
Abilities and restrictions of managed user accounts

If you centrally manage identity and access for your enterprise members on GitHub from your identity provider (IdP), some abilities and restrictions apply for your users' experience on GitHub.com.

About Enterprise Managed Users

With Enterprise Managed Users, you can control the user accounts of your enterprise members through your identity provider (IdP). For more information, see "About Enterprise Managed Users."

Abilities and restrictions of managed user accounts

Managed user accounts can only contribute to private and internal repositories within their enterprise and private repositories owned by their user account. Managed user accounts have read-only access to the wider GitHub community. These visibility and access restrictions for users and content apply to all requests, including API requests.

  • Managed user accounts authenticate using only your identity provider, and have no password or two-factor authentication methods stored on GitHub. As a result, they do not see the sudo prompt when taking sensitive actions. For more information, see "Sudo mode."

  • Managed user accounts cannot be invited to organizations or repositories outside of the enterprise, nor can the managed user accounts be invited to other enterprises.

  • Managed user accounts and the content they create are only visible to other members of the enterprise.

  • Other GitHub users cannot see, mention, or invite a managed user account to collaborate.

  • Managed user accounts can view all public repositories on GitHub.com, but cannot interact with repositories outside of the enterprise in any of the following ways:

    • Push code to the repository
    • Create issues or pull requests within the repository
    • Create or comment on discussions within the repository
    • Comment on issues or pull requests, or add reactions to comments
    • Star, watch, or fork the repository

  • Managed user accounts cannot create gists or comment on gists.

  • Managed user accounts cannot create personalised profiles.

  • Managed user accounts cannot follow users outside of the enterprise.

  • Managed user accounts cannot create starter workflows for GitHub Actions.

  • Managed user accounts cannot install GitHub Apps on their user accounts.

  • Managed user accounts can install a GitHub App on a repository if the app does not request organization permissions and if the managed user account has admin access to the repositories that they are granting the app access to.

  • Managed user accounts can install a GitHub App on an organization if the managed user account is an organization owner.

  • You can choose whether managed user accounts are able to create repositories owned by their user accounts. For more information, see "Enforcing repository management policies in your enterprise."

  • If you allow managed user accounts to create repositories owned by their user accounts, they can only own private repositories and can only invite other enterprise members to collaborate on their user-owned repositories.

  • Managed user accounts cannot fork repositories from outside of the enterprise. Managed user accounts can fork private or internal repositories owned by organizations in the enterprise into their user account namespace or other organizations owned by the enterprise, as specified by enterprise policy.

  • Only private and internal repositories can be created in organizations owned by an enterprise with managed users, depending on organization and enterprise repository visibility settings.

  • Outside collaborators are not supported by Enterprise Managed Users, but guest collaborators are. For more information, see "Roles in an enterprise."

  • Managed user accounts are limited in their use of GitHub Pages. For more information, see "About GitHub Pages."

  • Managed user accounts cannot sign up for GitHub Copilot Individual. To allow a managed user to use Copilot, you must grant the user access to a Copilot Business or Copilot Enterprise subscription. For more information, see "About GitHub Copilot."

  • Managed user accounts can only create and use codespaces that are owned and paid for by their organization or enterprise. This means that managed user accounts:

    • Can create codespaces for repositories owned by their organization, or forks of these repositories, provided that the organization can pay for GitHub Codespaces. For more information, see "Choosing who owns and pays for codespaces in your organization."
    • Cannot create codespaces for their personal repositories, other than forks of repositories owned by their organization; for any other repositories outside their organization; or from GitHub's public templates for GitHub Codespaces.
    • Cannot publish a codespace created from a template to a new repository.

  • Entitlement minutes for GitHub-hosted runners are not available for managed user accounts. Enterprise Managed Users who would like to contribute to repositories in organizations they are not a member of can fork the organization repo, then open a pull request targeting the organization repository. This runs the workflows on the organization's GitHub-hosted runners.

  • Managed user accounts can create GitHub Apps and OAuth apps.

    Note: Even an OAuth app created by a managed user account or organization with managed users can be accessed by users outside the enterprise.

  • Owners of an enterprise with Enterprise Managed Users can manage the automatic enablement of GitHub Advanced Security features such as secret scanning for new user-owned repositories with an enterprise level setting. For more information, see "Managing GitHub Advanced Security features for your enterprise."

  • Managed user accounts do not have access to the GitHub Certifications program.