[BUG] M365 connector fails with AADSTS50076 when tenant requires MFA via Conditional Access
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
The Microsoft 365 MCP connector fails on every Graph API call with AADSTS50076 (MFA required) when the tenant has a Conditional Access policy requiring MFA for Microsoft Graph access.
The connector's OAuth flow does not trigger an MFA challenge during interactive authentication, so the token issued to the MCP server never contains the mfa claim in its amr array. When the MCP server performs the On-Behalf-Of (OBO) exchange against Graph (00000003-0000-0000-c000-000000000000), Entra rejects it
because the originating token lacks the MFA claim.
I was likely the first user in my tenant to connect to the M365 connector, and I may have done so before the Conditional Access MFA policy was applied to the Claude enterprise apps. Other users on the same tenant with the same CA policy connect and use the connector without issues — only my account is affected.
This suggests my account may be stuck with a stale token or grant chain that was originally issued without the MFA claim, and no amount of reconnecting or token revocation on the Entra side clears whatever state the MCP server has cached for my user.
What I've tried (none worked)
- Disconnecting and reconnecting the connector multiple times (~50+ attempts)
- Full sign-out from login.microsoftonline.com + cookie clear + incognito reconnect
- IT revoked all refresh tokens for my account via Entra, then reconnected
- Re-authenticating via /mcp in Claude Code
- All other users on the same tenant work fine — issue is isolated to my account
What does work
- Excluding my user from the MFA Conditional Access policy — connector works immediately
- Re-adding me to the MFA policy immediately breaks it again
Suspected Root Cause
I connected to the M365 connector before my tenant's CA policy required MFA for the Claude enterprise apps. The MCP server likely cached an OBO refresh token or grant for my user that was issued without the mfa claim. Even after:
- Revoking sessions on the Entra side
- Disconnecting/reconnecting the connector on the Claude side
...the MCP server appears to retain or reissue tokens from the original pre-MFA grant chain. Since other users who connected after the CA policy was active work fine, the issue seems to be stale server-side state for my specific user.
If the MCP server does not already do so, including amr_values=mfa or a claims parameter like {"access_token": {"acr": {"values": ["possessionorinherence"]}}} in the authorization request would force Entra to trigger MFA during interactive auth, preventing this class of issue entirely.
Environment
- Claude Code v2.x (also reproduces on claude.ai web)
- Windows 11 Enterprise
- MCP Server: https://microsoft365.mcp.claude.com/mcp
- Tenant: Microsoft Entra ID with Conditional Access MFA policy
Related Issues
- #33028 — AADSTS9000411 duplicate prompt parameter (different error, same connector)
- #37969 — M365 connector ofid_ errors (different error, same connector)
- #31089 — M365 MCP OAuth failure
What Should Happen?
Not get an error and get the result of my mcp request.
Error Messages/Logs
AADSTS50076: Due to a configuration change made by your administrator, or because you moved
to a new location, you must use multi-factor authentication to access
'0000000x-0000-0000-x000-000000000000'.
clientId: api://xxxxx
tenantId: xxxxx
Steps to Reproduce
- Have a tenant with a Conditional Access policy requiring MFA for Microsoft Graph (or All cloud apps)
- Connect the Microsoft 365 connector in claude.ai
- Use any M365 tool (e.g., outlook_email_search)
Claude Model
Opus
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.107
Platform
Anthropic API
Operating System
Windows
Terminal/Shell
PowerShell
Additional Information
_No response_
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗