microsoft-365 MCP server generates invalid OAuth URL (duplicate prompt param + invalid PKCE code_challenge)
Resolved 💬 3 comments Opened May 8, 2026 by anifong Closed May 9, 2026
Description
The microsoft-365 MCP server generates a malformed OAuth authorization URL, causing Microsoft login to reject it with two errors:
- Duplicate prompt parameter — the URL contains both prompt=select_account (early in the query string) and &prompt=consent appended at the end. Microsoft rejects this as improperly formatted.
- Invalid PKCE code_challenge size — after removing the duplicate prompt param and retrying, Microsoft returns:
AADSTS501491: Invalid size of Code_Challenge parameter.
Steps to Reproduce
- Install the microsoft-365 MCP server in Claude Code
- Call mcp__microsoft-365__authenticate
- Open the returned URL in a browser
Expected Behavior
Browser opens Microsoft login and completes OAuth flow successfully.
Actual Behavior
Microsoft returns an error. Example of the malformed URL structure generated:
Note prompt appears twice.
Environment
- Claude Code on Windows 11 Pro
- microsoft-365 MCP server (HTTP at https://microsoft365.mcp.claude.com/mcp)
- Tested with two separate authenticate calls — both produced the same malformed URL
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗