Enable multi-factor auth (MFA)

Tailscale relies on your existing identity provider to authenticate users. Any authentication settings from your identity provider are automatically used by Tailscale, including MFA.

To enable MFA for your domain, simply enable it from your identity provider. We have links to instructions for each provider below.


Google provides in-depth instructions on how to enable multi-factor authentication (“2-Step Verification”) in their documentation.

Office365 / ActiveDirectory

Microsoft’s has documentation describing how to enable MFA for your whole domain or for individual users.


Okta admins can configure MFA for their entire organization or only for Tailscale by setting a “multifactor policy.”


OneLogin users can enable MFA for the domain by creating a new authentication factor, assigning it to a security policy, and assigning that policy to their users. OneLogin provides documentation on how to do this here.

Ping Identity

Ping Identity’s documentation provides instructions on how to configure Policy Contracts to enable MFA for your network.

SAP Identity Manager

SAP’s blog provides instructions on how to enable SMS-based MFA from your Tenant settings.

Last updated