Skip to main content

About Enterprise Managed Users

You can centrally manage identity and access for your enterprise members on GitHub from your identity provider.

About 企业托管用户

With 企业托管用户, you can control the user accounts of your enterprise members through your identity provider (IdP). Users assigned to the GitHub Enterprise 托管用户 application in your IdP are provisioned as new user accounts on GitHub and added to your enterprise. You control usernames, profile data, team membership, and repository access for the user accounts from your IdP.

In your IdP, you can give each 托管用户帐户 the role of user, enterprise owner, or billing manager. 托管用户帐户 can own organizations within your enterprise and can add other 托管用户帐户 to the organizations and teams within. For more information, see "Roles in an enterprise" and "About organizations."

Organization membership can be managed manually, or you can update membership automatically as 托管用户帐户 are added to IdP groups that are connected to teams within the organization. When a 托管用户帐户 is manually added to an organization, unassigning them from the GitHub Enterprise 托管用户 application on your IdP will suspend the user but not remove them from the organization. For more information about managing organization and team membership automatically, see "Managing team memberships with identity provider groups."

When your enterprise uses OIDC SSO, GitHub will automatically use your IdP's conditional access policy (CAP) IP conditions to validate user interactions with GitHub, when members change IP addresses, and each time a personal access token or SSH key is used. For more information, see "About support for your IdP's Conditional Access Policy."

You can grant 托管用户帐户 access to and the ability to contribute to repositories within your enterprise, but 托管用户帐户 cannot create public content or collaborate with other users, organizations, and enterprises on the rest of GitHub. For more information, see "Abilities and restrictions of 托管用户帐户."

The usernames of your enterprise's 托管用户帐户 and their profile information, such as display names and email addresses, are set by through your IdP and cannot be changed by the users themselves. For more information, see "Usernames and profile information."

托管用户帐户 不能复刻企业外部的存储库,也不能复刻内部存储库。 托管用户帐户 可以将企业中组织拥有的私有存储库复刻到企业拥有的其他组织中,或者作为 托管用户帐户 拥有的复刻。

Enterprise owners can audit all of the 托管用户帐户' actions on GitHub. For more information, see "Audit log events for your enterprise."

To use 企业托管用户, you need a separate type of enterprise account with 企业托管用户 enabled. For more information about creating this account, see "About enterprises with managed users."

Note: There are multiple options for identity and access management with GitHub Enterprise Cloud, and 企业托管用户 is not the best solution for every customer. For more information about whether 企业托管用户 is right for your enterprise, see "About authentication for your enterprise."

Identity provider support

企业托管用户 supports the following IdPs and authentication methods:

Azure Active Directory

Abilities and restrictions of 托管用户帐户

托管用户帐户 can only contribute to private and internal repositories within their enterprise and private repositories owned by their user account. 托管用户帐户 have read-only access to the wider GitHub community. These visibility and access restrictions for users and content apply to all requests, including API requests.

  • 托管用户帐户 cannot be invited to organizations or repositories outside of the enterprise, nor can the 托管用户帐户 be invited to other enterprises.
  • Outside collaborators are not supported by 企业托管用户.
  • 托管用户帐户 cannot create issues or pull requests in, comment or add reactions to, nor star, watch, or fork repositories outside of the enterprise.
  • 托管用户帐户 can view all public repositories on, but cannot push code to repositories outside of the enterprise.
  • 托管用户帐户 and the content they create is only visible to other members of the enterprise.
  • 托管用户帐户 cannot follow users outside of the enterprise.
  • 托管用户帐户 cannot create gists or comment on gists.
  • 托管用户帐户 cannot install GitHub 应用程序 on their user accounts.
  • Other GitHub users cannot see, mention, or invite a 托管用户帐户 to collaborate.
  • 托管用户帐户 can only own private repositories and 托管用户帐户 can only invite other enterprise members to collaborate on their owned repositories.
  • 托管用户帐户 不能复刻企业外部的存储库,也不能复刻内部存储库。 托管用户帐户 可以将企业中组织拥有的私有存储库复刻到企业拥有的其他组织中,或者作为 托管用户帐户 拥有的复刻。
  • Only private and internal repositories can be created in organizations owned by an 具有托管用户的企业, depending on organization and enterprise repository visibility settings.
  • 托管用户帐户 are limited in their use of GitHub Pages. For more information, see "About GitHub Pages."

Getting started with 企业托管用户

Before your developers can use GitHub Enterprise Cloud with 企业托管用户, you must follow a series of configuration steps.

  1. To use 企业托管用户, you need a separate type of enterprise account with 企业托管用户 enabled. To try out 企业托管用户 or to discuss options for migrating from your existing enterprise, please contact GitHub's Sales team.

    Your contact on the GitHub Sales team will work with you to create your new 具有托管用户的企业. You'll need to provide the email address for the user who will set up your enterprise and a short code that will be used as the suffix for your enterprise members' usernames. 短代码对于您的企业来说必须是唯一的,是一个三到八个字符的字母数字字符串,并且不包含任何特殊字符。 For more information, see "Usernames and profile information."

  2. After we create your enterprise, you will receive an email from GitHub inviting you to choose a password for your enterprise's setup user, which will be the first owner in the enterprise. Use an incognito or private browsing window when setting the password. The setup user is only used to configure single sign-on and SCIM provisioning integration for the enterprise. It will no longer have access to administer the enterprise account once SSO is successfully enabled. The setup user's username is your enterprise's shortcode suffixed with _admin.

    If you need to reset the password for your setup user, contact GitHub 支持 through the GitHub 支持门户.

  3. After you log in as the setup user, we recommend enabling two-factor authentication. For more information, see "Configuring two-factor authentication."

  4. To get started, configure how your members will authenticate. If you are using Azure Active Directory as your identity provider, you can choose between OpenID Connect (OIDC) and Security Assertion Markup Language (SAML). Both options provide a seamless sign-in experience for your members, but only OIDC includes support for Conditional Access Policies (CAP). If you are using Okta as your identity provider, you can use SAML to authenticate your members.

    To get started, read the guide for your chosen authentication method.

  5. Once you have configured SSO, you can configure SCIM provisioning. SCIM is how your identity provider will provision and manage member accounts and teams on For more information on configuring SCIM provisioning, see "Configuring SCIM provisioning for enterprise managed users."

  6. Once authentication and provisioning are configured, you can start provisioning members and managing teams. For more information, see "Managing team memberships with identity provider groups."

Authenticating as a 托管用户帐户

托管用户帐户 must authenticate through their identity provider. To authenticate, a 托管用户帐户 can visit their IdP application portal or use the login page on

如果 SAML 配置错误或身份提供程序 (IdP) 出现问题阻止您使用 SAML SSO,则可以使用恢复代码访问您的企业。 For more information, see "Managing recovery codes for your enterprise."

Authenticating as a 托管用户帐户 via

  1. Navigate to
  2. In the "Username or email address" text box, enter your username including the underscore and short code. Screenshot showing login form When the form recognizes your username, the form will update. You do not need to enter your password on this form.
  3. To continue to your identity provider, click Sign in with your identity provider. Screenshot showing "Sign in with your identity provider" button

Usernames and profile information

GitHub Enterprise Cloud automatically creates a username for each person by normalizing an identifier provided by your IdP. For more information, see "Username considerations for external authentication."

A conflict may occur when provisioning users if the unique parts of the identifier provided by your IdP are removed during normalization. If you're unable to provision a user due to a username conflict, you should modify the username provided by your IdP. For more information, see "Resolving username conflicts."

The profile name and email address of a 托管用户帐户 is also provided by the IdP. 托管用户帐户 cannot change their profile name or email address on GitHub, and the IdP can only provide a single email address.