When you adopt GitHub Enterprise Cloud with data residency, you can choose where your company's code and data are stored.
After you have worked with GitHub's Sales team to create an enterprise account with a dedicated URL on GHE.com, you'll use this guide to set up your enterprise. You will:
- Add users by configuring authentication and provisioning with an identity management system
- Set up billing for your enterprise
- Optionally, migrate data from another platform
- Learn about available features, including features that work differently or require additional configuration
After this initial setup, you'll be able to create organizations and repositories, collaborate on code, configure policies, and more.
Prerequisites
-
You must have been provisioned with an enterprise on GHE.com.
-
If you intend to pay with a Microsoft Azure subscription, you must have admin access to the Azure portal or work with someone to configure an admin consent workflow. For a full list of prerequisites, see Connecting an Azure subscription.
-
You must ensure that client systems trust GitHub's SSH key fingerprints and can access certain hostnames and IP addresses. See "Network details for GHE.com."
1. Add users to your enterprise
Enterprises on GHE.com use Enterprise Managed Users. To create user accounts and grant access to your new enterprise on GHE.com, you must configure authentication and SCIM provisioning. See Getting started with Enterprise Managed Users.
Sign in as the setup user
After we create your enterprise, you will receive an email inviting you to choose a password for the setup user, which is used to configure authentication and provisioning. The username is a randomly generated shortcode, suffixed with _admin
.
Using an incognito or private browsing window:
- Set the user's password.
- Save the user's recovery codes.
If you need to reset the password for your setup user, contact GitHub Support through the GitHub Support portal. The usual password reset option by providing your email address will not work.
Create a personal access token
Next, create a personal access token that you can use to configure provisioning.
- You must be signed in as the setup user when you create the token.
- The token must have at least the scim:enterprise scope.
- The token must have no expiration.
To learn how to create a personal access token (classic), see "Managing your personal access tokens."
Configure authentication
Next, configure how your members will authenticate.
If you're using Entra ID as your IdP, you can choose between OpenID Connect (OIDC) and Security Assertion Markup Language (SAML).
- We recommend OIDC, which includes support for Conditional Access Policies (CAP).
- If you require multiple enterprises provisioned from one tenant, you can use SAML or OIDC for the first enterprise, but must use SAML for each additional enterprise.
If you're using another IdP, like Okta or PingFederate, you must use SAML to authenticate your members.
To get started, read the guide for your chosen authentication method.
- "Configuring OIDC for Enterprise Managed Users"
- "Configuring SAML single sign-on for Enterprise Managed Users"
Configure provisioning
After you configure authentication, you can configure SCIM provisioning, which is how your IdP will create managed user accounts on GitHub. See "Configuring SCIM provisioning for Enterprise Managed Users."
Manage organization membership
After authentication and provisioning are configured, you can start managing organization membership for your managed user accounts by synchronizing IdP groups with teams. See "Managing team memberships with identity provider groups."
2. Set up billing
To pay for licenses and services, you can use a credit card, PayPal, or a Microsoft Azure subscription.
- To add a credit card or PayPal details, see Managing your payment and billing information.
- To link an Azure subscription, see Connecting an Azure subscription.
3. Migrate data
Optionally, to migrate existing data to your new enterprise on GHE.com, you can use GitHub's migration tools.
- If you're migrating from GitHub.com, GitHub Enterprise Server, Azure DevOps, or Bitbucket Server, you can migrate source code history and metadata with GitHub Enterprise Importer. See About GitHub Enterprise Importer.
- If you're migrating from a different platform, see Migration paths to GitHub.
Example script for GitHub Enterprise Importer
The following script demonstrates the use of GitHub Enterprise Importer for migration of an individual source repository from GitHub.com to a target repository on GHE.com. The --target-api-url
parameter sets your enterprise on GHE.com as the destination of the migration.
You can use the environment variable definitions in the script as an example to create additional commands that migrate data using GitHub Enterprise Importer.
In the following script, replace the following placeholder text with actual values.
Placeholder | Description |
---|---|
TARGET-TOKEN | Personal access token (PAT) for accessing the target enterprise on GHE.com |
SOURCE-TOKEN | PAT for accessing the source resources on GitHub.com |
TARGET-GHE-API-URL | The URL for accessing API endpoints for your enterprise. For example, if your enterprise's subdomain is octocorp , this value must be https://api.octocorp.ghe.com . |
SOURCE-GH-ORGANIZATION-NAME | The name of the source organization on GitHub.com. |
SOURCE-GH-REPOSITORY-NAME | The name of the source repository on GitHub.com. |
TARGET-GHE-ORGANIZATION-NAME | The name of the target organization on GHE.com. |
TARGET-GHE-REPOSITORY-NAME | The name of the target repository on GHE.com. |
#!/bin/sh export GH_PAT="TARGET-TOKEN" export GH_SOURCE_PAT="SOURCE-TOKEN" export TARGET_API_URL="TARGET-GHE-API-URL" export GITHUB_SOURCE_ORG="SOURCE-GH-ORGANIZATION-NAME" export SOURCE_REPO="SOURCE-GH-REPOSITORY-NAME" export GITHUB_TARGET_ORG="TARGET-GHE-ORGANIZATION-NAME" export TARGET_REPO="TARGET-GHE-REPOSITORY-NAME" gh gei migrate-repo --target-api-url $TARGET_API_URL --github-source-org $GITHUB_SOURCE_ORG --source-repo $SOURCE_REPO --github-target-org $GITHUB_TARGET_ORG --target-repo $TARGET_REPO --verbose
#!/bin/sh
export GH_PAT="TARGET-TOKEN"
export GH_SOURCE_PAT="SOURCE-TOKEN"
export TARGET_API_URL="TARGET-GHE-API-URL"
export GITHUB_SOURCE_ORG="SOURCE-GH-ORGANIZATION-NAME"
export SOURCE_REPO="SOURCE-GH-REPOSITORY-NAME"
export GITHUB_TARGET_ORG="TARGET-GHE-ORGANIZATION-NAME"
export TARGET_REPO="TARGET-GHE-REPOSITORY-NAME"
gh gei migrate-repo --target-api-url $TARGET_API_URL --github-source-org $GITHUB_SOURCE_ORG --source-repo $SOURCE_REPO --github-target-org $GITHUB_TARGET_ORG --target-repo $TARGET_REPO --verbose
4. Learn about GitHub's features
When you have completed the initial setup of your enterprise, you and your enterprise's members can start using GitHub's features.
The features available with data residency on GHE.com are similar to the features available to managed user accounts on GitHub.com, with some additions and exceptions. Some features work differently or require additional configuration compared to the equivalent feature on GitHub.com. See Feature overview for GitHub Enterprise Cloud with data residency.