Skip to content

[SharePoint Copilot Apps preview] AADSTS700046 "Invalid Reply Address" (brk- scheme) when component loads in production Microsoft 365 Copilot #10942

Description

@Martin-Tvedesoe

Target SharePoint environment

SharePoint Online

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Developer environment

Windows

What browser(s) / client(s) have you tested

  • 💥 Internet Explorer
  • 💥 Microsoft Edge
  • 💥 Google Chrome
  • 💥 FireFox
  • 💥 Safari
  • mobile (iOS/iPadOS)
  • mobile (Android)
  • not applicable
  • other (enter in the "Additional environment details" area below)

Additional environment details

  • browser version
  • SPFx version
  • Node.js version
  • etc

Describe the bug / error

A Copilot Component (copilotType: "Ux") scaffolded with generator 1.24.0-beta.2 works correctly in the Copilot Component Workbench (/_layouts/CopilotWorkbench.aspx), including brokered SSO calls to Microsoft Graph (/me/calendarView).

After packaging and deploying the .sppkg to the tenant App Catalog (tenant-wide), the declarative agent is auto-registered and responds in production Microsoft 365 Copilot. However, when the agent invokes the tool and the component iframe loads, the component host page fails during preload with:

Error initializing application.
Error preloading the page-based application.
ServerError: invalid_client: Error(s): 700046
AADSTS700046: Invalid Reply Address. Reply Address must have scheme
brk-4765445b-32c6-49b0-83e6-1d93765276ca:// and be of Single Page Application type.

Workload: SPPortableComponentApplication, Name: SpfxLoad, ErrorCategory: spfx
Correlation ID: aa2926a2-a0b5-2001-2534-6a9a2f778dab
Trace ID: 8f4762ed-0ae4-41bd-9470-c20a826f1000
Timestamp: 2026-07-11 09:06:44Z
Surface: M365 Copilot in browser (m365.cloud.microsoft), Chrome and Edge
In the Teams surface the same scenario previously failed earlier in the flow with BrowserAuthError: popup_window_error (popups now allowed; the AADSTS700046 error remains)

The token request appears to use the first-party application "SharePoint Online Web Client Extensibility" (appId starting 08e18876-...), which is Microsoft-managed. Tenant administrators cannot add the required brk-4765445b-...://m365.cloud.microsoft SPA reply URL to a first-party app registration, so this cannot be worked around tenant-side.

Steps to reproduce

1.yo @microsoft/sharepoint with generator 1.24.0-beta.2 → component type Copilot Component → React template
2.Move data fetching out of onInit (note: the starter template's onInit awaits Graph/SPHttp calls, which blocks the MCP handshake in the workbench — separate issue) so the component renders and works in the workbench
3.heft package-solution --production (via npm run build), upload .sppkg to tenant App Catalog, enable tenant-wide; declarative agent auto-registers
4.Approve Microsoft Graph — Calendars.Read (confirmed approved under API access)
5.Open the agent in M365 Copilot in a browser and invoke the tool so the component renders
6.Component iframe fails with the AADSTS700046 error above

Expected behavior

The component loads in production M365 Copilot and brokered (NAA) auth succeeds, as it does in the Copilot Component Workbench.

Additional context
Tenant was switched to Targeted release on 2026-07-10 (day before the error)
Graph permission approved; popups allowed for sharepoint.com / teams.microsoft.com / cloud.microsoft
Workbench scenario on the same tenant works end-to-end incl. Graph calls, so the component code and tenant permissions are functional

Metadata

Metadata

Assignees

No one assigned

    Labels

    type:bug-suspectedSuspected bug (not working as designed/expected). See “type:bug-confirmed” for confirmed bugs.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions