Skip to main content
Silent authentication eliminates manual login for users on Entra-joined Windows devices. Instead of entering credentials or clicking through browser OAuth, the Fluency Agent automatically authenticates using the user’s existing Windows corporate account. Benefits:
  • Zero user interaction: no login prompts.
  • Seamless deployment: users launch and start working immediately.
  • Centralized identity: leverages your existing Entra ID infrastructure.

Prerequisites

IT Administrator Requirements

  • Global Administrator or Application Administrator role in Microsoft Entra ID
  • Access to the Fluency admin portal
  • Organization uses Microsoft Entra ID (Azure AD)

End User Device Requirements

  • Windows 10 or later
  • Device is Entra-joined (Azure AD joined)
  • User signed into Windows with their corporate account
For devices that don’t meet these requirements, the agent falls back to standard browser-based login.

Network Requirements

For silent authentication to work reliably, ensure the following Microsoft authentication endpoints are accessible from your network:
  • login.microsoftonline.com
  • login.microsoft.com

Setup Instructions

This connects your organization’s Entra ID tenant to Fluency and enables silent authentication for all users.
  1. Log into the Fluency admin portal at dashboard.usefluency.com.
  2. Navigate to Settings → Authentication.
  3. Click Connect Microsoft Entra ID.
  4. Review the permissions dialog:
    • openid - Basic authentication
    • profile - User’s name and username
    • email - User’s email address
  5. Click Accept to grant consent.
  6. Verify the connection shows Microsoft Entra ID Connected.
These are delegated permissions with no elevated access. Fluency cannot read user data, emails, or files. Only basic identity information.

2. Deploy the Agent

Deploy the Fluency Agent using your standard MDM deployment process (Intune, SCCM, Group Policy). See the IT - Deploying Fluency Agent guide for detailed instructions. No changes are required. Silent auth works automatically once admin consent is granted. The same installer and deployment commands apply.

3. Verify

IT administrator verification:
  • Open the Fluency admin portal → Authentication.
  • Confirm your organization’s Entra ID appears with a connected status.
End user experience:
  1. User launches the Fluency Agent.
  2. Agent silently authenticates in the background (2–3 seconds).
  3. User sees the agent’s home page.

How It Works

When a user launches the Fluency Agent on an Entra-joined device, authentication proceeds through four stages.

1. Device Detection

  • Agent checks whether the device is Entra-joined using dsregcmd /status.
  • Looks for AzureAdJoined: YES in the output.

2. Silent Token Acquisition

  • Agent requests an authentication token via the Windows Authentication Manager (WAM).
  • WAM uses the Primary Refresh Token (PRT) from the user’s Windows login.
  • The PRT is device-bound and TPM-protected.
Microsoft Entra ID validates:
  • PRT signature (cryptographic proof from the device TPM)
  • Device compliance (if Conditional Access policies are enabled)
  • Admin consent status for the Fluency application
Entra ID then returns an ID token (JWT) to the agent.

3. Token Exchange

  • Agent sends the Entra ID token to the Fluency backend: POST /agent/enroll/entra.
  • Backend validates the token by:
    • Verifying the JWT signature against Microsoft’s JWKS keys
    • Checking issuer, audience, and expiration
    • Confirming the tenant has granted admin consent
  • Provisions the user account just-in-time if it doesn’t already exist.
  • Generates a Fluency vision token.
  • Returns the vision token and organization region to the agent.

4. Operation Begins

  • Agent stores the vision token locally.
  • Fetches the monitoring policy from the Fluency API.
  • Begins observation based on that policy.
Total time: 2–5 seconds, completely transparent to the user.

Fallback Behavior

If silent auth fails (for example, the device is not Entra-joined, the PRT is unavailable, or there are network issues) the agent automatically falls back to a browser-based OAuth2 flow. The user clicks Login, the browser opens for authentication, and then returns control to the agent.

Data Privacy

What Fluency accesses via Entra ID:
  • User’s email address
  • User’s display name
  • User’s Entra ID object ID (internal identifier)

FAQ

Does this work on macOS? No. Silent authentication via Entra ID is Windows-only. macOS users will see the standard browser login flow. What if a user’s device is not Entra-joined? The agent automatically falls back to browser-based OAuth login. No configuration is needed. How often does the user need to re-authenticate? Once per device. The vision token renews automatically. Can users opt out? Users on Entra-joined devices will automatically use silent auth. To opt out, they would need to use a non-Entra-joined device. What happens if admin consent is revoked? New devices cannot authenticate via silent auth. Existing devices continue working until their token expires.

Troubleshooting

Verify admin role:
  • Go to Entra ID → Roles → Your user.
  • Confirm the user has the Global Administrator or Application Administrator role.
Check tenant settings:
  • Go to Entra ID → Enterprise applications → Consent and permissions.
  • Verify that Users can consent to apps accessing company data on their behalf is not blocked.

Support & Contacts

Oliver Farnill (Co-Founder) oliver@usefluency.com We will get back to you as soon as possible.