User approval

User approval is a feature that allows Tailscale network administrators to review and approve new users before they can join the network.

This feature is available for all plans.
User approval is currently in beta.

When user approval is enabled, the first time a new user logs in to a tailnet, the user’s status is set to pending. While in a pending state, the user can connect their device to the Tailscale coordination server, but cannot connect to other devices on the tailnet. An Owner, Admin, or Network admin of the tailnet can review the user information and set the user status to approved, or remove the user.

User approval is disabled by default.

Enable user approval for your network

You need to be an Owner, Admin, or Network admin of a tailnet in order to enable user approval.

To enable user approval, open the User management page of the admin console and enable User Approval.

Once this setting is enabled, new users that access your network cannot send or receive traffic to other devices until they are approved. When a new user logs in, the user’s device appears in the Machines page of the admin console with the User needs approval badge. You can use a filter to find all machines that have the User needs approval badge.

Approve a pending user

You need to be an Owner, Admin, or Network admin of a tailnet in order to approve a user.

To approve a user, open the Users page of the admin console. At the top of the list you should see the user with a Needs approval badge beneath them. You can find the user by user name, and also use a filter to find users whose status is needs approval.

You can review details about the user before deciding whether to approve the user. You can also change the role to assign the user. For example, an Admin could change an unapproved user’s role from Member to IT admin, before approving the user.

When you’re ready to approve the user, click on the ellipsis icon menu and select Approve to allow the user to connect to your network.

After approval, the user will immediately be able to connect.

Remove a pending user

You need to be an Owner, Admin, or Network admin of a tailnet in order to remove a user whose status is pending.

To remove a user, open the Users page of the admin console. At the top of the list you should see the user with a Needs approval badge beneath them. You can find the user by user name, and also use a filter to find users whose status is needs approval.

For the user that your want to remove, click on the ellipsis icon menu and select Remove.

Note that removing a pending user does not prevent them from trying to log in (to a pending state) again.

Disable user approval for your network

You need to be an Owner, Admin, or Network admin of a tailnet in order to disable user approval.

To disable user approval, open the User management page of the admin console and disable User Approval.

Impact on other features

If you enable User & group provisioning for your tailnet, you cannot enable user approval because both cannot be enabled. If user approval is enabled, and then you enable User and group provisioning, the user approval feature will be disabled—you will need to manually approve or remove any pending users.

Limitations

A tailnet can enable either user approval or User & group provisioning, but not both.