Skip to main content

Getting started with Enterprise Managed Users

Learn how to create and configure an enterprise with managed users.

Before your developers can use GitHub Enterprise Cloud with Enterprise Managed Users, you must follow a series of configuration steps.

Create a new enterprise account

To use Enterprise Managed Users, you need a separate type of enterprise account with Enterprise Managed Users enabled.

To request a new enterprise account, contact GitHub's Sales team. You'll discuss options for trialing Enterprise Managed Users or migrating from an existing enterprise.

When you're ready, your contact on the GitHub Sales team will create your new enterprise with managed users. You'll be asked to provide the following information:

  • The email address for the user who will set up your enterprise.
  • A short code that will be used as the suffix for your enterprise members' usernames. The short code must be unique to your enterprise, a three-to-eight character alphanumeric string, and contain no special characters.

Create the setup user

After we create your enterprise, you will receive an email inviting you to choose a password for the setup user, which is used to configure authentication and provisioning. The username is your enterprise's shortcode suffixed with _admin, for example fabrikam_admin.

Using an incognito or private browsing window:

  1. Set the user's password.
  2. Save the user's recovery codes.
  3. Enable two-factor authentication. See "Configuring two-factor authentication."

If you need to reset the password for your setup user, contact GitHub Support through the GitHub Support portal.

Create a personal access token

Next, create a personal access token that you can use to configure provisioning.

  • You must be signed in as the setup user when you create the token.
  • The token must have admin:enterprise scope.
  • The token must have no expiration.

To learn how to create a personal access token (classic), see "Managing your personal access tokens."

Configure authentication

Next, configure how your members will authenticate.

If you're using Entra ID as your IdP, you can choose between OpenID Connect (OIDC) and Security Assertion Markup Language (SAML).

  • We recommend OIDC, which includes support for Conditional Access Policies (CAP).
  • If you require multiple enterprises provisioned from one tenant, you must use SAML for each enterprise after the first.

If you're using another IdP, like Okta or PingFederate, you must use SAML to authenticate your members.

To get started, read the guide for your chosen authentication method.

Configure provisioning

After you configure authentication, you can configure SCIM provisioning, which is how your IdP will create managed user accounts on GitHub. See "Configuring SCIM provisioning for Enterprise Managed Users."

Manage organization membership

After authentication and provisioning are configured, you can start managing organization membership for your managed user accounts by synchronizing IdP groups with teams. See "Managing team memberships with identity provider groups."

Support developers with multiple user accounts

Developers may need to maintain separate, personal accounts for their work outside of your enterprise with managed users. You can help them manage multiple accounts by providing the following resources:

  • On the command line, developers can configure Git to simplify the process of using multiple accounts. See "Managing multiple accounts."
  • In the web interface, developers can switch between accounts without always needing to re-authenticate. See "Switching between accounts."