Merge branch 'main' into andrekolodochka-patch-2

2025-12-23 03:44:00 -05:00 · 2021-10-01 09:41:56 -05:00
parent dcee1b76ef eaa1a06304
commit 7e717847f9
16955 changed files with 445791 additions and 94102 deletions
--- a/content/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork.md
+++ b/content/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork.md
@@ -5,7 +5,7 @@ redirect_from:
  - /github/collaborating-with-issues-and-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork
  - /articles/creating-a-pull-request-from-a-fork
  - /github/collaborating-with-issues-and-pull-requests/creating-a-pull-request-from-a-fork
-permissions: Anyone with write access to a repository can create a pull request from a user-owned fork.
+permissions: 'Anyone with write access to a repository can create a pull request from a user-owned fork. {% data reusables.enterprise-accounts.emu-permission-propose %}'
 versions:
  fpt: '*'
  ghes: '*'
--- a/content/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request.md
+++ b/content/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request.md
@@ -1,6 +1,7 @@
 ---
 title: Creating a pull request
 intro: 'Create a pull request to propose and collaborate on changes to a repository. These changes are proposed in a *branch*, which ensures that the default branch only contains finished and approved work.'
+permissions: 'Anyone with read access to a repository can create a pull request. {% data reusables.enterprise-accounts.emu-permission-propose %}'
 redirect_from:
  - /github/collaborating-with-issues-and-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request
  - /articles/creating-a-pull-request
@@ -12,7 +13,7 @@ versions:
 topics:
  - Pull requests
 ---
-Anyone with read permissions to a repository can create a pull request, but you must have write permissions to create a branch. If you want to create a new branch for your pull request and don't have write permissions to the repository, you can fork the repository first. For more information, see "[Creating a pull request from a fork](/articles/creating-a-pull-request-from-a-fork)" and "[About forks](/articles/about-forks)."
+If you want to create a new branch for your pull request and do not have write permissions to the repository, you can fork the repository first. For more information, see "[Creating a pull request from a fork](/articles/creating-a-pull-request-from-a-fork)" and "[About forks](/articles/about-forks)."

 You can specify which branch you'd like to merge your changes into when you create your pull request. Pull requests can only be opened between two branches that are different.

--- a/content/github/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request.md
+++ b/content/github/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request.md
@@ -1,10 +1,10 @@
 ---
 title: Reviewing dependency changes in a pull request
 intro: 'If a pull request contains changes to dependencies, you can view a summary of what has changed and whether there are known vulnerabilities in any of the dependencies.'
+product: '{% data reusables.gated-features.dependency-review %}'
 versions:
  fpt: '*'
  ghes: '>= 3.2'
-  product: '{% data reusables.gated-features.dependency-review %}'
 type: how_to
 topics:
  - Pull requests
@@ -38,18 +38,19 @@ Dependency review allows you to "shift left". You can use the provided predictiv
 1. If the pull request contains many files, use the **File filter** drop-down menu to collapse all files that don't record dependencies. This will make it easier to focus your review on the dependency changes.

   ![The file filter menu](/assets/images/help/pull_requests/file-filter-menu-json.png)
+   The dependency review provides a clearer view of what has changed in large lock files, where the source diff is not rendered by default.
+
+  {% note %}
+
+   **Note:** Dependency review rich diffs are not available for committed static JavaScript files like `jquery.js`.
+
+   {% endnote %}

 1. On the right of the header for a manifest or lock file, display the dependency review by clicking the **{% octicon "file" aria-label="The rich diff icon" %}** rich diff button.

   ![The rich diff button](/assets/images/help/pull_requests/dependency-review-rich-diff.png)

-  {% note %}
-
-   **Note:** The dependency review provides a clearer view of what has changed in large lock files, where the source diff is not rendered by default.
-
-   {% endnote %}
-
-1. Check the dependencies listed in the dependency review.
+2. Check the dependencies listed in the dependency review.

   ![Vulnerability warnings in a dependency review](/assets/images/help/pull_requests/dependency-review-vulnerability.png)

--- a/content/github/collaborating-with-pull-requests/working-with-forks/about-forks.md
+++ b/content/github/collaborating-with-pull-requests/working-with-forks/about-forks.md
@@ -19,6 +19,12 @@ Forking a repository is similar to copying a repository, with two major differen

 {% data reusables.repositories.you-can-fork %}

+{% ifversion fpt %}
+
+If you're a member of a {% data variables.product.prodname_emu_enterprise %}, there are further restrictions on the repositories you can fork. {% data reusables.enterprise-accounts.emu-forks %} For more information, see "[About {% data variables.product.prodname_emus %}](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users)."
+
+{% endif %}
+
 {% data reusables.repositories.desktop-fork %}

 Deleting a fork will not delete the original upstream repository. You can make any changes you want to your fork—add collaborators, rename files, generate {% data variables.product.prodname_pages %}—with no effect on the original.{% ifversion fpt %} You cannot restore a deleted forked repository. For more information, see "[Restoring a deleted repository](/articles/restoring-a-deleted-repository)."{% endif %}
--- a/content/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/about-identity-and-access-management-for-your-enterprise-account.md
+++ b/content/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/about-identity-and-access-management-for-your-enterprise-account.md
@@ -20,6 +20,12 @@ If you use Azure AD as your IDP, you can use team synchronization to manage team

 {% data reusables.saml.switching-from-org-to-enterprise %} For more information, see "[Switching your SAML configuration from an organization to an enterprise account](/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/switching-your-saml-configuration-from-an-organization-to-an-enterprise-account)."

+## About {% data variables.product.prodname_emus %}
+
+{% data reusables.enterprise-accounts.emu-short-summary %}
+
+Configuring {% data variables.product.prodname_emus %} for SAML single-sign on and user provisioning involves following a different process than you would for an enterprise that isn't using {% data variables.product.prodname_managed_users %}. If your enterprise uses {% data variables.product.prodname_emus %}, see "[Configuring SAML single sign-on for Enterprise Managed Users](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-saml-single-sign-on-for-enterprise-managed-users)."
+
 ## Supported IdPs

 We test and officially support the following IdPs. For SAML SSO, we offer limited support for all identity providers that implement the SAML 2.0 standard. For more information, see the [SAML Wiki](https://wiki.oasis-open.org/security) on the OASIS website.
@@ -30,5 +36,4 @@ Active Directory Federation Services (AD FS) | {% octicon "check-circle-fill" ar
 Azure Active Directory (Azure AD) | {% octicon "check-circle-fill" aria-label="The check icon" %}  | {% octicon "check-circle-fill" aria-label="The check icon" %} |
 OneLogin | {% octicon "check-circle-fill" aria-label="The check icon" %}  | |
 PingOne | {% octicon "check-circle-fill" aria-label="The check icon" %}  | |
-Shibboleth | {% octicon "check-circle-fill" aria-label="The check icon" %}  | |
-
+Shibboleth | {% octicon "check-circle-fill" aria-label="The check icon" %}  | |
--- a/content/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/configuring-saml-single-sign-on-for-your-enterprise-account-using-okta.md
+++ b/content/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/configuring-saml-single-sign-on-for-your-enterprise-account-using-okta.md
@@ -15,6 +15,8 @@ shortTitle: Configure SAML with Okta
 ---
 {% data reusables.enterprise-accounts.user-provisioning-release-stage %}

+{% data reusables.enterprise-accounts.emu-saml-note %}
+
 ## About SAML with Okta

 You can control access to your enterprise account in {% data variables.product.product_name %} and other web applications from one central interface by configuring the enterprise account to use SAML SSO with Okta, an Identity Provider (IdP).
--- a/content/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/enforcing-saml-single-sign-on-for-organizations-in-your-enterprise-account.md
+++ b/content/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/enforcing-saml-single-sign-on-for-organizations-in-your-enterprise-account.md
@@ -12,6 +12,9 @@ redirect_from:
  - /github/setting-up-and-managing-your-enterprise/enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account
 shortTitle: Enforce SAML
 ---
+
+{% data reusables.enterprise-accounts.emu-saml-note %}
+
 ## About SAML single sign-on for enterprise accounts

 {% data reusables.saml.dotcom-saml-explanation %} For more information, see "[About identity and access management with SAML single sign-on](/organizations/managing-saml-single-sign-on-for-your-organization/about-identity-and-access-management-with-saml-single-sign-on)."
--- a/content/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/managing-team-synchronization-for-organizations-in-your-enterprise-account.md
+++ b/content/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/managing-team-synchronization-for-organizations-in-your-enterprise-account.md
@@ -11,6 +11,9 @@ redirect_from:
  - /github/setting-up-and-managing-your-enterprise/managing-team-synchronization-for-organizations-in-your-enterprise-account
 shortTitle: Manage team synchronization
 ---
+
+{% data reusables.enterprise-accounts.emu-scim-note %}
+
 ## About team synchronization for enterprise accounts

 If you use Azure AD as your IdP, you can enable team synchronization for your enterprise account to allow organization owners and team maintainers to synchronize teams in the organizations owned by your enterprise accounts with IdP groups.
--- a/content/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/switching-your-saml-configuration-from-an-organization-to-an-enterprise-account.md
+++ b/content/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/switching-your-saml-configuration-from-an-organization-to-an-enterprise-account.md
@@ -10,6 +10,8 @@ topics:
 shortTitle: Switching from organization
 ---

+{% data reusables.enterprise-accounts.emu-saml-note %}
+
 ## About SAML single sign-on for enterprise accounts

 {% data reusables.saml.dotcom-saml-explanation %} {% data reusables.saml.about-saml-enterprise-accounts %}
--- a/content/github/setting-up-and-managing-your-enterprise/index.md
+++ b/content/github/setting-up-and-managing-your-enterprise/index.md
@@ -14,6 +14,7 @@ topics:
 children:
  - /managing-your-enterprise-account
  - /managing-users-in-your-enterprise
+  - /managing-your-enterprise-users-with-your-identity-provider
  - /managing-organizations-in-your-enterprise-account
  - /configuring-identity-and-access-management-for-your-enterprise-account
  - /setting-policies-for-organizations-in-your-enterprise-account
--- a/content/github/setting-up-and-managing-your-enterprise/managing-organizations-in-your-enterprise-account/adding-organizations-to-your-enterprise-account.md
+++ b/content/github/setting-up-and-managing-your-enterprise/managing-organizations-in-your-enterprise-account/adding-organizations-to-your-enterprise-account.md
@@ -1,6 +1,6 @@
 ---
 title: Adding organizations to your enterprise account
-intro: You can create new organizations to manage within your enterprise account.
+intro: You can create new organizations or invite existing organizations to manage within your enterprise account.
 product: '{% data reusables.gated-features.enterprise-accounts %}'
 redirect_from:
  - /articles/adding-organizations-to-your-enterprise-account
@@ -12,9 +12,9 @@ topics:
  - Enterprise
 shortTitle: Add organizations
 ---
-Enterprise owners can create new organizations within an enterprise account's settings.
+Enterprise owners can create new organizations within an enterprise account's settings or invite existing organizations to join an enterprise account.

-To add an organization to your enterprise account, you must create the organization from within the enterprise account settings. If you want to transfer an existing organization to your enterprise account, contact your {% data variables.product.prodname_dotcom %} sales account representative.
+To add an organization to your enterprise account, you must create the organization from within the enterprise account settings.

 ## Creating an organization in your enterprise account

@@ -31,3 +31,20 @@ Enterprise owners who create an organization owned by the enterprise account aut
 5. Under "Invite owners", type the username of a person you'd like to invite to become an organization owner, then click **Invite**.
  ![Organization owner search field and Invite button](/assets/images/help/business-accounts/invite-org-owner.png)
 6. Click **Finish**.
+
+## Inviting an organization to join your enterprise account
+
+Enterprise owners can invite existing organizations to join their enterprise account. If the organization you want to invite is already owned by another enterprise, you will not be able to issue an invitation until the previous enterprise gives up ownership of the organization.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+2. On the **Organizations** tab, above the list of organizations, click **Invite organization**.
+![Invite organization](/assets/images/help/business-accounts/enterprise-account-invite-organization.png)
+3. Under "Organization name", start typing the name of the organization you want to invite and select it when it appears in the drop-down list.
+![Search for organization](/assets/images/help/business-accounts/enterprise-account-search-for-organization.png)
+4. Click **Invite organization**.
+5. The organization owners will receive an email inviting them to join the organization. At least one owner needs to accept the invitation before the process can continue. You can cancel or resend the invitation at any time before an owner approves it.
+![Cancel or resend](/assets/images/help/business-accounts/enterprise-account-invitation-sent.png)
+6. Once an organization owner has approved the invitation, you can view its status in the list of pending invitations.
+![Pending invitation](/assets/images/help/business-accounts/enterprise-account-pending.png)
+7. Click **Approve** to complete the transfer, or **Cancel** to cancel it.
+![Approve invitation](/assets/images/help/business-accounts/enterprise-account-transfer-approve.png)
--- a/content/github/setting-up-and-managing-your-enterprise/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise.md
+++ b/content/github/setting-up-and-managing-your-enterprise/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise.md
@@ -28,6 +28,12 @@ If you want to manage owners and billing managers for an enterprise account on {

 {% endif %}

+{% ifversion fpt %}
+
+If your enterprise uses {% data variables.product.prodname_emus %}, enterprise owners can only be added or removed through your identity provider. For more information, see "[About {% data variables.product.prodname_emus %}](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users)."
+
+{% endif %}
+
 {% tip %}

 **Tip:** For more information on managing users within an organization owned by your enterprise account, see "[Managing membership in your organization](/articles/managing-membership-in-your-organization)" and "[Managing people's access to your organization with roles](/articles/managing-peoples-access-to-your-organization-with-roles)."
--- a/content/github/setting-up-and-managing-your-enterprise/managing-users-in-your-enterprise/roles-in-an-enterprise.md
+++ b/content/github/setting-up-and-managing-your-enterprise/managing-users-in-your-enterprise/roles-in-an-enterprise.md
@@ -20,7 +20,14 @@ Everyone in an enterprise is a member of the enterprise. You can also assign adm

 {% data reusables.enterprise-accounts.enterprise-administrators %}

-For more information about adding people to your enterprise, see "{% ifversion fpt %}[Inviting people to manage your enterprise](/github/setting-up-and-managing-your-enterprise/inviting-people-to-manage-your-enterprise){% else %}[Authentication](/admin/authentication){% endif %}".
+{% ifversion fpt %}
+If your enterprise does not use {% data variables.product.prodname_emus %}, you can invite someone to an administrative role using a user account on {% data variables.product.product_name %} that they control. For more information, see "[Inviting people to manage your enterprise](/github/setting-up-and-managing-your-enterprise/inviting-people-to-manage-your-enterprise)".
+
+In an enterprise using {% data variables.product.prodname_emus %}, new owners and members must be provisioned through your identity provider. Enterprise owners and organization owners cannot add new members or owners to the enterprise using {% data variables.product.prodname_dotcom %}. You can select a member's enterprise role using your IdP and it cannot be changed on {% data variables.product.prodname_dotcom %}. You can select a member's role in an organization on {% data variables.product.prodname_dotcom %}. For more information, see "[About {% data variables.product.prodname_emus %}](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users)."
+{% else %}
+For more information about adding people to your enterprise, see "[Authentication](/admin/authentication)".
+
+{% endif %}

 ## Enterprise owner

--- a/content/github/setting-up-and-managing-your-enterprise/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise.md
+++ b/content/github/setting-up-and-managing-your-enterprise/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise.md
@@ -17,10 +17,14 @@ shortTitle: View & manage SAML access

 When you enable SAML single sign-on for your enterprise account, each enterprise member can link their external identity on your identity provider (IdP) to their existing {% data variables.product.product_name %} account. {% data reusables.saml.about-saml-access-enterprise-account %}

+If your enterprise is uses {% data variables.product.prodname_emus %}, your members will use accounts provisioned through your IdP. {% data variables.product.prodname_managed_users_caps %} will not use their existing user account on {% data variables.product.product_name %}. For more information, see "[About {% data variables.product.prodname_emus %}](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users)."
+
 ## Viewing and revoking a linked identity

 {% data reusables.saml.about-linked-identities %}

+If your enterprise uses {% data variables.product.prodname_emus %}, you will not be able to deprovision or remove user accounts from the enterprise on {% data variables.product.product_name %}. Any changes you need to make to your enterprise's {% data variables.product.prodname_managed_users %} should be made through your IdP.
+
 {% data reusables.identity-and-permissions.revoking-identity-team-sync %}

 {% data reusables.enterprise-accounts.access-enterprise %}
--- a/content/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users.md
+++ b/content/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users.md
@@ -0,0 +1,84 @@
+---
+title: About Enterprise Managed Users
+shortTitle: About managed users
+intro: You can centrally manage identity and access for your enterprise members on {% data variables.product.prodname_dotcom %} from your identity provider.
+product: '{% data reusables.gated-features.emus %}'
+redirect_from:
+  - /early-access/github/articles/get-started-with-managed-users-for-your-enterprise
+versions:
+  fpt: '*'
+topics:
+  - Accounts
+  - Enterprise
+---
+
+## About {% data variables.product.prodname_emus %}
+
+With {% data variables.product.prodname_emus %}, you can control the user accounts of your enterprise members through your identity provider (IdP). You can simplify authentication with SAML single sign-on (SSO) and provision, update, and deprovision user accounts for your enterprise members. Users assigned to the {% data variables.product.prodname_emu_idp_application %} application in your IdP are provisioned as new user accounts on {% data variables.product.prodname_dotcom %} and added to your enterprise. You control usernames, profile data, team membership, and repository access from your IdP.
+
+In your IdP, you can give each {% data variables.product.prodname_managed_user %} the role of user, enterprise owner, or billing manager. {% data variables.product.prodname_managed_users_caps %} can own organizations within your enterprise and can add other {% data variables.product.prodname_managed_users %} to the organizations and teams within. For more information, see "[Roles in an enterprise](/github/setting-up-and-managing-your-enterprise/managing-users-in-your-enterprise/roles-in-an-enterprise)" and "[About organizations](/organizations/collaborating-with-groups-in-organizations/about-organizations)."
+
+You can also manage team membership within an organization in your enterprise directly through your IdP, allowing you to manage repository access using groups in your IdP. Organization membership can be managed manually or updated automatically as {% data variables.product.prodname_managed_users %} are added to teams within the organization. For more information, see "[Managing team memberships with identity provider groups](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/managing-team-memberships-with-identity-provider-groups)."
+
+You can grant {% data variables.product.prodname_managed_users %} access and the ability to contribute to repositories within your enterprise, but {% data variables.product.prodname_managed_users %} cannot create public content or collaborate with other users, organizations, and enterprises on the rest of {% data variables.product.prodname_dotcom %}. The {% data variables.product.prodname_managed_users %} provisioned for your enterprise cannot be invited to organizations or repositories outside of the enterprise, nor can the {% data variables.product.prodname_managed_users %} be invited to other enterprises. Outside collaborators are not supported by {% data variables.product.prodname_emus %}.
+
+The usernames of your enterprise's {% data variables.product.prodname_managed_users %} and their profile information, such as display names and email addresses, are set by through your IdP and cannot be changed by the users themselves. For more information, see "[Usernames and profile information](#usernames-and-profile-information)."
+
+{% data reusables.enterprise-accounts.emu-forks %}
+
+Enterprise owners can audit all of the {% data variables.product.prodname_managed_users %}' actions on {% data variables.product.prodname_dotcom %}.
+
+To use {% data variables.product.prodname_emus %}, you need a separate type of enterprise account with {% data variables.product.prodname_emus %} enabled. For more information about creating this account, see "[About enterprises with managed users](#about-enterprises-with-managed-users)."
+
+
+## Identity provider support
+
+{% data variables.product.prodname_emus %} supports the following IdPs:
+
+{% data reusables.enterprise-accounts.emu-supported-idps %}
+
+## Abilities and restrictions of {% data variables.product.prodname_managed_users %}
+
+{% data variables.product.prodname_managed_users_caps %} can only contribute to private and internal repositories within their enterprise and private repositories owned by their user account. {% data variables.product.prodname_managed_users_caps %} have read-only access to the wider {% data variables.product.prodname_dotcom %} community.
+
+* {% data variables.product.prodname_managed_users_caps %} cannot create issues or pull requests in, comment or add reactions to, nor star, watch, or fork repositories outside of the enterprise.
+* {% data variables.product.prodname_managed_users_caps %} cannot push code to repositories outside of the enterprise.
+* {% data variables.product.prodname_managed_users_caps %} and the content they create is only visible to other members of the enterprise. 
+* {% data variables.product.prodname_managed_users_caps %} cannot follow users outside of the enterprise.
+* {% data variables.product.prodname_managed_users_caps %} cannot create gists or comment on gists.
+* {% data variables.product.prodname_managed_users_caps %} cannot install {% data variables.product.prodname_github_apps %} on their user accounts.
+* Other {% data variables.product.prodname_dotcom %} users cannot see, mention, or invite a {% data variables.product.prodname_managed_user %} to collaborate.
+* {% data variables.product.prodname_managed_users_caps %} can only own private repositories and {% data variables.product.prodname_managed_users %} can only invite other enterprise members to collaborate on their owned repositories.
+* Only private and internal repositories can be created in organizations owned by an {% data variables.product.prodname_emu_enterprise %}, depending on organization and enterprise repository visibility settings. 
+
+## About enterprises with managed users
+
+To use {% data variables.product.prodname_emus %}, you need a separate type of enterprise account with {% data variables.product.prodname_emus %} enabled. To try out {% data variables.product.prodname_emus %} or to discuss options for migrating from your existing enterprise, please contact [{% data variables.product.prodname_dotcom %}'s Sales team](https://enterprise.github.com/contact).
+
+Your contact on the GitHub Sales team will work with you to create your new {% data variables.product.prodname_emu_enterprise %}. You'll need to provide the email address for the user who will set up your enterprise and a short code that will be used as the suffix for your enterprise members' usernames. {% data reusables.enterprise-accounts.emu-shortcode %} For more information, see "[Usernames and profile information](#usernames-and-profile-information)."
+
+After we create your enterprise, you will receive an email from {% data variables.product.prodname_dotcom %} inviting you to choose a password for your enterprise's setup user, which will be the first owner in the enterprise. The setup user is only used to configure SAML single sign-on and SCIM provisioning integration for the enterprise. It will no longer have access to administer the enterprise account once SAML is successfully enabled.
+
+The setup user's username is your enterprise's shortcode suffixed with `_admin`. After you log in to your setup user, you can get started by configuring SAML SSO for your enterprise. For more information, see "[Configuring SAML single sign-on for Enterprise Managed Users](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-saml-single-sign-on-for-enterprise-managed-users)."
+
+{% note %}
+
+{% data reusables.enterprise-accounts.emu-password-reset-session %}
+
+{% endnote %}
+
+## Authenticating as a {% data variables.product.prodname_managed_user %}
+
+{% data variables.product.prodname_managed_users_caps %} must authenticate through their identity provider.
+
+To authenticate, {% data variables.product.prodname_managed_users %} must visit their IdP application portal or **https://github.com/enterprises/ENTERPRISE_NAME**, replacing **ENTERPRISE_NAME** with your enterprise's name.
+
+## Usernames and profile information
+
+When your {% data variables.product.prodname_emu_enterprise %} is created, you will choose a short code that will be used as the suffix for your enterprise member's usernames. {% data reusables.enterprise-accounts.emu-shortcode %} The setup user who configures SAML SSO has a username in the format of **@<em>SHORT-CODE</em>_admin**.
+
+When you provision a new user from your identity provider, the new {% data variables.product.prodname_managed_user %} will have a {% data variables.product.product_name %} username in the format of **@<em>IDP-USERNAME</em>_<em>SHORT-CODE</em>**. When using Azure Active Directory (Azure AD), _IDP-USERNAME_ is formed by normalizing the characters preceding the `@` character in the UPN (User Principal Name) provided by Azure AD. When using Okta, _IDP-USERNAME_ is the normalized username attribute provided by Okta.
+
+The username of the new account provisioned on {% data variables.product.product_name %}, including underscore and short code, must not exceed 39 characters.
+
+The profile name and email address of a {% data variables.product.prodname_managed_user %} is also provided by the IdP. {% data variables.product.prodname_managed_users_caps %} cannot change their profile name or email address on {% data variables.product.prodname_dotcom %}.
--- a/content/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/auditing-activity-in-your-enterprise.md
+++ b/content/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/auditing-activity-in-your-enterprise.md
@@ -0,0 +1,33 @@
+---
+title: Auditing activity in your enterprise
+shortTitle: Auditing activity
+intro: 'You can audit the activity of the {% data variables.product.prodname_managed_users %} in your enterprise, viewing information about what actions were performed, by which user, and when they took place.'
+permissions: 'Enterprise owners can access the audit log.'
+product: '{% data reusables.gated-features.emus %}'
+versions:
+  fpt: '*'
+topics:
+  - Accounts
+  - Enterprise
+---
+
+## About the audit log
+
+The audit log allows enterprise owners to quickly review or export the actions performed by both owners and members of your enterprise. Each audit log entry shows information about the event.
+
+- The organization an action was performed in
+- The user who performed the action
+- Which repository an action was performed in
+- The action that was performed
+- Which country the action took place in
+- The date and time the action occurred
+
+## Accessing the audit log
+
+You can also access the audit log for your enterprise from the REST API. For more information, see "[GitHub Enterprise administration](/rest/reference/enterprise-admin#get-the-audit-log-for-an-enterprise)" in the API documentation.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.audit-log-tab %}
+1. Optionally, above the list of events, select the **Export Git Events** or **Export** drop-down menu and choose options for exporting events from the audit log.
+  !["Export Git Events" and "Export" drop-down menus for the enterprise audit log](/assets/images/help/enterprises/audit-log-export-drop-down-menus.png)
--- a/content/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-saml-single-sign-on-for-enterprise-managed-users.md
+++ b/content/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-saml-single-sign-on-for-enterprise-managed-users.md
@@ -0,0 +1,117 @@
+---
+title: Configuring SAML single sign-on for Enterprise Managed Users
+shortTitle: SAML for managed users
+intro: 'You can automatically manage access to your enterprise account on {% data variables.product.prodname_dotcom %} by configuring Security Assertion Markup Language (SAML) single sign-on (SSO).'
+product: '{% data reusables.gated-features.emus %}'
+versions:
+  fpt: '*'
+topics:
+  - Accounts
+  - Enterprise
+---
+
+## About SAML single sign-on for {% data variables.product.prodname_emus %}
+
+With {% data variables.product.prodname_emus %}, your enterprise uses SAML SSO to authenticate all members. Instead of signing in to {% data variables.product.prodname_dotcom %} with a {% data variables.product.prodname_dotcom %} username and password, members of your enterprise will sign in through your IdP.
+
+{% data variables.product.prodname_emus %} supports the following IdPs:
+
+{% data reusables.enterprise-accounts.emu-supported-idps %}
+
+After you configure SAML SSO, we recommend storing your recovery codes so you can recover access to your enterprise in the event that your identity provider is unavailable. For more information, see "[Saving your recovery codes](#saving-your-recovery-codes)."
+
+## Configuring SAML single sign-on for {% data variables.product.prodname_emus %}
+
+To configure SAML SSO for your {% data variables.product.prodname_emu_enterprise %}, you must configure an application on your IdP and then configure your enterprise on GitHub.com. After you configure SAML SSO, you can configure user provisioning. 
+
+To install and configure the {% data variables.product.prodname_emu_idp_application %} application on your IdP, you must have a tenant and administrative access on a supported IdP.
+
+{% note %}
+
+{% data reusables.enterprise-accounts.emu-password-reset-session %}
+
+{% endnote %}
+
+1. [Configuring your identity provider](#configuring-your-identity-provider)
+2. [Configuring your enterprise](#configuring-your-enterprise)
+3. [Enabling provisioning](#enabling-provisioning)
+
+### Configuring your identity provider
+
+To configure your IdP, follow the instructions they provide for configuring the {% data variables.product.prodname_emu_idp_application %} application on your IdP.
+
+1. To install the {% data variables.product.prodname_emu_idp_application %} application, click the link for your IdP below:
+
+     - [{% data variables.product.prodname_emu_idp_application %} application on Azure Active Directory](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.githubenterprisemanageduser?tab=Overview)
+     - [{% data variables.product.prodname_emu_idp_application %} application on Okta](https://www.okta.com/integrations/github-enterprise-managed-user)
+
+1. To configure the {% data variables.product.prodname_emu_idp_application %} application and your IdP, click the link below and follow the instructions provided by your IdP:
+
+     - [Azure Active Directory tutorial for {% data variables.product.prodname_emus %}](https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/github-enterprise-managed-user-tutorial)
+     - [Okta documentation for {% data variables.product.prodname_emus %}](https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-GitHub-Enterprise-Managed-User.html)
+
+1. So you can test and configure your enterprise, assign yourself or the user that will be configuring SAML SSO on {% data variables.product.prodname_dotcom %} to the {% data variables.product.prodname_emu_idp_application %} application on your IdP.
+
+1. To enable you to continue configuring your enterprise on {% data variables.product.prodname_dotcom %}, locate and note the following information from the application you installed on your IdP:
+
+    | Value | Other names | Description |
+    | :- | :- | :- |
+    | IdP Sign-On URL | Login URL, IdP URL | Application's URL on your IdP |
+    | IdP Identifier URL | Issuer | IdP's identifier to service providers for SAML authentication |
+    | Signing certificate, Base64-encoded | Public certificate | Public certificate that IdP uses to sign authentication requests |
+
+### Configuring your enterprise
+
+After you install and configure the {% data variables.product.prodname_emu_idp_application %} application on your identity provider, you can configure your enterprise. 
+
+1. Sign into {% data variables.product.prodname_dotcom_the_website %} as the setup user for your new enterprise with the username **@<em>SHORT-CODE</em>_admin**.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.security-tab %}
+
+1. Under "SAML single sign-on", select **Require SAML authentication**.
+  ![Checkbox for enabling SAML SSO](/assets/images/help/business-accounts/enable-saml-auth-enterprise.png)
+
+1. Under **Sign on URL**, type the HTTPS endpoint of your IdP for single sign-on requests that you noted while configuring your IdP.
+![Field for the URL that members will be forwarded to when signing in](/assets/images/help/saml/saml_sign_on_url_business.png)
+
+1. Under **Issuer**, type your SAML issuer URL that you noted while configuring your IdP, to verify the authenticity of sent messages.
+![Field for the SAML issuer's name](/assets/images/help/saml/saml_issuer.png)
+
+1. Under **Public Certificate**, paste the certificate that you noted while configuring your IdP, to verify SAML responses.
+![Field for the public certificate from your identity provider](/assets/images/help/saml/saml_public_certificate.png)
+
+1. To verify the integrity of the requests from your SAML issuer, click {% octicon "pencil" aria-label="The edit icon" %}. Then, in the "Signature Method" and "Digest Method" drop-downs, choose the hashing algorithm used by your SAML issuer.
+![Drop-downs for the Signature Method and Digest method hashing algorithms used by your SAML issuer](/assets/images/help/saml/saml_hashing_method.png)
+
+1. Before enabling SAML SSO for your enterprise, to ensure that the information you've entered is correct, click **Test SAML configuration**. ![Button to test SAML configuration before enforcing](/assets/images/help/saml/saml_test.png)
+
+1. Click **Save**.
+
+    {% note %}
+
+    **Note:** When you require SAML SSO for your enterprise, the setup user will no longer have access to the enterprise but will remain signed in to GitHub. Only {% data variables.product.prodname_managed_users %} provisioned by your IdP will have access to the enterprise.
+
+    {% endnote %}
+
+1. To ensure you can still access your enterprise in the event that your identity provider is ever unavailable in the future, click **Download**, **Print**, or **Copy** to save your recovery codes.
+![Button to test SAML configuration before enforcing](/assets/images/help/saml/saml_recovery_code_options.png)
+
+### Enabling provisioning
+
+After you enable SAML SSO, enable provisioning. For more information, see "[Configuring SCIM provisioning for enterprise managed users](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users)."
+
+## Saving your recovery codes
+
+In the event that your identity provider is unavailable, you can use the setup user and a recovery code to sign in and access your enterprise. If you did not save your recovery codes when you configured SAML SSO, you can still access them from your enterprise's settings.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.security-tab %}
+
+1. Under "Require SAML authentication", click **Save your recovery codes**.
+![Button to test SAML configuration before enforcing](/assets/images/help/enterprises/saml-recovery-codes-link.png)
+
+2. To save your recovery codes, click **Download**, **Print**, or **Copy**.
+![Button to test SAML configuration before enforcing](/assets/images/help/saml/saml_recovery_code_options.png)
--- a/content/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users-with-okta.md
+++ b/content/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users-with-okta.md
@@ -0,0 +1,80 @@
+---
+title: Configuring SCIM provisioning for Enterprise Managed Users with Okta
+shortTitle: Set up provisioning with Okta
+intro: 'You can provision new users and manage their membership of your enterprise and teams using Okta as your identity provider.'
+product: '{% data reusables.gated-features.emus %}'
+versions:
+  fpt: '*'
+redirect_from:
+  - /early-access/github/articles/configuring-provisioning-for-managed-users-with-okta
+topics:
+  - Accounts
+  - Enterprise
+---
+
+## About provisioning with Okta
+
+You can use {% data variables.product.prodname_emus %} with Okta as your identity provider to provision new accounts, manage enterprise membership, and manage team memberships for organizations in your enterprise. For more information about provisioning for {% data variables.product.prodname_emus %}, see "[Configuring SCIM provisioning for enterprise managed users](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users)."
+
+Before you can configure provisioning with Okta, you must configure SAML single-sign on. For more information, see "[Configuring SAML single sign-on for Enterprise Managed Users](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-saml-single-sign-on-for-enterprise-managed-users)."
+
+To configure provisioning with Okta, you must set your enterprise's name in the {% data variables.product.prodname_emu_idp_application %} application and enter your setup user's personal access token. You can then start provisioning users in Okta.
+
+## Supported features
+
+{% data variables.product.prodname_emus %} supports many provisioning features in Okta.
+
+| Feature | Description |
+| --- | --- |
+| Push New Users | Users that are assigned to the {% data variables.product.prodname_emu_idp_application %} application in Okta are automatically created in the enterprise on {% data variables.product.product_name %}. |
+| Push Profile Update | Updates made to the user's profile in Okta will be pushed to {% data variables.product.product_name %}. |
+| Push Groups | Groups in Okta that are assigned to the {% data variables.product.prodname_emu_idp_application %} application as Push Groups are automatically created in the enterprise on {% data variables.product.product_name %}. |
+| Push User Deactivation | Unassigning the user from the {% data variables.product.prodname_emu_idp_application %} application in Okta will disable the user on {% data variables.product.product_name %}. The user will not be able to sign in, but the user's information is maintained. |
+| Reactivate Users | Users in Okta whose Okta accounts are reactivated and who are assigned back to the {% data variables.product.prodname_emu_idp_application %} application will be enabled. |
+
+{% note %}
+
+**Note:** {% data variables.product.prodname_emus %} does not support modifications to usernames.
+
+{% endnote %}
+
+## Setting your enterprise name
+
+After your {% data variables.product.prodname_emu_enterprise %} has been created, you can begin to configure provisioning by setting your enterprise name in Okta.
+
+1. Navigate to your {% data variables.product.prodname_emu_idp_application %} application on Okta.
+1. Click the **Sign On** tab.
+1. To make changes, click **Edit**.
+1. Under "Advanced Sign-on Settings", in the "Enterprise Name" text box, type your enterprise name. For example, if you access your enterprise at `https://github.com/enterprises/octoinc`, your enterprise name would be "octoinc".
+![Screenshot of the Enterprise Name field on Okta](/assets/images/help/enterprises/okta-emu-enterprise-name.png)
+1. To save your enterprise name, click **Save**.
+
+## Configuring provisioning
+
+After setting your enterprise name, you can proceed to configure provisioning settings.
+
+To configure provisioning, the setup user with the **@<em>SHORT-CODE</em>_admin** username will need to provide a personal access token with the **admin:enterprise** scope. For more information on creating a new token, see "[Creating a personal access token](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users#creating-a-personal-access-token)."
+
+1. Navigate to your {% data variables.product.prodname_emu_idp_application %} application on Okta.
+1. Click the **Provisioning** tab.
+1. In the settings menu, click **Integration**.
+1. To make changes, click **Edit**.
+1. Select **Enable API integration**.
+1. In the "API Token" field, enter the personal access token with the **admin:enterprise** scope belonging to the setup user.
+![Screenshot showing the API Token field on Okta](/assets/images/help/enterprises/okta-emu-token.png)
+1. Click **Test API Credentials**. If the test is successful, a verification message will appear at the top of the screen.
+1. To save the token, click **Save**.
+1. In the settings menu, click **To App**.
+![Screenshot showing the To App menu item on Okta](/assets/images/help/enterprises/okta-emu-to-app-menu.png)
+1. To the right of "Provisioning to App", to allow changes to be made, click **Edit**.
+1. Select **Enable** for **Create Users**, **Update User Attributes**, and **Deactivate Users**.
+![Screenshot showing provisioning options on Okta](/assets/images/help/enterprises/okta-emu-provisioning-to-app.png)
+1. To finish configuring provisioning, click **Save**.
+
+## Assigning users
+
+After you have configured SAML SSO and provisioning, you will be able provision new users on {% data variables.product.prodname_dotcom_the_website %} by assigning users to the {% data variables.product.prodname_emu_idp_application %} application. You can also automatically manage organization membership by assigning groups to the application as push groups and connecting the push groups to teams in your organizations. For more information about managing teams, see "[Managing team memberships with identity provider groups](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/managing-team-memberships-with-identity-provider-groups)."
+
+When assigning users, you can use the "Roles" attribute in the {% data variables.product.prodname_emu_idp_application %} application to set a user's role in your enterprise on {% data variables.product.product_name %}. For more information on roles, see "[Roles in an enterprise](/github/setting-up-and-managing-your-enterprise/managing-users-in-your-enterprise/roles-in-an-enterprise)."
+
+![Screenshot showing the role options for provisioned user on Okta](/assets/images/help/enterprises/okta-emu-user-role.png)
--- a/content/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users.md
+++ b/content/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users.md
@@ -0,0 +1,59 @@
+---
+title: Configuring SCIM provisioning for Enterprise Managed Users
+shortTitle: Provisioning managed users
+intro: 'You can configure your identity provider to provision new users and manage their membership in your enterprise and teams.'
+product: '{% data reusables.gated-features.emus %}'
+versions:
+  fpt: '*'
+topics:
+  - Accounts
+  - Enterprise
+---
+
+## About provisioning for {% data variables.product.prodname_emus %}
+
+You can configure provisioning for {% data variables.product.prodname_emus %} to create, manage, and deactivate user accounts for your enterprise members. When you configure provisioning for {% data variables.product.prodname_emus %}, users assigned to the {% data variables.product.prodname_emu_idp_application %} application in your identity provider are provisioned as new user accounts on {% data variables.product.prodname_dotcom %} via SCIM, and the users are added to your enterprise. 
+
+When you update information associated with a user's identity on your IdP, your IdP will update the user's account on GitHub.com. When you unassign the user from the {% data variables.product.prodname_emu_idp_application %} application or deactivate a user's account on your IdP, your IdP will communicate with {% data variables.product.prodname_dotcom %} to invalidate any SAML sessions and disable the member's account. The disabled account's information is maintained and their username is changed to a hash of their original username with the short code appended. If you reassign a user to the {% data variables.product.prodname_emu_idp_application %} application or reactivate their account on your IdP, the {% data variables.product.prodname_managed_user %} account on {% data variables.product.prodname_dotcom %} will be reactivated and username restored.
+
+Groups in your IdP can be used to manage team membership within your enterprise's organizations, allowing you to configure repository access and permissions through your IdP. For more information, see "[Managing team memberships with identity provider groups](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/managing-team-memberships-with-identity-provider-groups)."
+
+## Prerequisites
+
+Before you can configure provisioning for {% data variables.product.prodname_emus %}, you must configure SAML single-sign on. For more information, see "[Configuring SAML single sign-on for Enterprise Managed Users](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-saml-single-sign-on-for-enterprise-managed-users)."
+
+## Creating a personal access token
+
+To configure provisioning for your {% data variables.product.prodname_emu_enterprise %}, you need a personal access token with the **admin:enterprise** scope that belongs to the setup user.
+
+{% warning %}
+
+**Warning:** If the token expires or a provisioned user creates the token, SCIM provisioning may unexpectedly stop working. Make sure that you create the token while signed in as the setup user and that the token expiration is set to "No expiration".
+
+{% endwarning %}
+
+1. Sign into {% data variables.product.prodname_dotcom_the_website %} as the setup user for your new enterprise with the username **@<em>SHORT-CODE</em>_admin**.
+{% data reusables.user_settings.access_settings %}
+{% data reusables.user_settings.developer_settings %}
+{% data reusables.user_settings.personal_access_tokens %}
+{% data reusables.user_settings.generate_new_token %}
+1. Under **Note**, give your token a descriptive name.
+   ![Screenshot showing the token's name](/assets/images/help/enterprises/emu-pat-name.png)
+1. Select the **Expiration** drop-down menu, then click **No expiration**.
+   ![Screenshot showing token expiration set to no expiration](/assets/images/help/enterprises/emu-pat-no-expiration.png)
+1. Select the **admin:enterprise** scope.
+   ![Screenshot showing the admin:enterprise scope](/assets/images/help/enterprises/enterprise-pat-scope.png)
+1. Click **Generate token**.
+   ![Generate token button](/assets/images/help/settings/generate_token.png)
+1. To copy the token to your clipboard, click the {% octicon "paste" aria-label="The copy icon" %}.
+   ![Newly created token](/assets/images/help/settings/personal_access_tokens.png)
+2. To save the token for use later, store the new token securely in a password manager.
+
+## Configuring provisioning for {% data variables.product.prodname_emus %}
+
+After creating your personal access token and storing it securely, you can configure provisioning on your identity provider.
+
+To configure Azure Active Directory to provision users for your {% data variables.product.prodname_emu_enterprise %}, see [Tutorial: Configure GitHub Enterprise Managed User for automatic user provisioning](https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/github-enterprise-managed-user-provisioning-tutorial) in the Azure AD documentation.
+
+To configure Okta to provision users for your {% data variables.product.prodname_emu_enterprise %}, see "[Configuring SCIM provisioning for Enterprise Managed Users with Okta](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users-with-okta)."
+
--- a/content/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/index.md
+++ b/content/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/index.md
@@ -0,0 +1,19 @@
+---
+title: Managing your enterprise users with your identity provider
+shortTitle: Manage users with your IdP
+product: '{% data reusables.gated-features.emus %}'
+intro: 'You can manage identity and access with your identity provider and provision accounts that can only contribute to your enterprise.'
+versions:
+  fpt: '*'
+topics:
+  - Enterprise
+  - Accounts
+children:
+  - /about-enterprise-managed-users
+  - /configuring-saml-single-sign-on-for-enterprise-managed-users
+  - /configuring-scim-provisioning-for-enterprise-managed-users
+  - /configuring-scim-provisioning-for-enterprise-managed-users-with-okta
+  - /managing-team-memberships-with-identity-provider-groups
+  - /auditing-activity-in-your-enterprise
+---
+
--- a/content/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/managing-team-memberships-with-identity-provider-groups.md
+++ b/content/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/managing-team-memberships-with-identity-provider-groups.md
@@ -0,0 +1,70 @@
+---
+title: Managing team memberships with identity provider groups
+shortTitle: Manage teams with your IdP
+intro: You can manage team membership on {% data variables.product.product_name %} through your identity provider (IdP) by connecting IdP groups with your {% data variables.product.prodname_emu_enterprise %}.
+product: '{% data reusables.gated-features.emus %}'
+versions:
+  fpt: '*'
+topics:
+  - Accounts
+  - Enterprise
+---
+
+## About team management with {% data variables.product.prodname_emus %}
+
+With {% data variables.product.prodname_emus %}, you can manage team membership within your enterprise through your IdP. When you connect a team in one of your enterprise's organizations to an IdP group, changes to membership from the IdP group are reflected in your enterprise automatically, reducing the need for manual updates and custom scripts. 
+
+When a change to an IdP group or a new team connection results in a {% data variables.product.prodname_managed_user %} joining a team in an organization they were not already a member of, the {% data variables.product.prodname_managed_user %} will automatically be added to the organization. Organization owners can also manage organization membership manually. When you disconnect a group from a team, users who became members of the organization via team membership are removed from the organization if they are not assigned membership in the organization by any other means.
+
+You can connect a team in your enterprise to one IdP group. You can assign the same IdP group to multiple teams in your enterprise.
+
+If you are connecting an existing team to an IdP group, you must first remove any members that were added manually. After you connect a team in your enterprise to an IdP group, your IdP administrator must make team membership changes through the identity provider. You cannot manage team membership on {% data variables.product.prodname_dotcom_the_website %}.
+
+When group membership changes on your IdP, your IdP sends a SCIM request with the changes to {% data variables.product.prodname_dotcom_the_website %} according to the schedule determined by your IdP, so change may not be immediate. Any requests that change team or organization membership will register in the audit log as changes made by the account used to configure user provisioning.
+
+Teams connected to IdP groups cannot be parents of other teams nor a child of another team. If the team you want to connect to an IdP group is a parent or child team, we recommend creating a new team or removing the nested relationships that make your team a parent team.
+
+To manage repository access for any team in your enterprise, including teams connected to an IdP group, you must make changes on {% data variables.product.prodname_dotcom_the_website %}. For more information, see "[Managing team access to an organization repository](/organizations/managing-access-to-your-organizations-repositories/managing-team-access-to-an-organization-repository)".
+
+## Creating a new team connected to an IdP group
+
+Any member of an organization can create a new team and connect the team to an IdP group. 
+
+{% data reusables.profile.access_org %}
+{% data reusables.user_settings.access_org %}
+{% data reusables.organizations.new_team %}
+{% data reusables.organizations.team_name %}
+{% data reusables.organizations.team_description %}
+1. To connect a team, select the "Identity Provider Groups" drop-down menu and click the team you want to connect.
+    ![Drop-down menu to choose identity provider groups](/assets/images/help/teams/choose-an-idp-group.png)
+{% data reusables.organizations.team_visibility %}
+{% data reusables.organizations.create_team %}
+
+## Managing the connection between an existing team and an IdP group
+
+Organization owners and team maintainers can manage the existing connection between an IdP group and a team.
+
+{% note %}
+
+**Note**: Before you connect an existing team on {% data variables.product.prodname_dotcom_the_website %} to an IdP group for the first time, all members of the team on {% data variables.product.prodname_dotcom_the_website %} must first be removed. For more information, see "[Removing organization members from a team](/github/setting-up-and-managing-organizations-and-teams/removing-organization-members-from-a-team)."
+
+{% endnote %}
+
+{% data reusables.profile.access_profile %}
+
+{% data reusables.profile.access_org %}
+{% data reusables.organizations.specific_team %}
+{% data reusables.organizations.team_settings %}
+1. Optionally, under "Identity Provider Group", to the right of the IdP group you want to disconnect, click {% octicon "x" aria-label="X symbol" %}. 
+    ![Unselect a connected IdP group from the GitHub team](/assets/images/enterprise/github-ae/teams/unselect-idp-group.png)
+1. To connect an IdP group, under "Identity Provider Group", select the drop-down menu, and click an identity provider group from the list.
+    ![Drop-down menu to choose identity provider group](/assets/images/enterprise/github-ae/teams/choose-an-idp-group.png)
+1. Click **Save changes**.
+
+## Viewing IdP groups and connected teams
+
+You can review a list of IdP groups, any teams connected to an IdP group, and see the membership of each IdP group on {% data variables.product.product_name %}. You must edit the membership for a group on your IdP.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.identity-provider-tab %}
+1. Under "Identity Provider (IdP) Groups", review the list of IdP groups.
--- a/content/github/writing-on-github/editing-and-sharing-content-with-gists/creating-gists.md
+++ b/content/github/writing-on-github/editing-and-sharing-content-with-gists/creating-gists.md
@@ -1,6 +1,7 @@
 ---
 title: Creating gists
 intro: 'You can create two kinds of gists: {% ifversion ghae %}internal{% else %}public{% endif %} and secret. Create {% ifversion ghae %}an internal{% else %}a public{% endif %} gist if you''re ready to share your ideas with {% ifversion ghae %}enterprise members{% else %}the world{% endif %} or a secret gist if you''re not.'
+permissions: '{% data reusables.enterprise-accounts.emu-permission-gist %}'
 redirect_from:
  - /articles/about-gists/
  - /articles/cannot-delete-an-anonymous-gist/
--- a/content/github/writing-on-github/editing-and-sharing-content-with-gists/forking-and-cloning-gists.md
+++ b/content/github/writing-on-github/editing-and-sharing-content-with-gists/forking-and-cloning-gists.md
@@ -1,6 +1,7 @@
 ---
 title: Forking and cloning gists
 intro: 'Gists are actually Git repositories, which means that you can fork or clone any gist, even if you aren''t the original author. You can also view a gist''s full commit history, including diffs.'
+permissions: '{% data reusables.enterprise-accounts.emu-permission-gist %}'
 redirect_from:
  - /articles/forking-and-cloning-gists
  - /github/writing-on-github/forking-and-cloning-gists
--- a/content/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax.md
+++ b/content/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax.md
@@ -277,6 +277,14 @@ The footnote will render like this:
 ![Rendered footnote](/assets/images/site/rendered-footnote.png)
 {% endif %}

+## Hiding content with comments
+
+You can tell {% data variables.product.product_name %} to hide content from the rendered Markdown by placing the content in an HTML comment.
+
+<pre>
+&lt;!-- This content will not appear in the rendered Markdown --&gt;
+</pre>
+
 ## Ignoring Markdown formatting

 You can tell {% data variables.product.product_name %} to ignore (or escape) Markdown formatting by using `\` before the Markdown character.
@@ -287,13 +295,13 @@ You can tell {% data variables.product.product_name %} to ignore (or escape) Mar

 For more information, see Daring Fireball's "[Markdown Syntax](https://daringfireball.net/projects/markdown/syntax#backslash)."

-## Hiding content with comments
+{% ifversion fpt or ghes > 3.2 or ghae-issue-5232 %}

-You can tell {% data variables.product.product_name %} to hide content from the rendered Markdown by placing the content in an HTML comment.
+## Disabling Markdown rendering

-<pre>
-&lt;!-- This content will not appear in the rendered Markdown --&gt;
-</pre>
+{% data reusables.repositories.disabling-markdown-rendering %}
+
+{% endif %}

 ## Further reading