M365 MCP OAuth flow broken: duplicate 'prompt' parameter causes AADSTS900971
Open 💬 0 comments Opened Jul 3, 2026 by coreyshort
Summary
The M365 MCP server (microsoft365.mcp.claude.com) OAuth flow is broken due to a duplicate prompt parameter in the generated authorization URL, which causes Azure AD to return AADSTS900971: No reply address provided.
Environment
- Platform: WSL2 (Linux 6.6.87.2-microsoft-standard-WSL2)
- Claude Code in VS Code extension
- MCP config:
{ "url": "https://microsoft365.mcp.claude.com/mcp", "type": "http" }
Steps to Reproduce
- Call
mcp__m365__authenticate - Open the generated authorization URL in a browser
Observed Behavior
The generated URL contains prompt twice:
?prompt=select_account&...&prompt=consent
This triggers Azure AD error:
AADSTS9000411: The request is not properly formatted. The parameter 'prompt' is duplicated.
Removing one prompt parameter manually gets past that error, but Azure AD then returns:
AADSTS900971: No reply address provided.
This second error appears to be caused by Microsoft's auth backend corrupting the request state (losing the redirect_uri) as a result of the malformed original request.
Expected Behavior
The authorization URL should contain prompt only once, and the OAuth flow should complete successfully, redirecting to http://localhost:<port>/callback.
Additional Notes
- The
redirect_uri=http%3A%2F%2Flocalhost%3A<port>%2Fcallbackis present in the URL but is not received by Azure AD after sign-in - The error occurs consistently across multiple auth attempts with different ports
- WSL2
localhostForwarding=truewas confirmed set in.wslconfig