Power BI MCP: re-auth fails after token expiry (no refresh token from Fabric endpoint) #1965

@ericchansen

Summary

The powerbi-remote MCP server (Fabric Power BI endpoint) fails to re-authenticate after the access token expires (~1 hour), producing AADSTS50011 (redirect URI mismatch). This blocks all Power BI tool calls in sessions longer than 1 hour.

Dataverse MCP servers do not have this issue because they receive refresh tokens.

Reproduction

  1. Start a new CLI session with a plugin that defines a type: "http" Power BI MCP server:
    {
      "powerbi-remote": {
        "type": "http",
        "url": "https://api.fabric.microsoft.com/v1/mcp/powerbi"
      }
    }
  2. Authenticate when the browser prompt appears at session start — this succeeds.
  3. Wait ~1 hour for the access token to expire (or work in the session until it expires naturally).
  4. Call any Power BI tool (e.g., ExecuteQuery, GetSemanticModelSchema).
  5. A new browser login prompt appears, then fails with:
    AADSTS50011: The redirect URI 'http://127.0.0.1:60759/' specified in the request
    does not match the redirect URIs configured for the application 'aebc6443-996d-45c2-90f0-388ff96faa56'.
    

Root Cause

Inspecting ~/.copilot/mcp-oauth-config/, the cached OAuth data reveals the difference:

| Property | Power BI (Fabric) | Dataverse |
| --- | --- | --- |
| accessToken | Present | Present |
| refreshToken | Missing | Present |
| Re-auth on expiry | Full browser flow, FAILS | Silent token refresh, works |

When the Power BI access token expires:

  1. There is no refresh token, so the CLI must do a full authorization code flow.
  2. The CLI opens a local HTTP server on a new random port (e.g., :60759).
  3. The Azure AD app (aebc6443-...) only has the original port (e.g., :53820 from session start) registered.
  4. Azure AD rejects the new redirect URI.

Dataverse avoids this entirely by issuing a refresh token, allowing silent renewal without a browser flow.

Expected Behavior

Power BI tools should continue working after the initial 1-hour token expires, either by:

  1. Obtaining a refresh token from the Fabric endpoint (preferred — matches Dataverse behavior)
  2. Reusing the original redirect URI port when re-authentication is required
  3. Re-registering the new redirect URI via Dynamic Client Registration before attempting re-auth

Environment

  • CLI Version: 1.0.4
  • OS: Windows 11
  • Plugins affected: Any plugin using type: "http" with the Fabric Power BI endpoint
  • Not affected: Dataverse MCP servers (they have refresh tokens), stdio MCP servers

Workaround

Restart the CLI session to get a fresh token. All Power BI calls must complete within ~1 hour of session start.
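
The mismatch described under Root Cause, and option 2 under Expected Behavior (reusing the original port), as an added Python sketch that is not part of the issue or the CLI's own code. The function names are hypothetical, and the exact-match rule in `is_registered` is an assumption drawn from the AADSTS50011 text above.

```python
import socket
from urllib.parse import urlsplit

LOOPBACK = "127.0.0.1"

def bind_loopback(port=0):
    """Open the local OAuth callback listener; port 0 means the OS picks a random port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((LOOPBACK, port))
        sock.listen(1)
    except OSError:
        sock.close()  # port busy: fail loudly instead of drifting to a new port
        raise
    return sock

def redirect_uri(sock):
    """Redirect URI that a listener on this socket would send in the auth request."""
    return f"http://{LOOPBACK}:{sock.getsockname()[1]}/"

def is_registered(uri, registered):
    """Assumed model of the AADSTS50011 condition: exact match against registered URIs."""
    return uri in registered

def reauth_listener(registered_uri):
    """Re-open the listener on the port that is already registered."""
    parts = urlsplit(registered_uri)
    if parts.scheme != "http" or parts.hostname != LOOPBACK or parts.port is None:
        raise ValueError("expected an http://127.0.0.1:<port>/ redirect URI")
    return bind_loopback(parts.port)

def demo():
    first = bind_loopback()              # session start
    original = redirect_uri(first)
    registered = {original}              # what the app registration holds
    second = bind_loopback()             # re-auth as reported: new random port
    random_ok = is_registered(redirect_uri(second), registered)
    first.close()
    second.close()
    reused = reauth_listener(original)   # re-auth on the original port
    reused_ok = is_registered(redirect_uri(reused), registered)
    reused.close()
    return {"random_port_accepted": random_ok, "reused_port_accepted": reused_ok}

if __name__ == "__main__":
    print(demo())
```

If the original port is taken by another process at re-auth time, `reauth_listener` raises `OSError`, which is the case options 1 and 3 would still need to cover.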
