Hosted Microsoft 365 MCP server OAuth fails with AADSTS900971: No reply address provided

Resolved 💬 1 comment Opened Jun 1, 2026 by ssopotov-cai Closed Jul 5, 2026

Follow-up to #52730 (auto-closed as inactive). Re-tested on a current build; the OAuth flow for the hosted Microsoft 365 MCP server still fails, now with a different Azure AD error.

What happens

Adding the hosted Microsoft 365 server as a manual HTTP MCP server and starting authentication generates a valid-looking authorization URL, but Microsoft rejects it:

AADSTS900971: No reply address provided.

Notes on the previous bug (#52730)

The two issues reported in #52730 appear fixed in the generated URL:

  • prompt parameter is no longer duplicated (single prompt=consent).
  • redirect_uri is now a standard loopback: http://localhost:<dynamic-port>/callback.

So the URL is well-formed and does include a redirect_uri. AADSTS900971 ("No reply address provided") means Azure AD does not accept any reply address for this app registration — i.e. the loopback redirect URI is not registered on the Azure app (client_id=08ad6f98-a4f8-4635-bb8d-f1a3044760f0). This is on the server/app-registration side, not user-fixable.

Important distinction

There are two ways the same endpoint (https://microsoft365.mcp.claude.com/mcp) shows up:

  • Managed connector ("claude.ai Microsoft 365") — works, connects fine.
  • Manually added HTTP MCP server ("microsoft365", user scope) — triggers the loopback OAuth flow that fails with AADSTS900971.

So the managed connector path is healthy; the manual HTTP-server path is broken.

Reproduction

  1. claude mcp add --transport http microsoft365 https://microsoft365.mcp.claude.com/mcp (user scope)
  2. Trigger authentication for that server.
  3. Open the generated authorization URL in a browser and sign in.
  4. Microsoft shows: AADSTS900971: No reply address provided.

Environment

  • Claude Code: 2.1.153
  • OS: Windows 11 (10.0.26200.8390)

Generated authorization URL (port/state redacted)

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=08ad6f98-a4f8-4635-bb8d-f1a3044760f0&code_challenge=<redacted>&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A<port>%2Fcallback&state=<redacted>&scope=api%3A%2F%2F07c030f6-5743-41b7-ba00-0a6e85f37c17%2F.default+offline_access+openid+email&prompt=consent

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗