Fluency Agent Silent Authentication via Microsoft Entra ID

Last updated: April 17, 2026

Overview

Silent authentication eliminates manual login for users on Entra-joined Windows devices. Instead of entering credentials or clicking through browser OAuth, the agent automatically authenticates using the user's existing Windows corporate account.

Benefits:

  • Zero user interaction - no login prompts

  • Seamless deployment - users launch and start working immediately

  • Centralized identity - leverages existing Entra ID infrastructure

Prerequisites

IT Administrator Requirements

  • Global Administrator or Application Administrator role in Microsoft Entra ID

  • Access to Fluency admin portal

  • Organization uses Microsoft Entra ID (Azure AD)

End User Device Requirements

  • Windows 10 or later

  • Device is Entra-joined (Azure AD joined)

  • User signed into Windows with corporate account

Note: For devices that don't meet these requirements, the agent will fall back to standard browser-based login.

Network Requirements

For silent authentication to work reliably, ensure the following Microsoft authentication endpoints are accessible from your network:

  • login.microsoftonline.com

  • login.microsoft.com

Setup Instructions

Step 1: Grant Admin Consent (One-Time)

This connects your organization's Entra ID tenant to Fluency and allows silent authentication for all users.

  1. Log into Fluency admin portal

  2. Navigate to Settings → Authentication

  3. Click "Connect Microsoft Entra ID"

  4. Review permissions dialog:

    • openid - Basic authentication

    • profile - User's name and username

    • email - User's email address

  5. Click "Accept" to grant consent

  6. Verify connection shows "Microsoft Entra ID Connected"

Important: These are delegated permissions with no elevated access. Fluency cannot read user data, emails, or files - only basic identity information.

Step 2: Deploy Agent

Deploy the Fluency Agent using your standard MDM deployment process (Intune, SCCM, Group Policy). See the main deployment guide for detailed instructions.

No changes required - silent auth works automatically once admin consent is granted. The same installer and deployment commands apply.

Step 3: Verify

IT Administrator Verification:

  • Check Fluency admin portal → Authentication

  • The admin sees the organization’s Entra ID tenant and its connected status.

End User Experience:

  1. User launches Fluency Agent

  2. Agent silently authenticates in background (2-3 seconds)

  3. User can see Agent’s home page.

How It Works

Authentication Flow

When a user launches the Fluency Agent on an Entra-joined device:

  1. Device Detection

    • Agent checks if device is Entra-joined: dsregcmd /status

    • Looks for AzureAdJoined: YES in output

  2. Silent Token Acquisition

    • Agent requests authentication token via Windows Authentication Manager (WAM)

    • WAM uses Primary Refresh Token (PRT) from user's Windows login

    • PRT is device-bound and TPM-protected

    • Microsoft Entra ID validates:

      • PRT signature (cryptographic proof from device TPM)

      • Device compliance (if Conditional Access policies enabled)

      • Admin consent status for Fluency application

    • Returns ID token (JWT) to agent

  3. Token Exchange

    • Agent sends Entra ID token to Fluency backend: POST /agent/enroll/entra

    • Backend validates token:

      • Verifies JWT signature against Microsoft's JWKS keys

      • Checks issuer, audience, expiration

      • Confirms tenant has granted admin consent

    • Provisions the user account just-in-time if it does not already exist

    • Generates Fluency vision token

    • Returns vision token + organization region to agent

  4. Operation Begins

    • Agent stores vision token locally

    • Fetches monitoring policy from Fluency API

    • Begins observation based on policy

Total time: 2-5 seconds, completely transparent to user.

Fallback Behavior

If silent auth fails (device not Entra-joined, PRT unavailable, network issues), the agent automatically falls back to:

Browser-based OAuth2 flow - User clicks "Login" → browser opens → authenticates → returns to agent

Data Privacy

What Fluency accesses via Entra ID:

  • User's email address

  • User's display name

  • User's Entra ID object ID (internal identifier)

FAQ

Q: Does this work on macOS? A: No, silent authentication via Entra ID is Windows-only. macOS users will see the standard browser login flow.

Q: What if a user's device is not Entra-joined? A: The agent automatically falls back to browser-based OAuth login. No configuration needed.

Q: How often does the user need to re-authenticate? A: Once per device. The vision token renews automatically.

Q: Can users opt out? A: Users on Entra-joined devices will automatically use silent auth. To opt out, they would need to use a non-Entra-joined device.

Q: What happens if admin consent is revoked? A: New devices cannot authenticate via silent auth. Existing devices continue working until their token expires.

Troubleshooting

Admin Consent Fails

  1. Verify admin role:

    • Entra ID → Roles → Your user

    • Must be Global Admin or Application Admin

  2. Check tenant settings:

    • Entra ID → Enterprise applications → Consent and permissions

    • Verify "Users can consent to apps accessing company data on their behalf" is not blocked
