Skip to main content

Managing team synchronization for organizations in your enterprise

You can enable team synchronization between Microsoft Entra ID (previously known as Azure AD) and GitHub Enterprise Cloud to allow organizations owned by your enterprise account to manage team membership through IdP groups.

Who can use this feature?

Enterprise owners can manage team synchronization for an enterprise account.

Note: If your enterprise uses Enterprise Managed Users, you do not need to use team synchronization. Instead, you can manage team membership via the SCIM configuration you created while setting up your enterprise. For more information, see "Managing team memberships with identity provider groups."

About team synchronization for enterprise accounts

If you use SAML at the enterprise level with Entra ID as your IdP, you can enable team synchronization for your enterprise account to allow organization owners and team maintainers to synchronize teams in the organizations owned by your enterprise accounts with IdP groups.

If team sync is enabled for your organization or enterprise account, you can synchronize a GitHub team with an IdP group. When you synchronize a GitHub team with an IdP group, membership changes to the IdP group are reflected on GitHub Enterprise Cloud automatically, reducing the need for manual updates and custom scripts.

Team synchronization is not a user provisioning service and does not invite non-members to join organizations in most cases. This means a user will only be successfully added to a team if they are already an organization member. However, you can optionally allow team synchronization to re-invite users who were previously organization members and have since been removed.

After you enable team synchronization, team maintainers and organization owners can connect a team to an IdP group on GitHub or through the API. For more information, see "Synchronizing a team with an identity provider group" and "REST API endpoints for teams."

Warning: When you disable team synchronization, any team members that were assigned to a GitHub team through the IdP group are removed from the team and may lose access to repositories.

You can also configure and manage team synchronization for an individual organization. For more information, see "Managing team synchronization for your organization."

Usage limits

There are usage limits for the team synchronization feature. Exceeding these limits will lead to a degradation in performance and may cause synchronization failures.

  • Maximum number of members in a GitHub team: 5,000
  • Maximum number of members in a GitHub organization: 10,000
  • Maximum number of teams in a GitHub organization: 1,500

Prerequisites

  • You must use an Entra ID commercial tenant, not Gov Cloud.
  • You or your Entra ID administrator must be a Global administrator or a Privileged Role administrator in Entra ID.
  • You must enforce SAML single sign-on for organizations in your enterprise account with your supported IdP. For more information, see "Configuring SAML single sign-on for your enterprise."
  • You must authenticate to your enterprise account using SAML SSO and the supported IdP. For more information, see "Authenticating with SAML single sign-on."

Managing team synchronization for Entra ID

To enable team synchronization for Entra ID, your Entra ID installation needs the following permissions.

  • Read all users’ full profiles
  • Sign in and read user profile
  • Read directory data
  1. In the top-right corner of GitHub.com, click your profile photo, then click Your enterprises.

  2. In the list of enterprises, click the enterprise you want to view.

  3. In the enterprise account sidebar, click Settings.

  4. Under Settings, click Authentication security.

  5. Confirm that SAML SSO is enabled for your enterprise.

  6. Under "Team synchronization", click Enable for Entra ID.

  7. Confirm team synchronization.

    • If you have IdP access, click Enable team synchronization. You'll be redirected to your identity provider's SAML SSO page and asked to select your account and review the requested permissions.
    • If you don't have IdP access, copy the IdP redirect link and share it with your IdP administrator to continue enabling team synchronization.
  8. Review the details for the IdP tenant you want to connect to your enterprise account, then click Approve.

  9. To disable team synchronization, under "Team synchronization", click Disable team synchronization.

Managing whether team synchronization can re-invite non-members to organizations

  1. In the top-right corner of GitHub.com, click your profile photo, then click Your enterprises.

  2. In the list of enterprises, click the enterprise you want to view.

  3. In the enterprise account sidebar, click Settings.

  4. Under Settings, click Authentication security.

  5. Under "Team synchronization", select or deselect Do not allow Team Sync to re-invite past members to organizations that were removed by an organization owner.