User & group provisioning for Azure AD
Tailscale supports System for Cross-domain Identity Management (SCIM) to integrate with Microsoft Azure Active Directory (Azure AD).
With group sync, you can refer to a group from Azure AD in your tailnet policy file, with a human-readable name.
With user sync, you can onboard and offboard users easily to Tailscale. For related information, see Offboarding when using user & group provisioning.
- When a user is deleted in Azure AD, they are first ‘soft’ deleted, which suspends the user in Tailscale. The user is then ‘hard’ deleted 30 days later in Azure AD, which causes them to be deleted in Tailscale.
- When a user is disabled in Azure AD, they are suspended in Tailscale.
The following provisioning features are supported:
- Create users in Tailscale from Azure AD
- Update user attributes in Tailscale from Azure AD
- Delete users in Azure AD to first suspend them in Tailscale, then after 30 days, delete them in Tailscale
- Disable users in Azure AD to suspend them in Tailscale
- Group push from Azure AD to Tailscale
- You need a Microsoft Azure Active Directory subscription.
- You need a tailnet.
- Your tailnet’s identity provider needs to be Azure AD. If your tailnet is not using Azure AD and you want to use it, contact support to migrate from your current identity provider to Azure AD.
Step-by-Step Configuration Instructions
You need to be an Owner, Admin, or IT admin in Tailscale to complete these steps.
Generate a SCIM API key
In the User management page of the admin console, click Enable Provisioning.
Copy the generated key to the clipboard.
Save the key information in a secure spot. You will need to use it when you configure Azure AD.
In Azure AD
You need to have an admin role for the Microsoft Azure portal to complete these steps.
Log in to the Microsoft Azure portal.
Click Azure Active Directory.
Under Manage in the left-hand navigation, click Enterprise applications.
Click New application.
In the Browse Azure AD Gallery page, click Create your own application.
In the Create your own application dialog:
- Enter a name for your application.
- Ensure that Integrate any other application you don’t find in the gallery (Non-gallery) is checked.
- Click Create.
In the application Overview page, under Manage in the left-hand navigation, click Provisioning.
Click Get started.
Set Provisioning Mode to Automatic.
Under Admin Credentials, for Tenant URL, enter
Note that the trailing parameter,
?aadOptscim062020, is required. For information about this parameter, see the Azure AD topic Flags to alter the SCIM behavior.
For Secret Token, enter the SCIM API key that you generated in the Tailscale admin console.
Click Test Connection.
A popup will display a message about whether the supplied credentials are authorized to enable provisioning.
In the Settings section, ensure Send an email notification when an error occurs is checked, and provide an email to use for the notification.
In the Settings section, choose to sync all users and groups, or only users and groups that are assigned the application. If you choose to only sync users and groups that are assigned the application, you will need to assign these under the Users and groups section in the left-hand navigation.
Ensure that Provisioning Status is set to On.
Return to the application’s Provisioning page. In the top menu, click Start Provisioning.
If you encounter issues after provisioning, open the application’s Overview page and then click Restart Provisioning.
Updating Azure AD Group Names
If you change the name of your group in Azure AD, the Tailscale ACLs for that group will no longer apply. The ACL is dependent on the name you configured in Azure AD, not on a group reference. Tailscale will fail closed, and you will see an error message in the admin console.
If you modified the name of the group, update the group in the ACL rule to the new group name. You can also revert the name change in Azure AD if this was unintentional.
- Currently you need to create your own application in the Microsoft Azure portal. We are working on a pre-integrated app.
- Azure AD syncs with Tailscale every 40 minutes. You cannot change this interval.
- Azure AD takes 30 days from ‘soft’ deletion to ‘hard’ deletion of a user. You cannot change this interval.
- Tailscale groups are parsed lowercased in the tailnet policy file, so any casing in Azure AD is ignored.
- If the name of your group changes, the ACLs for that group will no longer apply and Tailscale will fail closed.
- A user suspended in Azure AD will remain logged into Tailscale, and maintain access to all of their nodes and permissions granted by ACLs. They will only lose access as their device keys expire and they are blocked from re-authenticating new sessions with Azure AD.
- Groups unlinked in Azure AD that are retained in Tailscale are not synced to Tailscale.
- You cannot use group sync to assign Tailscale admins or other user roles.