Deleting and suspending users

You can delete and suspend users who should no longer be on your Tailscale network (known as a tailnet) in the admin console, to prevent them from using Tailscale without permanently deleting their devices.

Deleting users

You need to be an Owner, Admin, or IT admin of a tailnet in order to delete a user.

  1. Open the Users page of the admin console.
  2. Find the row corresponding to the user you are interested in.
  3. Click on the ellipsis icon at the far right and select the Delete user option.
  4. Done. The user is deleted.

When a user is deleted from your network:

  • User devices are deleted. The device keys are removed from the coordination server so that any further requests from those devices to connect to the network are blocked.
  • API access tokens and auth keys for the user stop working
  • These actions usually happens within seconds

To delete a user with the Owner role, you must first assign a different user as the tailnet Owner , then delete the desired user.

Suspending users

If you don’t want to delete a user from your network right away, but want to restrict them from using Tailscale, you can suspend the user.

You need to be an Owner, Admin, or IT admin of a tailnet in order to suspend and restore a user.

  1. Go to the Users page of the admin console.

  2. Find the row corresponding to the user you are interested in.

  3. Click on the ellipsis icon at the far right and select the Suspend user option.

    The user is shown as Suspended in the users page.

When a user is suspended, they cannot use Tailscale on this tailnet. That means:

  • Their devices are not able to connect to other devices in the tailnet, including other devices they own
  • They cannot add new devices to the tailnet. If they try to sign in on a device, they will get an error that they are suspended
  • They cannot access the admin console
  • Their API access tokens and auth keys stop working

If someone else has access to their devices, they can re-authenticate or tag these devices and use them in the same tailnet.

Pending users

If you have enabled user approval, new users are placed in a pending state. For information about removing a pending user, see Remove a pending user.

Restoring users

You can restore a user from the admin console by choosing the Restore user option.

When a user is restored, they regain access to Tailscale on this tailnet, including the devices they owned when they were restored. More specifically, restored users can do the following:

  • Reconnect to other devices in the tailnet, as allowed by ACLs
  • Add new devices to the tailnet
  • Access the admin console, if allowed based on their role
  • Use pre-existing API access tokens and auth keys, if they have not expired

Managing user resources

  • Machines for suspended users are suspended, and can be deleted or reassigned. Machines for deleted users are deleted. A machine can be re-assigned to a tag, or a new user can log into it. If new user logs into the machine, it’s recognized as a new machine.
  • API keys for suspended users are suspended. API keys for deleted users are automatically revoked. They cannot be reassigned. You must create a new API key or an OAuth client.
  • Auth keys for suspended users are suspended. Auth keys for deleted users are automatically revoked. They cannot be reassigned. You must create a new auth key or an OAuth client.

Managing inactive users

If a user does not own any devices and has not logged into Tailscale in more than 7 days, and is not an Owner, Admin, Network admin, or IT admin , they are shown as Inactive in the users page.

Leaving a tailnet

You cannot delete yourself from a network or leave a network. Ask your administrator to remove your account. You can, however, delete your account by contacting support.

Deleting a tailnet

If you decide you want to delete your entire tailnet, see the Deleting your tailnet article.

Last updated

On This Page