Target SharePoint environment
SharePoint Online
What SharePoint development model, framework, SDK or API is this about?
💥 SharePoint Framework
Developer environment
Windows
What browser(s) / client(s) have you tested
Additional environment details
- browser version
- SPFx version
- Node.js version
- etc
Describe the bug / error
A Copilot Component (copilotType: "Ux") scaffolded with generator 1.24.0-beta.2 works correctly in the Copilot Component Workbench (/_layouts/CopilotWorkbench.aspx), including brokered SSO calls to Microsoft Graph (/me/calendarView).
After packaging and deploying the .sppkg to the tenant App Catalog (tenant-wide), the declarative agent is auto-registered and responds in production Microsoft 365 Copilot. However, when the agent invokes the tool and the component iframe loads, the component host page fails during preload with:
Error initializing application.
Error preloading the page-based application.
ServerError: invalid_client: Error(s): 700046
AADSTS700046: Invalid Reply Address. Reply Address must have scheme
brk-4765445b-32c6-49b0-83e6-1d93765276ca:// and be of Single Page Application type.
Workload: SPPortableComponentApplication, Name: SpfxLoad, ErrorCategory: spfx
Correlation ID: aa2926a2-a0b5-2001-2534-6a9a2f778dab
Trace ID: 8f4762ed-0ae4-41bd-9470-c20a826f1000
Timestamp: 2026-07-11 09:06:44Z
Surface: M365 Copilot in browser (m365.cloud.microsoft), Chrome and Edge
In the Teams surface the same scenario previously failed earlier in the flow with BrowserAuthError: popup_window_error (popups now allowed; the AADSTS700046 error remains)
The token request appears to use the first-party application "SharePoint Online Web Client Extensibility" (appId starting 08e18876-...), which is Microsoft-managed. Tenant administrators cannot add the required brk-4765445b-...://m365.cloud.microsoft SPA reply URL to a first-party app registration, so this cannot be worked around tenant-side.
Steps to reproduce
1.yo @microsoft/sharepoint with generator 1.24.0-beta.2 → component type Copilot Component → React template
2.Move data fetching out of onInit (note: the starter template's onInit awaits Graph/SPHttp calls, which blocks the MCP handshake in the workbench — separate issue) so the component renders and works in the workbench
3.heft package-solution --production (via npm run build), upload .sppkg to tenant App Catalog, enable tenant-wide; declarative agent auto-registers
4.Approve Microsoft Graph — Calendars.Read (confirmed approved under API access)
5.Open the agent in M365 Copilot in a browser and invoke the tool so the component renders
6.Component iframe fails with the AADSTS700046 error above
Expected behavior
The component loads in production M365 Copilot and brokered (NAA) auth succeeds, as it does in the Copilot Component Workbench.
Additional context
Tenant was switched to Targeted release on 2026-07-10 (day before the error)
Graph permission approved; popups allowed for sharepoint.com / teams.microsoft.com / cloud.microsoft
Workbench scenario on the same tenant works end-to-end incl. Graph calls, so the component code and tenant permissions are functional
Target SharePoint environment
SharePoint Online
What SharePoint development model, framework, SDK or API is this about?
💥 SharePoint Framework
Developer environment
Windows
What browser(s) / client(s) have you tested
Additional environment details
Describe the bug / error
A Copilot Component (copilotType: "Ux") scaffolded with generator 1.24.0-beta.2 works correctly in the Copilot Component Workbench (/_layouts/CopilotWorkbench.aspx), including brokered SSO calls to Microsoft Graph (/me/calendarView).
After packaging and deploying the .sppkg to the tenant App Catalog (tenant-wide), the declarative agent is auto-registered and responds in production Microsoft 365 Copilot. However, when the agent invokes the tool and the component iframe loads, the component host page fails during preload with:
Error initializing application.
Error preloading the page-based application.
ServerError: invalid_client: Error(s): 700046
AADSTS700046: Invalid Reply Address. Reply Address must have scheme
brk-4765445b-32c6-49b0-83e6-1d93765276ca:// and be of Single Page Application type.
Workload: SPPortableComponentApplication, Name: SpfxLoad, ErrorCategory: spfx
Correlation ID: aa2926a2-a0b5-2001-2534-6a9a2f778dab
Trace ID: 8f4762ed-0ae4-41bd-9470-c20a826f1000
Timestamp: 2026-07-11 09:06:44Z
Surface: M365 Copilot in browser (m365.cloud.microsoft), Chrome and Edge
In the Teams surface the same scenario previously failed earlier in the flow with BrowserAuthError: popup_window_error (popups now allowed; the AADSTS700046 error remains)
The token request appears to use the first-party application "SharePoint Online Web Client Extensibility" (appId starting 08e18876-...), which is Microsoft-managed. Tenant administrators cannot add the required brk-4765445b-...://m365.cloud.microsoft SPA reply URL to a first-party app registration, so this cannot be worked around tenant-side.
Steps to reproduce
1.yo @microsoft/sharepoint with generator 1.24.0-beta.2 → component type Copilot Component → React template
2.Move data fetching out of onInit (note: the starter template's onInit awaits Graph/SPHttp calls, which blocks the MCP handshake in the workbench — separate issue) so the component renders and works in the workbench
3.heft package-solution --production (via npm run build), upload .sppkg to tenant App Catalog, enable tenant-wide; declarative agent auto-registers
4.Approve Microsoft Graph — Calendars.Read (confirmed approved under API access)
5.Open the agent in M365 Copilot in a browser and invoke the tool so the component renders
6.Component iframe fails with the AADSTS700046 error above
Expected behavior
The component loads in production M365 Copilot and brokered (NAA) auth succeeds, as it does in the Copilot Component Workbench.
Additional context
Tenant was switched to Targeted release on 2026-07-10 (day before the error)
Graph permission approved; popups allowed for sharepoint.com / teams.microsoft.com / cloud.microsoft
Workbench scenario on the same tenant works end-to-end incl. Graph calls, so the component code and tenant permissions are functional