Share via

SharePoint File Picker v8 intermittently returns 3000003 (invalid_client) despite successful authentication flow

Agrawal, Kushagra [C] 0 Reputation points
2026-06-09T12:40:21.4566667+00:00

Hello,

 

I am integrating the Microsoft OneDrive/SharePoint File Picker v8 into a standalone React application using MSAL authentication.

Environment

  • React application (not SPFx)
  • MSAL Browser for authentication
  • Azure App Registration configured
  • Delegated permissions granted
  • SharePoint Online tenant
  • File Picker v8 integration based on Microsoft documentation

Issue 

The File Picker behaves inconsistently. Sometimes it loads successfully and allows users to browse SharePoint files. Other times, with no code changes, the picker displays:

3000003, invalid_clientand fails to load.

 What I have verified

  • The picker communication flow appears to be working correctly.
  • I receive the initialization message:
  • WINDOW MESSAGE: initialize
  • I activate the message port:
  • Picker activated
  • The picker then sends an authentication request:
    • PORT MESSAGE: command
    • COMMAND: authenticate

This indicates that:

  • MessageChannel communication is established
  • The picker is successfully communicating with the host application
  • The authenticate command is reaching my application

 

After authentication, the picker sometimes loads correctly and sometimes shows:

Please try again or refresh the page.

code: 3000003, invalid_client

Additional Information

  • Same Azure App Registration
  • Same SharePoint tenant
  • Same user account
  • No code changes between successful and failed attempts
  • Issue appears intermittent rather than permanent

Question: What specifically triggers error code "3000003, invalid_client" within File Picker v8?

Any guidance on troubleshooting steps or known causes would be greatly appreciated.

 

Thank you.

Microsoft 365 and Office | SharePoint | Development
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Michelle-N 17,775 Reputation points Microsoft External Staff Moderator
    2026-06-09T14:01:27.75+00:00

    Hi @Agrawal, Kushagra [C]

    Based on the information provided, I understand that you are encountering Error 3000003 - invalid_client while integrating the SharePoint File Picker v8.

    Generally, this error occurs because your Azure AD (Entra ID) application fails to authenticate properly during the standalone authentication flow initiated by the File Picker. Even if your main application logs in successfully via MSAL, the File Picker runs inside an isolated iframe, which triggers its own separate authentication loop. Because the picker strictly validates the token's audience and scope, any mismatch or caching issue during token acquisition will cause this failure.

    To resolve this issue, please review the technical breakdown and configuration checklists below:

    • Incorrect Audience: The File Picker explicitly expects the token's audience to be the target SharePoint resource URL (e.g., https://contoso.sharepoint.com or the user's personal OneDrive site https://{tenant}-my.sharepoint.com). It does not accept Microsoft Graph tokens (https://graph.microsoft.com).
    • Static Scope Logic: The picker sends a resource property inside its authenticate command containing the exact SharePoint site URL it needs. If your application logic does not dynamically build the scope using this variable, MSAL might return a cached Graph token or a token acquired for a completely different SharePoint site.
    • MSAL Cache Behavior: acquireTokenSilent can occasionally fetch an incorrect token from the local cache, especially if a user navigates frequently between OneDrive and various SharePoint sites. Furthermore, standard token expiration (~1 hour) will trigger this error if a silent refresh is not handled properly.

    To ensure a stable authentication handshake with the File Picker v8, please apply the following adjustments to your code and Azure configurations:

    • Always read the resource property sent by the picker in the authenticate command and construct your request scope dynamically using the format: ${resource}/.default.
    • Set Active Account: Call msalInstance.setActiveAccount(...) immediately following a successful interactive login so MSAL consistently tracks the correct user context.
    • Proactive Token Refresh: Handle token expiration cleanly by executing acquireTokenSilent right before launching the picker or immediately when the authenticate command event arrives.
    • Personal Account Handling (MSA): If your application needs to support personal OneDrive accounts, note that you will need a separate authentication flow using the consumers authority endpoint and the OneDrive.ReadWrite scope.

    Additionally, please ensure that your App Registration has been granted and consented to the minimum required delegated permissions:

    • SharePoint: SharePoint.MyFiles.Read + SharePoint.AllSites.Read
    • Or the Graph equivalents: Files.Read.All + Sites.Read.All

    Please give these adjustments a try and let me know if you need further clarification on handling the picker's authentication events!

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".  

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Was this answer helpful?

  2. AI answer

    2026-06-09T12:41:27.05+00:00

    Error 3000003 (invalid_client) in the File Picker v8 is caused by authentication/token issues between the picker and Microsoft Graph/SharePoint APIs. The picker always uses delegated permissions and relies on valid access tokens for the current user; if the token is missing, invalid, or does not match the required permissions, the picker reports an invalid_client error.

    From the File Picker v8 requirements:

    • The picker operates only with delegated permissions and can access only files the current user can access.
    • At minimum, SharePoint MyFiles.Read (or Graph Files.Read) must be granted to read files.
    • For SharePoint sites and Teams channels, the appropriate delegated permissions (SharePoint.MyFiles.Read, Graph.Files.Read, SharePoint.AllSites.Read, etc.) must be present.
    • The app registration must be configured with these delegated permissions and the tokens provided to the picker must include them.

    In practice, 3000003/invalid_client is typically triggered when one of the following occurs during a given run:

    1. The access token supplied to the picker does not include the required delegated scopes (for example, missing SharePoint.MyFiles.Read / Graph.Files.Read or the SharePoint.AllSites.* scopes for the selected location).
    2. The token is expired or otherwise invalid at the time the picker calls the backend.
    3. The token is for a different resource than expected (for example, a Graph token is provided where a SharePoint token is required, or vice versa).
    4. The Azure AD application configuration does not match what the picker expects (for example, redirect URI or SPA configuration issues causing inconsistent token acquisition).

    Because the picker is a hosted control that communicates via postMessage and message ports, any intermittent failure in acquiring or supplying a valid token for the requested resource will surface as this error, even if the MSAL login flow itself appears successful.

    Recommended checks based on the documented setup:

    1. Verify the Azure AD app registration has, at minimum, these delegated permissions:
      • Microsoft Graph: Files.Read.All, Sites.Read.All (and User.Read)
      • SharePoint: AllSites.Read, MyFiles.Read
    2. If upload/write is needed, ensure Files.ReadWrite.All, Sites.ReadWrite.All, AllSites.Write, and MyFiles.Write are also configured.
    3. Confirm that the tokens passed to the picker for Graph and SharePoint actually contain these scopes and are not expired.
    4. Ensure the same app registration and redirect URI are consistently used and that MSAL is not returning tokens for a different client or resource in some runs.

    Intermittent behavior usually indicates that, in some executions, the picker is receiving a valid token with the correct scopes, and in others it is receiving an invalid, expired, or incorrectly scoped token, which the backend rejects as invalid_client.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.