About Enterprise Managed Users

You can centrally manage identity and access for your enterprise members on GitHub from your identity provider.

To manage users in your enterprise with your identity provider, your enterprise must be enabled for Enterprise Managed Users, which is available with GitHub Enterprise Cloud. For more information, see "About Enterprise Managed Users."

About Enterprise Managed Users

With Enterprise Managed Users, you can control the user accounts of your enterprise members through your identity provider (IdP). You can simplify authentication with SAML single sign-on (SSO) and provision, update, and deprovision user accounts for your enterprise members. Users assigned to the GitHub Enterprise Managed User application in your IdP are provisioned as new user accounts on GitHub and added to your enterprise. You control usernames, profile data, team membership, and repository access from your IdP.

In your IdP, you can give each managed user the role of user, enterprise owner, or billing manager. Managed users can own organizations within your enterprise and can add other managed users to the organizations and teams within. For more information, see "Roles in an enterprise" and "About organizations."

Organization membership can be managed manually or updated automatically as managed users are added to IdP groups that are connected to teams within the organization. When a managed user is manually added to an organization, unassigning them from the GitHub Enterprise Managed User application on your IdP will suspend the user but not remove them from the organization. For more information about managing organization and team membership automatically, see "Managing team memberships with identity provider groups."

You can grant managed users access and the ability to contribute to repositories within your enterprise, but managed users cannot create public content or collaborate with other users, organizations, and enterprises on the rest of GitHub. The managed users provisioned for your enterprise cannot be invited to organizations or repositories outside of the enterprise, nor can the managed users be invited to other enterprises. Outside collaborators are not supported by Enterprise Managed Users.

The usernames of your enterprise's managed users and their profile information, such as display names and email addresses, are set through your IdP and cannot be changed by the users themselves. For more information, see "Usernames and profile information."

Managed users cannot fork repositories from outside of the enterprise or fork internal repositories. Managed users can fork private repositories owned by organizations in the enterprise into other organizations owned by the enterprise, or as a fork owned by the managed user.

Enterprise owners can audit all of the managed users' actions on GitHub.

To use Enterprise Managed Users, you need a separate type of enterprise account with Enterprise Managed Users enabled. For more information about creating this account, see "About enterprises with managed users."

Identity provider support

Enterprise Managed Users supports the following IdPs:

  • Azure Active Directory (Azure AD)
  • Okta

Abilities and restrictions of managed users

Managed users can only contribute to private and internal repositories within their enterprise and private repositories owned by their user account. Managed users have read-only access to the wider GitHub community. These visibility and access restrictions for users and content apply to all requests, including API requests.

  • Managed users cannot create issues or pull requests in, comment or add reactions to, nor star, watch, or fork repositories outside of the enterprise.
  • Managed users can view all public repositories on GitHub.com, but cannot push code to repositories outside of the enterprise.
  • Managed users and the content they create are only visible to other members of the enterprise.
  • Managed users cannot follow users outside of the enterprise.
  • Managed users cannot create gists or comment on gists.
  • Managed users cannot install GitHub Apps on their user accounts.
  • Other GitHub users cannot see, mention, or invite a managed user to collaborate.
  • Managed users can only own private repositories and managed users can only invite other enterprise members to collaborate on their owned repositories.
  • Only private and internal repositories can be created in organizations owned by an enterprise with managed users, depending on organization and enterprise repository visibility settings.

About enterprises with managed users

To use Enterprise Managed Users, you need a separate type of enterprise account with Enterprise Managed Users enabled. To try out Enterprise Managed Users or to discuss options for migrating from your existing enterprise, please contact GitHub's Sales team.

Your contact on the GitHub Sales team will work with you to create your new enterprise with managed users. You'll need to provide the email address for the user who will set up your enterprise and a short code that will be used as the suffix for your enterprise members' usernames. The short code must be unique to your enterprise, a three-to-eight character alphanumeric string, and contain no special characters. For more information, see "Usernames and profile information."

After we create your enterprise, you will receive an email from GitHub inviting you to choose a password for your enterprise's setup user, which will be the first owner in the enterprise. Use an incognito or private browsing window when setting the password. The setup user is only used to configure SAML single sign-on and SCIM provisioning integration for the enterprise. It will no longer have access to administer the enterprise account once SAML is successfully enabled.

The setup user's username is your enterprise's short code suffixed with _admin. After you log in to your setup user, you can get started by configuring SAML SSO for your enterprise. For more information, see "Configuring SAML single sign-on for Enterprise Managed Users."

If you need to reset the password for your setup user, use an incognito or private browsing window to request a new password. When the email arrives with the link to reset your password, copy the link into your browser. For more information on resetting your password, see "Requesting a new password."

Authenticating as a managed user

Managed users must authenticate through their identity provider. To authenticate, a managed user can visit their IdP application portal or use the login page on GitHub.com.

Authenticating as a managed user via GitHub.com

  1. Navigate to https://github.com/login.
  2. In the "Username or email address" text box, enter your username including the underscore and short code. When the form recognizes your username, the form will update. You do not need to enter your password on this form.
  3. To continue to your identity provider, click Sign in with your identity provider.

Usernames and profile information

When your enterprise with managed users is created, you will choose a short code that will be used as the suffix for your enterprise members' usernames. The short code must be unique to your enterprise, a three-to-eight character alphanumeric string, and contain no special characters. The setup user who configures SAML SSO has a username in the format of @SHORT-CODE_admin.

When you provision a new user from your identity provider, the new managed user will have a GitHub username in the format of @IDP-USERNAME_SHORT-CODE.

GitHub username by identity provider:

Azure Active Directory (Azure AD)
  • IDP-USERNAME is formed by normalizing the characters preceding the @ character in the UPN (User Principal Name).
  • Guest accounts will have #EXT removed from the UPN.

Okta
  • IDP-USERNAME is the normalized username attribute provided by the IdP.

It's possible for a conflict to occur when provisioning users if the unique parts of the username provided by your IdP are removed when it is normalized. If you are unable to provision a user due to a username conflict, you should modify the username provided by your IdP.

The username of the new account provisioned on GitHub, including underscore and short code, must not exceed 39 characters.
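A pre-provisioning check for the rules above, as an added example that is not GitHub's code: it validates the short code, builds IDP-USERNAME_SHORT-CODE, and flags conflicts and names over 39 characters before users are assigned in the IdP. The normalize() function is an assumed stand-in, because this page does not state GitHub's normalization rule; the sample UPNs and the short code "octo" are constructed.

```python
import re
from collections import defaultdict

MAX_USERNAME_LEN = 39  # limit from this page; includes underscore and short code
SHORT_CODE_RE = re.compile(r"[A-Za-z0-9]{3,8}")  # 3-8 alphanumeric characters

def normalize(idp_username: str) -> str:
    """ASSUMPTION: stand-in normalizer, not GitHub's documented rule.
    Drops everything except ASCII letters, digits and hyphens, then
    lower-cases so that names differing only by case compare equal."""
    return re.sub(r"[^A-Za-z0-9-]", "", idp_username).lower()

def github_username(identifier: str, short_code: str, idp: str) -> str:
    """Build IDP-USERNAME_SHORT-CODE from an IdP identifier."""
    if not SHORT_CODE_RE.fullmatch(short_code):
        raise ValueError("short code must be 3-8 alphanumeric characters")
    if idp == "azure_ad":
        # Characters preceding the @ in the UPN; guest accounts lose #EXT.
        local = identifier.split("@", 1)[0].replace("#EXT", "")
    elif idp == "okta":
        local = identifier  # the username attribute provided by the IdP
    else:
        raise ValueError(f"unsupported IdP: {idp}")
    return f"{normalize(local)}_{short_code}"

def preflight(identifiers, short_code, idp):
    """Return (conflicts, too_long) for a batch of IdP identifiers."""
    by_name = defaultdict(list)
    for ident in identifiers:
        by_name[github_username(ident, short_code, idp)].append(ident)
    conflicts = {n: ids for n, ids in by_name.items() if len(ids) > 1}
    too_long = sorted(n for n in by_name if len(n) > MAX_USERNAME_LEN)
    return conflicts, too_long

# Constructed sample UPNs for illustration only.
SAMPLE_UPNS = [
    "mona.lisa@example.com",
    "monalisa@example.com",  # same name as above once "." is dropped
    "bob_example.org#EXT#@contoso.onmicrosoft.com",  # guest account
    "a-very-long-service-account-name-for-builds@example.com",
]

if __name__ == "__main__":
    conflicts, too_long = preflight(SAMPLE_UPNS, "octo", "azure_ad")
    print("conflicts:", conflicts)
    print("too long:", too_long)
```

Any identifier reported under conflicts or too_long needs its IdP username changed before assignment, since the provisioning attempt would otherwise fail.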

The profile name and email address of a managed user are also provided by the IdP. Managed users cannot change their profile name or email address on GitHub.
