[Bug] [Question] Unable to use MSAL browser auth (Graph API) in Code Apps — dynamic iframe URL prevents redirect URI registration #272

@LeHailender

Describe the bug

Power Apps Code Apps run inside a sandboxed iframe with a dynamic URL that changes on every deployment:

https://.environment.api.powerplatformusercontent.com/.../storageproxy//index.html

The storageproxy segment includes a timestamp (e.g., 20260318t164616z4f80d73c36) that changes with each pac code push. This makes it impossible to register a stable redirect URI in Azure AD App Registration for browser-based MSAL authentication flows.

Why this is a problem

Any Code App that needs to call Microsoft Graph API (e.g., SharePoint files, user photos, Teams presence) with delegated permissions requires browser-based MSAL authentication. Since no MSAL flow (redirect, popup, or custom window) can work with the dynamic iframe URL, Code Apps cannot authenticate to Graph API when running in Power Platform.

The same app works perfectly in local development (http://localhost:5173) because the URL is stable and can be registered.

What we tried

  • acquireTokenRedirect with window.location.origin as redirect URI

Result: origin/ returns RouteNotFound — the Power Platform host only serves the app at the full dynamic path, not at the origin root.

  • acquireTokenPopup with window.location.origin as redirect URI

Result: The popup lands on the RouteNotFound JSON error page. MSAL cannot process the auth callback because no JavaScript runs on that page.

Result: The popup lands on apps.powerapps.com, which redirects to make.powerapps.com — a cross-origin page. MSAL cannot communicate back to the parent window via window.opener.

  • Custom auth window opening the full app URL with ?auth=sharepoint

Result: RouteNotFound — the Power Platform API host rejects any query parameters it doesn't recognize on its routes.

  • Wildcard redirect URI registration

Result: Azure AD does not allow wildcard characters in SPA redirect URIs.

Expected behavior

Code Apps should provide one of the following:

  1. A stable redirect URI (e.g., https://.environment.api.powerplatformusercontent.com/auth/callback) that can be registered in Azure AD and serves a minimal page that MSAL can process
  2. A built-in token acquisition API in the Code Apps SDK (e.g., getContext().acquireTokenForResource('https://graph.microsoft.com', scopes)) that leverages the existing Power Platform SSO session
  3. Support for custom connectors or fetch with delegated auth from within Code Apps

Environment

  • PAC CLI: 2.4.1
  • @microsoft/power-apps SDK: 1.0.3
  • @azure/msal-browser: 5.4.0
  • Framework: React 19 + Vite
  • Browser: Edge/Chrome

Minimal reproduction

  1. Create a Code App with pac code init
  2. Add @azure/msal-browser and configure a PublicClientApplication
  3. Register an Azure AD app with Graph API scopes
  4. Try any MSAL flow (acquireTokenPopup, acquireTokenRedirect)
  5. Run locally → ✅ works
  6. pac code push and run in Power Platform → ❌ fails
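The redirect URI dead end reported above can be reproduced offline. This is an added example, not code from the issue author or from the Code Apps SDK; the hosts, paths and second build stamp are constructed placeholders, and the function names are hypothetical. It rates the two redirect URI candidates from "What we tried" against an exact-match registration list across two pushes.

```javascript
// Added example. Hosts, paths and the second build stamp are constructed
// placeholders; only the first stamp's shape comes from the issue text.
const BUILD_STAMP = /^\d{8}t\d{6}z[0-9a-f]+$/i;

const PUSH_1 = 'https://env.example.test/placeholder/storageproxy/20260318t164616z4f80d73c36/index.html';
const PUSH_2 = 'https://env.example.test/placeholder/storageproxy/20260319t091500z0a1b2c3d4e/index.html';

// SPA redirect URIs are compared as exact strings: no wildcard, no prefix match.
function isRegistered(candidate, registered) {
  return registered.includes(candidate);
}

// Path segments that look like a per-push build stamp.
function volatileSegments(href) {
  return new URL(href).pathname.split('/').filter((s) => BUILD_STAMP.test(s));
}

// Rate each redirect URI candidate an app running at `href` could pass to MSAL.
// servesApp encodes the issue's observation that only the full path returns the
// app; every other route answers RouteNotFound (assumption taken from the post).
function diagnose(href, registered) {
  const u = new URL(href);
  const candidates = { origin: u.origin, fullPath: u.origin + u.pathname };
  const report = {};
  for (const [name, uri] of Object.entries(candidates)) {
    const row = {
      uri,
      registered: isRegistered(uri, registered),
      servesApp: name === 'fullPath',
      stable: volatileSegments(uri).length === 0,
    };
    row.usable = row.registered && row.servesApp && row.stable;
    report[name] = row;
  }
  return report;
}

// Registration made after the first push: origin plus that push's full path.
const REGISTERED = [new URL(PUSH_1).origin, PUSH_1];
console.log(diagnose(PUSH_1, REGISTERED));
console.log(diagnose(PUSH_2, REGISTERED));
```

The origin candidate stays registered but never serves the app, while the full-path candidate serves the app but stops matching the registration as soon as the stamp changes, so neither is usable after the second push.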
