About team synchronization
If team sync is enabled for your organization or enterprise account, you can synchronize a GitHub team with an IdP group. When you synchronize a GitHub team with an IdP group, membership changes to the IdP group are reflected on GitHub AE automatically, reducing the need for manual updates and custom scripts.
You can connect a team on GitHub AE to one IdP group. All users in the group are automatically added to the team and also added to the parent organization as members. When you disconnect a group from a team, users who became members of the organization via team membership are removed from the organization. You can assign an IdP group to multiple GitHub AE teams.
Once a GitHub team is connected to an IdP group, your IdP administrator must make team membership changes through the identity provider. You cannot manage team membership on GitHub AE.
When group membership changes on your IdP, your IdP sends a SCIM request with the changes to GitHub AE according to the schedule determined by your IdP. Any requests that change GitHub team or organization membership will register in the audit log as changes made by the account used to configure user provisioning. For more information about this account, see "Configuring user provisioning with SCIM for your enterprise." For more information about SCIM request schedules, see "Check the status of user provisioning" in the Microsoft Docs.
Parent teams cannot synchronize with IdP groups. If the team you want to connect to an IdP group is a parent team, we recommend creating a new team or removing the nested relationships that make your team a parent team. For more information, see "About teams," "Creating a team," and "Moving a team in your organization’s hierarchy."
To manage repository access for any GitHub team, including teams connected to an IdP group, you must make changes with GitHub AE. For more information, see "About teams" and "Managing team access to an organization repository."
Prerequisites
To connect a team on GitHub AE to an IdP group, the team must already exist in your organization. Even if you have configured SCIM provisioning, creating a group in your IdP does not automatically create a team on GitHub AE.
Before you can connect a GitHub AE team with an IdP group, you must first configure user provisioning for your enterprise using a supported System for Cross-domain Identity Management (SCIM). For more information, see "Configuring user provisioning with SCIM for your enterprise."
Once user provisioning for GitHub AE is configured using SCIM, you can assign the GitHub AE application to every IdP group that you want to use on GitHub AE. For more information, see Configure automatic user provisioning to GitHub AE in the Microsoft Docs.
Connecting an IdP group to a team
When you connect an IdP group to a GitHub AE team, all users in the group are automatically added to the team. Any users who were not already members of the parent organization members are also added to the organization.
-
In the upper-right corner of GitHub AE, select your profile photo, then click Your organizations.
-
Click the name of your organization.
-
Under your organization name, click Teams.
-
Click the name of the team.
-
At the top of the team page, click Settings.
-
Under "Identity Provider Group", select the Select Group dropdown menu, and click an identity provider group from the list.
-
Click Save changes.
Disconnecting an IdP group from a team
-
In the upper-right corner of GitHub AE, select your profile photo, then click Your organizations.
-
Click the name of your organization.
-
Under your organization name, click Teams.
-
Click the name of the team.
-
At the top of the team page, click Settings.
-
Under "Identity Provider Group", to the right of the IdP group you want to disconnect, click .
-
Click Save changes.
