
Secure React and Spring Boot with Microsoft Entra SSO and Bearer Token Authentication

Introduction

Implementing secure, seamless login across a modern full-stack application is essential, but it does not have to be complicated. In this guide we walk through integrating Microsoft Entra ID (formerly Azure AD) for Single Sign-On (SSO) in a React frontend and a Spring Boot backend. The Spring Boot application acts as an OAuth 2.0 resource server, validating the JWT bearer tokens issued by Entra. Beyond authentication, we also show how to map Microsoft Entra groups to internal application roles and permissions fetched from your own database. Whether you are building internal tools or enterprise-grade platforms, this setup gives your app robust security, fine-grained access control, and a smooth user experience across services.

Problem

You need SSO in the frontend so users can log in, and the frontend must authorize its calls to backend endpoints by sending the bearer token it received. In the backend we read the group IDs attached to the logged-in user's token and fetch the corresponding internal permissions, which we attach as granted authorities (roles) to the authentication built from the JWT. The token itself is never modified; only the server-side Authentication object is enriched.

Our schema (Entra group to internal role to permissions; the diagram is in the original post) looks like:



Prerequisites for this Exercise

Microsoft Entra

If you haven't signed up yet, go to the Microsoft Entra admin center and register a new account, which creates a tenant. After registration you are logged in and redirected to the overview page, which shows the Directory (tenant) ID. Take note of it; we will use it in the client and backend configuration later.





App Registration

In the Entra admin center, under Manage / App registrations, click New registration. Because authentication happens in the frontend, register the app with a platform of type Single-page application (SPA). Don't forget to fill in the redirect URI: Entra compares it character for character with the URI the SPA sends in its authorization request, so it must be exactly the URL the React dev server runs on.


Take note of the Application (client) ID.



Expose an API

Now add a scope under Expose an API. Accepting the default Application ID URI gives the scope the form api://<Application (client) ID>/<scope name>. The SPA will request this scope at login so that the access token is issued for our own API (its aud claim is our application) rather than for Microsoft Graph. A Graph access token is meant only for Graph and cannot be validated by a third-party resource server, so without our own scope the JWT validation in the backend fails. The token version that the backend expects is configured in the next step.



Update Token Version in the Manifest

In the left menu, open Manifest.

In the JSON document, find requestedAccessTokenVersion (it sits under "api" in the Microsoft Graph manifest format; the older Azure AD Graph manifest format calls the same setting accessTokenAcceptedVersion) and set its value to 2.

This makes Entra mint v2.0 access tokens, whose iss claim is https://login.microsoftonline.com/<tenant-id>/v2.0, the value Spring compares against its configured issuer-uri. A v1.0 token carries iss https://sts.windows.net/<tenant-id>/ and is rejected by the backend as having the wrong issuer.

Note that the change takes time to propagate, and MSAL keeps any already-cached access token until it expires, so sign out and back in after changing the version.




Now our Entra app registration is ready for integration.

React SPA Client Application

This exercise uses a SPA project provided by Microsoft, available at https://github.com/Azure-Samples/ms-identity-ciam-javascript-tutorial/tree/main/2-Authorization/1-call-api-react/SPA. It uses the MSAL library (@azure/msal-browser with @azure/msal-react) to authenticate users and to acquire the access tokens it sends to secured APIs from Microsoft Entra.

SPA Modifications

We need to make several changes to the project.

Open authConfig.js.

Replace clientId with the Application (client) ID that was generated when we registered the app in Entra.

Update authority to https://login.microsoftonline.com/<Directory (tenant) ID>. Note that this sample was written for Microsoft Entra External ID and ships with a ciamlogin.com authority; for a workforce tenant it must be the login.microsoftonline.com form above, otherwise MSAL talks to the wrong authorization server.



Then, so that sign-in yields a v2.0 access token for our own API, we need to request the scope we defined earlier.

In the same file, authConfig.js, at the end of the file where the sample declares the scopes it requests for the protected API, replace them with our scope in the form api://<Application (client) ID>/<scope name>.



The SPA is now ready to log in via SSO using Microsoft Entra.

Backend Spring Service

We start with an empty Spring Boot project and add each piece.

Maven Dependencies

We need at least spring-boot-starter-web, spring-boot-starter-oauth2-resource-server (which brings in Spring Security and the Nimbus JWT library) and a data access starter such as spring-boot-starter-jdbc together with the JDBC driver for the database that holds the role tables. This project resolves the Entra group to an internal role and the role to its permissions, following the schema described in the Problem section; the permission codes are used as the user's granted authorities.

Convert Entra Group to Internal Roles

In this step we use our internal tables, where roles and permissions are stored. Each Entra group object ID (a UUID) carried in the token's groups claim is looked up in the auth_role table, and the permissions of the matching role are added as granted authorities to the JwtAuthenticationToken that Spring builds for the request. For the groups claim to be present at all, the app registration's Token configuration must add the groups claim; Entra does not emit it by default.







This converter is registered as the jwtAuthenticationConverter when setting up oauth2ResourceServer in the SecurityFilterChain. Furthermore, we need to set spring.security.oauth2.resourceserver.jwt.issuer-uri in application.yml to https://login.microsoftonline.com/<tenant-id>/v2.0. Spring fetches the OpenID discovery document and the signing keys from that issuer and validates each token's signature, issuer and expiry. It does not validate the audience by default, so a v2.0 token minted for any other API in the same tenant would also be accepted; add an aud check against our Application (client) ID.
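The following is an added example of the converter and the security configuration together; it is not the code from the post's repository. It assumes a schema of three tables, auth_role(id, entra_group_id), auth_permission(id, code) and auth_role_permission(role_id, permission_id), an assumed property app.entra.client-id holding the Application (client) ID, and the groups claim being enabled under Token configuration. The two classes are shown as two files in one listing.

```java
// Added example, not the post's repository code. Two files in package com.example.security.
// Assumed application.yml:
//   spring.security.oauth2.resourceserver.jwt.issuer-uri: https://login.microsoftonline.com/<tenant-id>/v2.0
//   app.entra.client-id: <Application (client) ID>    (assumed property name)

// ---- File: EntraGroupAuthenticationConverter.java ----
package com.example.security;

import java.util.List;
import org.springframework.core.convert.converter.Converter;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.stereotype.Component;

/** Resolves the Entra group object IDs in the token's "groups" claim to permission codes. */
@Component
public class EntraGroupAuthenticationConverter implements Converter<Jwt, AbstractAuthenticationToken> {

    // Assumed schema: auth_role(id, entra_group_id), auth_permission(id, code),
    // auth_role_permission(role_id, permission_id).
    private static final String PERMISSIONS_SQL = """
        SELECT p.code FROM auth_permission p
          JOIN auth_role_permission rp ON rp.permission_id = p.id
          JOIN auth_role r ON r.id = rp.role_id
         WHERE r.entra_group_id = ?""";

    private final JdbcTemplate jdbc;

    public EntraGroupAuthenticationConverter(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    @Override
    public AbstractAuthenticationToken convert(Jwt jwt) {
        // "groups" exists only if the app registration's Token configuration adds the groups claim;
        // beyond roughly 200 groups Entra omits it (overage). Either way: no groups, no authorities.
        List<String> groups = jwt.getClaimAsStringList("groups");
        if (groups == null) {
            return new JwtAuthenticationToken(jwt);
        }
        List<GrantedAuthority> authorities = groups.stream()
            .flatMap(groupId -> jdbc.queryForList(PERMISSIONS_SQL, String.class, groupId).stream())
            .distinct()
            .<GrantedAuthority>map(SimpleGrantedAuthority::new)
            .toList();
        return new JwtAuthenticationToken(jwt, authorities);
    }
}

// ---- File: SecurityConfig.java ----
package com.example.security;

import java.util.Collection;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // turns on @PreAuthorize for the controllers
public class SecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http,
                                            EntraGroupAuthenticationConverter converter) throws Exception {
        http
            .csrf(csrf -> csrf.disable()) // bearer tokens only, no session cookie, so no CSRF surface
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
        return http.build();
    }

    // The issuer-uri decoder checks signature, issuer and expiry but not "aud"; without this check a
    // v2.0 token minted for any other API in the same tenant would also be accepted here.
    @Bean
    JwtDecoder jwtDecoder(@Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}") String issuer,
                          @Value("${app.entra.client-id}") String clientId) {
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(issuer);
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<Collection<String>>(
            JwtClaimNames.AUD, aud -> aud != null && aud.contains(clientId));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
            JwtValidators.createDefaultWithIssuer(issuer), audience));
        return decoder;
    }
}
```

The converter hits the database on every request; in production, cache the group-to-permission lookup with a short TTL so that a revoked group membership still stops working within minutes while the hot path stays off the database.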

Testing 

To test the integration we create a controller with @PreAuthorize-annotated endpoints that check the authorities bound to the authenticated token. Use hasAuthority('<permission code>') rather than hasRole: hasRole prepends ROLE_ to its argument, which our converter never emits.





To enable method-level security, annotate a configuration class with @EnableMethodSecurity.
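Below is an added example of such a controller together with a MockMvc test that exercises the authority checks without contacting Entra or the database. It is not the post's own code; PERM_REPORT_READ and PERM_REPORT_WRITE are assumed permission codes from the auth_permission table, and the test refers to the SecurityConfig and EntraGroupAuthenticationConverter classes from the previous section (assumed to live in com.example.security) and needs the spring-security-test dependency in test scope.

```java
// Added example, not the post's repository code. PERM_REPORT_READ / PERM_REPORT_WRITE are assumed
// permission codes stored in auth_permission and mapped to Entra groups through auth_role.

// ---- File: ReportController.java ----
package com.example.api;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api/reports")
public class ReportController {

    // hasAuthority matches the exact permission code the converter produced;
    // hasRole('X') would look for ROLE_X, which the converter never emits.
    @GetMapping
    @PreAuthorize("hasAuthority('PERM_REPORT_READ')")
    public String list(@AuthenticationPrincipal Jwt jwt) {
        return "reports for " + jwt.getSubject();
    }

    @PostMapping
    @PreAuthorize("hasAuthority('PERM_REPORT_WRITE')")
    public String create() {
        return "created";
    }
}

// ---- File: ReportControllerTest.java (src/test; needs spring-security-test) ----
package com.example.api;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import com.example.security.EntraGroupAuthenticationConverter;
import com.example.security.SecurityConfig;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.context.annotation.Import;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.test.web.servlet.MockMvc;

@WebMvcTest(ReportController.class)
@Import(SecurityConfig.class)
class ReportControllerTest {

    @Autowired MockMvc mvc;
    // jwt() below injects a ready-made Jwt, so neither the Entra decoder nor the DB-backed converter
    // is exercised; both are mocked only so the context starts. (Use @MockitoBean on Spring Boot 3.4+.)
    @MockBean JwtDecoder jwtDecoder;
    @MockBean EntraGroupAuthenticationConverter converter;

    @Test
    void readPermissionOpensGetButNotPost() throws Exception {
        var reader = jwt().jwt(j -> j.subject("user-oid"))
                          .authorities(new SimpleGrantedAuthority("PERM_REPORT_READ"));
        mvc.perform(get("/api/reports").with(reader)).andExpect(status().isOk());
        mvc.perform(post("/api/reports").with(reader)).andExpect(status().isForbidden());
    }

    @Test
    void missingBearerTokenIsUnauthorized() throws Exception {
        mvc.perform(get("/api/reports")).andExpect(status().isUnauthorized());
    }
}
```

The two expected failure codes are worth keeping apart: a missing or invalid token is answered with 401 by the bearer-token entry point, while a valid token that lacks the permission is answered with 403 by the access-denied handler. Against the real tenant, the same checks can be repeated by logging in with the SPA, copying the access token from the browser and sending it in an Authorization: Bearer header.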

Development and Support

The Spring project used in this tutorial is available at https://github.com/czetsuyatech/spring-ms-entrata-oauth.

Unlock the full coding experience! As a GitHub Sponsor, you gain exclusive access to the code behind this article—start learning and building today!

I'm available for contracting services and support. You can reach me at: https://www.czetsuyatech.com/p/consultation-services.html.
