Deleting and suspending users
You can delete and suspend users who should no longer be on your Tailscale network (known as a tailnet) in the admin console, to prevent them from using Tailscale without permanently deleting their devices.
You need to be an Owner, Admin, or IT admin of a tailnet in order to delete a user.
- Open the Users page of the admin console.
- Find the row corresponding to the user you are interested in.
- Click on the menu at the far right and select the Delete user option.
- Done. The user is deleted.
When a user is deleted from your network:
- User devices are deleted. The device keys are removed from the coordination server so that any further requests from those devices to connect to the network are blocked.
- API access tokens and auth keys for the user stop working
- These actions usually happens within seconds
To delete a user with the Owner role, you must first assign a different user as the tailnet Owner, then delete the desired user.
If you have user & group provisioning enabled on your tailnet, we recommend you use SCIM to automatically deprovision users.
- If using Okta, deactivate the user in Okta. This will automatically suspend the user in Tailscale. Then, you can delete the suspended user in Tailscale.
- If using Microsoft Entra ID, delete the user in Microsoft Entra ID. This will automatically suspend the user in Tailscale, and approximately 30 days later they are deleted in Tailscale.
If you don’t want to delete a user from your network right away, but want to restrict them from using Tailscale, you can suspend the user.
You need to be an Owner, Admin, or IT admin of a tailnet in order to suspend and restore a user.
Find the row corresponding to the user you are interested in.
Click on the menu at the far right and select the Suspend user option.
The user is shown as Suspended in the users page.
When a user is suspended, they cannot use Tailscale on this tailnet. That means:
- Their devices are not able to connect to other devices in the tailnet, including other devices they own
- They cannot add new devices to the tailnet. If they try to sign in on a device, they will get an error that they are suspended
- They cannot access the admin console
- Their API access tokens and auth keys stop working
If someone else has access to their devices, they can re-authenticate or tag these devices and use them in the same tailnet.
You can restore a user from the admin console by choosing the Restore user option.
When a user is restored, they regain access to Tailscale on this tailnet, including the devices they owned when they were restored. More specifically, restored users can do the following:
- Reconnect to other devices in the tailnet, as allowed by ACLs
- Add new devices to the tailnet
- Access the admin console, if allowed based on their role
- Use pre-existing API access tokens and auth keys, if they have not expired
- Machines for suspended users are suspended, and can be deleted or reassigned. Machines for deleted users are deleted. A machine can be re-assigned to a tag, or a new user can log into it. If new user logs into the machine, it’s recognized as a new machine.
- API keys for suspended users are suspended. API keys for deleted users are automatically revoked. They cannot be reassigned. You must create a new API key or an OAuth client.
- Auth keys for suspended users are suspended. Auth keys for deleted users are automatically revoked. They cannot be reassigned. You must create a new auth key or an OAuth client.
If a user is not the Owner and has not signed in or used Tailscale for more than 7 days, they are shown as Idle in the Users page of the admin console.
You cannot delete yourself from a network or leave a network. Ask your administrator to remove your account. You can, however, delete your account by contacting support.
If you decide you want to delete your entire tailnet, see the Deleting your tailnet article.