Summary
The powerbi-remote MCP server (Fabric Power BI endpoint) fails to re-authenticate after the access token expires (~1 hour), producing AADSTS50011 (redirect URI mismatch). This blocks all Power BI tool calls in sessions longer than 1 hour.
Dataverse MCP servers do not have this issue because they receive refresh tokens.
Reproduction
- Start a new CLI session with a plugin that defines a
type: "http" Power BI MCP server:
{
"powerbi-remote": {
"type": "http",
"url": "https://api.fabric.microsoft.com/v1/mcp/powerbi"
}
}
- Authenticate when the browser prompt appears at session start — this succeeds.
- Wait ~1 hour for the access token to expire (or work in the session until it expires naturally).
- Call any Power BI tool (e.g.,
ExecuteQuery, GetSemanticModelSchema).
- A new browser login prompt appears, then fails with:
AADSTS50011: The redirect URI 'http://127.0.0.1:60759/' specified in the request
does not match the redirect URIs configured for the application 'aebc6443-996d-45c2-90f0-388ff96faa56'.
Root Cause
Inspecting ~/.copilot/mcp-oauth-config/, the cached OAuth data reveals the difference:
| Property |
Power BI (Fabric) |
Dataverse |
accessToken |
Present |
Present |
refreshToken |
Missing |
Present |
| Re-auth on expiry |
Full browser flow, FAILS |
Silent token refresh, works |
When the Power BI access token expires:
- There is no refresh token, so the CLI must do a full authorization code flow.
- The CLI opens a local HTTP server on a new random port (e.g.,
:60759).
- The Azure AD app (
aebc6443-...) only has the original port (e.g., :53820 from session start) registered.
- Azure AD rejects the new redirect URI.
Dataverse avoids this entirely by issuing a refresh token, allowing silent renewal without a browser flow.
Expected Behavior
Power BI tools should continue working after the initial 1-hour token expires, either by:
- Obtaining a refresh token from the Fabric endpoint (preferred — matches Dataverse behavior)
- Reusing the original redirect URI port when re-authentication is required
- Re-registering the new redirect URI via Dynamic Client Registration before attempting re-auth
Environment
- CLI Version: 1.0.4
- OS: Windows 11
- Plugins affected: Any plugin using
type: "http" with the Fabric Power BI endpoint
- Not affected: Dataverse MCP servers (they have refresh tokens), stdio MCP servers
Workaround
Restart the CLI session to get a fresh token. All Power BI calls must complete within ~1 hour of session start.
Summary
The
powerbi-remoteMCP server (Fabric Power BI endpoint) fails to re-authenticate after the access token expires (~1 hour), producing AADSTS50011 (redirect URI mismatch). This blocks all Power BI tool calls in sessions longer than 1 hour.Dataverse MCP servers do not have this issue because they receive refresh tokens.
Reproduction
type: "http"Power BI MCP server:{ "powerbi-remote": { "type": "http", "url": "https://api.fabric.microsoft.com/v1/mcp/powerbi" } }ExecuteQuery,GetSemanticModelSchema).Root Cause
Inspecting
~/.copilot/mcp-oauth-config/, the cached OAuth data reveals the difference:accessTokenrefreshTokenWhen the Power BI access token expires:
:60759).aebc6443-...) only has the original port (e.g.,:53820from session start) registered.Dataverse avoids this entirely by issuing a refresh token, allowing silent renewal without a browser flow.
Expected Behavior
Power BI tools should continue working after the initial 1-hour token expires, either by:
Environment
type: "http"with the Fabric Power BI endpointWorkaround
Restart the CLI session to get a fresh token. All Power BI calls must complete within ~1 hour of session start.