Managing team synchronization for organizations in your enterprise

You can enable team synchronization between an identity provider (IdP) and GitHub Enterprise Cloud to allow organizations owned by your enterprise account to manage team membership through IdP groups.

Enterprise owners can manage team synchronization for an enterprise account.

Enterprise accounts are available with GitHub Enterprise Cloud and GitHub Enterprise Server. For more information, see "About enterprise accounts."

Note: If your enterprise uses Enterprise Managed Users, you cannot use team synchronization and must instead configure SCIM to manage membership with your identity provider. For more information, see "Configuring SCIM provisioning for Enterprise Managed Users."

About team synchronization for enterprise accounts

If you use Azure AD as your IdP, you can enable team synchronization for your enterprise account to allow organization owners and team maintainers to synchronize teams in the organizations owned by your enterprise account with IdP groups.

When you synchronize a GitHub team with an IdP group, changes to the IdP group are reflected on GitHub Enterprise Cloud automatically, reducing the need for manual updates and custom scripts. You can use an IdP with team synchronization to manage administrative tasks such as onboarding new members, granting new permissions for movements within an organization, and removing member access to the organization.

After you enable team synchronization, team maintainers and organization owners can connect a team to an IdP group on GitHub or through the API. For more information, see "Synchronizing a team with an identity provider group" and "Team synchronization."

Warning: When you disable team synchronization, any team members that were assigned to a GitHub team through the IdP group are removed from the team and may lose access to repositories.

You can also configure and manage team synchronization for an individual organization. For more information, see "Managing team synchronization for your organization."

Usage limits

There are usage limits for the team synchronization feature. Exceeding these limits will lead to a degradation in performance and may cause synchronization failures.

  • Maximum number of members in a GitHub team: 5,000
  • Maximum number of members in a GitHub organization: 10,000
  • Maximum number of teams in a GitHub organization: 1,500
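The following is an added example, not part of the GitHub documentation: a pre-enablement audit that walks the paginated REST endpoints for organization members, teams and team members and reports every documented limit the organization exceeds. The live fetcher assumes a `GITHUB_TOKEN` environment variable with `read:org` scope; `example-org`, `platform`, `everyone` and the `u<n>` logins are constructed sample data served by `sample_fetch` so the audit also runs offline.

```python
import json
import os
import urllib.request

LIMITS = {"team_members": 5000, "org_members": 10000, "org_teams": 1500}  # documented limits


def github_fetch(path):
    """Live fetcher (assumes GITHUB_TOKEN with read:org scope): GET one API page as JSON."""
    req = urllib.request.Request("https://api.github.com" + path, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": "Bearer " + os.environ["GITHUB_TOKEN"]})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def paginate(fetch, path, per_page=100):
    """Yield every item of a REST list endpoint, walking page= until a short page."""
    page = 1
    while True:
        items = fetch(f"{path}?per_page={per_page}&page={page}")
        yield from items
        if len(items) < per_page:
            return
        page += 1


def audit_team_sync_limits(org, fetch=github_fetch):
    """Return {limit: (observed, maximum)} for every documented limit the org exceeds."""
    teams = list(paginate(fetch, f"/orgs/{org}/teams"))
    observed = {"org_members": sum(1 for _ in paginate(fetch, f"/orgs/{org}/members")),
                "org_teams": len(teams)}
    for team in teams:  # per-team key carries the slug so the finding names the team
        observed[f"team_members:{team['slug']}"] = sum(
            1 for _ in paginate(fetch, f"/orgs/{org}/teams/{team['slug']}/members"))
    return {name: (n, LIMITS[name.split(":")[0]])
            for name, n in observed.items() if n > LIMITS[name.split(":")[0]]}


# Constructed offline data (no real accounts): one 5,001-member team trips the per-team limit.
SAMPLE = {
    "/orgs/example-org/members": [{"login": f"u{i}"} for i in range(120)],
    "/orgs/example-org/teams": [{"slug": "platform"}, {"slug": "everyone"}],
    "/orgs/example-org/teams/platform/members": [{"login": f"u{i}"} for i in range(12)],
    "/orgs/example-org/teams/everyone/members": [{"login": f"u{i}"} for i in range(5001)],
}


def sample_fetch(path):
    """Offline stand-in for github_fetch that serves SAMPLE one page at a time."""
    base, _, query = path.partition("?")
    per_page, page = (int(kv.split("=")[1]) for kv in query.split("&"))
    return SAMPLE[base][(page - 1) * per_page:page * per_page]
```

Run `audit_team_sync_limits("your-org")` with a real token to get the same report for a live organization; an empty dict means every documented limit is satisfied.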

Prerequisites

You or your Azure AD administrator must be a Global administrator or a Privileged Role administrator in Azure AD.

You must enforce SAML single sign-on for organizations in your enterprise account with your supported IdP. For more information, see "Configuring SAML single sign-on for your enterprise."

You must authenticate to your enterprise account using SAML SSO and the supported IdP. For more information, see "Authenticating with SAML single sign-on."

Managing team synchronization for Azure AD

To enable team synchronization for Azure AD, your Azure AD installation needs the following permissions.

  • Read all users’ full profiles
  • Sign in and read user profile
  • Read directory data

  1. In the top-right corner of GitHub.com, click your profile photo, then click Your enterprises.

  2. In the list of enterprises, click the enterprise you want to view.

  3. In the enterprise account sidebar, click Settings.

  4. In the left sidebar, click Security.

  5. Confirm that SAML SSO is enabled. For more information, see "Managing SAML single sign-on for your organization."

  6. Under "Team synchronization", click Enable for Azure AD.

  7. Confirm team synchronization.

    • If you have IdP access, click Enable team synchronization. You'll be redirected to your identity provider's SAML SSO page and asked to select your account and review the requested permissions.
    • If you don't have IdP access, copy the IdP redirect link and share it with your IdP administrator to continue enabling team synchronization.

  8. Review the details for the IdP tenant you want to connect to your enterprise account, then click Approve.

  9. To disable team synchronization, click Disable team synchronization.
