MCP HTTP OAuth fails on Microsoft `agent365` MCP catalog (12 first-party M365 servers) — `/callback` redirect path not in `aebc6443-…` allowlist; DCR unsupported
Summary
Claude Code's MCP HTTP OAuth uses redirect URIs of the form http://localhost:<port>/callback. Microsoft's first-party MCP servers hosted at https://agent365.svc.cloud.microsoft/agents/tenants/{tenant}/servers/mcp_*Tools mandate the pre-registered Microsoft public client aebc6443-996d-45c2-90f0-388ff96faa56, whose Azure AD redirect-URI allowlist does not include the /callback path. Result: AADSTS50011 on every Microsoft 365 first-party MCP server (12 servers).
The endpoint also rejects Dynamic Client Registration, so there is no client-side escape hatch. The fix must come from Claude Code aligning its loopback redirect URI with the convention used by every other Microsoft-OAuth-friendly client.
This complements the existing reports for the Anthropic-hosted M365 variant (#47975, #52730, #45993). Filing separately because the affected tenant is Microsoft's managed app (aebc6443-…), not Anthropic's (08ad6f98-…), proving the bug is general to Claude Code's MCP HTTP OAuth implementation rather than tenant-specific.
Affected MCP servers (12)
All under the same agent365.svc.cloud.microsoft host (Foundry uses a sibling Microsoft-hosted endpoint with the same client app):
| Claude Code name | Endpoint suffix |
|---|---|
| microsoft-teams | mcp_TeamsTools |
| microsoft-word | mcp_WordTools |
| microsoft-sentinel | mcp_SentinelTools |
| microsoft-foundry | mcp.ai.azure.com (separate host, same client app) |
| m365-admin | mcp_AdminTools |
| m365-calendar | mcp_CalendarTools |
| m365-mail | mcp_MailTools |
| m365-user | mcp_MeServer |
| m365-copilot-chat | mcp_M365Copilot |
| onedrive-sharepoint | mcp_OneDriveSharePointTools |
| sharepoint-lists | mcp_SharePointListsTools |
| fabric-rti | mcp_FabricRTITools |
Error
AADSTS50011: The redirect URI 'http://localhost:55174/callback' specified
in the request does not match the redirect URIs configured for the
application 'aebc6443-996d-45c2-90f0-388ff96faa56'.
Side-by-side proof — same machine, same client app, different tools
| Tool | redirect_uri actually sent | Persisted OAuth state | Result |
|---|---|---|---|
| Claude Code (CLI) | http://localhost:55174/callback | ~/.claude/mcp-tokens/microsoft-teams.json | ✗ AADSTS50011 |
| GitHub Copilot CLI | http://127.0.0.1:60803/ | ~/.copilot/mcp-oauth-config/572c4acb….json | ✓ token issued |
Both store client_id = aebc6443-996d-45c2-90f0-388ff96faa56. The only differing variable is the redirect URI shape:
- Claude Code path:
/callback - Copilot CLI path:
/(root)
Azure AD's loopback rule allows any port on localhost / 127.0.0.1, but the path must match a registered URI literally. The aebc6443-… app registration has root-path loopback URIs registered (http://localhost/, http://127.0.0.1/) but not …/callback. Same architectural root cause as #42765 (RFC 8252 §7.3 prefers 127.0.0.1 + root path).
Reproduction
- Add a Microsoft-hosted MCP server to
~/.claude.json:
``json``
"microsoft-teams": {
"type": "http",
"url": "https://agent365.svc.cloud.microsoft/agents/tenants/{your-tenant-id}/servers/mcp_TeamsTools",
"oauth": { "clientId": "aebc6443-996d-45c2-90f0-388ff96faa56" }
}
- Restart Claude Code.
- Run
/mcp→ selectmicrosoft-teams→ Authenticate. - Browser opens Microsoft login → sign-in + consent succeed → final redirect fails with AADSTS50011.
DCR test (Option: remove oauth.clientId to force Dynamic Client Registration)
Removed the oauth block from ~/.claude.json and restarted Claude Code. Result on next /mcp → Authenticate:
OAuth auth failed: Incompatible auth server: does not support dynamic client registration
The agent365 endpoint locks clients to the pre-registered aebc6443-… clientId. There is no client-side workaround.
Suggested fix
Change Claude Code's MCP HTTP OAuth loopback redirect URI from http://localhost:<port>/callback to either:
http://127.0.0.1:<port>/(preferred per RFC 8252 §7.3 — see #42765), orhttp://localhost:<port>/(root path)
This matches the convention used by Azure CLI, gh CLI, VS Code, GitHub Copilot CLI, and MSAL public clients in general. A single change unblocks all 12 Microsoft 365 first-party MCP servers AND the Anthropic-hosted M365 variant (#47975, #52730).
Workaround for affected users today
Use GitHub Copilot CLI for Microsoft 365 MCP work — it has the same servers configured and authenticates successfully against the same aebc6443-… app because it uses the standard root-path loopback redirect URI.
Related issues
- #47975 — Microsoft 365 MCP connector: redirect URI mismatch (Anthropic-hosted, clientId
08ad6f98-…) - #52730 — Hosted Microsoft 365 MCP server OAuth fails: duplicate prompt param + unregistered redirect URIs
- #42765 — OAuth redirect_uri uses localhost instead of 127.0.0.1, violating RFC 8252 §7.3 (architectural framing)
- #45993 — Closed as duplicate, same error code
Environment
- OS: macOS 14 (Darwin 25.4.0), Apple Silicon
- Claude Code: latest CLI
- Tenant: Microsoft Corp Entra
- Date: 2026-04-25
Happy to test a candidate fix on macOS against these endpoints.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗