- Zero user interaction: no login prompts.
- Seamless deployment: users launch and start working immediately.
- Centralized identity: leverages your existing Entra ID infrastructure.
Prerequisites
IT Administrator Requirements
- Global Administrator or Application Administrator role in Microsoft Entra ID
- Access to the Fluency admin portal
- Organization uses Microsoft Entra ID (Azure AD)
End User Device Requirements
- Windows 10 or later
- Device is Entra-joined (Azure AD joined)
- User signed into Windows with their corporate account
For devices that don’t meet these requirements, the agent falls back to standard browser-based login.
Network Requirements
For silent authentication to work reliably, ensure the following Microsoft authentication endpoints are accessible from your network:login.microsoftonline.comlogin.microsoft.com
Setup Instructions
1. Grant Admin Consent (One-Time)
This connects your organization’s Entra ID tenant to Fluency and enables silent authentication for all users.- Log into the Fluency admin portal at dashboard.usefluency.com.
- Navigate to Settings → Authentication.
- Click Connect Microsoft Entra ID.
- Review the permissions dialog:
openid- Basic authenticationprofile- User’s name and usernameemail- User’s email address
- Click Accept to grant consent.
- Verify the connection shows Microsoft Entra ID Connected.
These are delegated permissions with no elevated access. Fluency cannot read user data, emails, or files. Only basic identity information.
2. Deploy the Agent
Deploy the Fluency Agent using your standard MDM deployment process (Intune, SCCM, Group Policy). See the IT - Deploying Fluency Agent guide for detailed instructions. No changes are required. Silent auth works automatically once admin consent is granted. The same installer and deployment commands apply.3. Verify
IT administrator verification:- Open the Fluency admin portal → Authentication.
- Confirm your organization’s Entra ID appears with a connected status.
- User launches the Fluency Agent.
- Agent silently authenticates in the background (2–3 seconds).
- User sees the agent’s home page.
How It Works
When a user launches the Fluency Agent on an Entra-joined device, authentication proceeds through four stages.1. Device Detection
- Agent checks whether the device is Entra-joined using
dsregcmd /status. - Looks for
AzureAdJoined: YESin the output.
2. Silent Token Acquisition
- Agent requests an authentication token via the Windows Authentication Manager (WAM).
- WAM uses the Primary Refresh Token (PRT) from the user’s Windows login.
- The PRT is device-bound and TPM-protected.
- PRT signature (cryptographic proof from the device TPM)
- Device compliance (if Conditional Access policies are enabled)
- Admin consent status for the Fluency application
3. Token Exchange
- Agent sends the Entra ID token to the Fluency backend:
POST /agent/enroll/entra. - Backend validates the token by:
- Verifying the JWT signature against Microsoft’s JWKS keys
- Checking issuer, audience, and expiration
- Confirming the tenant has granted admin consent
- Provisions the user account just-in-time if it doesn’t already exist.
- Generates a Fluency vision token.
- Returns the vision token and organization region to the agent.
4. Operation Begins
- Agent stores the vision token locally.
- Fetches the monitoring policy from the Fluency API.
- Begins observation based on that policy.
Fallback Behavior
If silent auth fails (for example, the device is not Entra-joined, the PRT is unavailable, or there are network issues) the agent automatically falls back to a browser-based OAuth2 flow. The user clicks Login, the browser opens for authentication, and then returns control to the agent.Data Privacy
What Fluency accesses via Entra ID:- User’s email address
- User’s display name
- User’s Entra ID object ID (internal identifier)
FAQ
Does this work on macOS? No. Silent authentication via Entra ID is Windows-only. macOS users will see the standard browser login flow. What if a user’s device is not Entra-joined? The agent automatically falls back to browser-based OAuth login. No configuration is needed. How often does the user need to re-authenticate? Once per device. The vision token renews automatically. Can users opt out? Users on Entra-joined devices will automatically use silent auth. To opt out, they would need to use a non-Entra-joined device. What happens if admin consent is revoked? New devices cannot authenticate via silent auth. Existing devices continue working until their token expires.Troubleshooting
Admin Consent Fails
Verify admin role:- Go to Entra ID → Roles → Your user.
- Confirm the user has the Global Administrator or Application Administrator role.
- Go to Entra ID → Enterprise applications → Consent and permissions.
- Verify that Users can consent to apps accessing company data on their behalf is not blocked.