M365 MCP OAuth flow broken: duplicate 'prompt' parameter causes AADSTS900971

Open 💬 0 comments Opened Jul 3, 2026 by coreyshort

Summary

The M365 MCP server (microsoft365.mcp.claude.com) OAuth flow is broken due to a duplicate prompt parameter in the generated authorization URL, which causes Azure AD to return AADSTS900971: No reply address provided.

Environment

  • Platform: WSL2 (Linux 6.6.87.2-microsoft-standard-WSL2)
  • Claude Code in VS Code extension
  • MCP config: { "url": "https://microsoft365.mcp.claude.com/mcp", "type": "http" }

Steps to Reproduce

  1. Call mcp__m365__authenticate
  2. Open the generated authorization URL in a browser

Observed Behavior

The generated URL contains prompt twice:

?prompt=select_account&...&prompt=consent

This triggers Azure AD error:

AADSTS9000411: The request is not properly formatted. The parameter 'prompt' is duplicated.

Removing one prompt parameter manually gets past that error, but Azure AD then returns:

AADSTS900971: No reply address provided.

This second error appears to be caused by Microsoft's auth backend corrupting the request state (losing the redirect_uri) as a result of the malformed original request.

Expected Behavior

The authorization URL should contain prompt only once, and the OAuth flow should complete successfully, redirecting to http://localhost:<port>/callback.

Additional Notes

  • The redirect_uri=http%3A%2F%2Flocalhost%3A<port>%2Fcallback is present in the URL but is not received by Azure AD after sign-in
  • The error occurs consistently across multiple auth attempts with different ports
  • WSL2 localhostForwarding=true was confirmed set in .wslconfig

View original on GitHub ↗