Product
Solutions
Enterprise
Customers
Docs
Blog
Pricing
Download
Schedule a demo
Get started - it's free!
Log in
© 2026

Setting up a custom Microsoft Entra application to work with Tailscale

Last validated:

Custom Microsoft Login is currently in private alpha. Therefore, this topic is currently hidden.

To set up a new Microsoft enterprise application for use with Tailscale follow these steps. These steps are for customers who are using an alternate environment (such as Azure Government), or who need to set up a custom Microsoft Entra application for some other reason.

The screenshots and links featured in this topic are for Azure Commercial. Adapt as necessary for other Azure environments.

Customers using the standard commercial version of Azure should typically follow the standard Microsoft Entra ID instructions.

Create a new Microsoft Entra application

  1. Create a new Enterprise Application in the Azure Portal.

  2. From the Entra App Gallery, select Create your own application at the top left of the page.

  3. Enter an application name.

  4. Select Create.

    The 'Create your own application' modal.

  5. Select Manage and then Properties in the sidebar.

  6. Configure the application as desired on this page (whether to require user assignment and so on).

    The application 'Properties' page.

  7. Select application registration in the second paragraph at the top of the page.

  8. On the following page, select Manage and then Authentication in the sidebar.

  9. Select Add a platform and then Web.

  10. Enter the Redirect URL:

    https://login.tailscale.com/a/oauth_response.

  11. Select Configure.

    The 'Configure Web' 'Redirect URIs' modal.

  12. Select Certificates & secrets in the sidebar.

  13. Select New client secret.

  14. Enter a description and an expiration date.

    Entra only supports an expiration date of up to 2 years. You will have to create a new credential and provide it to Tailscale before this date.

  15. Select Add.

    The 'Add a client secret' modal.

  16. Take note of the Secret Value on the next screen to share with Tailscale Support later.

  17. Select Overview in the sidebar.

  18. Take note of both the Application (client) ID and the Directory (tenant) ID to share with Tailscale Support later.

    The 'Application overview' page detailing the name, secret, redirect, Application ID, Object ID, and Directory ID.

Open a Tailscale support ticket

  1. Open a ticket with Tailscale Support to create or change your identity provider.

  2. Select New SSO with Okta or OneLogin.

  3. Set the SSO identity provider to Okta.

    Tailscale Support will be able to determine that the request is for Microsoft and not Okta.

  4. Add the SSO issuer domain:

    https://login.microsoftonline.com/{tenantID}/v2.0

    For Azure Government, use the login.microsoftonline.us domain.

    Replace {tenantID} with your "Directory (tenant) ID".

  5. Add the Client ID - your "Application (client) ID".

  6. Add the Client secret - your Secret Value.

The Tailscale support form.

(Optional) Configure SCIM provisioning

Refer to the System for Cross-domain Identity Management (SCIM) with a standard Entra ID topic to perform steps for other administrative functionality.

Enable Provisioning

In Tailscale

You need to be an Owner, Admin, or IT admin in Tailscale to complete these steps.

Generate a SCIM API key

  1. In the User management page of the admin console, under SCIM Provisioning, select Enable Provisioning.

  2. Copy the generated key to the clipboard.

In Azure Portal

  1. In the application Overview page, under Manage in the sidebar, select Provisioning.

  2. Select Connect your application.

    The application overview preview page with Provisioning in the sidebar.

  3. Under Admin Credentials, for Tenant URL, enter:

    https://controlplane.tailscale.com/scim/v2/?aadOptscim062020

    The trailing parameter, ?aadOptscim062020, is required. For information about this parameter, see the Microsoft Entra ID topic Flags to alter the SCIM behavior.

  4. For Secret Token, enter the SCIM API key that you generated in the Tailscale admin console.