Hosted Microsoft 365 MCP server OAuth fails with AADSTS900971: No reply address provided
Follow-up to #52730 (auto-closed as inactive). Re-tested on a current build; the OAuth flow for the hosted Microsoft 365 MCP server still fails, now with a different Azure AD error.
What happens
Adding the hosted Microsoft 365 server as a manual HTTP MCP server and starting authentication generates a valid-looking authorization URL, but Microsoft rejects it:
AADSTS900971: No reply address provided.
Notes on the previous bug (#52730)
The two issues reported in #52730 appear fixed in the generated URL:
promptparameter is no longer duplicated (singleprompt=consent).redirect_uriis now a standard loopback:http://localhost:<dynamic-port>/callback.
So the URL is well-formed and does include a redirect_uri. AADSTS900971 ("No reply address provided") means Azure AD does not accept any reply address for this app registration — i.e. the loopback redirect URI is not registered on the Azure app (client_id=08ad6f98-a4f8-4635-bb8d-f1a3044760f0). This is on the server/app-registration side, not user-fixable.
Important distinction
There are two ways the same endpoint (https://microsoft365.mcp.claude.com/mcp) shows up:
- Managed connector ("claude.ai Microsoft 365") — works, connects fine.
- Manually added HTTP MCP server ("microsoft365", user scope) — triggers the loopback OAuth flow that fails with AADSTS900971.
So the managed connector path is healthy; the manual HTTP-server path is broken.
Reproduction
claude mcp add --transport http microsoft365 https://microsoft365.mcp.claude.com/mcp(user scope)- Trigger authentication for that server.
- Open the generated authorization URL in a browser and sign in.
- Microsoft shows:
AADSTS900971: No reply address provided.
Environment
- Claude Code: 2.1.153
- OS: Windows 11 (10.0.26200.8390)
Generated authorization URL (port/state redacted)
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=08ad6f98-a4f8-4635-bb8d-f1a3044760f0&code_challenge=<redacted>&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A<port>%2Fcallback&state=<redacted>&scope=api%3A%2F%2F07c030f6-5743-41b7-ba00-0a6e85f37c17%2F.default+offline_access+openid+email&prompt=consentThis issue has 1 comment on GitHub. Read the full discussion on GitHub ↗