OAuth token exchange fails with AADSTS900144 (missing 'scope') when using --client-id for Entra ID MCP server
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Description:
When connecting to an MCP server protected by Microsoft Entra ID using a pre-registered public client (via --client-id, since Entra doesn't support Dynamic Client Registration), the initial authorization request succeeds and correctly includes scope — but the subsequent token exchange request fails with:
AADSTS900144: The request body must contain the following parameter: 'scope'.
What Should Happen?
Token exchange request should carry forward the same scope used in the authorization request.
Error Messages/Logs
Sorry, but we’re having trouble signing you in.
AADSTS900144: The request body must contain the following parameter: 'scope'.
Steps to Reproduce
Register a public client app in Entra ID with delegated Power BI Service permissions (Item.Read.All, Workspace.Read.All), "Allow public client flows" enabled.
Add the MCP server:
claude mcp add fabric --transport http https://api.fabric.microsoft.com/v1/mcp/core --client-id <APP_ID> --callback-port 9876 --scope user
Add matching redirect URI http://localhost:9876/callback in Azure.
Run /mcp → select fabric → Authenticate.
Browser authorization request correctly includes scope=https://analysis.windows.net/powerbi/api/.default offline_access.
After signing in, browser shows: AADSTS900144: The request body must contain the following parameter: 'scope'.
Claude Model
Sonnet (default)
Is this a regression?
No, this never worked
Last Working Version
_No response_
Claude Code Version
2.1.183
Platform
Anthropic API
Operating System
Windows
Terminal/Shell
PowerShell
Additional Information
Actual: Token exchange request appears to omit scope, causing Entra to reject it.
Related issues: #38102, #26675, #22909 — all describe related --client-id / non-DCR auth server gaps.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗