Skip to main content

Requiring two-factor authentication for an organization

You can require organization members and outside collaborators to enable two-factor authentication for their personal accounts in an organization, making it harder for malicious actors to access an organization's repositories and settings.

When using LDAP or built-in authentication, two-factor authentication is supported on your GitHub Enterprise Server instance. Organization administrators can require members to have two-factor authentication enabled.

SAMLあるいはCASを利用する場合、GitHub Enterprise Server上では2要素認証はサポートあるいは管理されませんが、外部の認証プロバイダではサポートされることがあります。 Organizationでの2要素認証の強制はできません。 組織で 2 要素認証を適用する方法については、「組織で 2 要素認証を要求する」を参照してください。

For more information, see "About two-factor authentication."

Requirements for enforcing two-factor authentication

Before you can require organization members and outside collaborators to use 2FA, you must enable two-factor authentication for your own personal account.

Warnings:

  • When your require two-factor authentication, members and outside collaborators (including bot accounts) who do not use 2FA will be removed from the organization and lose access to its repositories, including their forks of private repositories. If they enable 2FA for their personal account within three months of being removed from the organization, you can reinstate their access privileges and settings.
  • When 2FA is required, organization members or outside collaborators who disable 2FA will automatically be removed from the organization.
  • If you're the sole owner of an organization that requires two-factor authentication, you won't be able to disable 2FA for your personal account without disabling required two-factor authentication for the organization.

Before you require use of two-factor authentication, we recommend notifying organization members and outside collaborators and asking them to set up 2FA for their accounts. You can see if members and outside collaborators already use 2FA on an organization's People tab.

  1. GitHub Enterprise Server の右上隅にあるプロファイル写真をクリックし、 [自分の Organization] をクリックします。 プロファイル メニューの組織

  2. 組織の隣の [設定] をクリックします。 [設定] ボタン

  3. In the "Security" section of the sidebar, click Authentication security.

  4. [認証] の下で、 [Organization 内のすべてのユーザーに 2 要素認証を要求する] を選択し、 [保存] をクリックします。 [2FA を要求する] チェックボックス

  5. 求められた場合には、Organization から削除するメンバーおよび外部コラボレーターに関する情報を読んでください。 Organization の名前を入力して変更を確認し、 [メンバーを削除して 2 要素認証を必須にする] をクリックします。 [2 要素の強制を確認する] ボックス

Viewing people who were removed from your organization

To view people who were automatically removed from your organization for non-compliance when you required two-factor authentication, you can search the audit log using reason:two_factor_requirement_non_compliance in the search field.

  1. 任意のページの左上で、をクリックします。 Octocat アイコン

  2. GitHub Enterprise Server の管理アカウントから、任意のページの右上隅の をクリックします。

    サイト管理者設定にアクセスするための宇宙船アイコンのスクリーンショット

  3. [サイト管理者] ページにまだ表示されていない場合は、左上隅の [サイト管理者] をクリックします。

    [サイト管理者] リンクのスクリーンショット

  4. In the "Archives" section of the sidebar, click Security log.

  5. Enter your search query using reason:two_factor_requirement_non_compliance. Staff tools audit log event showing a user removed for 2FA non-compliance To narrow your search for:

    • Organizations members removed, enter action:org.remove_member AND reason:two_factor_requirement_non_compliance

    • Outside collaborators removed, enter action:org.remove_outside_collaborator AND reason:two_factor_requirement_non_compliance

      You can also view people removed from a particular organization by using the organization name in your search:

    • org:octo-org AND reason:two_factor_requirement_non_compliance

  6. Click Search.

Helping removed members and outside collaborators rejoin your organization

If any members or outside collaborators are removed from the organization when you enable required use of two-factor authentication, they'll receive an email notifying them that they've been removed. They should then enable 2FA for their personal account, and contact an organization owner to request access to your organization.

Further reading