Skip to main content



About guest collaborators


The guest collaborator role is only available with Enterprise Managed Users.

You can use the guest collaborator role to grant limited access to vendors and contractors. Guest collaborators:

  • Are provisioned by your IdP, like all managed user accounts.
  • Can be added as organization members or as collaborators in repositories.
  • Cannot access internal repositories in the enterprise, except in organizations where they're added as a member.

Enabling guest collaborators in your IdP

If you use Microsoft Entra ID (previously known as Azure AD) or Okta for authentication, you may need update the Enterprise Managed Users application in your IdP.

Enabling guest collaborators with Entra ID

  1. Sign into the Microsoft Azure portal.

  2. Click Identity.

  3. Click Applications.

  4. Click Enterprise applications.

  5. Click All applications.

  6. View the details for your Enterprise Managed Users application.

  7. In the left sidebar, click Users and Groups.

  8. View the application registration.

    • If the application registration displays the "Restricted User" or "Guest Collaborator" roles, you're ready to invite guest collaborators to your enterprise.
    • If the application registration does not display the roles, proceed to the next step.
  9. In the Azure portal, click App registrations.

  10. Click All applications, then use the search bar to find your application for Enterprise Managed Users.

  11. Click your SAML or OIDC application.

  12. In the left sidebar, click Manifest.

  13. Search for the following id: 1ebc4a02-e56c-43a6-92a5-02ee09b90824 within the Manifest file:

    • If the id is not present, proceed to the next step.
    • If the id is present, review the description and displayName values. If the values are not set to Guest Collaborator, you can rename both to be so, and proceed to step 15.
  14. Under the appRoles object, add the following block:

      "allowedMemberTypes": [
      "description": "Guest Collaborator",
      "displayName": "Guest Collaborator",
      "id": "1ebc4a02-e56c-43a6-92a5-02ee09b90824",
      "isEnabled": true,
      "lang": null,
      "origin": "Application",
      "value": null

    Note: The id value is critical. If another id value is present, the update will fail.

  15. Click Save.

Enabling guest collaborators with Okta

To add the guest collaborator role to your Okta application:

  1. Navigate to your application for Enterprise Managed Users on Okta.

  2. Click Provisioning.

  3. Click Go to Profile Editor.

  4. Find "Roles" at the bottom of the profile editor and click the edit icon.

  5. Add a new role.

    • For "Display name", type Guest Collaborator.
    • For "Value", type guest_collaborator.
  6. Click Save.

Adding guest collaborators to your enterprise

When guest collaborators are enabled in your IdP, you can use SCIM to provision users with the guest_collaborator role.

  • If you use a partner IdP, use the "Roles" attribute in the Enterprise Managed Users application.
  • If you use the SCIM endpoints of GitHub's REST API to provision users, use the roles user attribute.

For more information about partner IdPs and other identity management systems, see "About Enterprise Managed Users."

Giving guest collaborators access to resources

When you have added a guest collaborator to your enterprise, you can add the user to specific organizations or repositories.

Add the user to an organization

To give the user access to repositories in an organization, add the user as a member of the organization.

Add the user to a repository

To give the user access to specific repositories, add the user to the repositories as a repository collaborator.

This gives the user access to the repository without giving them access to other internal or private repositories in the same organization. For more information, see "Roles in an organization."

Further reading