docs/content/admin/managing-iam/configuring-authentication-for-enterprise-managed-users/disabling-authentication-and-provisioning-for-enterprise-managed-users.md

title, allowTitleToDifferFromFilename, shortTitle, intro, versions, type, topics, permissions, redirect_from

title	allowTitleToDifferFromFilename	shortTitle	intro	versions	type	topics	permissions	redirect_from
Disabling authentication for Enterprise Managed Users	true	Disable authentication	You can disable SAML or OIDC single sign-on (SSO) authentication for {% data variables.product.prodname_emus %} by using a recovery code to sign in as the setup user.	ghec *	overview	Accounts Authentication Enterprise SSO	The setup user can disable SAML or OIDC authentication for {% data variables.product.prodname_emus %}.	/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/disabling-authentication-for-enterprise-managed-users /admin/identity-and-access-management/configuring-authentication-for-enterprise-managed-users/disabling-authentication-for-enterprise-managed-users /admin/identity-and-access-management/configuring-authentication-for-enterprise-managed-users/disabling-authentication-and-provisioning-for-enterprise-managed-users

About disabled authentication for {% data variables.product.prodname_emus %}

After you disable SAML or OIDC authentication for your enterprise, the following effects apply:

• All external identities for the enterprise, and associated email addresses for {% data variables.enterprise.prodname_managed_users %}, will be removed. For more information, see AUTOTITLE.
• All {% data variables.enterprise.prodname_managed_users %} will be suspended. The suspended accounts will not be renamed. For more information, see AUTOTITLE.
• All {% data variables.product.pat_generic_plural %} and SSH keys associated with {% data variables.enterprise.prodname_managed_users %} will be deleted.
• All of the external groups provisioned by SCIM will be deleted. For more information, see AUTOTITLE.

If you later reconfigure authentication for the enterprise, external groups must be reprovisioned via SCIM, and {% data variables.enterprise.prodname_managed_users %} must be reprovisioned before users can sign in.

Note

When a {% data variables.enterprise.prodname_managed_user %} is suspended, the user's avatar is permanently deleted. If you reprovision the user, the user will need to reupload their avatar.

If you want to migrate to a new identity provider (IdP) or tenant rather than disabling authentication entirely, see AUTOTITLE.

Disabling authentication

Warning

Disabling authentication and provisioning will prevent your enterprise's {% data variables.enterprise.prodname_managed_users %} from signing in to access your enterprise on {% data variables.product.github %}.

{% data reusables.emus.sign-in-as-setup-user %}

1. Attempt to access your enterprise account, and use a recovery code to bypass SAML SSO or OIDC. For more information, see AUTOTITLE. {% data reusables.enterprise-accounts.access-enterprise-emu %} {% data reusables.enterprise-accounts.identity-provider-tab %} {% data reusables.enterprise-accounts.sso-configuration %}
2. Next to "SAML single sign-on" or "OIDC single sign-on", click to deselect SAML single sign-on or OIDC single sign-on.
3. To confirm, click Disable SAML single sign-on or Disable OIDC single sign-on.