microsoft-365 MCP server generates invalid OAuth URL (duplicate prompt param + invalid PKCE code_challenge)

Resolved 💬 3 comments Opened May 8, 2026 by anifong Closed May 9, 2026

Description

The microsoft-365 MCP server generates a malformed OAuth authorization URL, causing Microsoft login to reject it with two errors:

  1. Duplicate prompt parameter — the URL contains both prompt=select_account (early in the query string) and &prompt=consent appended at the end. Microsoft rejects this as improperly formatted.
  1. Invalid PKCE code_challenge size — after removing the duplicate prompt param and retrying, Microsoft returns:

AADSTS501491: Invalid size of Code_Challenge parameter.

Steps to Reproduce

  1. Install the microsoft-365 MCP server in Claude Code
  2. Call mcp__microsoft-365__authenticate
  3. Open the returned URL in a browser

Expected Behavior

Browser opens Microsoft login and completes OAuth flow successfully.

Actual Behavior

Microsoft returns an error. Example of the malformed URL structure generated:

Note prompt appears twice.

Environment

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗