data demo;
  have='login.microsoftonline.com/common/oauth2code=abcdxy&session_state=ab123bf2345';
  length want $20;
  want=scan(have,2,'=&');
run;
proc print data=demo;
run;

The solution suggested by @Patrick only works if the "code=" is the first part after the actual net address. If that is not the case, I would suggest something like this:

data have; /* example data */
  url='login.microsoftonline.com/common/oauth2code=abcdxy&session_state=ab123bf2345';
run;

data want;
  set have;
  pos=prxmatch('/(?<=code\=)[[:alnum:]]+(?=&session_state)/',url);
  if pos then 
    code=scan(substr(url,pos),1,'&');
run;

The PRX expression looks for an alphanumeric string between "code=" and "&session_state". If it is found, we can then use SCAN to find the code. If your code can contain other characters that alphanumerics, take a look at the PRX documentation or just replace "[[:alnum:]]" with "." - the general wildcard.

Is it the code itself that is more than 700 characters? or is it that you have other HTML parameters between the code and the session_state?

In the first case, I do not see why you should not get the correct code.

In the second case, where you have e.g.

'login.microsoftonline.com/common/oauth2code=abcdxy&name=george&session_state=ab123bf2345';

you should try changing the PRX call to

pos=prxmatch('/(?<=code\=)[[:alnum:]]+(?=&)/',url);

- this will find any instance of code=[alphanumeric value], followed by another HTML parameter.

You need to create the variable with an appropriate length instead of SAS let it do implicitly. 

To create variable code with a length of 700

Or to create variable code with the same length as variable url which should always be sufficient: