OAuth token exchange fails with AADSTS900144 (missing 'scope') when using --client-id for Entra ID MCP server

Open 💬 4 comments Opened Jun 19, 2026 by upt75

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Description:

When connecting to an MCP server protected by Microsoft Entra ID using a pre-registered public client (via --client-id, since Entra doesn't support Dynamic Client Registration), the initial authorization request succeeds and correctly includes scope — but the subsequent token exchange request fails with:
AADSTS900144: The request body must contain the following parameter: 'scope'.

What Should Happen?

Token exchange request should carry forward the same scope used in the authorization request.

Error Messages/Logs

Sorry, but we’re having trouble signing you in.

AADSTS900144: The request body must contain the following parameter: 'scope'.

Steps to Reproduce

Register a public client app in Entra ID with delegated Power BI Service permissions (Item.Read.All, Workspace.Read.All), "Allow public client flows" enabled.
Add the MCP server:

claude mcp add fabric --transport http https://api.fabric.microsoft.com/v1/mcp/core --client-id <APP_ID> --callback-port 9876 --scope user

Add matching redirect URI http://localhost:9876/callback in Azure.
Run /mcp → select fabric → Authenticate.
Browser authorization request correctly includes scope=https://analysis.windows.net/powerbi/api/.default offline_access.
After signing in, browser shows: AADSTS900144: The request body must contain the following parameter: 'scope'.

Claude Model

Sonnet (default)

Is this a regression?

No, this never worked

Last Working Version

_No response_

Claude Code Version

2.1.183

Platform

Anthropic API

Operating System

Windows

Terminal/Shell

PowerShell

Additional Information

Actual: Token exchange request appears to omit scope, causing Entra to reject it.
Related issues: #38102, #26675, #22909 — all describe related --client-id / non-DCR auth server gaps.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗