User & group provisioning for Google Workspace

This feature is available for the Enterprise plan.

Google Workspace User & group provisioning is currently in beta.

Tailscale's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy including the Limited Use requirements.

Tailscale supports synchronizing Google Workspace users and groups for use in Tailscale access controls.

With group sync, you can refer to a group from Google in your tailnet policy file, with a human-readable name.
With user sync, you can onboard and offboard users easily to Tailscale. For related information, see Offboarding when using user & group provisioning.

Prerequisites

You need a Google Workspace account.
You need a Tailscale network (known as a tailnet).
Your tailnet's identity provider needs to be Google.

Set up Google User & Group sync

You need to be an Owner, Admin, or IT admin in Tailscale to complete these steps.

Open the Tailscale User management page.
In the Google Sync section, select Enable.
In the https://login.tailscale.com/googlesync/auth page, select Authorize with Google.
In the Choose an account page, select your Google Workspace super user account.
In the Sign in page, select Continue.
When prompted to allow access to your tailnet, select Allow.

When you enable Google Sync for the very first time, no users or groups will be added unless you specify groups explicitly or select the Sync All Users option.

By default, Google Sync only adds users from groups you selected. But if you'd like to mirror all of your Google Workspace users, then you can enable the Sync all users option which will immediately start provisioning users to your tailnet.

Manage Groups

By default, a group and its members does not sync into your tailnet unless you explicitly select it.

You need to be an Owner, Admin, or IT admin in Tailscale to complete these steps.

Open the Tailscale User management page.
In the Google Sync section, select the menu and then select Manage groups.

If a group is renamed in Google Admin Console, the reference does not rename. You will always use the group email to reference the group in your Tailscale ACL rules.

Force a sync

You need to be an Owner, Admin, or IT admin in Tailscale to complete these steps.

Open the Tailscale User management page.
In the Google Sync section, select the menu and then select Force sync.

Disable Google User & Group sync

You need to be an Owner, Admin, or IT admin in Tailscale to complete these steps.

Open the Tailscale User management page.
In the Google Sync section, select the menu and then select Disable.
Follow the prompts to confirm and disable Google User & Group sync.

Limitations

The maximum number of groups that can be synced is 100.
After a new group is created in Google Workspace, a Tailscale Owner, Admin, or IT admin needs to open the Google Group Sync page and select the group to allow syncing of the group.
Users that do not share the same domain as the tailnet's domain are skipped.