User & group provisioning for Google Workspace

This feature is available for the Enterprise plan.

Google Workspace User & group provisioning is currently in beta.

Tailscale's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy including the Limited Use requirements.

Tailscale supports synchronizing Google Workspace users and groups for use in Tailscale access controls.

With group sync, you can refer to a group from Google in your tailnet policy file, with a human-readable name.
With user sync, you can onboard and offboard users easily to Tailscale. For related information, see Offboarding when using user & group provisioning.

Prerequisites

You need a Google Workspace account.
You need a Tailscale network (known as a tailnet).
Your tailnet's identity provider needs to be Google.

Set up Google User & Group sync

You need to be an Owner, Admin, or IT admin in Tailscale to complete these steps.

Open the Tailscale User management page.
In the Google Sync section, select Enable.
In the https://login.tailscale.com/googlesync/auth page, select Authorize with Google.
In the Choose an account page, select your Google Workspace super user account.
In the Sign in page, select Continue.
When prompted to allow access to your tailnet, select Allow.

Note that currently all users in your Google Workspace will become users of your tailnet regardless of whether they are in a group that you select.

If a group is renamed in Google Admin Console, the reference does not rename. You will always use the group email to reference the group in your Tailscale ACL rules.

Force a sync

You need to be an Owner, Admin, or IT admin in Tailscale to complete these steps.

Open the Tailscale User management page.
In the Google Sync section, select the menu and then select Force sync.

Disable Google User & Group sync

You need to be an Owner, Admin, or IT admin in Tailscale to complete these steps.

Open the Tailscale User management page.
In the Google Sync section, select the menu and then select Disable.
Follow the prompts to confirm and disable Google User & Group sync.

Limitations

All users in your Google Workspace will become users of your tailnet regardless of whether they are in a group you selected.
The maximum number of groups that can be synced is 100.
After a new group is created in Google Workspace, a Tailscale Owner, Admin, or IT admin needs to open the Google Group Sync page and select the group to allow syncing of the group.