Tutorial: Configure GitHub for automatic user provisioning
The objective of this tutorial is to show you the steps you need to perform in GitHub and Azure AD to automatically provision and de-provision user accounts from Azure AD to GitHub.
The scenario outlined in this tutorial assumes that you already have the following items:
- An Azure Active directory tenant
- A GitHub organization created in GitHub Enterprise Cloud, which requires the GitHub Enterprise billing plan
- A user account in GitHub with Admin permissions to the organization
- Ensure that OAuth access has been provided for your organization as described here
Assigning users to GitHub
Azure Active Directory uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user account provisioning, only the users and groups that have been "assigned" to an application in Azure AD is synchronized.
Before configuring and enabling the provisioning service, you need to decide what users and/or groups in Azure AD represent the users who need access to your GitHub app. Once decided, you can assign these users to your GitHub app by following the instructions here:
Important tips for assigning users to GitHub
It is recommended that a single Azure AD user is assigned to GitHub to test the provisioning configuration. Additional users and/or groups may be assigned later.
When assigning a user to GitHub, you must select either the User role, or another valid application-specific role (if available) in the assignment dialog. The Default Access role does not work for provisioning, and these users are skipped.
Configuring user provisioning to GitHub
This section guides you through connecting your Azure AD to GitHub's user account provisioning API, and configuring the provisioning service to create, update, and disable assigned user accounts in GitHub based on user and group assignment in Azure AD.
You may also choose to enabled SAML-based Single Sign-On for GitHub, following the instructions provided in Azure portal. Single sign-on can be configured independently of automatic provisioning, though these two features compliment each other.
Configure automatic user account provisioning to GitHub in Azure AD
In the Azure portal, browse to the Azure Active Directory > Enterprise Apps > All applications section.
If you have already configured GitHub for single sign-on, search for your instance of GitHub using the search field. Otherwise, select Add and search for GitHub in the application gallery. Select GitHub from the search results, and add it to your list of applications.
Select your instance of GitHub, then select the Provisioning tab.
Set the Provisioning Mode to Automatic.
Under the Admin Credentials section, click Authorize. This operation opens a GitHub authorization dialog in a new browser window. Note that you need to ensure you are approved to authorize access. Follow the directions described here.
In the new window, sign into GitHub using your Admin account. In the resulting authorization dialog, select the GitHub team that you want to enable provisioning for, and then select Authorize. Once completed, return to the Azure portal to complete the provisioning configuration.
In the Azure portal, input Tenant URL and click Test Connection to ensure Azure AD can connect to your GitHub app. If the connection fails, ensure your GitHub account has Admin permissions and Tenant URl is inputted correctly, then try the "Authorize" step again (you can constitute Tenant URL by rule:
https://api.github.com/scim/v2/organizations/<Organization_name>, you can find your organizations under your GitHub account: Settings > Organizations).
Enter the email address of a person or group who should receive provisioning error notifications in the Notification Email field, and check the checkbox "Send an email notification when a failure occurs."
Under the Mappings section, select Synchronize Azure Active Directory Users to GitHub.
In the Attribute Mappings section, review the user attributes that are synchronized from Azure AD to GitHub. The attributes selected as Matching properties are used to match the user accounts in GitHub for update operations. Select the Save button to commit any changes.
To enable the Azure AD provisioning service for GitHub, change the Provisioning Status to On in the Settings section
This operation starts the initial synchronization of any users and/or groups assigned to GitHub in the Users and Groups section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the service is running. You can use the Synchronization Details section to monitor progress and follow links to provisioning activity logs, which describe all actions performed by the provisioning service.
For more information on how to read the Azure AD provisioning logs, see Reporting on automatic user account provisioning.
- Managing user account provisioning for Enterprise Apps
- What is application access and single sign-on with Azure Active Directory?