Important! The content of this resource is provided -as is- for educational purposes and it is not part of GitHub's official documentation. For GitHub's Official Documentation, please visit GitHub Docs
What is GitHub Enterprise Cloud Enterprise Managed Users?
GitHub Enterprise Cloud - Enterprise Managed Users (EMU) is a version of GitHub Enterprise Cloud that enables enterprises to provide their employees with "work accounts" and guardrails against accidental public exposure of private content. With GitHub Enterprise Cloud - Enterprise Managed Users, companies will be able to centralize account management tasks into the identity provider (IdP: AzureAD , Okta or PingFederate Public Beta) they already use. The IdP is the source of truth for EMU account creation/provisioning, de-provisioning, enterprise roles, profile information and username standards.
Companies can also connect a GitHub team to a security group in their identity provider. This allows them to manage membership in GitHub teams (which can control organization- and repo-level permissions) automatically using the identity provider as a single source of truth, instead of having to manage team membership manually in GitHub.To mitigate accidental code leakage, all “public” repository, content visibility, and other publication settings are disabled (even for administrators.) For EMU-enabled enterprises, there are no public repositories, public projects, or public pages. Additionally, EMUs are not able to perform write actions (e.g. open Issues or PRs, comment, fork, star) in repositories outside of their Enterprise.
These additional controls and guardrails help our enterprise customers manage their GitHub usage securely, at scale, on GitHub.com.For more details on the ⚠️ restrictions and limitations ⚠️ of GitHub's Enterprise Cloud - Enterprise Managed Users accounts, please refer to the Official documentation.
GitHub Enterprise Cloud Enterprise Managed Users Official Docs
GitHub Enterprise Managed Users - Document Hub
Microsoft Azure setup guides
Okta setup guides
GitHub Enterprise Cloud vs Enterprise Managed Users - What's the difference?
The above authentication flow diagram has been made with ❤️ by Elizabeth Barrord
High-level overview comparison
| Feature/Capability | GitHub Enterprise Cloud(Non-EMU) | Enterprise Managed Users |
|---|---|---|
| Supported IDP's |
|
|
| Public Repository Support | Yes | No | Fork Public Repositories | Yes | No |
| Outside Collaborator Support | Yes | No |
| Multiple IDP integration Support | Yes, At the Org-level | No |
| GitHub Copilot for Business Support | Yes | Yes |
| Main authentication | Supports both IDP and/or GitHub's native authentication. | IDP only, users are only able to authenticate via the supported IDP integrated. |
Detailed Comparison 👀 - You might want to take a look.
The detailed comparison below has been made with ❤️ by Jessi Moths
| Feature/Capability | GitHub Enterprise Cloud(Non-EMU) | Enterprise Managed Users |
|---|---|---|
| Audit log events | Only audit log activity that happens in the enterprise account is available for admins' review. | Enterprise owners can audit all of the managed users' actions on GitHub.com |
| Public repositories | Enterprise users can create public repositories, unless disabled by enterprise admins. | No public repositories on GitHub Enterprise Cloud-EMUs. |
| Add a regular user to your enterprise (provide them with a license) |
|
|
| Remove a user from your enterprise (revoke their license) | Remove the user from all organizations they belong to within your enterprise (manually or via SCIM.) The user’s account itself remains active and can be used elsewhere on GitHub.com, but the SAML/SCIM identity link will be removed. | A user’s enterprise license is revoked and returned to your available pool of enterprise licenses when they are either: - removed from all orgs in the enterprise - unassigned from the IdP app |
| Add a regular user to an organization for access to repos |
|
|
| Receive an invitation/notification email when user account is added to an organization | Users receive an email notification when their account is invited (manually or via SCIM automation) to an enterprise organization. They must accept the invitation by logging into GitHub.com (and linking their SAML account, if SAML is required in the organization.) | Users do not receive notification when added to the EMU enterprise or any of its organizations. No action is required by the user to “accept” their access. |
| Add an outside collaborator for access to a repository within your enterprise’s organizations | Invite the user by GitHub username or email to each repo they should have access to, and assign read/write/admin access for that repo | Assign the user the "restricted user" role (and ONLY this role) in your IdP. This prevents innersource visibility of internal repos. All users must be provisioned via assignment in the linked identity provider (you may use guest accounts or federation in your IdP for users outside of your organization’s directory) |
| Manage users in a GitHub team via an identity provider group | Install and use the separate Team Sync app. When creating the team in GitHub, choose the group(s) you wish to use to manage membership in the GitHub team. Users added/removed to the identity provider group will also be added/removed from the GitHub team. | When creating the team in GitHub, choose the group you wish to use to manage membership in the GitHub team. Only one group may be linked per team. Groups will only display in the list to be selected to be linked to a GitHub team if they are assigned to the GitHub EMU application in your identity provider. Users added/removed to the identity provider group will also be added/removed from the GitHub team. |
| Authorize an OAuth app (user scope) | Follow authorization prompts | Not available at user scope |
| Authorize an OAuth app (org scope) | Follow authorization prompts (must be an org owner) or request authorization of the app from your org administrator. | Follow authorization prompts (must be an org owner) or request authorization of the app from your org administrator. |
| Authorize a GitHub App (user scope) | Follow authorization prompts | Not available at user scope |
| Authorize a GitHub App (org scope) | Follow authorization prompts (must be an org owner) or request installation of the app from your org administrator | Follow authorization prompts (must be an org owner/app admin) or request authorization of the app from your org administrator. |
| Create a public repo | Create a new repo and choose visibility as public (if working in an organization context, public repos may not be allowed by policy) | Never allowed when logged in to an EMU account (neither personal namespace nor organization namespace, even if an admin) |
| Fork a public/non-enterprise-owned repo into an enterprise’s organization namespace | Follow forking steps (must have repo creation rights in target org namespace) | Not allowed when logged in to an EMU account |
| Perform write actions (comment, review, star, etc.) on a public repo | Follow usual steps | Not allowed when logged in to an EMU account |
| User level profile info changes (first/last name, email address, username) | Can only be set by user editing profile/settings | Automatically synced from identity provider, cannot be directly edited by user. (User can provide/change their own profile picture.) |
| View user-level audit log info for users in your enterprise (as admin) | Not available | View enterprise audit log for user-level audit events, including logins. |
| Share personal namespace repos/your profile with anyone on GitHub.com | Available, send URL (if repo is private, invite users as collaborators) | Not available. Profiles and personal namespace repos are only visible to and can only be shared with others inside your enterprise. |
| Use Gists | Available | Not available |
| All other standard GitHub Enterprise Cloud functionality (Actions, Packages, Codespaces, etc.) | Available | Available |
GitHub Enterprise Cloud Enterprise Managed Users - right for me?
| Consider Enterprise Managed Users if | Consider GitHub Enterprise Cloud (Non-EMU) if |
|---|---|
| You have a requirement to own the user accounts and be able to take over user accounts. | You need to collaborate on or have Public Repositories. |
| You need to use OIDC SSO and enable support for your IdP's Conditional Access Policy. | You have a strong open source presence, maintain a number of open source projects and encourage your developers to contribute to open source. |
| The User Limitations and Restrictions do not impact your business. | Your IdP is not Okta, Azure AD or PingID (currently in Public Beta) (only these are supported in Enterprise Managed Users as of today) |
| You need to provide contractors with access to some of your repos without creating identity in your IdP (You need Outside Collaborator). |
Migrating to GitHub Enterprise Cloud Enterprise Managed Users
Do I really need to migrate❓
Yes, whether you are already on GitHub or not, you will still need to migrate your data from your current solution to GitHub Enterprise Cloud - Enterprise Managed Users.But, Why if I am already on GitHub❓
GitHub Enterprise Cloud - Enterprise Managed Users is deployed in a separate infrastructure from GitHub Enterprise Cloud (Non-EMU) / Teams / Free / Pro. Hence its not possible to just "toggle" its capabilities on. Therefore a full migration is needed even if you are already on GitHub.
Do you have any tools to assist with the migration❓
Yes we do! You can use our GitHub Enterprise Importer if you are migrating from:- Azure DevOps (ADO) Cloud
- Bitbucket Server and Bitbucket Data Center 5.14+
- GitHub.com (Free, Pro, Teams or Enterprise (Non-EMU)
- GitHub Enterprise Server (GHES) 3.4.1+
📌 If you are migrating from GitLab please contact your GitHub account manager/representative for more information.
Do you have tools to assist with our CI/CD Pipelines migration ❓
Yes we do! You can use our GitHub Actions Importer if you are migrating from:- Azure DevOps
- Bamboo
- CircleCI
- GitLab
- Jenkins
- Travis CI
My current solution is not listed, what can I do❓
If your current solution is not part of our supported sources for GitHub Enterprise Importer, then we don’t offer any specialist tools to migrate source, history and metadata. As an alternative, you could run a "source snapshot" or "source and history" migration. In other words, you can always migrate (code only, no metadata) using git clone and git push commands. For more information on how to do this, please refer to the Importing an external Git repository using the command line.Do you have any documentation around best practices for migrations❓
We do! For details please review our best practices on Planning your migration to GitHub.Do you have Professional Services to assist with the migration❓
We do! we offer a "white-glove service engagement" via our Expert Services Team. For more information on pricing and overall migration scoping feel free to contact your GitHub account manager/representative.If I opt for a self-served migration and run into issues who can I contact❓
If during your migration you experience issues you can always contact our support team at GitHub Enterprise Support However, Hands-on Keyboard or dedication session assistance is only offered to customers under our Premium Support Plan or customers who have opted for a white-glove Professional Service engagement . If you are interested in learning more about our Premium Support Plan or Professional Services please reach out to your GitHub account manager / representative for pricing details.GitHub Enterprise Cloud - Enterprise Managed Users is definitely for me, what do I need to get started?
To get started with GitHub Enterprise Cloud Enterprise Managed Users, please reach out to your GitHub account manager/representative and let them know you that you are interested or would like to move forward with GitHub Enterprise Cloud Enterprise Managed. Additionally if you wish to expedite this process please make them aware that you fully understand the capabilities and limitations of the platform.
Finally, for us to create your GitHub Enterprise Cloud Enterprise Managed Users instance we will need the following information from you:
- Admin Email address:
The email address of the administrator who will receive the initial setup credentials to set up SAML and SCIM within your new Enterprise Account. - Enterprise Account URL /SLUG:
This represents a URL-friendly identifier, free from spaces or special characters, which is employed in generating your GitHub Enterprise Cloud Enterprise Managed User tenant. Generally, it mirrors your existing enterprise slug with the addition of "_emu" at the end. For example a Non-EMU GitHub Enterprise URL would look as the following: https://GitHub.com/enterprises/{EnterpriseName} . However, a GitHub Enterprise Cloud Enterprise Managed Users URL would look like: https://GitHub.com/enterprises/{EnterpriseName_emu} . Yes,This designation can be changed later on. - Enterprise Managed Users ShortCode/Enterprise Identifier:
This is the 3-8 character alpha-numeric string that will be appended to each username in your account. ⚠️This cannot be changed later on ⚠️. For further clarification if your ShortCode was monalisa when your users are provisioned from your IDP into your GitHub Enterprise, they will appear, for example, as UserPrincipalName_monalisa | JohnDoe_monalisa
Once you have defined the above, feel free to send it to your GitHub account manager/representative in the following format for clarity:
Example:
- Admin Email address: Jack@GitHub.com
- Enterprise Account URL/SLUG: GitHub_emu
- Enterprise Managed Users ShortCode/Enterprise Identifier: GitHub
⚠️Note⚠️ : While rare, it is possible that your desired Enterprise Account URL/SLUG may already be taken. If this is the case, we will work with you to find an alternative.
Trademark Disclaimer
- Okta®, Auth0®, and the Okta® and Auth0® Logos are registered trademarks of Okta, Inc. in the U.S. and other countries. All other names, logos, product and service names, designs and slogans that may appear on the Site are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Okta. See Okta's Logos and Usage for further policy details.
- GITHUB®, the GITHUB® logo design, the INVERTOCAT logo design, OCTOCAT®, and the OCTOCAT® logo design are trademarks of GitHub, Inc., registered in the United States and other countries. The OCTOCAT design is the exclusive property of GitHub, Inc and has been federally registered with the United States Copyright Office. All rights reserved. See GitHub's Terms of Service for its Intellectual Property
- Microsoft products and services—including images, text, and software downloads (the "content")—are owned either by Microsoft Corporation or by third parties who have granted Microsoft permission to use the content. Microsoft cannot grant you permission for content that is owned by third parties. You may only copy, modify, distribute, display, license, or sell the content if you are granted explicit permission within the End-User License Agreement (EULA) or License Terms that accompany the content or are provided in the following guidelines. See Microsoft's Trademark Usage Guidelines for further policy details.