Disable Local Authentication

If you prefer to delegate all credential storage and authentication to your IdP while still utilizing NetBird's new, simplified IdP connection flow, you can completely disable local (email/password) authentication.

This is useful when you want to:

• Enforce that all users authenticate via external identity providers only
• Simplify end user login by directing users to your external IdP when logging in to NetBird
• Prevent local password-based logins while still using NetBird's simplified IdP connection flow
• Maintain a single source of truth for user credentials in your external IdP

Prerequisites

Before disabling local authentication:

1. Configure an external IdP connector following the Authentication Guide.
2. Log out and log in with your new admin account via the external IdP. NetBird will notify you that the user requires approval.
3. Log back in as your original NetBird-local admin and navigate to Team > Users. You should see the new IdP user pending approval:

4. Approve the request, click on the user, select Owner as the role, confirm the ownership transfer, and save.

5. Verify you can log in via the external IdP with full owner access.

Configuration

Update your management.json to disable local authentication:

{
  "EmbeddedIdP": {
    "Enabled": true,
    "LocalAuthDisabled": true
  }
}

After updating the configuration, restart the Management service. The local login option will no longer appear on the login page—users will only see the configured external identity providers.

Re-enabling Local Authentication

To restore local authentication, set LocalAuthDisabled to false (or remove the option) and restart the Management service. All previously created local users will be able to log in again with their existing passwords.