Mistral Le Chat Login Error with Microsoft SSO: How to Fix It

You click "Sign in with Microsoft" on Mistral Le Chat's login page, get redirected to Microsoft's authentication portal, enter your credentials or confirm with your authenticator app, and then land back on chat.mistral.ai with an error. Sometimes it's a generic "Authentication failed" message. Sometimes it's error=access_denied in the URL. Sometimes the browser just loops back to the login page with no message at all. This is one of the more irritating errors in the AI tools space because the problem is split across two systems (Mistral and Microsoft), and neither company's error messages tell you which side is at fault.

What this error actually means

Mistral Le Chat uses OAuth 2.0 with Microsoft's identity platform (login.microsoftonline.com) for SSO authentication. When you sign in with Microsoft, your browser completes a redirect flow: Mistral sends you to Microsoft, Microsoft authenticates you and sends an authorization code back to Mistral, and Mistral exchanges that code for an access token tied to your account.

This flow can break at four different points: Microsoft refusing the authentication (account issue, Conditional Access policy), the redirect failing to reach Mistral's callback URL correctly, Mistral's token exchange failing, or Mistral's backend failing to match the Microsoft identity to a Le Chat account.

The most common error strings are: error=access_denied&error_description=AADSTS65001 (Microsoft admin consent not granted), error=invalid_grant (expired or invalid authorization code, usually from a slow redirect), and a silent redirect loop which typically indicates a cookie or CORS issue on Mistral's side.

Quick fix (when you need it working in 60 seconds)

1. Try an incognito or private browsing window. If login works there, the issue is local session state or a browser extension on your main profile.
2. Clear your browser cookies for both chat.mistral.ai and login.microsoftonline.com. In Chrome: Settings > Privacy and Security > Delete browsing data > filter by site, enter each domain, delete cookies only.
3. Check the URL on the error page for a specific error code. AADSTS65001 means your organization's Microsoft admin hasn't granted consent for Mistral to access your account. AADSTS50058 means your Microsoft session expired mid-redirect. AADSTS700016 means the Mistral application isn't registered in your tenant.
4. Try the alternative login method. On Mistral's login page, try "Sign in with Google" or email/password if you have an account. If those work, the Microsoft SSO path specifically is broken for your account.
5. Disable your VPN if you're using one. Microsoft's Conditional Access policies frequently block authentication attempts from VPN IP addresses that are flagged as suspicious.

Why this happens

Microsoft tenant restrictions are the most common enterprise-context cause. If you're using a Microsoft account tied to a work or school organization, your IT administrator may have a policy that requires admin approval before any third-party OAuth application (like Mistral Le Chat) can access org accounts. This is the AADSTS65001 error. Individual users can't bypass this. It requires the IT admin to grant tenant-wide consent in the Azure Active Directory admin center.

Personal Microsoft accounts (hotmail.com, outlook.com, live.com) can also trigger SSO failures if Microsoft's consumer identity service flags an unusual login pattern. Rapid consecutive login attempts, login from a new device or country, or a recently expired Microsoft password can all cause the redirect to fail.

Mistral-side issues occur when Le Chat's OAuth application registration with Microsoft hasn't been updated after a Mistral platform update. Mistral has changed its redirect URIs (https://chat.mistral.ai/auth/callback) in the past, and if the registered URI in Microsoft's app registration doesn't match exactly (including trailing slashes and exact subdomain), the OAuth callback fails with an AADSTS50011 error.

Browser state corruption is responsible for a significant share of the "silent redirect loop" cases. The OAuth flow sets specific cookies during the redirect sequence. If your browser blocks third-party cookies (Chrome's third-party cookie restrictions, Firefox's Enhanced Tracking Protection), the Microsoft-to-Mistral redirect can drop the state parameter that ties the response to your original request, causing an infinite loop.

Clock skew between your device and Microsoft's servers can also invalidate authorization codes. OAuth authorization codes are time-sensitive (usually valid for 60 to 90 seconds). If your system clock is more than a few minutes off, the code expires before Mistral can exchange it.

Permanent fix

1. For work or school Microsoft accounts: contact your IT administrator and ask them to grant tenant-wide consent for "Mistral AI" in Azure Active Directory (Entra ID). The app should appear in the "Enterprise applications" list under the Azure portal once consent is granted. Without this step, SSO will never work for managed accounts.
2. For personal Microsoft accounts: go to account.microsoft.com and confirm your account is in good standing. Check for any pending security alerts or required password resets. Complete any required actions, then retry Mistral login.
3. Check your browser's third-party cookie settings. In Chrome, go to chrome://settings/cookies and look for chat.mistral.ai in the "Sites that can always use cookies" list. If it's not there, add it. Also add login.microsoftonline.com.
4. Sync your system clock. On Windows: right-click the clock > "Adjust date/time" > "Sync now." On macOS: System Settings > General > Date and Time > set to "Set automatically." On Linux: timedatectl set-ntp true.
5. Disable browser extensions one by one in a test profile to identify whether a privacy extension is blocking cookies or redirects in the OAuth flow.
6. Try a different browser. If Safari fails, try Chrome. If Chrome fails, try Firefox. If a specific browser works, the issue is that browser's cookie or redirect settings.
7. If you previously signed up for Mistral Le Chat with a different method (email/password or Google), your Microsoft account may not be linked to your Le Chat account. Log into Le Chat via your original method, then go to chat.mistral.ai/settings/account and add your Microsoft account as a linked identity.
8. Check Mistral's status page before assuming the problem is on your end. Mistral SSO integrations are occasionally down during platform updates. Visit status.mistral.ai or their official communication channels for any active incident notifications.

Prevention

If you regularly switch between work devices (which use a managed Microsoft account) and personal devices (which use a personal Microsoft account), consider setting up Le Chat with email and password as your primary login method, with Microsoft SSO as a secondary option. This ensures you always have a working fallback that doesn't depend on organizational IT policies.

Keep your Microsoft account security methods current. An expired phone number for MFA verification, a disabled authenticator app, or a security key you no longer have access to can all break the SSO flow mid-authentication without a clear error message. Review your Microsoft account security info at account.microsoft.com/security quarterly.

For enterprise users: ask your IT admin to configure Mistral Le Chat in your organization's approved SSO application list before you need it. A pre-approved app with tenant consent already granted means the SSO path is always available to all org users.

After any major Windows or macOS system update, re-verify your clock synchronization settings. System updates occasionally change time synchronization settings, and an out-of-sync clock is a surprisingly common and hard-to-diagnose cause of OAuth failures.

When the fix doesn't work

If your IT admin has granted tenant consent and you're still getting AADSTS errors, the issue may be with how Mistral's app is registered in Microsoft's identity platform. Contact Mistral support at support.mistral.ai with the specific AADSTS error code and description from your browser's URL bar or the error page. Mistral's team can verify their app registration and redirect URIs on the Microsoft side.

For unresolvable SSO issues, use email and password login as your standard method while waiting for the SSO issue to be resolved. Go to chat.mistral.ai/signup and create a password-based account using the same email address. This gives you immediate access to Le Chat Pro features without depending on Microsoft SSO.

If Mistral's support is slow to respond and you need access urgently, the iOS and Android Le Chat apps sometimes have different session handling that bypasses the browser-based OAuth cookie issues. Try logging in via the mobile app while your browser SSO issue is being resolved.

Related issues you might hit next

• Compare Mistral Le Chat vs Claude for AI assistants
• Mistral Le Chat agent profile on agentbrisk.com
• Compare Mistral vs ChatGPT for AI chat tools