Deleting and suspending users
You can delete and suspend users who should no longer be on your Tailscale network (known as a tailnet) in the admin console, to prevent them from using Tailscale without permanently deleting their devices.
Deleting users
You need to be an Owner, Admin, or IT admin of a tailnet in order to delete a user.
- Open the Users page of the admin console.
- Find the row corresponding to the user you are interested in.
- Click on the
at the far right and select the Delete user option.
- Done. The user is deleted.
When a user is deleted from your network:
- User devices are deleted. The device keys are removed from the coordination server so that any further requests from those devices to connect to the network are blocked.
- API access tokens and auth keys for the user stop working
- These actions usually happens within seconds
To delete a user with the Owner role, you must first assign a different user as the tailnet Owner , then delete the desired user.
Suspending users
If you don’t want to delete a user from your network right away, but want to restrict them from using Tailscale, you can suspend the user.
You need to be an Owner, Admin, or IT admin of a tailnet in order to suspend and restore a user.
-
Go to the Users page of the admin console.
-
Find the row corresponding to the user you are interested in.
-
Click on the
at the far right and select the Suspend user option.
The user is shown as Suspended in the users page.
When a user is suspended, they cannot use Tailscale on this tailnet. That means:
- Their devices are not able to connect to other devices in the tailnet, including other devices they own
- They cannot add new devices to the tailnet. If they try to sign in on a device, they will get an error that they are suspended
- They cannot access the admin console
- Their API access tokens and auth keys stop working
If someone else has access to their devices, they can re-authenticate or tag these devices and use them in the same tailnet.
Pending users
If you have enabled user approval, new users are placed in a pending state. For information about removing a pending user, see Remove a pending user.
Restoring users
You can restore a user from the admin console by choosing the Restore user option.
When a user is restored, they regain access to Tailscale on this tailnet, including the devices they owned when they were restored. More specifically, restored users can do the following:
- Reconnect to other devices in the tailnet, as allowed by ACLs
- Add new devices to the tailnet
- Access the admin console, if allowed based on their role
- Use pre-existing API access tokens and auth keys, if they have not expired
Managing user resources
- Machines for suspended users are suspended, and can be deleted or reassigned. Machines for deleted users are deleted. A machine can be re-assigned to a tag, or a new user can log into it. If new user logs into the machine, it’s recognized as a new machine.
- API keys for suspended users are suspended. API keys for deleted users are automatically revoked. They cannot be reassigned. You must create a new API key or an OAuth client.
- Auth keys for suspended users are suspended. Auth keys for deleted users are automatically revoked. They cannot be reassigned. You must create a new auth key or an OAuth client.
Managing inactive users
If a user does not own any devices and has not logged into Tailscale in more than 7 days, and is not an Owner, Admin, Network admin, or IT admin , they are shown as Inactive in the users page.
Leaving a tailnet
You cannot delete yourself from a network or leave a network. Ask your administrator to remove your account. You can, however, delete your account by contacting support.
Deleting a tailnet
If you decide you want to delete your entire tailnet, see the Deleting your tailnet article.