User & group provisioning for Google Workspace
Tailscale's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy including the Limited Use requirements.
Tailscale supports synchronizing Google Workspace users and groups for use in Tailscale access controls.
- With group sync, you can refer to a group from Google in your tailnet policy file, with a human-readable name.
- With user sync, you can onboard and offboard users easily to Tailscale. For related information, see Offboarding when using user & group provisioning.
Prerequisites
- You need a Google Workspace account.
- You need a Tailscale network (known as a tailnet).
- Your tailnet's identity provider needs to be Google.
Set up Google User & Group sync
You need to be an Owner, Admin, or IT admin in Tailscale to complete these steps.
- Open the Tailscale User management page.
- In the Google Sync section, select Enable.
- In the https://login.tailscale.com/googlesync/auth page, select Authorize with Google.
- In the Choose an account page, select your Google Workspace super user account.
- In the Sign in page, select Continue.
- When prompted to allow access to your tailnet, select Allow.
When you enable Google Sync for the very first time, no users or groups will be added unless you specify groups explicitly or select the Sync All Users option.
Sync All Users
By default, Google Sync only adds users from groups you selected. To mirror all of your Google Workspace users, enable the Sync all users option, which immediately starts provisioning users to your tailnet.
Manage Groups
By default, a group and its members do not sync into your tailnet unless you explicitly select the group.
You need to be an Owner, Admin, or IT admin in Tailscale to complete these steps.
- Open the Tailscale User management page.
- In the Google Sync section, select the menu and then select Manage groups.
If a group is renamed in Google Admin Console, the reference is not renamed. You always use the group email to reference the group in your Tailscale ACL rules.
Unsync Unassigned Users
After adding groups and their members to your tailnet, you may want to remove users who were previously added using the Sync all users option and who are not part of the groups you added. To do so, use the Unsync unassigned users option.
You need to be an Owner, Admin, or IT admin in Tailscale to complete these steps.
- Open the Tailscale User management page.
- In the Google Sync section, select the menu and then select Unsync unassigned users.
Force a sync
You need to be an Owner, Admin, or IT admin in Tailscale to complete these steps.
- Open the Tailscale User management page.
- In the Google Sync section, select the menu and then select Force sync.
Disable Google User & Group sync
You need to be an Owner, Admin, or IT admin in Tailscale to complete these steps.
- Open the Tailscale User management page.
- In the Google Sync section, select the menu and then select Disable.
- Follow the prompts to confirm and disable Google User & Group sync.
Limitations
- The maximum number of groups that can be synced is 100.
- After a new group is created in Google Workspace, a Tailscale Owner, Admin, or IT admin needs to open the Google Group Sync page and select the group to allow syncing of the group.
- Users that do not share the same domain as the tailnet's domain are skipped.
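The following pre-flight check is an added example, not Tailscale's code. It models the sync rules described on this page (selected groups only by default, the Sync all users option, the 100-group limit, and skipping users outside the tailnet's domain) so you can review who would gain or lose access before changing settings. The function name, the shape of the directory export, and the flat (non-nested) group membership are assumptions.

```python
"""Pre-flight model of the sync rules described on this page (added example)."""

MAX_SYNCED_GROUPS = 100  # limit stated under Limitations


def plan_sync(tailnet_domain, groups, selected, all_users=(), sync_all=False):
    """Predict which users sync, and which are skipped, before changing settings.

    groups:    {group_email: [member_email, ...]} (hypothetical export shape)
    selected:  group emails chosen under Manage groups
    all_users: every Workspace user email; only used when sync_all is True
    """
    if len(selected) > MAX_SYNCED_GROUPS:
        raise ValueError(f"{len(selected)} groups selected; limit is {MAX_SYNCED_GROUPS}")
    unknown = sorted(g for g in selected if g not in groups)
    if unknown:
        raise ValueError(f"selected groups missing from export: {unknown}")

    def in_domain(email):
        # Compare the part after the last "@" with the tailnet's domain.
        return email.lower().rpartition("@")[2] == tailnet_domain.lower()

    assigned = {m.lower() for g in selected for m in groups[g]}
    candidates = assigned | ({u.lower() for u in all_users} if sync_all else set())
    synced = {u for u in candidates if in_domain(u)}
    return {
        "synced": sorted(synced),
        "skipped_other_domain": sorted(candidates - synced),
        # Users present only because of "Sync all users"; these are the ones
        # "Unsync unassigned users" would remove.
        "unassigned": sorted(synced - assigned),
        # Groups that exist in Google but still need selecting by an admin.
        "unselected_groups": sorted(set(groups) - set(selected)),
    }


# Constructed sample data, not from a real directory.
GROUPS = {
    "eng@example.com": ["alice@example.com", "bob@example.com"],
    "contractors@example.com": ["carol@partner.example", "bob@example.com"],
    "finance@example.com": ["dave@example.com"],
}
ALL_USERS = ["alice@example.com", "bob@example.com", "dave@example.com", "erin@example.com"]

if __name__ == "__main__":
    plan = plan_sync("example.com", GROUPS, ["eng@example.com", "contractors@example.com"],
                     ALL_USERS, sync_all=True)
    for key, value in plan.items():
        print(f"{key}: {value}")
```

Review the unassigned list before selecting Unsync unassigned users, and the skipped_other_domain list for accounts you expected to have access.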