MCP HTTP OAuth fails on Microsoft `agent365` MCP catalog (12 first-party M365 servers) — `/callback` redirect path not in `aebc6443-…` allowlist; DCR unsupported

Resolved 💬 4 comments Opened Apr 25, 2026 by xjli1972 Closed May 5, 2026

Summary

Claude Code's MCP HTTP OAuth uses redirect URIs of the form http://localhost:<port>/callback. Microsoft's first-party MCP servers hosted at https://agent365.svc.cloud.microsoft/agents/tenants/{tenant}/servers/mcp_*Tools mandate the pre-registered Microsoft public client aebc6443-996d-45c2-90f0-388ff96faa56, whose Azure AD redirect-URI allowlist does not include the /callback path. Result: AADSTS50011 on every Microsoft 365 first-party MCP server (12 servers).

The endpoint also rejects Dynamic Client Registration, so there is no client-side escape hatch. The fix must come from Claude Code aligning its loopback redirect URI with the convention used by every other Microsoft-OAuth-friendly client.

This complements the existing reports for the Anthropic-hosted M365 variant (#47975, #52730, #45993). Filing separately because the affected tenant is Microsoft's managed app (aebc6443-…), not Anthropic's (08ad6f98-…), proving the bug is general to Claude Code's MCP HTTP OAuth implementation rather than tenant-specific.

Affected MCP servers (12)

All under the same agent365.svc.cloud.microsoft host (Foundry uses a sibling Microsoft-hosted endpoint with the same client app):

| Claude Code name | Endpoint suffix |
|---|---|
| microsoft-teams | mcp_TeamsTools |
| microsoft-word | mcp_WordTools |
| microsoft-sentinel | mcp_SentinelTools |
| microsoft-foundry | mcp.ai.azure.com (separate host, same client app) |
| m365-admin | mcp_AdminTools |
| m365-calendar | mcp_CalendarTools |
| m365-mail | mcp_MailTools |
| m365-user | mcp_MeServer |
| m365-copilot-chat | mcp_M365Copilot |
| onedrive-sharepoint | mcp_OneDriveSharePointTools |
| sharepoint-lists | mcp_SharePointListsTools |
| fabric-rti | mcp_FabricRTITools |

Error

AADSTS50011: The redirect URI 'http://localhost:55174/callback' specified
in the request does not match the redirect URIs configured for the
application 'aebc6443-996d-45c2-90f0-388ff96faa56'.

Side-by-side proof — same machine, same client app, different tools

| Tool | redirect_uri actually sent | Persisted OAuth state | Result |
|---|---|---|---|
| Claude Code (CLI) | http://localhost:55174/callback | ~/.claude/mcp-tokens/microsoft-teams.json | ✗ AADSTS50011 |
| GitHub Copilot CLI | http://127.0.0.1:60803/ | ~/.copilot/mcp-oauth-config/572c4acb….json | ✓ token issued |

Both store client_id = aebc6443-996d-45c2-90f0-388ff96faa56. The only differing variable is the redirect URI shape:

  • Claude Code path: /callback
  • Copilot CLI path: / (root)

Azure AD's loopback rule allows any port on localhost / 127.0.0.1, but the path must match a registered URI literally. The aebc6443-… app registration has root-path loopback URIs registered (http://localhost/, http://127.0.0.1/) but not …/callback. Same architectural root cause as #42765 (RFC 8252 §7.3 prefers 127.0.0.1 + root path).

Reproduction

  1. Add a Microsoft-hosted MCP server to ~/.claude.json:

``json
"microsoft-teams": {
"type": "http",
"url": "https://agent365.svc.cloud.microsoft/agents/tenants/{your-tenant-id}/servers/mcp_TeamsTools",
"oauth": { "clientId": "aebc6443-996d-45c2-90f0-388ff96faa56" }
}
``

  1. Restart Claude Code.
  2. Run /mcp → select microsoft-teamsAuthenticate.
  3. Browser opens Microsoft login → sign-in + consent succeed → final redirect fails with AADSTS50011.

DCR test (Option: remove oauth.clientId to force Dynamic Client Registration)

Removed the oauth block from ~/.claude.json and restarted Claude Code. Result on next /mcp → Authenticate:

OAuth auth failed: Incompatible auth server: does not support dynamic client registration

The agent365 endpoint locks clients to the pre-registered aebc6443-… clientId. There is no client-side workaround.

Suggested fix

Change Claude Code's MCP HTTP OAuth loopback redirect URI from http://localhost:<port>/callback to either:

  • http://127.0.0.1:<port>/ (preferred per RFC 8252 §7.3 — see #42765), or
  • http://localhost:<port>/ (root path)

This matches the convention used by Azure CLI, gh CLI, VS Code, GitHub Copilot CLI, and MSAL public clients in general. A single change unblocks all 12 Microsoft 365 first-party MCP servers AND the Anthropic-hosted M365 variant (#47975, #52730).

Workaround for affected users today

Use GitHub Copilot CLI for Microsoft 365 MCP work — it has the same servers configured and authenticates successfully against the same aebc6443-… app because it uses the standard root-path loopback redirect URI.

Related issues

  • #47975 — Microsoft 365 MCP connector: redirect URI mismatch (Anthropic-hosted, clientId 08ad6f98-…)
  • #52730 — Hosted Microsoft 365 MCP server OAuth fails: duplicate prompt param + unregistered redirect URIs
  • #42765 — OAuth redirect_uri uses localhost instead of 127.0.0.1, violating RFC 8252 §7.3 (architectural framing)
  • #45993 — Closed as duplicate, same error code

Environment

  • OS: macOS 14 (Darwin 25.4.0), Apple Silicon
  • Claude Code: latest CLI
  • Tenant: Microsoft Corp Entra
  • Date: 2026-04-25

Happy to test a candidate fix on macOS against these endpoints.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗