Account domain best way to scale up?

New User says: Hi, we are in the process of scaling up our use of Tailscale for the organisation and we have been using one domain. However, we manage a number of domains in our Azure AD. How can we manage our users with different domains from our single AAD directory? Should we upgrade the plan?

Support says: The short answer is that our current backend doesn’t support making networks with a mix of users in different domains. Is that what you need? I might not be understanding the question.

We’ve done custom workarounds for other customers in the past to do such things, but we’re in the middle of changing our whole backend at the moment (in part to support such setups).

For now the easiest thing is to just administer each domain on Tailscale separately. But then each domain would be its own network, which may or may not be what you want.

New User: I would be happy to administer each domain separately for the short term while you work on delivering this functionality, but there is a mix of domains used by our different engineers. How would they all have access to the different nodes, which are also associated with specific domain accounts, right?

Support: If your engineers need to regularly access a mix of domains, then you need one big network, not a network per domain. Otherwise they’d have to log out + log in every time they wanted to switch domains (and they’d need an account on each domain). Fast user switching and/or multi-login are also things we’d like to do later.

We have a few techniques for supporting multiple domains with our current infrastructure while we finish up generic (SAML) support. The easiest is if your company also happens to use Okta, we can direct authentication through it.

If not, we may be able to set something up using Azure AD, though it will require a little custom work on our end. Could you please send me a list of the domains you use for logging in?