{"slug":"user-group-provisioning","title":"User & group provisioning","tags":["tailscale"],"agent_summary":"Last validated: Dec 8, 2025","trigger_phrases":[],"runnable":false,"markdown":"\r\n# User & group provisioning\r\n\r\nLast validated: Dec 8, 2025\r\n\r\nThis featureis available for [the Standard, Premium, and Enterprise plans](https://tailscale.com/pricing).\r\n\r\nTailscale supports [System for Cross-domain Identity Management](https://tailscale.com/learn/what-is-scim) (SCIM) to integrate with several identity providers, as described in the following topics:\r\n\r\n- [User & group provisioning for Google Workspace](https://tailscale.com/docs/integrations/google-sync)\r\n- [User & group provisioning for Microsoft Entra ID](https://tailscale.com/docs/integrations/identity/entra/entra-id-scim)\r\n- [User & group provisioning for Okta](https://tailscale.com/docs/integrations/identity/okta/okta-scim)\r\n\r\n## [Impact of enabling SCIM in a tailnet that already has users](https://tailscale.com/docs/features/user-group-provisioning\\#impact-of-enabling-scim-in-a-tailnet-that-already-has-users)\r\n\r\nWhen you enable SCIM, if you already had any users from your identity provider using Tailscale, the users stay in Tailscale. You can review these users when you enable SCIM in your identity provider, such as Okta or Microsoft Entra ID, and decide what action to take for them.\r\n\r\n## [SSO and SCIM considerations](https://tailscale.com/docs/features/user-group-provisioning\\#sso-and-scim-considerations)\r\n\r\nIf you are _using the same app for single sign-on (SSO) and SCIM_ (that is, you're not using a custom Microsoft Entra ID app), users can sign up for Tailscale only if they are allowed to by the identity provider (if they have the app assigned).\r\n\r\nIf you are using different apps for SSO and SCIM, we recommend you use\r\n[user approval](https://tailscale.com/docs/features/access-control/user-approval) to restrict which users are authorized to join your tailnet.\r\n\r\n## [Inviting users](https://tailscale.com/docs/features/user-group-provisioning\\#inviting-users)\r\n\r\n- You can still [invite users](https://tailscale.com/docs/features/sharing/how-to/invite-team-members) from other domains and identity providers. You need to be an [Owner, Admin, or IT admin](https://tailscale.com/docs/reference/user-roles) to invite users.\r\n\r\n## [Syncing a user suspension](https://tailscale.com/docs/features/user-group-provisioning\\#syncing-a-user-suspension)\r\n\r\nWhen syncing a user suspension:\r\n\r\n- For Okta, if you deactivate a user in Okta they are suspended in Tailscale. If you suspend a user in Okta, nothing happens in Tailscale—only deactivation.\r\n- For Microsoft Entra ID, if you delete (soft delete) the user in Microsoft Entra ID they are suspended in Tailscale.\r\n- For Google Workspace, if you suspend a user, they are suspended in Tailscale.\r\n\r\n## [Syncing a user deletion](https://tailscale.com/docs/features/user-group-provisioning\\#syncing-a-user-deletion)\r\n\r\nWhen syncing a user deletion:\r\n\r\n- For Okta, you cannot sync deletions from Okta to Tailscale.\r\n\r\n- For Microsoft Entra ID, when you delete a user, they are first soft deleted (suspended in Tailscale), then 30 days later they are hard deleted (deleted in Tailscale).\r\n\r\n- For Google Workspace, if you delete a user, they are suspended in Tailscale. When you recreate a previously deleted user in Google Workspace, Tailscale treats them as a new user.\r\n\r\n\r\nYou can also manually delete users from your tailnet, including users created prior to enabling provisioning, synced users who have been suspended in Tailscale, and users from other domains. You cannot manually delete users who are being synced, as they will get recreated at the next sync.\r\n\r\n## [Syncing group membership](https://tailscale.com/docs/features/user-group-provisioning\\#syncing-group-membership)\r\n\r\nTailscale syncs group membership from SCIM-integrated identity providers to Tailscale. You can use the same\r\nhuman-readable group names you have in a SCIM-integrated identity provider to refer to groups in your\r\n[access control policies](https://tailscale.com/docs/features/access-control/acls). For example, if Alice and Bob are in the \"security-team\" group in a SCIM-integrated\r\nidentity provider, then the [access rule](https://tailscale.com/docs/reference/syntax/policy-file#acls) can refer to the \"security-team\" group:\r\n\r\n```json\r\n{\r\n  \"grants\": [\\\r\n    {\\\r\n      \"src\": [\"group:security-team@example.com\"],\\\r\n      \"dst\": [\"tag:logging\"],\\\r\n      \"ip\": [\"*\"]\\\r\n    }\\\r\n  ],\r\n  \"tagOwners\": {\r\n    \"tag:logging\": [\"group:security-team@example.com\"]\r\n  }\r\n}\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\nWhen someone's role changes, instead of updating their permissions in every application you manage, you\r\ncan instead make a single change in the SCIM-integrated identity provider, to update what applications\r\nthey should have access to, and with which permissions.\r\n\r\nSynced groups cannot be used to assign [user roles](https://tailscale.com/docs/reference/user-roles).\r\n\r\n## [Known Limitations](https://tailscale.com/docs/features/user-group-provisioning\\#known-limitations)\r\n\r\n- A user suspended in a SCIM-integrated identity provider will remain logged into Tailscale, and maintain access to all of their nodes and permissions granted by access control policies. They will only lose access as their device keys expire and they are blocked from re-authenticating new sessions with the SCIM-integrated identity provider. Instead, disable the user in the SCIM-integrated identity provider to suspend them in Tailscale.\r\n- For additional limitations, refer to the specific topics for each identity provider.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>User &#x26; group provisioning</h1>\n<p>Last validated: Dec 8, 2025</p>\n<p>This featureis available for <a href=\"https://tailscale.com/pricing\">the Standard, Premium, and Enterprise plans</a>.</p>\n<p>Tailscale supports <a href=\"https://tailscale.com/learn/what-is-scim\">System for Cross-domain Identity Management</a> (SCIM) to integrate with several identity providers, as described in the following topics:</p>\n<ul>\n<li><a href=\"https://tailscale.com/docs/integrations/google-sync\">User &#x26; group provisioning for Google Workspace</a></li>\n<li><a href=\"https://tailscale.com/docs/integrations/identity/entra/entra-id-scim\">User &#x26; group provisioning for Microsoft Entra ID</a></li>\n<li><a href=\"https://tailscale.com/docs/integrations/identity/okta/okta-scim\">User &#x26; group provisioning for Okta</a></li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/features/user-group-provisioning#impact-of-enabling-scim-in-a-tailnet-that-already-has-users\">Impact of enabling SCIM in a tailnet that already has users</a></h2>\n<p>When you enable SCIM, if you already had any users from your identity provider using Tailscale, the users stay in Tailscale. You can review these users when you enable SCIM in your identity provider, such as Okta or Microsoft Entra ID, and decide what action to take for them.</p>\n<h2><a href=\"https://tailscale.com/docs/features/user-group-provisioning#sso-and-scim-considerations\">SSO and SCIM considerations</a></h2>\n<p>If you are <em>using the same app for single sign-on (SSO) and SCIM</em> (that is, you're not using a custom Microsoft Entra ID app), users can sign up for Tailscale only if they are allowed to by the identity provider (if they have the app assigned).</p>\n<p>If you are using different apps for SSO and SCIM, we recommend you use\r\n<a href=\"https://tailscale.com/docs/features/access-control/user-approval\">user approval</a> to restrict which users are authorized to join your tailnet.</p>\n<h2><a href=\"https://tailscale.com/docs/features/user-group-provisioning#inviting-users\">Inviting users</a></h2>\n<ul>\n<li>You can still <a href=\"https://tailscale.com/docs/features/sharing/how-to/invite-team-members\">invite users</a> from other domains and identity providers. You need to be an <a href=\"https://tailscale.com/docs/reference/user-roles\">Owner, Admin, or IT admin</a> to invite users.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/features/user-group-provisioning#syncing-a-user-suspension\">Syncing a user suspension</a></h2>\n<p>When syncing a user suspension:</p>\n<ul>\n<li>For Okta, if you deactivate a user in Okta they are suspended in Tailscale. If you suspend a user in Okta, nothing happens in Tailscale—only deactivation.</li>\n<li>For Microsoft Entra ID, if you delete (soft delete) the user in Microsoft Entra ID they are suspended in Tailscale.</li>\n<li>For Google Workspace, if you suspend a user, they are suspended in Tailscale.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/features/user-group-provisioning#syncing-a-user-deletion\">Syncing a user deletion</a></h2>\n<p>When syncing a user deletion:</p>\n<ul>\n<li>\n<p>For Okta, you cannot sync deletions from Okta to Tailscale.</p>\n</li>\n<li>\n<p>For Microsoft Entra ID, when you delete a user, they are first soft deleted (suspended in Tailscale), then 30 days later they are hard deleted (deleted in Tailscale).</p>\n</li>\n<li>\n<p>For Google Workspace, if you delete a user, they are suspended in Tailscale. When you recreate a previously deleted user in Google Workspace, Tailscale treats them as a new user.</p>\n</li>\n</ul>\n<p>You can also manually delete users from your tailnet, including users created prior to enabling provisioning, synced users who have been suspended in Tailscale, and users from other domains. You cannot manually delete users who are being synced, as they will get recreated at the next sync.</p>\n<h2><a href=\"https://tailscale.com/docs/features/user-group-provisioning#syncing-group-membership\">Syncing group membership</a></h2>\n<p>Tailscale syncs group membership from SCIM-integrated identity providers to Tailscale. You can use the same\r\nhuman-readable group names you have in a SCIM-integrated identity provider to refer to groups in your\r\n<a href=\"https://tailscale.com/docs/features/access-control/acls\">access control policies</a>. For example, if Alice and Bob are in the \"security-team\" group in a SCIM-integrated\r\nidentity provider, then the <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#acls\">access rule</a> can refer to the \"security-team\" group:</p>\n<pre><code class=\"language-json\">{\r\n  \"grants\": [\\\r\n    {\\\r\n      \"src\": [\"group:security-team@example.com\"],\\\r\n      \"dst\": [\"tag:logging\"],\\\r\n      \"ip\": [\"*\"]\\\r\n    }\\\r\n  ],\r\n  \"tagOwners\": {\r\n    \"tag:logging\": [\"group:security-team@example.com\"]\r\n  }\r\n}\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<p>When someone's role changes, instead of updating their permissions in every application you manage, you\r\ncan instead make a single change in the SCIM-integrated identity provider, to update what applications\r\nthey should have access to, and with which permissions.</p>\n<p>Synced groups cannot be used to assign <a href=\"https://tailscale.com/docs/reference/user-roles\">user roles</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/user-group-provisioning#known-limitations\">Known Limitations</a></h2>\n<ul>\n<li>A user suspended in a SCIM-integrated identity provider will remain logged into Tailscale, and maintain access to all of their nodes and permissions granted by access control policies. They will only lose access as their device keys expire and they are blocked from re-authenticating new sessions with the SCIM-integrated identity provider. Instead, disable the user in the SCIM-integrated identity provider to suspend them in Tailscale.</li>\n<li>For additional limitations, refer to the specific topics for each identity provider.</li>\n</ul>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}