User & group provisioning for Google Workspace

This feature is available for the Free and Enterprise plans.

Google Workspace User & group provisioning is currently in private alpha. Therefore, this topic is currently hidden.

Tailscale’s use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy including the Limited Use requirements.

Tailscale supports synchronizing Google Workspace users and groups for use in Tailscale access controls.

With group sync, you can refer to a group from Google in your tailnet policy file, with a human-readable name.
With user sync, you can onboard and offboard users easily to Tailscale. For related information, see Offboarding when using user & group provisioning.

Setup

While this feature is in Alpha, contact support to enable synchronizing your Google Workspace users and groups.
Login with a Google Workspace super admin account.
Enable the Admin SDK, which provides the APIs used to sync between Google and Tailscale.
1. Open https://console.cloud.google.com.
2. If you do not have a Google Cloud Project, create one.
3. Search for Admin SDK.
4. Select Enable.
Add the Tailscale app to your Google Workspace:
1. Open https://admin.google.com.
2. Click Security, click Access and data control, click API controls, and then click Manage Third-Party App Access. If you do not see a Security tab, click Show more.
3. Add the app: 923467998409-avhhsu3j9043drh8s798htd48jo27ki8.apps.googleusercontent.com
Connect Tailscale to your Google Workspace:
1. Open https://login.tailscale.com as your Google Workspace super user.
2. Once logged in, directly visit the URL https://login.tailscale.com/googlesync/auth.
3. Follow the prompt and login to start Google User & Group sync.