User Management¶
Identity Providers¶
Tailscale authenticates users through identity providers (IdPs):
| Provider | Features |
|---|---|
| Google | Workspace, personal accounts |
| Microsoft | Azure AD (Microsoft Entra ID), Microsoft 365, personal |
| GitHub | Organizations, personal |
| Okta | Enterprise SSO |
| OneLogin | Enterprise SSO |
| OIDC | Custom OpenID Connect |
User Types¶
Owner¶
- Full administrative access
- Can manage billing
- Can delete tailnet
- Cannot be removed
Admin¶
- Manage devices and users
- Configure ACLs
- Manage DNS and settings
- Cannot manage billing
Member¶
- Connect devices
- Access based on ACLs
- Cannot manage tailnet
Network Admin (Personal+)¶
- Subset of Admin permissions, limited to network configuration
- Assigned per user in the admin console
User Roles Configuration¶
Admin Console¶
- Go to Users
- Click on user
- Select role: Owner, Admin, Member
Via ACLs¶
Grants in the policy file can attach application capabilities to a user. A capability is delivered to the destination devices and takes effect only if software on those devices interprets the named capability; it does not change the user's admin console role:
```json
{
  "grants": [
    {
      "src": ["alice@example.com"],
      "dst": ["*"],
      "app": {
        "tailscale.com/cap/admin-api-access": [{
          "endpoints": ["devices", "dns"]
        }]
      }
    }
  ]
}
```
User Invitations¶
Invite New Users¶
- Go to Users → Invite users
- Enter email addresses
- Users receive invitation email
- They authenticate with their IdP
Domain-Wide Access¶
For Google Workspace or Microsoft 365:
- Settings → User access
- Enable "Allow any user with a @domain.com email"
- No individual invitations needed; anyone who can sign in to the domain's IdP can join
- Turn on user approval if an admin should review new accounts before they get network access
Device Limits¶
Per-User Limits¶
Configure maximum devices per user:
- Settings → User access
- Set "Device limit per user"
Personal vs Shared Devices¶
| Type | Ownership | Removed when |
|---|---|---|
| Personal | Tied to the user who signed in | The user is removed, or the node key expires without re-authentication |
| Tagged | Organization-owned, controlled by tagOwners in the policy | Deleted explicitly; key expiry is disabled by default for tagged devices |
User Provisioning¶
SCIM (Enterprise)¶
Automatic user provisioning and deprovisioning driven by the IdP; a user removed in the IdP loses tailnet access. Supported:
- Okta
- Azure AD (Microsoft Entra ID)
- OneLogin
Manual¶
Invite/remove users through admin console.
Removing Users¶
Remove User Access¶
- Go to Users
- Click user → Remove access
- The user's personal devices are removed and disconnected
- Tagged devices the user created stay, because they belong to the tailnet, not to the user
Remove Devices Only¶
- Go to Machines
- Select user's devices
- Remove individually
Multi-User Tailnets¶
Personal Accounts¶
Single user tailnet, invite others as needed.
Organization/Team¶
- Multiple admins
- Group management
- SCIM provisioning
- SSO enforcement
Guest Access¶
Temporary Access¶
Use auth keys with expiry:
- Create an auth key with a short expiry; keep it single-use unless several guests will enrol with it
- Tag the key (for example tag:guest) and mark it ephemeral, so the guest device is removed once it goes offline
- Share with guest
- Key expiry only stops new devices from enrolling with the key. A device that has already registered keeps its access until it is deleted or its node key expires, so prefer ephemeral keys or remove the device when the visit ends
Shared Devices¶
Tag devices for shared access (for example tag:shared). ACL rules then decide which users, groups, or tags can reach them.
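The policy below is an added example of tying the two guest mechanisms together; it is not taken from this page or from Tailscale's documentation. It assumes a group `group:admins`, a tag `tag:guest` used on the guest auth key (created with the tag and the ephemeral option), and a tag `tag:shared` applied to the devices guests may use. Written in HuJSON, which is what the policy editor accepts:

```jsonc
{
  // Constructed example policy. Names (group:admins, tag:guest, tag:shared)
  // are assumptions for this example.
  "groups": {
    "group:admins": ["alice@example.com"],
  },
  "tagOwners": {
    // Only admins may apply these tags, so only they can mint tagged auth keys.
    "tag:shared": ["group:admins"],
    "tag:guest":  ["group:admins"],
  },
  "acls": [
    // Guest devices (enrolled with a tag:guest auth key) reach shared
    // devices on 443 only; nothing else in the tailnet is visible to them.
    {"action": "accept", "src": ["tag:guest"], "dst": ["tag:shared:443"]},
    // Regular members reach shared devices on any port.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:shared:*"]},
    // Admins reach everything.
    {"action": "accept", "src": ["group:admins"], "dst": ["*:*"]},
  ],
}
```

Because no rule lists tag:guest as a destination, members cannot reach guest devices either, and the guest's access ends when the ephemeral device is removed after going offline, independent of the auth key's own expiry.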
User Activity¶
View Active Sessions¶
Machines tab shows:
- Which users are connected
- Device names
- Last seen times
Audit Logs (Enterprise)¶
Logs tab shows:
- Authentication events
- Device registrations
- Configuration changes
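The same data the Machines tab shows is available from the Tailscale API (GET /api/v2/tailnet/{tailnet}/devices), which makes the "remove inactive users" audit scriptable. The script below is an added example, not code from this page or from Tailscale: it runs two checks over a constructed device list in the API's response shape, flagging users none of whose personal devices has been seen in 90 days, and personal devices with key expiry disabled (which never force the user back to the IdP). The sample devices, the 90-day threshold and the fixed "now" are assumptions; fetch_devices() shows the real request but is not called.

```python
"""Audit a Tailscale device list for stale users and personal devices without key expiry.

Input is the JSON shape returned by GET /api/v2/tailnet/{tailnet}/devices.
The sample below is constructed for this example.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the devices API response (assumed names).
SAMPLE_DEVICES_JSON = """
{"devices": [
  {"name": "alice-laptop.example.ts.net", "user": "alice@example.com",
   "lastSeen": "2024-05-30T10:00:00Z", "keyExpiryDisabled": false,
   "expires": "2024-11-26T10:00:00Z", "authorized": true},
  {"name": "bob-desktop.example.ts.net", "user": "bob@example.com",
   "lastSeen": "2024-01-15T08:12:00Z", "keyExpiryDisabled": true,
   "expires": "0001-01-01T00:00:00Z", "authorized": true},
  {"name": "ci-runner.example.ts.net", "user": "alice@example.com",
   "lastSeen": "2024-05-31T09:00:00Z", "keyExpiryDisabled": true,
   "expires": "0001-01-01T00:00:00Z", "authorized": true,
   "tags": ["tag:ci"]},
  {"name": "carol-phone.example.ts.net", "user": "carol@example.com",
   "lastSeen": "2024-02-20T17:45:00Z", "keyExpiryDisabled": false,
   "expires": "2024-08-18T17:45:00Z", "authorized": true}
]}
"""

# Fixed reference time so the example is reproducible (assumption).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    """Parse the RFC 3339 timestamps the API emits (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_tagged(device: dict) -> bool:
    # The API includes "tags" only on tagged (organization-owned) devices.
    return bool(device.get("tags"))


def stale_users(devices: list, now: datetime = NOW, max_idle_days: int = 90) -> list:
    """Users none of whose personal devices has been seen within max_idle_days.

    Tagged devices are skipped: they belong to the organization, so their
    activity says nothing about whether the user who tagged them is still active.
    """
    latest = {}
    for d in devices:
        if is_tagged(d):
            continue
        seen = parse_ts(d["lastSeen"])
        user = d["user"]
        if user not in latest or seen > latest[user]:
            latest[user] = seen
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u, seen in latest.items() if seen < cutoff)


def personal_devices_without_expiry(devices: list) -> list:
    """Personal devices with key expiry disabled.

    Such devices never force re-authentication against the IdP, so a departed
    or compromised user keeps access until someone removes the device.
    Tagged devices are expected to have expiry disabled and are not flagged.
    """
    return sorted(d["name"] for d in devices
                  if not is_tagged(d) and d.get("keyExpiryDisabled"))


def audit(raw_json: str, now: datetime = NOW, max_idle_days: int = 90) -> dict:
    """Run both checks over a raw API response body."""
    devices = json.loads(raw_json)["devices"]
    return {
        "stale_users": stale_users(devices, now, max_idle_days),
        "personal_no_expiry": personal_devices_without_expiry(devices),
    }


def fetch_devices(tailnet: str, api_key: str) -> str:
    """Real request (not invoked here): list the tailnet's devices via the API."""
    req = urllib.request.Request(
        f"https://api.tailscale.com/api/v2/tailnet/{tailnet}/devices",
        headers={"Authorization": f"Bearer {api_key}"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_DEVICES_JSON), indent=2))
```

Against the sample, bob and carol are reported as stale and bob's desktop as a personal device without key expiry; alice's CI runner is ignored by both checks because it is tagged. Feed the output of fetch_devices() into audit() with a current `now` to run it against a real tailnet.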
Best Practices¶
- Use groups in ACLs, not individual users
- Regular audits: Remove inactive users
- SSO enforcement: For compliance
- Device tagging: For shared/service devices
- Least privilege: Grant minimum needed access
- Document roles: Who has admin access and why