I have configured Azure AD credentials in my Spring Boot project’s application.properties file using the dependency spring-cloud-azure-starter-active-directory. Here is the configuration:
spring.cloud.azure.active-directory.enabled=true
spring.cloud.azure.active-directory.profile.tenant-id=${TENANT_ID_ENV_VAR}
spring.cloud.azure.active-directory.credential.client-id=${CLIENT_ID_ENV_VAR}
spring.cloud.azure.active-directory.credential.client-secret=${CLIENT_SECRET_ENV_VAR}
spring.cloud.azure.active-directory.redirect-uri-template=https://www.custdomain.com/login/oauth2/code/
Application Code:
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HelloWorldController {
    @GetMapping("/")
    public String helloWorld() {
        return "Greetings! from Webapp";
    }
}
Current Behavior
In my local environment, the authentication flow works perfectly:
- A request to http://localhost:8080/ redirects to http://localhost:8080/oauth2/authorization/azure.
- This endpoint redirects the user to the Azure AD login page: https://login.microsoftonline.com/....
- After successful login, the user is redirected back to the configured redirect URI.
However, in the production environment:
- The application is hosted in Azure App Service (ASP).
- Due to security requirements, a private endpoint is enabled on Azure App Service, and the application is exposed via a WAF (Web Application Firewall) server.
- WAF URL: https://www.custdomain.com/
- Backend App Service URL: https://webapp0101.azurewebsites.net/
When a user makes a request to https://www.custdomain.com/, it is forwarded by the WAF to the backend app at https://webapp0101.azurewebsites.net/.
Due to the authentication configuration on the backend, the application redirects the user to https://webapp0101.azurewebsites.net/oauth2/authorization/azure.
Since the backend is now private and not publicly accessible, the user receives a 403 Forbidden error.
Desired Outcome
Is it possible to configure the application to bypass the intermediate step of redirecting to the backend’s /oauth2/authorization/azure endpoint and instead redirect the user directly to the Azure AD login page (https://login.microsoftonline.com/...)?
Additional Notes
- The redirect URI configured in Azure AD is https://www.custdomain.com/login/oauth2/code/.
- The goal is to maintain this architecture while adhering to security best practices with the private endpoint and WAF.
How can I achieve this setup?
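The redirect described in the question is built from the host of the request as the backend receives it, so behind a reverse proxy it points at the App Service hostname. The following is an added illustration, not code from the question or from the Azure starter: it assumes Spring Boot 3 (jakarta.servlet), the spring-test mock classes, and a WAF that forwards the original host and scheme in X-Forwarded-Host and X-Forwarded-Proto (constructed sample values; if your WAF uses different header names the filter will not see them).

```java
// Added illustration: how the request host seen by Spring changes once
// ForwardedHeaderFilter is in front of the application.
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.web.filter.ForwardedHeaderFilter;

public class ForwardedHostDemo {

    /** Builds a request as the WAF would forward it to the private App Service backend. */
    static MockHttpServletRequest forwardedRequest() {
        MockHttpServletRequest req = new MockHttpServletRequest("GET", "/oauth2/authorization/azure");
        req.setScheme("https");
        req.setServerName("webapp0101.azurewebsites.net"); // backend host the WAF connects to
        req.setServerPort(443);
        // Assumed WAF headers carrying the public host and scheme (constructed sample values)
        req.addHeader("X-Forwarded-Host", "www.custdomain.com");
        req.addHeader("X-Forwarded-Proto", "https");
        return req;
    }

    /** URL Spring sees without forwarded-header handling: it carries the private backend host. */
    static String urlWithoutFilter() {
        return forwardedRequest().getRequestURL().toString();
    }

    /** URL Spring sees after ForwardedHeaderFilter rewrote the request: it carries the WAF host. */
    static String urlWithFilter() throws Exception {
        StringBuilder seen = new StringBuilder();
        new ForwardedHeaderFilter().doFilter(forwardedRequest(), new MockHttpServletResponse(),
                (req, res) -> seen.append(((HttpServletRequest) req).getRequestURL()));
        return seen.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("without filter: " + urlWithoutFilter());
        System.out.println("with filter:    " + urlWithFilter());
    }
}
```

In a Spring Boot application the same filter is registered by setting server.forward-headers-strategy=framework, after which URLs derived from {baseUrl} (such as the starter's redirect-uri-template) use the forwarded host. Honour these headers only because the backend is reachable solely through the WAF's private endpoint; a backend that any client can reach directly should not trust client-supplied X-Forwarded-* values.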