{"slug":"user-group-provisioning-for-microsoft-entra-id","title":"User & group provisioning for Microsoft Entra ID","tags":["tailscale"],"agent_summary":"Last validated: Jan 5, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# User & group provisioning for Microsoft Entra ID\r\n\r\nLast validated: Jan 5, 2026\r\n\r\nThis featureis available for [the Standard, Premium, and Enterprise plans](https://tailscale.com/pricing).\r\n\r\nTailscale supports System for Cross-domain Identity Management (SCIM) to integrate with Microsoft Entra ID (previously known as Azure AD).\r\n\r\n- With group sync, you can refer to a group from Microsoft Entra ID in your tailnet policy file, with a human-readable name.\r\n  - You can also refer to a group from Microsoft Entra ID in your tailnet policy file using the `externalGroupId`.\r\n- With user sync, you can quickly onboard and offboard users to Tailscale. For related information, refer to [Offboarding when using user & group provisioning](https://tailscale.com/docs/features/sharing/how-to/offboard#offboarding-when-using-user--group-provisioning-scim).\r\n  - When a user is deleted in Microsoft Entra ID, [they are first 'soft' deleted](https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/how-provisioning-works#incremental-cycles), which [suspends](https://tailscale.com/docs/features/sharing/how-to/remove-team-members#suspending-users) the user in Tailscale. The user is then 'hard' deleted approximately 30 days later in Microsoft Entra ID, which causes them to be [deleted](https://tailscale.com/docs/features/sharing/how-to/remove-team-members#deleting-users) in Tailscale.\r\n  - When a user is disabled in Microsoft Entra ID, they are suspended in Tailscale.\r\n\r\nThis topic shows you how to set up Microsoft Entra ID as a SCIM-integrated identity provider for Tailscale. You can also refer to the\r\nMicrosoft tutorial [Configure Tailscale for automatic user provisioning](https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/tailscale-provisioning-tutorial).\r\n\r\n## [Features](https://tailscale.com/docs/integrations/identity/entra/entra-id-scim\\#features)\r\n\r\nThe following provisioning features are supported:\r\n\r\n- **Create users** in Tailscale from Microsoft Entra ID\r\n- **Update user attributes** in Tailscale from Microsoft Entra ID\r\n- **Delete users** in Microsoft Entra ID to first suspend them in Tailscale; after approximately 30 days they are automatically deleted in Tailscale\r\n- **Disable users** in Microsoft Entra ID to suspend them in Tailscale\r\n- **Group push** from Microsoft Entra ID to Tailscale\r\n\r\n## [Requirements](https://tailscale.com/docs/integrations/identity/entra/entra-id-scim\\#requirements)\r\n\r\n- You need a Microsoft Entra ID subscription.\r\n- You need a tailnet.\r\n- Your tailnet's identity provider needs to be Microsoft Entra ID. If your tailnet is not\r\nusing Microsoft Entra ID and you want to use it, [contact support](https://tailscale.com/contact/support?type=sso) to\r\nmigrate from your current identity provider to Microsoft Entra ID.\r\n\r\n## [Step-by-Step Configuration Instructions](https://tailscale.com/docs/integrations/identity/entra/entra-id-scim\\#step-by-step-configuration-instructions)\r\n\r\n### [Enable Provisioning](https://tailscale.com/docs/integrations/identity/entra/entra-id-scim\\#enable-provisioning)\r\n\r\n#### [In Tailscale](https://tailscale.com/docs/integrations/identity/entra/entra-id-scim\\#in-tailscale)\r\n\r\nYou need to be an [Owner, Admin, or IT admin](https://tailscale.com/docs/reference/user-roles) in Tailscale to complete these\r\nsteps.\r\n\r\n**Generate a SCIM API key**\r\n\r\n1. In the [User management](https://login.tailscale.com/admin/settings/user-management) page of the admin console, under **SCIM Provisioning**, select **Enable Provisioning**.\r\n\r\n2. Copy the generated key to the clipboard.\r\n![Generate SCIM API key](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fcopy-generated-api-key.c8b01a34.png&w=1080&q=75)\r\n3. Save the key information in a secure spot. You will need to use it when you configure Microsoft Entra ID. Note that Tailscale-generated SCIM API keys are case-sensitive.\r\n\r\n\r\n#### [In Microsoft Entra ID](https://tailscale.com/docs/integrations/identity/entra/entra-id-scim\\#in-microsoft-entra-id)\r\n\r\nYou need to have an admin role for the Microsoft Azure portal to complete these steps.\r\n\r\n01. Log in to the [Microsoft Azure portal](https://portal.azure.com/).\r\n\r\n02. Select **Microsoft Entra ID**.\r\n\r\n03. Under **Manage** in the left-hand navigation, select **Enterprise applications**.\r\n\r\n04. Select **New application**.\r\n\r\n05. In the **Browse Microsoft Entra Gallery** page, search for **Tailscale** and then select **Tailscale**.\r\n\r\n06. Select **Sign up for Tailscale**.\r\n\r\n    You will be redirected to sign up for Tailscale. If you already have a Tailscale account, proceed\r\n    to the next step. Otherwise, follow the prompts to sign up for Tailscale.\r\n\r\n07. In the application **Overview** page, under **Manage** in the left-hand navigation, select **Provisioning**.\r\n\r\n08. Select **Get started**.\r\n\r\n09. Set **Provisioning Mode** to **Automatic**.\r\n\r\n10. Under **Admin Credentials**, for **Tenant URL**, enter\r\n    `https://controlplane.tailscale.com/scim/v2/?aadOptscim062020`.\r\n\r\n    Note that the trailing parameter, `?aadOptscim062020`, is required. For\r\n    information about this parameter, refer to the Microsoft Entra ID topic\r\n    [Flags to alter the SCIM behavior](https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-config-problem-scim-compatibility#flags-to-alter-the-scim-behavior).\r\n\r\n11. For **Secret Token**, enter the SCIM API key that you generated in the Tailscale admin console.\r\n    ![Provide credentials to Microsoft Entra ID](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fentra-id-credentials.4aa37fbd.jpg&w=3840&q=75)\r\n12. Select **Test Connection**.\r\n\r\n    A popup will display a message about whether the supplied credentials\r\n    are authorized to enable provisioning.\r\n\r\n13. In the **Settings** section, ensure **Send an email notification when**\r\n    **an error occurs** is checked, and provide an email to use for the\r\n    notification.\r\n\r\n14. In the **Settings** section, under **Scope**, choose to sync all users and groups, or only users and groups that are assigned the application. If you choose to only sync users and groups that are assigned the application, you will need to [assign these](https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal?pivots=portal) under the **Users and groups** section in the left-hand navigation.\r\n\r\n15. Ensure that **Provisioning Status** is set to **On**.\r\n    ![Provision Microsoft Entra ID](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fentra-id-provisioning.f52b6256.jpg&w=3840&q=75)\r\n16. Select **Save**.\r\n\r\n17. Return to the application's **Provisioning** page. In the top menu, select **Start Provisioning**.\r\n\r\n\r\nIf you encounter issues after provisioning, open the application's **Overview** page and then select\r\n**Restart Provisioning**.\r\n\r\n#### [Restricting access to the Tailscale application](https://tailscale.com/docs/integrations/identity/entra/entra-id-scim\\#restricting-access-to-the-tailscale-application)\r\n\r\nBy default all users in the Entra directory service will be allowed to access the Tailscale app.\r\nTo control which users are allowed to access Tailscale, go to **Enterprise Applications** >\r\n**Tailscale** \\> **Properties** and set **Assignment Required?** to Yes.\r\n\r\n![Assignment Required?](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fentra-assignment-required.d296c8e1.png&w=1920&q=75)\r\n\r\nWhen this setting is enabled, only users who are assigned to the Tailscale application will be\r\nable to access it.\r\n\r\n#### [Supported attribute mappings](https://tailscale.com/docs/integrations/identity/entra/entra-id-scim\\#supported-attribute-mappings)\r\n\r\nTailscale supports SCIM attributes from the core [\"User\"](https://www.rfc-editor.org/rfc/rfc7643.html#section-4.1) and [\"Group\" SCIM resources](https://www.rfc-editor.org/rfc/rfc7643.html#section-4.2). Tailscale only uses the following attributes for Tailscale's functionality; other attributes are stored without being used:\r\n\r\n| Attribute | SCIM attribute type | Use in Tailscale |\r\n| --- | --- | --- |\r\n| `externalId` | Common | Required |\r\n| `userName` | Core user | Required |\r\n| `emails` | Core user | Optional |\r\n| `name.givenName` | Core user | Optional |\r\n| `name.familyName` | Core user | Optional |\r\n| `name.formatted` | Core user | Optional |\r\n| `displayName` | Core user | Optional |\r\n| `active` | Core user | Optional |\r\n| `preferredLanguage` | Core user | Optional |\r\n\r\n`userName` must map to the email used by the user to sign in to the tailnet.\r\n\r\n`photos` are not an attribute that can be synced, but are populated for users on login.\r\n\r\nTailscale does not support the SCIM [Enterprise User Schema Extension](https://www.rfc-editor.org/rfc/rfc7643.html#section-4.3). If any additional user attribute from these extensions is specified, the request will fail.\r\n\r\n### [Referring to Microsoft Entra ID groups in your tailnet policy file](https://tailscale.com/docs/integrations/identity/entra/entra-id-scim\\#referring-to-microsoft-entra-id-groups-in-your-tailnet-policy-file)\r\n\r\nYou can refer to a group from Microsoft Entra ID in your tailnet policy file using either the human-readable name or the Microsoft Entra ID group ID. For example:\r\n\r\n```json\r\n{\r\n  \"grants\": [\\\r\n    {\\\r\n      \"src\": [\"group:groupname@example.com\"],\\\r\n      \"dst\": [\"*\"],\\\r\n      \"ip\": [\"*\"]\\\r\n    },\\\r\n    {\\\r\n      \"src\": [\"group:all employees@example.com\"],\\\r\n      \"dst\": [\"autogroup:self\"],\\\r\n      \"ip\": [\"*\"]\\\r\n    },\\\r\n    {\\\r\n      \"src\": [\"group:3ac067a2-f424-87b0-14a3-926482d83980@example.com\"],\\\r\n      \"dst\": [\"tag:logging\"],\\\r\n      \"ip\": [\"*\"]\\\r\n    }\\\r\n  ]\r\n}\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\n#### [Updating Microsoft Entra ID Group Names](https://tailscale.com/docs/integrations/identity/entra/entra-id-scim\\#updating-microsoft-entra-id-group-names)\r\n\r\nIf you are using the group name (not the group ID) in your tailnet policy file, and you change the name of your group in Microsoft Entra ID, the Tailscale access rules for that group will no longer apply. Tailscale will fail closed, and you will receive an error message in the\r\nadmin console.\r\n\r\nIf you modified the name of the group, update the group in the tailnet policy file to the new group name. You can also revert the\r\nname change in Microsoft Entra ID if this was unintentional.\r\n\r\nIf you are using the group ID in your tailnet policy file, renaming the group will not affect the Tailscale access rules for that group.\r\n\r\n### [Disable Provisioning](https://tailscale.com/docs/integrations/identity/entra/entra-id-scim\\#disable-provisioning)\r\n\r\nYou need to have an admin role for the Microsoft Azure portal to complete these steps.\r\n\r\n#### [In Microsoft Entra ID](https://tailscale.com/docs/integrations/identity/entra/entra-id-scim\\#in-microsoft-entra-id-1)\r\n\r\n1. Log in to the [Microsoft Azure portal](https://portal.azure.com/).\r\n2. Select **Microsoft Entra ID**.\r\n3. Under **Manage** in the left-hand navigation, select **Enterprise applications**.\r\n4. Search for the **Tailscale** application and select it.\r\n5. Under **Manage**, select **Properties**.\r\n6. Select **Delete** and then select **Yes**.\r\n\r\n#### [In Tailscale](https://tailscale.com/docs/integrations/identity/entra/entra-id-scim\\#in-tailscale-1)\r\n\r\n1. In the [User management](https://login.tailscale.com/admin/settings/user-management) page of the admin console, under **SCIM Provisioning**, select **Disable provisioning**, and then select **Disable provisioning** to confirm.\r\n\r\n2. In the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console, update your rules to no\r\nlonger reference any group which is no longer pushed.\r\n\r\n3. If you no longer want to keep the SCIM API key that you used for Microsoft Entra ID, [revoke the key](https://tailscale.com/docs/features/access-control/auth-keys#revoke-an-auth-key).\r\n\r\n\r\n### [Known Limitations](https://tailscale.com/docs/integrations/identity/entra/entra-id-scim\\#known-limitations)\r\n\r\n- Microsoft Entra ID syncs with Tailscale every 40 minutes. This is a [limitation from Microsoft Entra ID](https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user#how-long-will-it-take-to-provision-users) and you cannot change this interval. To force the sync of a user, for example, as part of offboarding, use Microsoft Entra ID [on-demand provisioning](https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/provision-on-demand). This should sync the user in less than 30 seconds.\r\n- Microsoft Entra ID takes approximately 30 days from 'soft' deletion to 'hard' deletion of a user. You cannot change this interval.\r\n- Microsoft Entra ID [doesn't automatically restore the dynamic membership group](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/how-provisioning-works#deprovisioning) entries when a user goes from 'soft' deleted to active. If this causes issues, you can **Restart provisioning** from Entra ID's app provisioning page to force a refresh.\r\n- Tailscale does not support the SCIM [Enterprise User Schema Extension](https://www.rfc-editor.org/rfc/rfc7643.html#section-4.3). If any additional user attribute from these extensions is specified, the request will fail.\r\n- Tailscale groups are parsed lowercased in the tailnet policy file, so any casing in Microsoft Entra ID is ignored.\r\n- Groups from Microsoft Entra ID cannot contain the `@` symbol.\r\n- If you are referring to the group name in your tailnet policy file, and the name of your group changes, the access control policy for that group will no longer apply and Tailscale will fail closed. If instead, you use the group ID in your tailnet policy file, renaming the group will not affect the Tailscale access rules for that group.\r\n- Groups unlinked in Microsoft Entra ID that are retained in Tailscale are not synced to Tailscale.\r\n- You cannot use group sync to assign Tailscale admins or other [user roles](https://tailscale.com/docs/reference/user-roles).\r\n- Parent groups of [nested groups](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-manage-groups#add-or-remove-a-group-from-another-group) do not aggregate members of their nested groups. In other words, you cannot use a parent of a nested group in your access control policies and expect it to contain all members of the nested groups.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>User &#x26; group provisioning for Microsoft Entra ID</h1>\n<p>Last validated: Jan 5, 2026</p>\n<p>This featureis available for <a href=\"https://tailscale.com/pricing\">the Standard, Premium, and Enterprise plans</a>.</p>\n<p>Tailscale supports System for Cross-domain Identity Management (SCIM) to integrate with Microsoft Entra ID (previously known as Azure AD).</p>\n<ul>\n<li>With group sync, you can refer to a group from Microsoft Entra ID in your tailnet policy file, with a human-readable name.\n<ul>\n<li>You can also refer to a group from Microsoft Entra ID in your tailnet policy file using the <code>externalGroupId</code>.</li>\n</ul>\n</li>\n<li>With user sync, you can quickly onboard and offboard users to Tailscale. For related information, refer to <a href=\"https://tailscale.com/docs/features/sharing/how-to/offboard#offboarding-when-using-user--group-provisioning-scim\">Offboarding when using user &#x26; group provisioning</a>.\n<ul>\n<li>When a user is deleted in Microsoft Entra ID, <a href=\"https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/how-provisioning-works#incremental-cycles\">they are first 'soft' deleted</a>, which <a href=\"https://tailscale.com/docs/features/sharing/how-to/remove-team-members#suspending-users\">suspends</a> the user in Tailscale. The user is then 'hard' deleted approximately 30 days later in Microsoft Entra ID, which causes them to be <a href=\"https://tailscale.com/docs/features/sharing/how-to/remove-team-members#deleting-users\">deleted</a> in Tailscale.</li>\n<li>When a user is disabled in Microsoft Entra ID, they are suspended in Tailscale.</li>\n</ul>\n</li>\n</ul>\n<p>This topic shows you how to set up Microsoft Entra ID as a SCIM-integrated identity provider for Tailscale. You can also refer to the\r\nMicrosoft tutorial <a href=\"https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/tailscale-provisioning-tutorial\">Configure Tailscale for automatic user provisioning</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/integrations/identity/entra/entra-id-scim#features\">Features</a></h2>\n<p>The following provisioning features are supported:</p>\n<ul>\n<li><strong>Create users</strong> in Tailscale from Microsoft Entra ID</li>\n<li><strong>Update user attributes</strong> in Tailscale from Microsoft Entra ID</li>\n<li><strong>Delete users</strong> in Microsoft Entra ID to first suspend them in Tailscale; after approximately 30 days they are automatically deleted in Tailscale</li>\n<li><strong>Disable users</strong> in Microsoft Entra ID to suspend them in Tailscale</li>\n<li><strong>Group push</strong> from Microsoft Entra ID to Tailscale</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/integrations/identity/entra/entra-id-scim#requirements\">Requirements</a></h2>\n<ul>\n<li>You need a Microsoft Entra ID subscription.</li>\n<li>You need a tailnet.</li>\n<li>Your tailnet's identity provider needs to be Microsoft Entra ID. If your tailnet is not\r\nusing Microsoft Entra ID and you want to use it, <a href=\"https://tailscale.com/contact/support?type=sso\">contact support</a> to\r\nmigrate from your current identity provider to Microsoft Entra ID.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/integrations/identity/entra/entra-id-scim#step-by-step-configuration-instructions\">Step-by-Step Configuration Instructions</a></h2>\n<h3><a href=\"https://tailscale.com/docs/integrations/identity/entra/entra-id-scim#enable-provisioning\">Enable Provisioning</a></h3>\n<h4><a href=\"https://tailscale.com/docs/integrations/identity/entra/entra-id-scim#in-tailscale\">In Tailscale</a></h4>\n<p>You need to be an <a href=\"https://tailscale.com/docs/reference/user-roles\">Owner, Admin, or IT admin</a> in Tailscale to complete these\r\nsteps.</p>\n<p><strong>Generate a SCIM API key</strong></p>\n<ol>\n<li>\n<p>In the <a href=\"https://login.tailscale.com/admin/settings/user-management\">User management</a> page of the admin console, under <strong>SCIM Provisioning</strong>, select <strong>Enable Provisioning</strong>.</p>\n</li>\n<li>\n<p>Copy the generated key to the clipboard.\r\n<img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fcopy-generated-api-key.c8b01a34.png&#x26;w=1080&#x26;q=75\" alt=\"Generate SCIM API key\"></p>\n</li>\n<li>\n<p>Save the key information in a secure spot. You will need to use it when you configure Microsoft Entra ID. Note that Tailscale-generated SCIM API keys are case-sensitive.</p>\n</li>\n</ol>\n<h4><a href=\"https://tailscale.com/docs/integrations/identity/entra/entra-id-scim#in-microsoft-entra-id\">In Microsoft Entra ID</a></h4>\n<p>You need to have an admin role for the Microsoft Azure portal to complete these steps.</p>\n<ol>\n<li>\n<p>Log in to the <a href=\"https://portal.azure.com/\">Microsoft Azure portal</a>.</p>\n</li>\n<li>\n<p>Select <strong>Microsoft Entra ID</strong>.</p>\n</li>\n<li>\n<p>Under <strong>Manage</strong> in the left-hand navigation, select <strong>Enterprise applications</strong>.</p>\n</li>\n<li>\n<p>Select <strong>New application</strong>.</p>\n</li>\n<li>\n<p>In the <strong>Browse Microsoft Entra Gallery</strong> page, search for <strong>Tailscale</strong> and then select <strong>Tailscale</strong>.</p>\n</li>\n<li>\n<p>Select <strong>Sign up for Tailscale</strong>.</p>\n<p>You will be redirected to sign up for Tailscale. If you already have a Tailscale account, proceed\r\nto the next step. Otherwise, follow the prompts to sign up for Tailscale.</p>\n</li>\n<li>\n<p>In the application <strong>Overview</strong> page, under <strong>Manage</strong> in the left-hand navigation, select <strong>Provisioning</strong>.</p>\n</li>\n<li>\n<p>Select <strong>Get started</strong>.</p>\n</li>\n<li>\n<p>Set <strong>Provisioning Mode</strong> to <strong>Automatic</strong>.</p>\n</li>\n<li>\n<p>Under <strong>Admin Credentials</strong>, for <strong>Tenant URL</strong>, enter\r\n<code>https://controlplane.tailscale.com/scim/v2/?aadOptscim062020</code>.</p>\n<p>Note that the trailing parameter, <code>?aadOptscim062020</code>, is required. For\r\ninformation about this parameter, refer to the Microsoft Entra ID topic\r\n<a href=\"https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-config-problem-scim-compatibility#flags-to-alter-the-scim-behavior\">Flags to alter the SCIM behavior</a>.</p>\n</li>\n<li>\n<p>For <strong>Secret Token</strong>, enter the SCIM API key that you generated in the Tailscale admin console.\r\n<img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fentra-id-credentials.4aa37fbd.jpg&#x26;w=3840&#x26;q=75\" alt=\"Provide credentials to Microsoft Entra ID\"></p>\n</li>\n<li>\n<p>Select <strong>Test Connection</strong>.</p>\n<p>A popup will display a message about whether the supplied credentials\r\nare authorized to enable provisioning.</p>\n</li>\n<li>\n<p>In the <strong>Settings</strong> section, ensure <strong>Send an email notification when</strong>\r\n<strong>an error occurs</strong> is checked, and provide an email to use for the\r\nnotification.</p>\n</li>\n<li>\n<p>In the <strong>Settings</strong> section, under <strong>Scope</strong>, choose to sync all users and groups, or only users and groups that are assigned the application. If you choose to only sync users and groups that are assigned the application, you will need to <a href=\"https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal?pivots=portal\">assign these</a> under the <strong>Users and groups</strong> section in the left-hand navigation.</p>\n</li>\n<li>\n<p>Ensure that <strong>Provisioning Status</strong> is set to <strong>On</strong>.\r\n<img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fentra-id-provisioning.f52b6256.jpg&#x26;w=3840&#x26;q=75\" alt=\"Provision Microsoft Entra ID\"></p>\n</li>\n<li>\n<p>Select <strong>Save</strong>.</p>\n</li>\n<li>\n<p>Return to the application's <strong>Provisioning</strong> page. In the top menu, select <strong>Start Provisioning</strong>.</p>\n</li>\n</ol>\n<p>If you encounter issues after provisioning, open the application's <strong>Overview</strong> page and then select\r\n<strong>Restart Provisioning</strong>.</p>\n<h4><a href=\"https://tailscale.com/docs/integrations/identity/entra/entra-id-scim#restricting-access-to-the-tailscale-application\">Restricting access to the Tailscale application</a></h4>\n<p>By default all users in the Entra directory service will be allowed to access the Tailscale app.\r\nTo control which users are allowed to access Tailscale, go to <strong>Enterprise Applications</strong> >\r\n<strong>Tailscale</strong> > <strong>Properties</strong> and set <strong>Assignment Required?</strong> to Yes.</p>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fentra-assignment-required.d296c8e1.png&#x26;w=1920&#x26;q=75\" alt=\"Assignment Required?\"></p>\n<p>When this setting is enabled, only users who are assigned to the Tailscale application will be\r\nable to access it.</p>\n<h4><a href=\"https://tailscale.com/docs/integrations/identity/entra/entra-id-scim#supported-attribute-mappings\">Supported attribute mappings</a></h4>\n<p>Tailscale supports SCIM attributes from the core <a href=\"https://www.rfc-editor.org/rfc/rfc7643.html#section-4.1\">\"User\"</a> and <a href=\"https://www.rfc-editor.org/rfc/rfc7643.html#section-4.2\">\"Group\" SCIM resources</a>. Tailscale only uses the following attributes for Tailscale's functionality; other attributes are stored without being used:</p>\n<p>| Attribute | SCIM attribute type | Use in Tailscale |\r\n| --- | --- | --- |\r\n| <code>externalId</code> | Common | Required |\r\n| <code>userName</code> | Core user | Required |\r\n| <code>emails</code> | Core user | Optional |\r\n| <code>name.givenName</code> | Core user | Optional |\r\n| <code>name.familyName</code> | Core user | Optional |\r\n| <code>name.formatted</code> | Core user | Optional |\r\n| <code>displayName</code> | Core user | Optional |\r\n| <code>active</code> | Core user | Optional |\r\n| <code>preferredLanguage</code> | Core user | Optional |</p>\n<p><code>userName</code> must map to the email used by the user to sign in to the tailnet.</p>\n<p><code>photos</code> are not an attribute that can be synced, but are populated for users on login.</p>\n<p>Tailscale does not support the SCIM <a href=\"https://www.rfc-editor.org/rfc/rfc7643.html#section-4.3\">Enterprise User Schema Extension</a>. If any additional user attribute from these extensions is specified, the request will fail.</p>\n<h3><a href=\"https://tailscale.com/docs/integrations/identity/entra/entra-id-scim#referring-to-microsoft-entra-id-groups-in-your-tailnet-policy-file\">Referring to Microsoft Entra ID groups in your tailnet policy file</a></h3>\n<p>You can refer to a group from Microsoft Entra ID in your tailnet policy file using either the human-readable name or the Microsoft Entra ID group ID. For example:</p>\n<pre><code class=\"language-json\">{\r\n  \"grants\": [\\\r\n    {\\\r\n      \"src\": [\"group:groupname@example.com\"],\\\r\n      \"dst\": [\"*\"],\\\r\n      \"ip\": [\"*\"]\\\r\n    },\\\r\n    {\\\r\n      \"src\": [\"group:all employees@example.com\"],\\\r\n      \"dst\": [\"autogroup:self\"],\\\r\n      \"ip\": [\"*\"]\\\r\n    },\\\r\n    {\\\r\n      \"src\": [\"group:3ac067a2-f424-87b0-14a3-926482d83980@example.com\"],\\\r\n      \"dst\": [\"tag:logging\"],\\\r\n      \"ip\": [\"*\"]\\\r\n    }\\\r\n  ]\r\n}\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<h4><a href=\"https://tailscale.com/docs/integrations/identity/entra/entra-id-scim#updating-microsoft-entra-id-group-names\">Updating Microsoft Entra ID Group Names</a></h4>\n<p>If you are using the group name (not the group ID) in your tailnet policy file, and you change the name of your group in Microsoft Entra ID, the Tailscale access rules for that group will no longer apply. Tailscale will fail closed, and you will receive an error message in the\r\nadmin console.</p>\n<p>If you modified the name of the group, update the group in the tailnet policy file to the new group name. You can also revert the\r\nname change in Microsoft Entra ID if this was unintentional.</p>\n<p>If you are using the group ID in your tailnet policy file, renaming the group will not affect the Tailscale access rules for that group.</p>\n<h3><a href=\"https://tailscale.com/docs/integrations/identity/entra/entra-id-scim#disable-provisioning\">Disable Provisioning</a></h3>\n<p>You need to have an admin role for the Microsoft Azure portal to complete these steps.</p>\n<h4><a href=\"https://tailscale.com/docs/integrations/identity/entra/entra-id-scim#in-microsoft-entra-id-1\">In Microsoft Entra ID</a></h4>\n<ol>\n<li>Log in to the <a href=\"https://portal.azure.com/\">Microsoft Azure portal</a>.</li>\n<li>Select <strong>Microsoft Entra ID</strong>.</li>\n<li>Under <strong>Manage</strong> in the left-hand navigation, select <strong>Enterprise applications</strong>.</li>\n<li>Search for the <strong>Tailscale</strong> application and select it.</li>\n<li>Under <strong>Manage</strong>, select <strong>Properties</strong>.</li>\n<li>Select <strong>Delete</strong> and then select <strong>Yes</strong>.</li>\n</ol>\n<h4><a href=\"https://tailscale.com/docs/integrations/identity/entra/entra-id-scim#in-tailscale-1\">In Tailscale</a></h4>\n<ol>\n<li>\n<p>In the <a href=\"https://login.tailscale.com/admin/settings/user-management\">User management</a> page of the admin console, under <strong>SCIM Provisioning</strong>, select <strong>Disable provisioning</strong>, and then select <strong>Disable provisioning</strong> to confirm.</p>\n</li>\n<li>\n<p>In the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console, update your rules to no\r\nlonger reference any group which is no longer pushed.</p>\n</li>\n<li>\n<p>If you no longer want to keep the SCIM API key that you used for Microsoft Entra ID, <a href=\"https://tailscale.com/docs/features/access-control/auth-keys#revoke-an-auth-key\">revoke the key</a>.</p>\n</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/integrations/identity/entra/entra-id-scim#known-limitations\">Known Limitations</a></h3>\n<ul>\n<li>Microsoft Entra ID syncs with Tailscale every 40 minutes. This is a <a href=\"https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user#how-long-will-it-take-to-provision-users\">limitation from Microsoft Entra ID</a> and you cannot change this interval. To force the sync of a user, for example, as part of offboarding, use Microsoft Entra ID <a href=\"https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/provision-on-demand\">on-demand provisioning</a>. This should sync the user in less than 30 seconds.</li>\n<li>Microsoft Entra ID takes approximately 30 days from 'soft' deletion to 'hard' deletion of a user. You cannot change this interval.</li>\n<li>Microsoft Entra ID <a href=\"https://learn.microsoft.com/en-us/entra/identity/app-provisioning/how-provisioning-works#deprovisioning\">doesn't automatically restore the dynamic membership group</a> entries when a user goes from 'soft' deleted to active. If this causes issues, you can <strong>Restart provisioning</strong> from Entra ID's app provisioning page to force a refresh.</li>\n<li>Tailscale does not support the SCIM <a href=\"https://www.rfc-editor.org/rfc/rfc7643.html#section-4.3\">Enterprise User Schema Extension</a>. If any additional user attribute from these extensions is specified, the request will fail.</li>\n<li>Tailscale groups are parsed lowercased in the tailnet policy file, so any casing in Microsoft Entra ID is ignored.</li>\n<li>Groups from Microsoft Entra ID cannot contain the <code>@</code> symbol.</li>\n<li>If you are referring to the group name in your tailnet policy file, and the name of your group changes, the access control policy for that group will no longer apply and Tailscale will fail closed. If instead, you use the group ID in your tailnet policy file, renaming the group will not affect the Tailscale access rules for that group.</li>\n<li>Groups unlinked in Microsoft Entra ID that are retained in Tailscale are not synced to Tailscale.</li>\n<li>You cannot use group sync to assign Tailscale admins or other <a href=\"https://tailscale.com/docs/reference/user-roles\">user roles</a>.</li>\n<li>Parent groups of <a href=\"https://learn.microsoft.com/en-us/entra/fundamentals/how-to-manage-groups#add-or-remove-a-group-from-another-group\">nested groups</a> do not aggregate members of their nested groups. In other words, you cannot use a parent of a nested group in your access control policies and expect it to contain all members of the nested groups.</li>\n</ul>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}