[BUG] Microsoft 365 MCP Server authentication fails with AADSTS9000411: duplicated 'prompt' parameter

Resolved 💬 2 comments Opened Jan 27, 2026 by dan-carlson Closed Feb 28, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

When attempting to authenticate with the Microsoft 365 MCP server (https://microsoft365.mcp.claude.com/mcp), the OAuth flow fails
with the following error from Microsoft Entra ID:

> AADSTS9000411: The request is not properly formatted. The parameter 'prompt' is duplicated.

This indicates the OAuth authorization URL is being constructed with the prompt parameter specified twice, which Microsoft
rejects.

What Should Happen?

The OAuth authorization URL should contain the prompt parameter only once, allowing authentication to proceed normally.

Error Messages/Logs

Sign in
  Sorry, but we're having trouble signing you in.

  AADSTS9000411: The request is not properly formatted. The parameter 'prompt' is duplicated.

Steps to Reproduce

  1. Configure the Microsoft 365 MCP server in Claude Code
  1. Run claude mcp list - shows microsoft365: ! Needs authentication
  2. Attempt to authenticate via the sign-in flow
  3. Microsoft displays the error page with AADSTS9000411

Claude Model

Opus

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.20 (Claude Code)

Platform

Anthropic API

Operating System

Windows

Terminal/Shell

Windows Terminal

Additional Information

GitBash - fresh install of Claude Code using native windows installer

Request Id: 54edaff0-f566-49ce-ada6-a69fb9799100
Correlation Id: dff75423-a80c-4d7f-8f8a-e8f6a67e5c13
Timestamp: 2026-01-27T19:07:22Z
Message: AADSTS9000411: The request is not properly formatted. The parameter 'prompt' is duplicated.

original URL sent

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?prompt=select_account&response_type=code&client_id=08ad6f98-a4f8-4635-bb8d-f1a3044760f0&code_challenge=HYm6ERB76Y3rnmvZ_LVViafJWUMvD7TmADInaMCI5MQ&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A42050%2Fcallback&state=U-wmpwwCrflBAzUOXck8Riwsm4p1I96Xz5Tvr8G4SRY&scope=api%3A%2F%2F07c030f6-5743-41b7-ba00-0a6e85f37c17%2F.default+offline_access&prompt=consent

this URL clearly confirms the bug - two prompt parameters:

  • prompt=select_account (at the start)
  • prompt=consent (at the end)

thank you

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗