Tutorial: Configure GitHub for automatic user provisioning
The objective of this tutorial is to show you the steps you need to perform in GitHub and Azure AD to automate provisioning of GitHub Enterprise Cloud organization membership.
The Azure AD provisioning integration relies on the GitHub SCIM API, which is available to GitHub Enterprise Cloud customers on the GitHub Enterprise billing plan.
The scenario outlined in this tutorial assumes that you already have the following items:
- An Azure Active directory tenant
- A GitHub organization created in GitHub Enterprise Cloud, which requires the GitHub Enterprise billing plan
- A user account in GitHub with Admin permissions to the organization
- SAML configured for the GitHub Enterprise Cloud organization
- Ensure that OAuth access has been provided for your organization as described here
- SCIM provisioning to a single organization is supported only when SSO is enabled at the organization level
This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
Assigning users to GitHub
Azure Active Directory uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user account provisioning, only the users and groups that have been "assigned" to an application in Azure AD is synchronized.
Before configuring and enabling the provisioning service, you need to decide what users and/or groups in Azure AD represent the users who need access to your GitHub app. Once decided, you can assign these users to your GitHub app by following the instructions here:
For more information, see Assign a user or group to an enterprise app.
Important tips for assigning users to GitHub
We recommend that you assign a single Azure AD user to GitHub to test the provisioning configuration. Additional users and/or groups may be assigned later.
When assigning a user to GitHub, you must select either the User role, or another valid application-specific role (if available) in the assignment dialog. The Default Access role does not work for provisioning, and these users are skipped.
Configuring user provisioning to GitHub
This section guides you through connecting your Azure AD to GitHub's SCIM provisioning API to automate provisioning of GitHub organization membership. This integration, which leverages an OAuth app, automatically adds, manages, and removes members' access to a GitHub Enterprise Cloud organization based on user and group assignment in Azure AD. When users are provisioned to a GitHub organization via SCIM, an email invitation is sent to the user's email address.
Configure automatic user account provisioning to GitHub in Azure AD
In the Azure portal, browse to the Azure Active Directory > Enterprise Apps > All applications section.
If you have already configured GitHub for single sign-on, search for your instance of GitHub using the search field. Otherwise, select Add and search for GitHub in the application gallery. Select GitHub from the search results, and add it to your list of applications.
Select your instance of GitHub, then select the Provisioning tab.
Set the Provisioning Mode to Automatic.
Under the Admin Credentials section, click Authorize. This operation opens a GitHub authorization dialog in a new browser window. Note that you need to ensure you are approved to authorize access. Follow the directions described here.
In the new window, sign into GitHub using your Admin account. In the resulting authorization dialog, select the GitHub team that you want to enable provisioning for, and then select Authorize. Once completed, return to the Azure portal to complete the provisioning configuration.
In the Azure portal, input Tenant URL and click Test Connection to ensure Azure AD can connect to your GitHub app. If the connection fails, ensure your GitHub account has Admin permissions and Tenant URl is inputted correctly, then try the "Authorize" step again (you can constitute Tenant URL by rule:
https://api.github.com/scim/v2/organizations/<Organization_name>, you can find your organizations under your GitHub account: Settings > Organizations).
Enter the email address of a person or group who should receive provisioning error notifications in the Notification Email field, and check the checkbox "Send an email notification when a failure occurs."
Under the Mappings section, select Synchronize Azure Active Directory Users to GitHub.
In the Attribute Mappings section, review the user attributes that are synchronized from Azure AD to GitHub. The attributes selected as Matching properties are used to match the user accounts in GitHub for update operations. Do not enable the Matching precendence setting for the other default attributes in the Provisioning section because errors might occur. Select Save to commit any changes.
To enable the Azure AD provisioning service for GitHub, change the Provisioning Status to On in the Settings section.
This operation starts the initial synchronization of any users and/or groups assigned to GitHub in the Users and Groups section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the service is running. You can use the Synchronization Details section to monitor progress and follow links to provisioning activity logs, which describe all actions performed by the provisioning service.
For more information on how to read the Azure AD provisioning logs, see Reporting on automatic user account provisioning.
- Managing user account provisioning for Enterprise Apps
- What is application access and single sign-on with Azure Active Directory?
Submit and view feedback for