This article shows you how to deploy a Tomcat app with sign-in by Microsoft Entra account to Azure App Service.
This article assumes that you completed one of the following articles using only the Run locally tab, and you now want to deploy to Azure. These instructions are the same as the ones in the Deploy to Azure tab in these articles:
- Enable sign-in for Java Tomcat apps using Microsoft Entra ID
- Enable sign-in for Java Tomcat apps using MSAL4J with Azure Active Directory B2C
- Enable Java Tomcat apps to sign in users and access Microsoft Graph
- Secure Java Tomcat apps using roles and role claims
- Secure Java Tomcat apps using groups and group claims
Prerequisites
- Maven Plugin for Azure App Service apps - If Maven isn't your preferred development tool, see the following similar tutorials that use other tools: 
Configure the Maven plugin
When you deploy to Azure App Service, the deployment automatically uses your Azure credentials from the Azure CLI. If the Azure CLI isn't installed locally, then the Maven plugin authenticates with OAuth or device sign-in. For more information, see authentication with Maven plugins.
Use the following steps to configure the plugin:
- Run the following command to configure the deployment. This command helps you set up the Azure App Service operating system, Java version, and Tomcat version.

    mvn com.microsoft.azure:azure-webapp-maven-plugin:2.13.0:config

- For Create new run configuration, press Y, then press Enter.
- For Define value for OS, press 1 for Windows, or 2 for Linux, then press Enter.
- For Define value for javaVersion, press 2 for Java 11, then press Enter.
- For Define value for webContainer, press 4 for Tomcat 9.0, then press Enter.
- For Define value for pricingTier, press Enter to select the default P1v2 tier.
- For Confirm, press Y, then press Enter.
The following example shows the output of the deployment process:
Please confirm webapp properties
AppName : msal4j-servlet-auth-1707209552268
ResourceGroup : msal4j-servlet-auth-1707209552268-rg
Region : centralus
PricingTier : P1v2
OS : Linux
Java Version: Java 11
Web server stack: Tomcat 9.0
Deploy to slot : false
Confirm (Y/N) [Y]: [INFO] Saving configuration to pom.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  37.112 s
[INFO] Finished at: 2024-02-06T08:53:02Z
[INFO] ------------------------------------------------------------------------
After you've confirmed your choices, the plugin adds the required plugin element and settings to your project's pom.xml file to configure your app to run in Azure App Service.
The relevant portion of the pom.xml file should look similar to the following example:
<build>
    <plugins>
        <plugin>
            <groupId>com.microsoft.azure</groupId>
            <artifactId>azure-webapp-maven-plugin</artifactId>
            <version>x.xx.x</version>
            <configuration>
                <schemaVersion>v2</schemaVersion>
                <resourceGroup>your-resourcegroup-name</resourceGroup>
                <appName>your-app-name</appName>
            ...
            </configuration>
        </plugin>
    </plugins>
</build>
You can modify the configurations for App Service directly in your pom.xml. Some common configurations are listed in the following table:
| Property | Required | Description | 
|---|---|---|
| subscriptionId | false | The subscription ID. | 
| resourceGroup | true | The Azure resource group for your app. | 
| appName | true | The name of your app. | 
| region | false | The region in which to host your app. The default value is centralus. For valid regions, see Supported Regions. | 
| pricingTier | false | The pricing tier for your app. The default value is P1v2 for a production workload. The recommended minimum value for Java development and testing is B2. For more information, see App Service Pricing. | 
| runtime | false | The runtime environment configuration. For more information, see Configuration Details. | 
| deployment | false | The deployment configuration. For more information, see Configuration Details. | 
For the complete list of configurations, see the plugin reference documentation. All the Azure Maven plugins share a common set of configurations. For these configurations, see Common Configurations. For configurations specific to Azure App Service, see Azure app: Configuration Details.
Be sure to save aside the appName and resourceGroup values for later use.
Prepare the app for deployment
When you deploy your application to App Service, your redirect URL changes to the redirect URL of your deployed app instance. Use the following steps to change these settings in your properties file:
- Navigate to your app's authentication.properties file and change the value of app.homePage to your deployed app's domain name, as shown in the following example. For example, if you chose example-domain for your app name in the previous step, you must now use https://example-domain.azurewebsites.net for the app.homePage value. Be sure that you've also changed the protocol from http to https.

    # app.homePage is by default set to dev server address and app context path on the server
    # for apps deployed to azure, use https://your-sub-domain.azurewebsites.net
    app.homePage=https://<your-app-name>.azurewebsites.net

- After saving this file, use the following command to rebuild your app:

    mvn clean package
Update your Microsoft Entra ID app registration
Because the redirect URI changes when your app is deployed to Azure App Service, you also need to change the redirect URI in your Microsoft Entra ID app registration. Use the following steps to make this change:
- Navigate to the Microsoft identity platform for developers App registrations page. 
- Use the search box to search for your app registration, for example, java-servlet-webapp-authentication.
- Open your app registration by selecting its name. 
- Select Authentication from the menu. 
- In the Web - Redirect URIs section, select Add URI. 
- Fill out the URI of your app, appending /auth/redirect, for example, https://<your-app-name>.azurewebsites.net/auth/redirect.
- Select Save. 
Deploy the app
You're now ready to deploy your app to Azure App Service. Use the following command to make sure you're signed in to your Azure environment to execute the deployment:
az login
With all the configuration ready in your pom.xml file, you can now use the following command to deploy your Java app to Azure:
mvn package azure-webapp:deploy
After deployment is completed, your application is ready at http://<your-app-name>.azurewebsites.net/. Open the URL with your local web browser, where you should see the start page of the msal4j-servlet-auth application.
Remove secret values
The authentication.properties file of the application currently holds the value of your client secret in the aad.secret parameter. It isn't good practice to keep this value in this file. You might also be taking a risk if you commit it to a Git repository.
As an extra security step, you can store this value in Azure Key Vault and use Key Vault References to make it available in your application.
Use the following steps to move the value of aad.secret to Key Vault and use it in your code:
- Use the following commands to create an Azure Key Vault instance:

    export RESOURCE_GROUP=<your-resource-group-name>
    export KEY_VAULT=<your-key-vault-name>
    az keyvault create \
        --resource-group $RESOURCE_GROUP \
        --name $KEY_VAULT

- Use the following commands to add the secret value of aad.secret to your key vault as a new secret:

    az keyvault secret set \
        --vault-name $KEY_VAULT \
        --name "AADSECRET" \
        --value "<the-value-of-your-client-secret>"

- You now need to give your app access to your key vault. To do this task, first create a new identity for your app by using the following commands:

    export WEB_APP_NAME=<your-web-app-name>
    az webapp identity assign \
        --resource-group $RESOURCE_GROUP \
        --name $WEB_APP_NAME

- Use the following commands to give this identity get and list permission on the secrets in your Key Vault:

    export IDENTITY=$(az webapp identity show \
        --resource-group $RESOURCE_GROUP \
        --name $WEB_APP_NAME \
        --query principalId \
        --output tsv)
    az keyvault set-policy \
        --resource-group $RESOURCE_GROUP \
        --name $KEY_VAULT \
        --secret-permissions get list \
        --object-id $IDENTITY
- Use the following command to create an application setting in your app that uses a key vault reference to the secret in your key vault. This setting makes the value of the secret available to your app as an environment variable.

    # Double quotes so that $KEY_VAULT expands; single quotes would store the literal text "$KEY_VAULT"
    # in the reference, and App Service could not resolve it.
    az webapp config appsettings set \
        --resource-group $RESOURCE_GROUP \
        --name $WEB_APP_NAME \
        --settings "AADSECRET=@Microsoft.KeyVault(VaultName=$KEY_VAULT;SecretName=AADSECRET)"
- Use the following code to load this value from the environment variables. In the \src\main\java\com\microsoft\azuresamples\msal4j\helpers\Config.java file, on line 41, change the current statement to the following line:

    public static final String SECRET = System.getenv("AADSECRET");

- You can now delete the aad.secret key and value from the authentication.properties file.
- Rebuild the code by using the following command:

    mvn clean package

- Redeploy the application by using the following command:

    mvn package azure-webapp:deploy
Your deployment is now complete.
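As an added example (not the sample's own Config.java), the following loader reads AADSECRET the way the procedure above describes and fails fast on the two misconfigurations that otherwise surface only as an opaque token error: the setting is missing, or App Service hands the app the unresolved @Microsoft.KeyVault(...) reference string because the identity can't read the secret. It assumes authentication.properties sits at the classpath root; the class name SecretConfig is hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;

// Added example; not part of the msal4j-servlet-auth sample.
public final class SecretConfig {
    // Name of the App Service application setting created with `az webapp config appsettings set`.
    static final String SECRET_ENV_VAR = "AADSECRET";
    // When a Key Vault reference cannot be resolved (for example, the web app identity lacks
    // 'get' permission on the secret), App Service passes the reference text itself to the app.
    static final String UNRESOLVED_PREFIX = "@Microsoft.KeyVault(";

    private SecretConfig() {}

    /** Returns the client secret from the environment, or throws if it is unusable. */
    public static String clientSecret() {
        return validate(System.getenv(SECRET_ENV_VAR));
    }

    /** Rejects a missing value and a Key Vault reference that was never resolved. */
    static String validate(String value) {
        if (value == null || value.isBlank()) {
            throw new IllegalStateException(SECRET_ENV_VAR
                + " is not set; create the Key Vault reference app setting first");
        }
        if (value.startsWith(UNRESOLVED_PREFIX)) {
            // Sending this literal as the client secret would fail the token request with a
            // misleading error; report the real cause instead.
            throw new IllegalStateException(SECRET_ENV_VAR
                + " holds an unresolved Key Vault reference; check the identity's secret permissions");
        }
        return value;
    }

    /** Returns true if a non-empty aad.secret is still present in the properties stream. */
    static boolean propertiesStillHoldSecret(InputStream authenticationProperties) throws IOException {
        Properties props = new Properties();
        props.load(authenticationProperties);
        return !props.getProperty("aad.secret", "").trim().isEmpty();
    }

    /** Call once at startup: refuses to run with a secret still baked into the deployed WAR. */
    public static String load() throws IOException {
        try (InputStream in = SecretConfig.class.getResourceAsStream("/authentication.properties")) {
            if (in != null && propertiesStillHoldSecret(in)) {
                throw new IllegalStateException(
                    "aad.secret is still present in authentication.properties; remove it and redeploy");
            }
        }
        return clientSecret();
    }
}
```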
More information
- Microsoft Authentication Library (MSAL) for Java
- Microsoft identity platform (Microsoft Entra ID for developers)
- Quickstart: Register an application with the Microsoft identity platform
- Understanding Microsoft Entra ID application consent experiences
- Understand user and admin consent
- MSAL code samples