Issue Description:
We developed a webpart to access copilot agent data. When configuring the webpart on a SharePoint site, it opens a popup for authentication. After authentication succeeds, the token is not being returned to the webpart.
Microsoft Support team findings below,
The Auth pop-up opening the Sharepoint site is a direct symptom of new MSAL instance created on every call combined with missing handleRedirectPromise().
Here's what's happening step by step:
- loginPopup() opens a popup to login.microsoftonline.com.
- User picks their account → Azure AD authenticates successfully
- Azure AD redirects the popup to the redirect Uri, which is settings. redirectUri || window.location.origin — i.e., the SharePoint site URL
- The popup now loads the full SharePoint site instead of closing
The popup should close automatically at this point. MSAL's popup flow works by having the parent window monitor the popup's URL via polling. When the popup redirects back to the same origin with the auth code in the URL hash, the parent MSAL instance reads the code, processes it, and closes the popup.
But because a new MSAL instance is created on every call and handleRedirectPromise() is never called:
• The MSAL instance that opened the popup may have been garbage collected (React re-render)
• The polling interval that monitors the popup URL is gone
• Nobody reads the auth code from the popup's URL
• Nobody closes the popup
• The popup just sits there showing the SharePoint site it was redirected to
So the SharePoint site loading in the popup is the redirect working correctly from Azure AD's side — but MSAL on the parent side failing to intercept and close it.
To fix this, the MSAL instance must be a singleton, and handleRedirectPromise() must be called.
Issue Description:
We developed a webpart to access copilot agent data. When configuring the webpart on a SharePoint site, it opens a popup for authentication. After authentication succeeds, the token is not being returned to the webpart.
Microsoft Support team findings below,
The Auth pop-up opening the Sharepoint site is a direct symptom of new MSAL instance created on every call combined with missing handleRedirectPromise().
Here's what's happening step by step:
The popup should close automatically at this point. MSAL's popup flow works by having the parent window monitor the popup's URL via polling. When the popup redirects back to the same origin with the auth code in the URL hash, the parent MSAL instance reads the code, processes it, and closes the popup.
But because a new MSAL instance is created on every call and handleRedirectPromise() is never called:
• The MSAL instance that opened the popup may have been garbage collected (React re-render)
• The polling interval that monitors the popup URL is gone
• Nobody reads the auth code from the popup's URL
• Nobody closes the popup
• The popup just sits there showing the SharePoint site it was redirected to
So the SharePoint site loading in the popup is the redirect working correctly from Azure AD's side — but MSAL on the parent side failing to intercept and close it.
To fix this, the MSAL instance must be a singleton, and handleRedirectPromise() must be called.