Getting started: Enterprise Managed Users

Configuring GitHub Enterprise Cloud with Enterprise Managed Users (EMUs) requires coordination between several roles within your company, which may be held by different people. This guide covers the high-level aspects you need to be aware of so that you can bring the right people together to successfully configure your GitHub Enterprise environment.

First, provide your account team with the following information:

  • Initial admin user email address (we recommend a service account user or group distribution list, rather than being tied to a specific user inside your company)

  • The enterprise slug (the short identifier for your enterprise account in the URL https://github.com/enterprises/<your slug>)

  • The enterprise managed users namespace (also referred to as short code) which must be globally unique and be between 4 and 8 alphanumeric characters. It will be appended to everyone’s username in the form of username_namespace

The initial admin user account email address will receive an activation email, and the recipient must respond and set a password within 24 hours. Failing to do so means you will need to obtain a password reset, which adds friction to your setup.

Two major areas of responsibility in your company need to work together to set up your GitHub Enterprise account with EMUs easily: your Identity Management team and the team responsible for running and administering your GitHub Enterprise account.

Authentication

The GitHub Enterprise Admin user is used to bind the GitHub Enterprise account to your IdP of choice. In this guide we focus on Entra ID (formerly known as Azure AD).

There are two authentication bindings that you can configure: OIDC and SAML. The OIDC binding provides additional support for Entra ID Conditional Access Policies (CAP) IP conditions over the SAML binding. If you configure authentication using OIDC, you can leverage Entra ID CAP IP conditions to validate user interactions with GitHub.

The set up and binding process for the recommended OIDC option will require the following:

  • GitHub EMU admin account (named short-code_admin) with the password set

  • A user account in Entra ID with Global Admin rights 

Note that if the Entra ID and GitHub user accounts are owned by different parties in your company, you will need to share and communicate configuration options as you configure the Enterprise Application in Entra ID and then the GitHub Enterprise Authentication security settings.

Once the GitHub EMU admin account is logged in and has navigated to the Enterprise (https://github.com/enterprises/<your slug>), initiate the OIDC setup on the Settings >> Authentication security page. See the documentation on configuring OIDC for Enterprise Managed Users for detailed information.

User provisioning

After authentication has been configured, you can add user provisioning to GitHub. This allows user accounts for selected Entra ID users to be automatically created on the GitHub Enterprise Cloud platform.

In order for provisioning to work, it’s essential to establish a connection between the Entra ID Enterprise application for GitHub and your GitHub Enterprise account. To set up this connection, you will need the following:

  • An Entra ID user account with permission to configure provisioning, which requires one of the following roles: Application Administrator, Cloud Application Administrator, Application Owner or Global Administrator

    • If using Application Administrator or Application Owner, make sure that the permission applies to the GitHub Application for authentication you created

  • A personal access token (PAT) for the default GitHub Administrator account with admin:enterprise permission (do not use a personal user account for this, otherwise if/when that user is deprovisioned the bindings will break)

  • One or more Entra ID users assigned (or able to be assigned) to the Enterprise Application to provision them and test the SCIM provisioning

Refer to the steps to create the PAT and the steps to configure the provisioning within Azure AD with this PAT. 
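
Before pasting the PAT into the Entra ID provisioning configuration, it is worth confirming that it belongs to the setup admin account rather than a personal user and that it carries the admin:enterprise scope. The following pre-flight check is an added example, not part of the original guide or GitHub's tooling; it assumes a classic PAT (whose scopes GitHub reports in the X-OAuth-Scopes response header), the admin naming short-code_admin given above, hypothetical environment variable names, and it additionally flags extra scopes as a least-privilege warning.

```python
import json
import re
import urllib.request

REQUIRED_SCOPE = "admin:enterprise"              # scope named in this guide
SHORT_CODE_RE = re.compile(r"[A-Za-z0-9]{4,8}")  # 4 to 8 alphanumeric characters


def check_scim_token(login, scopes_header, short_code):
    """Return a list of problems; an empty list means the token passes."""
    problems = []
    if not SHORT_CODE_RE.fullmatch(short_code):
        problems.append("short code must be 4-8 alphanumeric characters")
    expected = f"{short_code}_admin"
    # GitHub logins are case-insensitive, so compare in lower case.
    if login.lower() != expected.lower():
        problems.append(f"token belongs to {login!r}, expected {expected!r}")
    scopes = {s.strip() for s in (scopes_header or "").split(",") if s.strip()}
    if REQUIRED_SCOPE not in scopes:
        problems.append(f"missing scope {REQUIRED_SCOPE}")
    extra = sorted(scopes - {REQUIRED_SCOPE})
    if extra:  # added least-privilege warning, not a requirement from the guide
        problems.append("extra scopes: " + ", ".join(extra))
    return problems


def fetch_token_identity(token, api="https://api.github.com"):
    """Ask GitHub which user the token belongs to and which scopes it has."""
    req = urllib.request.Request(
        f"{api}/user",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        login = json.load(resp)["login"]
        return login, resp.headers.get("X-OAuth-Scopes", "")


if __name__ == "__main__":
    import os
    # Hypothetical variable names; read the token from the environment
    # so it never appears in shell history or process arguments.
    login, scopes = fetch_token_identity(os.environ["GH_SCIM_TOKEN"])
    for line in check_scim_token(login, scopes, os.environ["GH_SHORT_CODE"]) or ["ok"]:
        print(line)
```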

Once provisioning is configured, you can add users to the GitHub Enterprise Managed User (OIDC) application in Entra ID and either wait for the next provisioning cycle or use manual provisioning. Make sure to assign the Enterprise Owner role to a couple of users so that they can administer the GitHub Enterprise account.

At this point, logging in to GitHub as one of the provisioned users (with username login_short-code) will redirect to Entra ID for authentication, and you should successfully access this user’s GitHub profile.

Still need help?

Check out the documentation on how to centrally manage identity and access for your enterprise members on GitHub from your identity provider (IdP).
