Why can't I see users' email addresses?

Or also:

  • How can I identify users in my GitHub organisation?
  • How can I see the real name of the user?

You are a GitHub organisation owner, and you've added a number of users to your organisation over the past few weeks/months/years. Now you want to clean it up and remove the users who either left the company or no longer need access to your organisation. You log into your org and see the following:

Why_cant_I_see_users_email_address_01.png

Who is this "Pink Elephant"? And who is this "Grumpy Ukrainian"? (Well, if you worked with me you might get some idea ;)) Are they still employees of the company? Or are they among those who left two years ago, but we never removed their accounts and they still have access? Should I remove them? WHAT IS THEIR REAL NAME AND EMAIL ADDRESS, so I can identify them and make the decision?

The answer is my favourite: it depends. It depends on a few things:

  • Is this an enterprise with managed users (EMU) or a standard enterprise account? If you have never heard of EMUs, you are highly unlikely to have an EMU account.
  • Have you verified your domain name?
  • What emails has the user specified in their profile, and were they made public?
  • Have you configured and enforced SAML SSO in your organisation?

Let's start from the beginning...

EMUs

Let's get EMUs out of the way first. With EMUs you still can't see the email addresses, but usually this is not an issue. GitHub will pull the name and the username for each user from your identity provider, so everyone will have their real name (or at least whatever their real name is in the IdP) in their GitHub profile, and users won't be able to modify it. The only way to change it is through your IdP. So org owners will always know who each user is:

Why_cant_I_see_users_email_address_02.png

Bottom line: you won't have this issue in an EMU enterprise account.

Classic GitHub

This is where it becomes tricky. It all started a long time ago, when GitHub was built as a platform for individuals to build and collaborate on. The keyword here is "individual". With the exception of EMUs, all accounts on GitHub are personal: they belong to individual users. Each user can decide what username they want to pick, what name they want to provide to the public, what email address they want to add to their profile and whether they want to make that email public. So let's see when it's actually possible to either see the email address or find the identity of the user.

Profile Settings

Each user decides whether they want to share their email addresses publicly in their profiles. Here's how ak-honkyponky's profile looks when she doesn't share her email address:

Why_cant_I_see_users_email_address_03.png

Now, ak-honkyponky adds her public email address:

Why_cant_I_see_users_email_address_04.png

And her public profile now includes the email address under the Follow button:

Why_cant_I_see_users_email_address_05.png

Bottom line: if the user shares their email address publicly, you will be able to see it in their profile.

Verified domains

As an organisation owner, you have the option to verify your domain names. If you do so, you are technically proving to GitHub that you own that domain name and, as a result, own/manage all email addresses within that domain. So if a user in your organisation has specified an email address with your domain name in their settings, that email address will appear in the list of organisation members. For example, andrek.com is my domain name and I verified it on GitHub in my organisation. As a result, I can see Ryan's and my email addresses, even though both of us made them private.

Why_cant_I_see_users_email_address_06.png

What's more, I can see two of Ryan's emails because I also own and verified kolodochka.com:

Why_cant_I_see_users_email_address_07.png

Why_cant_I_see_users_email_address_08.png

But I can't see ak-honkyponky's email addresses. I also can't see the second email address I configured in my account. That's because none of those email addresses are from verified domain names:

Why_cant_I_see_users_email_address_09.png

So the bottom line is: you will be able to see the email addresses of users as long as the email is at one of the verified domains in your organisation.

SAML SSO configured

This is where it gets even trickier. The ability to connect your organisation to your Identity Provider (Entra ID, Okta, Google, etc.) is a feature of the GitHub Enterprise plan. If you are on a Free or Team plan, this section does not apply to you.

When a user logs into your SAML-protected organisation for the first time, their GitHub username will be linked to their identity in your IdP and the link will be stored under their organisational profile. Simply click on the username and go to the "SSO identity linked" section. While this won't necessarily give you the name (although in many cases the linkage is done on the email address, which often includes the user's name), it will tell you what to search for in your IdP to identify the user:

Why_cant_I_see_users_email_address_10.png

You can even use GitHub APIs to create a script to extract linked identities for all users in your organisation.

Bottom line: configuring SAML SSO will let you cross-reference and identify the user from your IdP.

But what about the name?

Well, similar to the email address in the user's profile, it's up to the user what to provide as their name. If the user decides to specify "Pink Elephant" instead of "Alana Smith", there is absolutely nothing you can do. But you can still identify the user if you have SAML SSO configured.

So what can you do?

Just like I said at the beginning: it depends ;) Again, the following is all about a standard non-EMU deployment, as with EMU this is not an issue.

Also, you could always use the notifications engine to contact the user. Say, create an issue for each user you don't recognise, put something like "contact IT" in the issue description and assign the issue to the user or tag the user.

Other than that, if the users don't want to make their real name public, there is absolutely nothing you can do.

With email, there are a few things that you can do, though.

  1. Verify the domains you own in your enterprise or organisation. This will make any user's email address from your domain visible in the members list.
  2. Point 1 above doesn't address the case where your org members don't add a company email to their profile. While you can't force users to specify a company email address in their profile, you can sort of nudge users to do so by restricting where notifications go. Essentially, if that setting is configured and a user doesn't add a company email to their profile, they will never receive notifications from your organisation. This, in addition to verifying your domain, will allow you to see user emails in the members list.
  3. If you are on the Enterprise plan, configure and enforce SAML SSO and use GitHub APIs to obtain the linked SSO identity. Here's an example API call you can use:
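query {
    organization(login: "your_organisation-name") {
        samlIdentityProvider {
            # first: 10 returns only the first ten identities; raise it (maximum 100) or paginate for larger organisations
            externalIdentities(first: 10) {
                edges {
                    node {
                        # GitHub account linked to the IdP identity
                        user {
                            login
                        }
                        # attributes GitHub received from the IdP
                        samlIdentity {
                            familyName
                            givenName
                            nameId
                            username
                        }
                    }
                }
            }
        }
    }
}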
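
The API call above returns only the first 10 identities. As an added example (not the author's or GitHub's own code), this Python script pages through every linked identity and lists the org members that have none. The GITHUB_TOKEN environment variable, the function names and the member list passed in are assumptions of the example.

```python
import json
import os
import urllib.request

# Same fields as the call above, plus cursor pagination (variable names are this example's).
QUERY = """query($org: String!, $cursor: String) {
  organization(login: $org) { samlIdentityProvider {
    externalIdentities(first: 100, after: $cursor) {
      pageInfo { hasNextPage endCursor }
      edges { node { user { login } samlIdentity { nameId username } } }
    } } } }"""

def github_graphql(query, variables):
    """POST to GitHub's GraphQL endpoint; GITHUB_TOKEN is an assumed env var."""
    req = urllib.request.Request(
        "https://api.github.com/graphql",
        data=json.dumps({"query": query, "variables": variables}).encode(),
        headers={"Authorization": "Bearer " + os.environ["GITHUB_TOKEN"]})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def linked_identities(org, post=github_graphql):
    """Return ({login: nameId}, [nameIds not yet linked to any GitHub user])."""
    linked, unlinked, cursor = {}, [], None
    while True:
        body = post(QUERY, {"org": org, "cursor": cursor})
        if body.get("errors"):
            raise RuntimeError(body["errors"])
        idp = (body["data"]["organization"] or {}).get("samlIdentityProvider")
        if idp is None:  # organisation not found, or SAML SSO not configured
            return linked, unlinked
        page = idp["externalIdentities"]
        for edge in page["edges"]:
            node = edge["node"]
            name_id = (node["samlIdentity"] or {}).get("nameId")
            if node["user"]:  # user is null until a member links the identity
                linked[node["user"]["login"]] = name_id
            else:
                unlinked.append(name_id)
        if not page["pageInfo"]["hasNextPage"]:
            return linked, unlinked
        cursor = page["pageInfo"]["endCursor"]

def members_without_identity(member_logins, linked):
    """Org members with no linked IdP identity: the accounts to review first."""
    return sorted(set(member_logins) - set(linked))
```

The nameId values are what you search for in your IdP; members returned by members_without_identity have never signed in through SSO and are the first candidates for review.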

One important note: sometimes SEs get requests from customers to provide them with the email address of a particular account. Sometimes it is a valid request, where a past employee created an account, created a few repositories, then left the company, and the company lost access to those repositories. Or it is a machine account and the IT team forgot the password and the email address, so they can't reset the password or create a new token for the integration. While there are limited tools available to SEs to see some details of GitHub accounts, including email addresses, under no circumstances will we ever provide those details to anybody. If you need to obtain such account details, you should contact GitHub support and they will determine whether such a request is valid and whether it is within GitHub policies to disclose that information.