Enable two-factor and multi-factor auth (2FA/MFA)

Tailscale relies on your existing identity provider to authenticate users. Any authentication settings from your identity provider are automatically used by Tailscale, including MFA.

To enable MFA for your domain, simply enable it from your identity provider. We have links to instructions for each provider below.

Gmail / Google Workspace / GSuite

Google provides in-depth instructions on how to enable multi-factor authentication (“2-Step Verification”) in their documentation.

Microsoft / Office365 / Active Directory (Azure AD)

Microsoft’s has documentation describing how to enable MFA for your whole domain or for individual users.


Okta admins can configure MFA for their entire organization or only for Tailscale by setting a “multifactor policy.”


OneLogin users can enable MFA for the domain by creating a new authentication factor, assigning it to a security policy, and assigning that policy to their users. OneLogin provides documentation on how to enable MFA.

Last updated

WireGuard is a registered
trademark of Jason A. Donenfeld.

© 2023 Tailscale Inc.

Privacy & Terms