Skip to main content
Beta: This page contains beta features and may change.
OneNote support is delivered via the OneDrive and SharePoint connectors. There is no separate “OneNote” connector tile in the Admin console. All app registration, permissions, and security settings are shared with your existing OneDrive/SharePoint configuration.
The Glean OneNote capability extends the functionality of the existing OneDrive and SharePoint connectors, adding deep indexing of OneNote content to enhance search results. This feature uses your existing Microsoft Graph app registration and OAuth configuration.
  • The OneNote capability provides users with a complete and permission-aware search experience for their notes
  • Users can search inside OneNote pages, not just the notebook and section files that contain them.
  • Glean respects existing Microsoft 365 permissions for notebooks, sections, and pages.
  • Rich metadata is captured, including author, last modified time, created time, and parent section/notebook information for pages.
  • Users can utilize search operators to narrow their results. To search for content within a specific section, use the section: operator (for example, section:"Section A").
  • The same Application (client) ID and Directory (tenant) ID are shared between:
    • OneDrive connector
    • SharePoint connector
    • OneNote capability layered on top

Supported OneNote content

Glean’s OneNote capability indexes:
  • Notebooks
    • Notebook name
    • Parent location (OneDrive or SharePoint)
    • Owner and modified timestamps
  • Sections
    • Section name
    • Parent notebook
  • Pages
    • Page title
    • Page body text (main content)
    • Created by / last modified by
    • Created / last modified timestamps
    • Hierarchy: Notebook → Section → Page
    • Page URL in Microsoft 365 (web link)

Limitations

  • Content coverage
    • Focused on page text and standard metadata.
    • Some rich content (ink, certain embedded objects) may not be fully searchable.
    • Attachments within pages may not be indexed yet (or may be indexed only as metadata, depending on rollout state).
  • Storage locations
    • Only notebooks stored in OneDrive for Business or SharePoint Online are in scope.
    • Personal consumer OneNote (e.g., outlook.com / live.com accounts) is out of scope.
  • Freshness
    • Initial full coverage may require a standard connector crawl cycle.
    • Incremental updates depend on a combination of Graph delta queries and webhooks; there may be a short delay before edits to pages appear in Glean.

Requirements

Platform requirements

You must meet all of the following:
  • Microsoft 365 tenant with:
    • OneDrive for Business enabled.
    • SharePoint Online enabled (for notebooks stored in SharePoint-backed sites).
  • Glean deployment with:
    • OneDrive connector available and configured (recommended).
    • SharePoint connector available and configured (recommended for team notebooks).

Admin roles

You will need:
  • A Microsoft Entra / Azure AD tenant administrator to:
    • Register or update the Microsoft 365 app for Glean.
    • Grant admin consent to required Graph scopes.
  • A Glean administrator to:
    • Configure the OneDrive and SharePoint data sources in the Glean Admin Console.
    • Enable OneNote support.

Setup instructions

Perform the following steps:

Step 1: Configure or update your Microsoft 365 app registration

If you already have a Microsoft 365 app registration in use for your OneDrive/SharePoint connectors, you will reuse it and add one additional scope for OneNote.

1.1 Locate or create the app registration

  1. Sign in to the Azure portal as a tenant administrator.
  2. Go to Microsoft Entra ID > App registrations.
  3. Either:
    • Select the existing app registration used by your Glean OneDrive/SharePoint connectors, or
    • Create a new one to be used by both connectors and OneNote.
Record:
  • Application (client) ID
  • Directory (tenant) ID
You will enter these values in the Glean Admin Console for both OneDrive and SharePoint so they match.

1.2 Configure required Microsoft Graph API scopes

On your app registration:
  1. Go to API permissions > Add a permission > Microsoft Graph > Application permissions.
  2. Ensure the following scopes are present (some may already exist for your file connectors):
    • User.Read.All
    • offline_access
    • Files.ReadWrite.All
    • Notes.Read.All (required for OneNote)
  3. Click Grant admin consent for your tenant.
Notes
  • User.Read.All allows Glean to resolve which users and groups are associated with OneNote content and to enforce ACLs.
  • Files.ReadWrite.All is required by Microsoft to manage webhook subscriptions and handle certain drive operations, even though Glean only uses it in a read pattern.
  • Notes.Read.All is the OneNote-specific scope that allows read access to OneNote notebooks, sections, and pages via Graph.

1.3 (Optional) Configure OAuth redirect URI

If you are already using this app for OneDrive/SharePoint Data Fetching, you typically only need to add Notes.Read.All, not create a new redirect URI.
  1. In the same app registration, go to Authentication > Platform configurations.
  2. Add or update a Web platform configuration to include the redirect URI provided in the Glean Admin Console for:
    • The OneDrive connector, and
    • The SharePoint connector (these should match).
  3. Save your changes.

Step 2: Enable OneNote in OneDrive and SharePoint connectors

Once the app registration is ready, connect it in Glean and enable OneNote support.

2.1 Ensure OneDrive and SharePoint connectors share the same app

In the Glean Admin Console:
  1. Go to Admin Console > Data sources > OneDrive.
  2. Confirm that:
    • Application (client) ID matches the app registration.
    • Directory (tenant) ID matches the tenant.
  3. Go to Admin Console > Data sources > SharePoint.
  4. Verify that these fields are identical:
    • Application (client) ID
    • Directory (tenant) ID
If you need to update them, update both connectors to use the same values. The OneNote capability assumes OneDrive and SharePoint share a single Microsoft 365 app configuration.

2.2 Enable OneNote support

In the same connector configuration:
  1. Select the checkbox Allow OneNote content fetching with OAuth.
  2. Save the connector configuration.
Repeat this for:
  • OneDrive: for notebooks stored in user OneDrive folders.
  • SharePoint: for notebooks stored in SharePoint team sites.
After saving, Glean will begin including OneNote content discovered under these connectors, subject to user-level permissions and OAuth.

Step 3: Ask users to connect Microsoft 365 in Glean

The OneNote capability uses delegated Graph access at the user level. Admin configuration alone is not sufficient. Each user who wants to see OneNote content in Glean must:
  1. Open Glean in a browser.
  2. Click profile picture > Your settings > Data sources.
  3. Find the Microsoft 365 (or “Microsoft”) tile.
  4. Click Connect / Authenticate and complete the Microsoft sign-in flow.
After this:
  • Glean can retrieve OneNote content that the user is authorized to access.
  • Search results and Assistant responses will begin to include OneNote pages, subject to crawl freshness.
Important: If a user has not completed this step:
  • They may still see notebook files surfaced via existing OneDrive/SharePoint coverage, but
  • They will not see page-level OneNote content for private notebooks that require delegated access.

Permissions and security

Permission model

  • Glean does not change your Microsoft 365 permissions.
  • OneNote content is only visible in Glean if the user:
    • Has access to the notebook/section/page in Microsoft 365, and
    • Has completed the Microsoft 365 connection step in Glean (delegated OAuth).

Scopes recap

The OneNote capability relies on the same Microsoft 365 app registration used for OneDrive/SharePoint with these key scopes:
  • User.Read.All: list users and map permissions.
  • Files.ReadWrite.All: required to create and reauthorize drive/webhook subscriptions (used in read-only patterns).
  • Notes.Read.All: required to read OneNote notebooks, sections, and pages.
  • offline_access: maintain tokens for long-running crawls.
Glean uses these scopes only to read data and maintain permission maps; it does not perform write operations in your tenant.

Choosing OneDrive vs SharePoint for OneNote

Many organizations store OneNote notebooks in both OneDrive and SharePoint. Use this guidance:
  • Use OneDrive for:
    • Personal notebooks stored under each user’s OneDrive.
    • “My notes” scenarios where each user owns their own notebook.
  • Use SharePoint for:
    • Team notebooks stored in SharePoint-backed team sites.
    • Project- or department-wide notebooks attached to M365 groups.
In practice:
  • Enable OneNote support in both connectors if:
    • Users rely on both personal and team notebooks.
    • You want comprehensive OneNote coverage.
If you must start small:
  • Start with OneDrive + OneNote to cover personal notebooks.
  • Expand to SharePoint + OneNote once you’re ready to include team notebooks.

FAQs

It depends where your notebooks live:
  • Personal notebooks → enable OneNote in OneDrive.
  • Team notebooks in SharePoint sites → enable OneNote in SharePoint.
  • Most customers enable OneNote in both connectors for full coverage.
No. Glean does not change permissions in your tenant. It reads OneNote content using Microsoft Graph under the app permissions you grant and enforces the same ACLs that already exist in Microsoft 365.
That user will not see page-level OneNote content. They may still see notebook files indexed as normal OneDrive/SharePoint documents, depending on your existing connector configuration.
Yes. Your OneDrive and SharePoint connector configurations can already be scoped (for example, by user, group, or site). OneNote coverage respects those same scoping rules. You can also use Microsoft-side controls (e.g., IP restrictions, Sites.Selected) where appropriate, understanding the trade-offs described in the SharePoint security docs.