Note: If your enterprise uses Enterprise Managed Users, you cannot use team synchronization and must instead configure SCIM to manage membership with your identity provider. For more information, see "Configuring SCIM provisioning for Enterprise Managed Users."
If you use Azure AD as your IdP, you can enable team synchronization for your enterprise account to allow organization owners and team maintainers to synchronize teams in the organizations owned by your enterprise accounts with IdP groups.
When you synchronize a GitHub team with an IdP group, changes to the IdP group are reflected on GitHub Enterprise Cloud automatically, reducing the need for manual updates and custom scripts. You can use an IdP with team synchronization to manage administrative tasks such as onboarding new members, granting new permissions for movements within an organization, and removing member access to the organization.
After you enable team synchronization, team maintainers and organization owners can connect a team to an IdP group on GitHub or through the API. For more information, see "Synchronizing a team with an identity provider group" and "Team synchronization."
Warning: When you disable team synchronization, any team members that were assigned to a GitHub team through the IdP group are removed from the team and may lose access to repositories.
You can also configure and manage team synchronization for an individual organization. For more information, see "Managing team synchronization for your organization."
There are usage limits for the team synchonization feature. Exceeding these limits will lead to a degredation in performance and may cause synchronization failures.
- Maximum number of members in a GitHub team: 5,000
- Maximum number of members in a GitHub organization: 10,000
- Maximum number of teams in a GitHub organization: 1,500
You or your Azure AD administrator must be a Global administrator or a Privileged Role administrator in Azure AD.
You must enforce SAML single sign-on for organizations in your enterprise account with your supported IdP. For more information, see "Configuring SAML single sign-on for your enterprise."
You must authenticate to your enterprise account using SAML SSO and the supported IdP. For more information, see "Authenticating with SAML single sign-on."
To enable team synchronization for Azure AD, your Azure AD installation needs the following permissions.
- Read all users’ full profiles
- Sign in and read user profile
- Read directory data
In the top-right corner of GitHub.com, click your profile photo, then click Your enterprises.
In the list of enterprises, click the enterprise you want to view.
In the enterprise account sidebar, click Settings.
In the left sidebar, click Security.
Confirm that SAML SSO is enabled. For more information, see "Managing SAML single sign-on for your organization."
Under "Team synchronization", click Enable for Azure AD.
Confirm team synchronization.
- If you have IdP access, click Enable team synchronization. You'll be redirected to your identity provider's SAML SSO page and asked to select your account and review the requested permissions.
- If you don't have IdP access, copy the IdP redirect link and share it with your IdP administrator to continue enabling team synchronization.
Review the details for the IdP tenant you want to connect to your enterprise account, then click Approve.
To disable team synchronization, click Disable team synchronization.