diff --git a/sdk/spring/azure-spring-boot-starter-active-directory/README.md b/sdk/spring/azure-spring-boot-starter-active-directory/README.md
index 830298b984a79..494f65ed014bc 100644
--- a/sdk/spring/azure-spring-boot-starter-active-directory/README.md
+++ b/sdk/spring/azure-spring-boot-starter-active-directory/README.md
@@ -91,6 +91,8 @@ Resource server accesses other resource servers which are protected by Azure AD.
 Refer to different samples for different authentication ways.
+**Note**: `AADAppRoleStatelessAuthenticationFilter` and `AADAuthenticationFilter` will be deprecated. [Click here](https://github.com/Azure/azure-sdk-for-java/issues/17860) to replace it.
+
 ### Authenticate in backend
 Please refer to [azure-spring-boot-sample-active-directory-backend](https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/README.md) for authenticate in backend. Or [azure-spring-boot-sample-active-directory-backend-v2](https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend-v2/README.md) to use Microsoft Graph API instead of Azure Active Directory Graph API.
@@ -156,6 +158,7 @@ public class AADAuthenticationFilterConfigSample extends WebSecurityConfigurerAd
 * Role-based Authorization with annotation `@PreAuthorize("hasRole('GROUP_NAME')")`
 * Role-based Authorization with method `isMemberOf()`
+
 ### Authenticate stateless APIs using AAD app roles
 This scenario fits best for stateless Spring backends exposing an API to SPAs ([OAuth 2.0 implicit grant flow](https://docs.microsoft.com/azure/active-directory/develop/v1-oauth2-implicit-grant-flow)) or service-to-service access using the [client credentials grant flow](https://docs.microsoft.com/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow).
diff --git a/sdk/spring/azure-spring-boot/CHANGELOG.md b/sdk/spring/azure-spring-boot/CHANGELOG.md
index 63734ab6c6727..ebc5e99a2011f 100644
--- a/sdk/spring/azure-spring-boot/CHANGELOG.md
+++ b/sdk/spring/azure-spring-boot/CHANGELOG.md
@@ -1,7 +1,7 @@
 # Release History
 ## 3.0.0-beta.2 (Unreleased)
-
+- Deprecated `AADAppRoleStatelessAuthenticationFilter` and `AADAuthenticationFilter`
 ## 3.0.0-beta.1 (2020-11-18)
 ### Breaking Changes
diff --git a/sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/autoconfigure/aad/AADAppRoleStatelessAuthenticationFilter.java b/sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/autoconfigure/aad/AADAppRoleStatelessAuthenticationFilter.java
index e04e8a645c7ff..f05b58d7b7b77 100644
--- a/sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/autoconfigure/aad/AADAppRoleStatelessAuthenticationFilter.java
+++ b/sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/autoconfigure/aad/AADAppRoleStatelessAuthenticationFilter.java
@@ -3,9 +3,22 @@
 package com.azure.spring.autoconfigure.aad;
+import static com.azure.spring.autoconfigure.aad.Constants.DEFAULT_AUTHORITY_SET;
+import static com.azure.spring.autoconfigure.aad.Constants.ROLE_PREFIX;
 import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.proc.BadJOSEException;
 import com.nimbusds.jwt.proc.BadJWTException;
+import java.io.IOException;
+import java.text.ParseException;
+import java.util.Collection;
+import java.util.Optional;
+import java.util.Set;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpHeaders;
@@ -18,26 +31,18 @@
 import org.springframework.util.StringUtils;
 import org.springframework.web.filter.OncePerRequestFilter;
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.text.ParseException;
-import java.util.Collection;
-import java.util.Optional;
-import java.util.Set;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
-
-import static com.azure.spring.autoconfigure.aad.Constants.DEFAULT_AUTHORITY_SET;
-import static com.azure.spring.autoconfigure.aad.Constants.ROLE_PREFIX;
-
 /**
 * A stateless authentication filter which uses app roles feature of Azure Active Directory. Since it's a stateless
 * implementation so the principal will not be stored in session. By using roles claim in the token it will not call
 * Microsoft Graph to retrieve users' groups.
+ *

+ *
+ * @deprecated For AADAppRoleStatelessAuthenticationFilter, suggest use spring-security resource-server directly and
+ * include azure-spring-boot-starter-active-directory dependencies into your project. Automatic configuration of the
+ * associated AAD will be started, they will work well together.
+ * See the Alternative method.
 */
+@Deprecated
 public class AADAppRoleStatelessAuthenticationFilter extends OncePerRequestFilter {
 private static final Logger LOGGER = LoggerFactory.getLogger(AADAppRoleStatelessAuthenticationFilter.class);
diff --git a/sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/autoconfigure/aad/AADAuthenticationFilter.java b/sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/autoconfigure/aad/AADAuthenticationFilter.java
index e9a2881ad3001..9446b3bbbb276 100644
--- a/sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/autoconfigure/aad/AADAuthenticationFilter.java
+++ b/sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/autoconfigure/aad/AADAuthenticationFilter.java
@@ -3,12 +3,23 @@
 package com.azure.spring.autoconfigure.aad;
+import static com.azure.spring.autoconfigure.aad.Constants.BEARER_PREFIX;
 import com.microsoft.aad.msal4j.MsalServiceException;
 import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.jwk.source.JWKSetCache;
 import com.nimbusds.jose.proc.BadJOSEException;
 import com.nimbusds.jose.util.ResourceRetriever;
 import com.nimbusds.jwt.proc.BadJWTException;
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.text.ParseException;
+import java.util.Optional;
+import javax.naming.ServiceUnavailableException;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpHeaders;
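Review bot: The new `@deprecated` Javadoc on AADAppRoleStatelessAuthenticationFilter ends with `See the Alternative method.` but nothing in the tag says what that is, so the generated API docs and the IDE deprecation hint leave a migrating user with no destination; the README hunk in this same commit links the migration issue, and that link belongs in the Javadoc as well. I would replace the last line with `* See <a href="https://github.com/Azure/azure-sdk-for-java/issues/17860">the migration guide</a> for the replacement.` and tighten the first sentence to name the replacement plainly, e.g. `* @deprecated Use Spring Security's OAuth 2.0 resource-server support together with the azure-spring-boot-starter-active-directory dependency instead; the starter's auto-configuration wires the AAD settings for it.` The same dangling sentence appears in the AADAuthenticationFilter hunk below. If this module compiles on Java 9 or later, `@Deprecated(since = "3.0.0-beta.2")` — the release the CHANGELOG entry files this under — would also let tooling report when the deprecation began; leave it as the bare annotation if the module still targets Java 8. The two consecutive `+ *` lines around the physical line break look like a stray duplicate or a lost `<p>` tag, worth checking in the rendered Javadoc.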
@@ -19,24 +30,17 @@
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.web.filter.OncePerRequestFilter;
-import javax.naming.ServiceUnavailableException;
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
-import java.io.IOException;
-import java.net.MalformedURLException;
-import java.text.ParseException;
-import java.util.Optional;
-
-import static com.azure.spring.autoconfigure.aad.Constants.BEARER_PREFIX;
-
 /**
 * A stateful authentication filter which uses Microsoft Graph groups to authorize. Both ID token and access token are
 * supported. In the case of access token, only access token issued for the exact same application this filter used for
 * could be accepted, e.g. access token issued for Microsoft Graph could not be processed by users' application.
+ *

+ *
+ * @deprecated For AADAuthenticationFilter, in normal case, resource-server not support session. So
+ * AADAuthenticationFilter will not supported in the future.
+ * See the Alternative method.
 */
+@Deprecated
 public class AADAuthenticationFilter extends OncePerRequestFilter {
 private static final Logger LOGGER = LoggerFactory.getLogger(AADAuthenticationFilter.class);
 private static final String CURRENT_USER_PRINCIPAL = "CURRENT_USER_PRINCIPAL";
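Review bot: The deprecation rationale added to AADAuthenticationFilter's Javadoc is hard to read as written (`in normal case, resource-server not support session. So AADAuthenticationFilter will not supported in the future.`) and does not tell the reader which behaviour is the problem; since the class comment just above describes this filter as stateful and session-backed, the tag should say so in one sentence. I would rewrite those two lines as `* @deprecated A resource server normally keeps no HTTP session, so this session-based filter will no longer be supported in a future release; use Spring Security's OAuth 2.0 resource-server support with the azure-spring-boot-starter-active-directory dependency instead.` Annotating the class `@Deprecated` while leaving its body untouched is fine for callers, but if this library's own auto-configuration still instantiates AADAuthenticationFilter (not visible in this hunk), the build will now emit deprecation warnings there; worth confirming those are not promoted to errors by the project's compiler flags.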