Deleting and suspending users

You can delete and suspend users who should no longer be on your Tailscale network (known as a tailnet) in the admin console, to prevent them from using Tailscale without permanently deleting their devices.

Deleting users

You need to be an Owner, Admin, or IT admin of a tailnet in order to delete a user.

Open the Users page of the admin console.
Find the row corresponding to the user you are interested in.
Click on the menu at the far right and select the Delete user option.
Done. The user is deleted.

When a user is deleted from your network:

User devices are deleted. The device keys are removed from the coordination server so that any further requests from those devices to connect to the network are blocked.
API access tokens and auth keys for the user stop working
These actions usually happens within seconds

To delete a user with the Owner role, you must first assign a different user as the tailnet Owner, then delete the desired user.

When using user & group provisioning

If you have user & group provisioning enabled on your tailnet, we recommend you use SCIM to automatically deprovision users.

If using Okta, deactivate the user in Okta. This will automatically suspend the user in Tailscale. Then, you can delete the suspended user in Tailscale.
If using Microsoft Entra ID, delete the user in Microsoft Entra ID. This will automatically suspend the user in Tailscale, and approximately 30 days later they are deleted in Tailscale.

Suspending users

If you don’t want to delete a user from your network right away, but want to restrict them from using Tailscale, you can suspend the user.

You need to be an Owner, Admin, or IT admin of a tailnet in order to suspend and restore a user.

Go to the Users page of the admin console.
Find the row corresponding to the user you are interested in.
Click on the menu at the far right and select the Suspend user option.

The user is shown as Suspended in the users page.

When a user is suspended, they cannot use Tailscale on this tailnet. That means:

Their devices are not able to connect to other devices in the tailnet, including other devices they own
They cannot add new devices to the tailnet. If they try to sign in on a device, they will get an error that they are suspended
They cannot access the admin console
Their API access tokens and auth keys stop working

If someone else has access to their devices, they can re-authenticate or tag these devices and use them in the same tailnet.

Pending users

If you have enabled user approval, new users are placed in a pending state. For information about removing a pending user, see Remove a pending user.

Restoring users

You can restore a user from the admin console by choosing the Restore user option.

When a user is restored, they regain access to Tailscale on this tailnet, including the devices they owned when they were restored. More specifically, restored users can do the following:

Reconnect to other devices in the tailnet, as allowed by ACLs
Add new devices to the tailnet
Access the admin console, if allowed based on their role
Use pre-existing API access tokens and auth keys, if they have not expired

Managing user resources

Machines for suspended users are suspended, and can be deleted or reassigned. Machines for deleted users are deleted. A machine can be re-assigned to a tag, or a new user can log into it. If new user logs into the machine, it’s recognized as a new machine.
API keys for suspended users are suspended. API keys for deleted users are automatically revoked. They cannot be reassigned. You must create a new API key or an OAuth client.
Auth keys for suspended users are suspended. Auth keys for deleted users are automatically revoked. They cannot be reassigned. You must create a new auth key or an OAuth client.