November 6th, 2024

How to subscribe for GitHub copilot business without GitHub Enterprise: A Step-by-Step Guide

Rafferty Uy
Rafferty Uy
Developer Productivity Specialist

Image HC0400 MS AzureDeveloperBlogSeries Banner 103124 DC V2 02 2Did you know that now you can subscribe to GitHub Copilot Business without GitHub Enterprise (GHE), which means you can get GitHub Copilot Business as a standalone capability, while having the normal GitHub Enterprise features (repositories, actions, etc.) disabled.

See GitHub’s documentation to learn more about GitHub Copilot Business for non-GitHub Enterprise.

This post is a screenshot-based step-by-step guide on how to configure a new GitHub Copilot Business standalone account with Enterprise Managed Users (EMU) and using Microsoft Entra ID as the identity provider.

Pre-requisites

Before we get started, ensure that you have the following:

We will also need the users with the following roles:

  • A user with Owner rights to the Azure subscription
  • A user with Cloud Application Administrator or Global Administrator rights to the Entra ID tenant that the Azure subscription is associated with
  • A user with Cloud Application Administrator or Global Administrator rights to the Entra ID tenant that the GitHub Copilot users will authenticate with
  • A user with Enterprise Owner (admin) rights to the GitHub Copilot Business non-GHE account

About Your Entra ID Tenant

While it is common to use the same Microsoft Entra ID tenant for both billing and identity configuration, it is not a requirement. Billing and IdP configurations are managed through separate Microsoft Entra ID Enterprise Applications.

Step-by-Step Guide

Step 1: Configure Azure Billing

  1. Go to https://github.com/enterprises/{enterprise-slug}
  2. On the left, click Settings → Billing
  3. Click on the Payment information tab
  4. Click Add Azure Subscription Image 20240323 ghec paymentinformation
  5. Sign in with the Microsoft Entra ID admin account
  6. Select the Microsoft Entra ID tenant and Azure Subscription to charge against Image 20240323 ghec selectazuresubscription
  7. Click Connect Image 20240323 ghec billingconfiguration

Step 2: Configure Entra ID as the GitHub Identity Provider (IdP)

GitHub supports a number of identity providers including Microsoft Entra ID. With Microsoft Entra ID, we can choose to integrate by SAML or OIDC. The process for these are well documented in the following:

Should you use SAML or OIDC?

One of the practical advantages of OIDC is that it allows you to use Entra ID’s Conditional Access Policies (CAP) for blocking GitHub access using SSH keys or Personal Access Tokens (PAT). This is useful when you are using the full GitHub Enterprise but not very useful if you are only using GitHub Copilot. Since each Entra ID tenant can only connect to a single GitHub EMU via OIDC, it may be best to use SAML for now and save the OIDC connection in the event that you’ll subscribe to GitHub Enterprise in the future.

In this step, we recommend creating at adding at least two Entra ID groups:

  1. An Entra ID group for your GitHub Admins (role = Enterprise Owner). Note: users of this group does not need to be assigned GitHub Copilot licenses.
  2. One or more Entra ID groups for your developers (role = User).

Step 3: Create Enterprise Teams in GitHub

In this step, we will create _enterprise teams_ in GitHub that are synchronized with the Entra ID groups that you configured in Step 2.

  1. Go to https://github.com/enterprises/{enterprise_slug}
  2. Login with a GitHub Enterprise Owner account
  3. Go to People → Enterprise teams
  4. Click New enterprise team Image 202401812 ghcpnonghe enterpriseteams
  5. Repeat step 4 for each team that you want to create.

Tips

  • If you want teams to be synchronized with your Entra ID group, go back to the Azure Portal → Enterprise Applications and add the groups that you want to synchronize.
  • Do you need more than one team? Not necessarily. Creating multiple teams is primarily useful for team-level Copilot usage analytics. If you don’t need that, you can create a single team and add all users to it.

Step 4: Assign Copilot Licenses to Enterprise Teams

  1. Go to Settings → Enterprise licensing
  2. On the right of Copilot Business, click Manage seatsImage 202401812 ghcpnonghe enterpriselicensing
  3. Click Add teams and add the team that you just created

Azure Subscription Charges

  • By assigning Copilot licenses to teams, your Azure subscription will be charged for each user in those teams.
  • The dollar ($x) amount displayed on this page is based on web prices. The actual amount billed will depend on the rates (e.g., enterprise discounts) in your Azure subscription.

Step 5: Enable Copilot and Configure Policies

  1. Go to Settings → Policies → Copilot Business
  2. In the Policies tab, under GitHub Copilot Policies, select Allowed and then Save
  3. Enable/Disable the other policies as needed (see here for more info). Here’s an example of a typical enterprise configuration:Image 202401812 ghcpnonghe copilotpolicies
  4. Click the Content exclusion tab and configure the repositories and paths that you want GitHub Copilot to exclude. Also, check out the documentation for this policy.Image 202401812 ghcpnonghe copilotcontentexclusion

Congratulations! You have completed the admin setup. The next step is to confirm that your developers can start using GitHub Copilot.

Reminder

GitHub Copilot Business is a purely IDE-based experience. Only your administrators need access tohttps://github.com/enterprises/{enterprise_slug}, so you don’t have to share this URL with your developers.

Step 6: Test your Configuration with a Developer

Here’s a quick guide on what a developer needs to do to start using GitHub Copilot:

  1. Install the GitHub Copilot Extension in your IDE
  2. Sign in to GitHub
  3. Login with your username^ (NOT your email address!)
  4. Start using GitHub Copilot

^This is where it gets tricky!

Each developer will need to know their GitHub {alias}_{shortcode} username.

  • {alias} is, by default, the email prefix of your IdP username – but reformatted to only alphanumeric characters or single hyphens (Note: This default username mapping logic can be customized).
  • {shortcode} is the enterprise shortcode created during the GHCBnonGHE account creation. The shortcode is the same as the prefix of your root admin account {shortcode}_admin.

Here are some examples, assuming your enterprise shortcode is rt:

  • If the IdP username is john.doe@raztype.com, then the GitHub username is johndoe_rt.
  • If the IdP username is john_doe@raztype.com, then the GitHub username is john-doe_rt.
  • If the IdP username is john-doe@raztype.com, then the GitHub username is john-doe_rt.
  • If the IdP username is johndoe@raztype.com, then the GitHub username is johndoe_rt.

If you are still stuck, ask your GitHub admin to go to https://github.com/enterprises/{enterprise_slug}/people and look up your username (it’s the gray text under your name).

Happy coding!

Category
All things Azure
Topics
Azure BillingEMUEnterprise Managed UsersEntraEntra IDGHCBnonGHEGHEC EMUGitHub Copilot BusinessGitHub Copilot Business for Non-GHEGitHub Copilot Business StandaloneGitHub Copilot StandaloneIdPMicrosoft EntraMicrosoft Entra IDOIDCSAML

Author

Rafferty Uy
Rafferty Uy
Developer Productivity Specialist

Rafferty is a highly experienced professional on all things Azure. Most recently, he is known to be an SME in GenAI and DevSecOps.

0 comments

Leave a comment

Your email address will not be published. Required fields are marked *

Code of Conduct