About Enterprise Managed Users

You can centrally manage identity and access for your enterprise members on GitHub from your identity provider.

To manage users in your enterprise with your identity provider, your enterprise must be enabled for Enterprise Managed Users, which are available with GitHub Enterprise Cloud. For more information, see "About Enterprise Managed Users."

About Enterprise Managed Users

With Enterprise Managed Users, you can control the user accounts of your enterprise members through your identity provider (IdP). You can simplify authentication with SAML single sign-on (SSO) and provision, update, and deprovision user accounts for your enterprise members. Users assigned to the GitHub Enterprise Managed User application in your IdP are provisioned as new user accounts on GitHub and added to your enterprise. You control usernames, profile data, team membership, and repository access from your IdP.

In your IdP, you can give each managed user the role of user, enterprise owner, or billing manager. Managed users can own organizations within your enterprise and can add other managed users to the organizations and teams within. For more information, see "Roles in an enterprise" and "About organizations."

You can also manage team membership within an organization in your enterprise directly through your IdP, allowing you to manage repository access using groups in your IdP. Organization membership can be managed manually or updated automatically as managed users are added to teams within the organization. For more information, see "Managing team memberships with identity provider groups."

You can grant managed users access and the ability to contribute to repositories within your enterprise, but managed users cannot create public content or collaborate with other users, organizations, and enterprises on the rest of GitHub. The managed users provisioned for your enterprise cannot be invited to organizations or repositories outside of the enterprise, nor can the managed users be invited to other enterprises. Outside collaborators are not supported by Enterprise Managed Users.

The usernames of your enterprise's managed users and their profile information, such as display names and email addresses, are set by through your IdP and cannot be changed by the users themselves. For more information, see "Usernames and profile information."

Managed users cannot fork repositories from outside of the enterprise or fork internal repositories. Managed users can fork private repositories owned by organizations in the enterprise into other organizations owned by the enterprise, or as a fork owned by the managed user.

Enterprise owners can audit all of the managed users' actions on GitHub.

To use Enterprise Managed Users, you need a separate type of enterprise account with Enterprise Managed Users enabled. For more information about creating this account, see "About enterprises with managed users."

Identity provider support

Enterprise Managed Users supports the following IdPs:

  • Azure Active Directory (Azure AD)
  • Okta

Abilities and restrictions of managed users

Managed users can only contribute to private and internal repositories within their enterprise and private repositories owned by their user account. Managed users have read-only access to the wider GitHub community.

  • Managed users cannot create issues or pull requests in, comment or add reactions to, nor star, watch, or fork repositories outside of the enterprise.
  • Managed users cannot push code to repositories outside of the enterprise.
  • Managed users and the content they create is only visible to other members of the enterprise.
  • Managed users cannot follow users outside of the enterprise.
  • Managed users cannot create gists or comment on gists.
  • Managed users cannot install GitHub Apps on their user accounts.
  • Other GitHub users cannot see, mention, or invite a managed user to collaborate.
  • Managed users can only own private repositories and managed users can only invite other enterprise members to collaborate on their owned repositories.
  • Only private and internal repositories can be created in organizations owned by an enterprise with managed users, depending on organization and enterprise repository visibility settings.

About enterprises with managed users

To use Enterprise Managed Users, you need a separate type of enterprise account with Enterprise Managed Users enabled. To try out Enterprise Managed Users or to discuss options for migrating from your existing enterprise, please contact GitHub's Sales team.

Your contact on the GitHub Sales team will work with you to create your new enterprise with managed users. You'll need to provide the email address for the user who will set up your enterprise and a short code that will be used as the suffix for your enterprise members' usernames. The short code must be unique to your enterprise, a three-to-eight character alphanumeric string, and contain no special characters. For more information, see "Usernames and profile information."

After we create your enterprise, you will receive an email from GitHub inviting you to choose a password for your enterprise's setup user, which will be the first owner in the enterprise. The setup user is only used to configure SAML single sign-on and SCIM provisioning integration for the enterprise. It will no longer have access to administer the enterprise account once SAML is successfully enabled.

The setup user's username is your enterprise's shortcode suffixed with _admin. After you log in to your setup user, you can get started by configuring SAML SSO for your enterprise. For more information, see "Configuring SAML single sign-on for Enterprise Managed Users."

If you need to reset the password for your setup user, use an incognito or private browsing window to request a new password. When the email arrives with the link to reset your password, copy the link into your browser. For more information on resetting your password, see "Requesting a new password ."

Authenticating as a managed user

Managed users must authenticate through their identity provider.

To authenticate, managed users must visit their IdP application portal or https://github.com/enterprises/ENTERPRISE_NAME, replacing ENTERPRISE_NAME with your enterprise's name.

Usernames and profile information

When your enterprise with managed users is created, you will choose a short code that will be used as the suffix for your enterprise member's usernames. The short code must be unique to your enterprise, a three-to-eight character alphanumeric string, and contain no special characters. The setup user who configures SAML SSO has a username in the format of @SHORT-CODE_admin.

When you provision a new user from your identity provider, the new managed user will have a GitHub Enterprise Cloud username in the format of @IDP-USERNAME_SHORT-CODE. When using Azure Active Directory (Azure AD), IDP-USERNAME is formed by normalizing the characters preceding the @ character in the UPN (User Principal Name) provided by Azure AD. When using Okta, IDP-USERNAME is the normalized username attribute provided by Okta.

The username of the new account provisioned on GitHub Enterprise Cloud, including underscore and short code, must not exceed 39 characters.

The profile name and email address of a managed user is also provided by the IdP. Managed users cannot change their profile name or email address on GitHub.

Did this doc help you?

Privacy policy

Help us make these docs great!

All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

Make a contribution

Or, learn how to contribute.