Configuring authentication and provisioning for your enterprise using Azure AD

You can use a tenant in Azure Active Directory (Azure AD) as an identity provider (IdP) to centrally manage authentication and user provisioning for your GitHub Enterprise Server instance.

Who can use this feature

Enterprise owners can configure authentication and provisioning for an enterprise on GitHub Enterprise Server.

About authentication and user provisioning with Azure AD

Azure Active Directory (Azure AD) is a service from Microsoft that allows you to centrally manage user accounts and access to web applications. For more information, see What is Azure Active Directory? in the Microsoft Docs.

To manage identity and access for GitHub Enterprise Server, you can use an Azure AD tenant as a SAML IdP for authentication. You can also configure Azure AD to provision user accounts and manage access automatically with SCIM, which lets you create GitHub Enterprise Server users and manage team and organization membership from your Azure AD tenant.

Note: SCIM for GitHub Enterprise Server is currently in private beta and is subject to change. For access to the beta, contact your account manager on GitHub's Sales team.

Warning: The beta is exclusively for testing and feedback, and no support is available. GitHub recommends testing with a staging instance. For more information, see "Setting up a staging instance."

After you enable SAML SSO and SCIM for GitHub Enterprise Server using Azure AD, you can accomplish the following from your Azure AD tenant.

  • Assign the GitHub Enterprise Server application on Azure AD to a user account to automatically create and grant access to a corresponding user account on GitHub Enterprise Server.
  • Unassign the GitHub Enterprise Server application from a user account on Azure AD to deactivate the corresponding user account on GitHub Enterprise Server.
  • Assign the GitHub Enterprise Server application to an IdP group on Azure AD to automatically create and grant access to user accounts on GitHub Enterprise Server for all members of the IdP group. In addition, the IdP group is available on GitHub Enterprise Server for connection to a team and its parent organization.
  • Unassign the GitHub Enterprise Server application from an IdP group to deactivate the GitHub Enterprise Server user accounts of all IdP users who had access only through that IdP group and remove the users from the parent organization. The IdP group will be disconnected from any teams on GitHub Enterprise Server.

For more information about managing identity and access for your enterprise on your GitHub Enterprise Server instance, see "Managing identity and access for your enterprise." For more information about synchronizing teams with IdP groups, see "Synchronizing a team with an identity provider group."

Prerequisites

Configuring authentication and user provisioning with Azure AD

In your Azure AD tenant, add the application for GitHub Enterprise Server, then configure provisioning.

  1. In the Azure AD tenant, in the left sidebar, click Provisioning.

  2. Under "Tenant URL", type the full endpoint URL for SCIM on your GitHub Enterprise Server instance. For more information, see "SCIM" in the REST API documentation.

  3. Under "Secret Token", type the personal access token that you created in step 4 of "Configuring user provisioning with SCIM for your enterprise."

  4. To verify that Azure AD can reach your GitHub Enterprise Server instance and that the token is accepted, click Test Connection.

  5. After you ensure a successful connection, at the top of the page, click Save.
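The check behind step 4, as an added example that is not code from GitHub or Microsoft: a small Python script that issues the same kind of authenticated SCIM request Azure AD sends when you click Test Connection and turns the outcome into a diagnosis. The tenant URL shape https://HOSTNAME/api/v3/scim/v2, the Bearer scheme for the personal access token, and the environment variable names GHES_SCIM_URL and GHES_SCIM_TOKEN are assumptions for illustration; take the real URL from the SCIM REST API documentation referenced in step 2. The script refuses a plain http tenant URL, because the secret token travels in the Authorization header of every provisioning call.

```python
"""Approximate Azure AD's "Test Connection" against a GHES SCIM endpoint.

Added example, not GitHub's or Microsoft's code. Assumptions: the tenant URL
looks like https://HOSTNAME/api/v3/scim/v2 (check the SCIM REST API docs for
your release) and the personal access token is sent as a Bearer token.
"""
import json
import urllib.error
import urllib.request

SCIM_LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def scim_probe_request(tenant_url: str, token: str) -> urllib.request.Request:
    """Build a minimal authenticated SCIM request: list at most one user.

    Refuses plain http: the token is in the Authorization header, so a
    non-TLS tenant URL would expose it on every provisioning call.
    """
    if not tenant_url.startswith("https://"):
        raise ValueError("tenant URL must use https; the secret token is sent on every request")
    url = tenant_url.rstrip("/") + "/Users?startIndex=1&count=1"  # assumed endpoint shape
    return urllib.request.Request(
        url,
        headers={
            "Authorization": "Bearer " + token,
            "Accept": "application/scim+json",
        },
    )


def classify_probe(status: int, body: bytes) -> str:
    """Turn the HTTP outcome into the diagnosis an operator needs.

    Only a 200 whose body is a SCIM ListResponse counts as a working
    connection; a 200 carrying HTML usually means the URL points at the
    web UI rather than the API.
    """
    if status == 401:
        return "rejected: token invalid, expired, or missing the scope the SCIM setup guide requires"
    if status == 403:
        return "forbidden: token accepted but its owner is not permitted to use SCIM"
    if status == 404:
        return "not found: tenant URL is wrong (check the path against the SCIM REST API docs)"
    if status != 200:
        return f"unexpected HTTP {status}"
    try:
        doc = json.loads(body)
    except ValueError:
        return "200 but non-JSON body: the URL probably serves a web page, not the SCIM API"
    if not isinstance(doc, dict) or SCIM_LIST_SCHEMA not in (doc.get("schemas") or []):
        return "200 but the body is not a SCIM ListResponse"
    return f"ok: SCIM endpoint reachable, totalResults={doc.get('totalResults')}"


def probe_connection(tenant_url: str, token: str) -> str:
    """Live probe; only used when run as a script with the env vars set."""
    req = scim_probe_request(tenant_url, token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_probe(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_probe(err.code, err.read())


if __name__ == "__main__":
    import os
    import sys

    tenant = os.environ.get("GHES_SCIM_URL")    # assumed variable names
    secret = os.environ.get("GHES_SCIM_TOKEN")
    if not (tenant and secret):
        sys.exit("set GHES_SCIM_URL and GHES_SCIM_TOKEN")
    print(probe_connection(tenant, secret))
```

Run it from a host that has the same network path to the instance as Azure AD does; a green result on your workstation says nothing if the instance is only reachable from inside your network. A 401 or 403 points at the token (who created it and what scope it has), a 404 or an HTML body points at the tenant URL.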

  1. Assign an enterprise owner for GitHub Enterprise Server in Azure AD. The process you should follow depends on whether you configured provisioning. For more information about enterprise owners, see "Roles in an enterprise."
    • If you configured provisioning, to grant the user enterprise ownership in GitHub Enterprise Server, assign the enterprise owner role to the user in Azure AD.
    • If you did not configure provisioning, to grant the user enterprise ownership in GitHub Enterprise Server, include the administrator attribute in the SAML assertion for the user account on the IdP, with the value of true. For more information about including the administrator attribute in the SAML claim from Azure AD, see How to: customize claims issued in the SAML token for enterprise applications in the Microsoft Docs.
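What the second option produces on the wire, as an added example that is not GitHub's or Microsoft's code: a constructed minimal SAML assertion carrying the administrator attribute, and a Python function that extracts it strictly (attribute Name exactly "administrator", value exactly "true") so that a misconfigured claim fails closed. The exact matching rule GitHub Enterprise Server applies is not stated on this page, so the strictness is an assumption of the example; the sample assertion is constructed, unsigned, and not a real Azure AD token.

```python
"""Extract the SAML 'administrator' attribute from an assertion.

Added example, not GitHub's or Microsoft's code. The sample assertion is
constructed for illustration (no signature, no Conditions element). Real
code must verify the assertion signature and validity window BEFORE reading
any attribute; an unsigned administrator=true claim must never be honoured.
"""
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the attribute statement once Azure AD is configured to
# emit a claim named "administrator" with the value true.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>octocat@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="administrator">
      <saml:AttributeValue>true</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attributes(assertion_xml: str) -> dict:
    """Map attribute Name -> list of string values from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def requests_enterprise_owner(assertion_xml: str) -> bool:
    """True only when the assertion carries a single administrator=true value.

    Strict matching is an assumption of this example: a missing attribute,
    "false", "1" or "True" all return False, so an IdP misconfiguration
    fails closed instead of silently granting enterprise ownership.
    """
    values = saml_attributes(assertion_xml).get("administrator", [])
    return values == ["true"]


def with_admin_value(value: str) -> str:
    """The sample assertion with a different administrator value, for experiments."""
    return SAMPLE_ASSERTION.replace(">true<", f">{value}<")


if __name__ == "__main__":
    print("sample assertion requests enterprise owner:",
          requests_enterprise_owner(SAMPLE_ASSERTION))
    print("value 'false':", requests_enterprise_owner(with_admin_value("false")))
```

When you add the claim in Azure AD, give it the name administrator and leave the namespace field empty: a namespace is prepended to the claim Name in the issued token, and the attribute would then no longer be named administrator. Use the SAML tracer in your browser, or the "Test" option on the single sign-on page in Azure AD, to confirm the attribute appears in the assertion with the value true for the intended user only.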