v25.9.1 expands identity and overlay capabilities — group-based ACLs, M365 directory sync, gated resources via access screens, and Tailscale integration for distributed deployments.
Highlights
ACLs by user group
Permissions can now be written against user groups instead of individual users. A group like Operators or Maintenance Vendors resolves to its current members at policy evaluation time. When a user joins or leaves a group in the directory, ACL coverage follows automatically — no per-policy rewrite.
Microsoft 365 identity synchronization
Access Gate now synchronizes users and groups directly from Microsoft 365. Identity updates propagate without manual re-import; group membership stays in sync with the source of truth. Combined with group-based ACLs above, the whole access posture follows the directory.
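The behavior described in the two items above (group subjects resolved at policy evaluation time against a synced directory), modeled as an added example; it is not Access Gate code and does not use its policy format or API. The `Directory`, `Rule`, `is_allowed` and `expand_at_write_time` names, the `plc-7` resource and the user names are hypothetical; the group name is taken from the text above.

```python
from dataclasses import dataclass, field

@dataclass
class Directory:
    """Constructed stand-in for the synced directory: group name -> members."""
    groups: dict = field(default_factory=dict)
    def sync(self, snapshot):
        # Replace local membership with the source of truth's current state.
        self.groups = {g: set(m) for g, m in snapshot.items()}
    def members(self, group):
        return self.groups.get(group, set())

@dataclass(frozen=True)
class Rule:
    subject_type: str  # "user" or "group"
    subject: str
    resource: str

def is_allowed(directory, rules, user, resource):
    """Default deny. Group subjects are resolved now, not when the rule was written."""
    for r in rules:
        if r.resource != resource:
            continue
        if r.subject_type == "user" and r.subject == user:
            return True
        if r.subject_type == "group" and user in directory.members(r.subject):
            return True
    return False

def expand_at_write_time(directory, rules):
    """Contrast case: freezing a group into per-user rules leaves stale grants."""
    out = []
    for r in rules:
        if r.subject_type == "group":
            out += [Rule("user", u, r.resource) for u in sorted(directory.members(r.subject))]
        else:
            out.append(r)
    return out

def demo():
    d = Directory()
    d.sync({"Maintenance Vendors": ["vendor1", "vendor2"]})  # constructed members
    rules = [Rule("group", "Maintenance Vendors", "plc-7"), Rule("user", "alice", "plc-7")]
    frozen = expand_at_write_time(d, rules)
    d.sync({"Maintenance Vendors": ["vendor2"]})  # vendor1 leaves the group
    return {"late_bound_vendor1": is_allowed(d, rules, "vendor1", "plc-7"),
            "frozen_vendor1": is_allowed(d, frozen, "vendor1", "plc-7"),
            "late_bound_vendor2": is_allowed(d, rules, "vendor2", "plc-7"),
            "per_user_alice": is_allowed(d, rules, "alice", "plc-7")}
```

In this model, `demo()` shows the departed member losing access under evaluation-time resolution while the frozen per-user expansion still grants it, and the rule written against an individual user keeps working alongside the group rule.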
Gate resources via access screens
Access screens can now front individual resources — not just the broad enclave. Operators can require explicit user approval before a session reaches a specific asset, with per-resource policy and audit.
Tailscale integration for overlay
Assets and tailnets synchronize bidirectionally with Tailscale via its API. The Virtual IP settings screen lists every tailnet available on the account, and assets observed in a tailnet appear in the Access Gate inventory without manual entry. Useful for distributed deployments where Tailscale already carries overlay traffic.
Dedicated overlay network
A dedicated network is now available to carry packets to the overlay, separated from general LAN traffic. Simplifies firewall rules and makes overlay-bound traffic clearly identifiable for monitoring.
Scheduled background tasks
Administrative tasks can now be scheduled on a cron-like timer — backups, log rotations, health checks — without external automation.
Feature additions
- IP no longer mandatory to create a user — create user records in advance of IP assignment; the user can be provisioned without waiting for network presence.
Bug fixes
UI / consistency
- Users/Assets page consistency fixes — unified table layout and sorting behavior between the two views.
Upgrade notes
- M365 sync requires an admin consent grant the first time it's configured. Existing users are not disturbed on upgrade; sync is opt-in per tenant.
- ACL policies written against individual users continue to work; the group form is an addition, not a replacement.
- Tailscale integration is opt-in and requires an API token configured per tenant.