[BUG] M365 connector fails with AADSTS50076 when tenant requires MFA via Conditional Access

Resolved 💬 3 comments Opened Apr 14, 2026 by NTR-DLGL Closed May 30, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

The Microsoft 365 MCP connector fails on every Graph API call with AADSTS50076 (MFA required) when the tenant has a Conditional Access policy requiring MFA for Microsoft Graph access.
The connector's OAuth flow does not trigger an MFA challenge during interactive authentication, so the token issued to the MCP server never contains the mfa claim in its amr array. When the MCP server performs the On-Behalf-Of (OBO) exchange against Graph (00000003-0000-0000-c000-000000000000), Entra rejects it
because the originating token lacks the MFA claim.

I was likely the first user in my tenant to connect to the M365 connector, and I may have done so before the Conditional Access MFA policy was applied to the Claude enterprise apps. Other users on the same tenant with the same CA policy connect and use the connector without issues — only my account is affected.
This suggests my account may be stuck with a stale token or grant chain that was originally issued without the MFA claim, and no amount of reconnecting or token revocation on the Entra side clears whatever state the MCP server has cached for my user.

What I've tried (none worked)

  • Disconnecting and reconnecting the connector multiple times (~50+ attempts)
  • Full sign-out from login.microsoftonline.com + cookie clear + incognito reconnect
  • IT revoked all refresh tokens for my account via Entra, then reconnected
  • Re-authenticating via /mcp in Claude Code
  • All other users on the same tenant work fine — issue is isolated to my account

What does work

  • Excluding my user from the MFA Conditional Access policy — connector works immediately
  • Re-adding me to the MFA policy immediately breaks it again

Suspected Root Cause

I connected to the M365 connector before my tenant's CA policy required MFA for the Claude enterprise apps. The MCP server likely cached an OBO refresh token or grant for my user that was issued without the mfa claim. Even after:

  • Revoking sessions on the Entra side
  • Disconnecting/reconnecting the connector on the Claude side

...the MCP server appears to retain or reissue tokens from the original pre-MFA grant chain. Since other users who connected after the CA policy was active work fine, the issue seems to be stale server-side state for my specific user.

If the MCP server does not already do so, including amr_values=mfa or a claims parameter like {"access_token": {"acr": {"values": ["possessionorinherence"]}}} in the authorization request would force Entra to trigger MFA during interactive auth, preventing this class of issue entirely.

Environment

Related Issues

  • #33028 — AADSTS9000411 duplicate prompt parameter (different error, same connector)
  • #37969 — M365 connector ofid_ errors (different error, same connector)
  • #31089 — M365 MCP OAuth failure

What Should Happen?

Not get an error and get the result of my mcp request.

Error Messages/Logs

AADSTS50076: Due to a configuration change made by your administrator, or because you moved
  to a new location, you must use multi-factor authentication to access
  '0000000x-0000-0000-x000-000000000000'.

  clientId: api://xxxxx
  tenantId: xxxxx

Steps to Reproduce

  1. Have a tenant with a Conditional Access policy requiring MFA for Microsoft Graph (or All cloud apps)
  2. Connect the Microsoft 365 connector in claude.ai
  3. Use any M365 tool (e.g., outlook_email_search)

Claude Model

Opus

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.107

Platform

Anthropic API

Operating System

Windows

Terminal/Shell

PowerShell

Additional Information

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗