Quickstart: Add sign-in with Microsoft to a Java web app

In this quickstart, you download and run a code sample that demonstrates how a Java web application can sign in users and call the Microsoft Graph API. Users from any Azure Active Directory (Azure AD) organization can sign in to the application.

For an overview, see the diagram of how the sample works.


To run this sample, you need:

Step 1: Configure your application in the Azure portal

To use the code sample in this quickstart:

  1. Add reply URLs https://localhost:8443/msal4jsample/secure/aad and https://localhost:8443/msal4jsample/graph/me.
  2. Create a client secret.

Already configured Your application is configured with these attributes.

Step 2: Download the code sample

Download the project and extract the .zip file into a folder near the root of your drive. For example, C:\Azure-Samples.

To use HTTPS with localhost, provide the server.ssl.key properties. To generate a self-signed certificate, use the keytool utility (included in JRE).

Here's an example:

  keytool -genkeypair -alias testCert -keyalg RSA -storetype PKCS12 -keystore keystore.p12 -storepass password


Put the generated keystore file in the resources folder.



Step 3: Run the code sample

To run the project, take one of these steps:

  • Run it directly from your IDE by using the embedded Spring Boot server.
  • Package it to a WAR file by using Maven, and then deploy it to a J2EE container solution like Apache Tomcat.
Running the project from an IDE

To run the web application from an IDE, select run, and then go to the home page of the project. For this sample, the standard home page URL is https://localhost:8443.

  1. On the front page, select the Login button to redirect users to Azure Active Directory and prompt them for credentials.

  2. After users are authenticated, they're redirected to https://localhost:8443/msal4jsample/secure/aad. They're now signed in, and the page will show information about the user account. The sample UI has these buttons:

    • Sign Out: Signs the current user out of the application and redirects that user to the home page.
    • Show User Info: Acquires a token for Microsoft Graph and calls Microsoft Graph with a request that contains the token, which returns basic information about the signed-in user.
Running the project from Tomcat

If you want to deploy the web sample to Tomcat, make a couple changes to the source code.

  1. Open ms-identity-java-webapp/src/main/java/com.microsoft.azure.msalwebsample/MsalWebSampleApplication.

    • Delete all source code and replace it with this code:

       package com.microsoft.azure.msalwebsample;
       import org.springframework.boot.SpringApplication;
       import org.springframework.boot.autoconfigure.SpringBootApplication;
       import org.springframework.boot.builder.SpringApplicationBuilder;
       import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
       public class MsalWebSampleApplication extends SpringBootServletInitializer {
        public static void main(String[] args) {
         SpringApplication.run(MsalWebSampleApplication.class, args);
        protected SpringApplicationBuilder configure(SpringApplicationBuilder builder) {
         return builder.sources(MsalWebSampleApplication.class);
  2. Tomcat's default HTTP port is 8080, but you need an HTTPS connection over port 8443. To configure this setting:

    • Go to tomcat/conf/server.xml.

    • Search for the <connector> tag, and replace the existing connector with this connector:

               port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="C:/Path/To/Keystore/File/keystore.p12" keystorePass="KeystorePassword"
               clientAuth="false" sslProtocol="TLS"/>
  3. Open a Command Prompt window. Go to the root folder of this sample (where the pom.xml file is located), and run mvn package to build the project.

    • This command will generate a msal-web-sample-0.1.0.war file in your /targets directory.
    • Rename this file to msal4jsample.war.
    • Deploy the WAR file by using Tomcat or any other J2EE container solution.
      • To deploy the msal4jsample.war file, copy it to the /webapps/ directory in your Tomcat installation, and then start the Tomcat server.
  4. After the file is deployed, go to https://localhost:8443/msal4jsample by using a browser.


This quickstart application uses a client secret to identify itself as a confidential client. Because the client secret is added as plain text to your project files, for security reasons we recommend that you use a certificate instead of a client secret before using the application in a production environment. For more information on how to use a certificate, see Certificate credentials for application authentication.

More information

How the sample works

Diagram that shows how the sample app generated by this quickstart works.


MSAL for Java (MSAL4J) is the Java library used to sign in users and request tokens that are used to access an API that's protected by the Microsoft identity platform.

Add MSAL4J to your application by using Maven or Gradle to manage your dependencies by making the following changes to the application's pom.xml (Maven) or build.gradle (Gradle) file.

In pom.xml:


In build.gradle:

compile group: 'com.microsoft.azure', name: 'msal4j', version: '1.0.0'

Initialize MSAL

Add a reference to MSAL for Java by adding the following code at the start of the file where you'll be using MSAL4J:

import com.microsoft.aad.msal4j.*;

Help and support

If you need help, want to report an issue, or want to learn about your support options, see Help and support for developers.

Next steps

For a more in-depth discussion of building web apps that sign in users on the Microsoft identity platform, see the multipart scenario series: