!response || !response.id) {
  console.error("SILENT FAILURE: 200 OK but no page ID returned");
  console.error(`Payload size: ${Buffer.byteLength(htmlContent, "utf-8")} bytes`);
  // Fix: reduce payload size below 4MB, use URL references for images
  // instead of inline base64 data
}
```

### The 404 Trap: Deleted Pages in List Results

`GET /me/onenote/sections/{id}/pages` can return pages that have been recently deleted. When you try to `GET /me/onenote/pages/{id}/content` on these pages, you get 404.

```typescript
// Defensive page content retrieval
async function getPageContentSafe(client: Client, pageId: string) {
  try {
    return await client.api(`/me/onenote/pages/${pageId}/content`).get();
  } catch (error: any) {
    if (error.statusCode === 404) {
      console.warn(`Page ${pageId} listed but not accessible (likely deleted)`);
      return null;
    }
    throw error;
  }
}
```

### Diagnostic Code: Extract Request ID and Diagnostics

When contacting Microsoft support, they need the `request-id` header from the failed response. The `x-ms-ags-diagnostic` header contains internal routing information.

```typescript
function logGraphError(error: any): void {
  const headers = error.headers ?? new Map();
  const requestId = headers.get?.("request-id") ?? "unavailable";
  const diagnostics = headers.get?.("x-ms-ags-diagnostic") ?? "";
  const dateHeader = headers.get?.("date") ?? new Date().toISOString();

  console.error("=== OneNote Graph API Error ===");
  console.error(`Status:     ${error.statusCode}`);
  console.error(`Code:       ${error.code}`);
  console.error(`Message:    ${error.message}`);
  console.error(`Request-ID: ${requestId}`);
  console.error(`Date:       ${dateHeader}`);

  if (diagnostics) {
    try {
      const parsed = JSON.parse(diagnostics);
      console.error(`Server:     ${parsed.serverInfo?.dataCenter ?? "unknown"}`);
    } catch {
      console.error(`Diagnostics: ${diagnostics}`);
    }
  }

  console.error("==============================");
  console.error(
    `For Microsoft support, provide: request-id=${requestId}, date=${dateHeader}`
  );
}
```

```python
# Python equivalent
def log_graph_error(error) -> None:
    """Extract diagnostic info from Graph API error for support tickets."""
    request_id = getattr(error, "request_id", "unavailable")
    status = getattr(error, "status_code", "unknown")
    message = getattr(error, "message", str(error))

    print("=== OneNote Graph API Error ===")
    print(f"Status:     {status}")
    print(f"Message:    {message}")
    print(f"Request-ID: {request_id}")
    print("===============================")
    print(f"For Microsoft support: request-id={request_id}")
```

### Permission Misconfiguration Table

| Symptom | Likely Misconfiguration | Fix |
|---------|------------------------|-----|
| 403 on all OneNote calls | Using `ClientSecretCredential` (app-only deprecated) | Switch to `DeviceCodeCredential` |
| 403 on write operations only | Have `Notes.Read` but missing `Notes.ReadWrite` | Add `Notes.ReadWrite` scope, re-consent |
| 403 on shared notebooks | Have `Notes.ReadWrite` but missing `Notes.ReadWrite.All` | Add `.All` scope for shared notebook access |
| 403 after admin policy change | Conditional access policy blocks the app | Check with Azure AD admin, add app to policy exclusion |
| 403 on first request o