Did you know that you can now subscribe to GitHub Copilot Business without GitHub Enterprise (GHE)? This means you can get GitHub Copilot Business as a standalone capability, with the normal GitHub Enterprise features (repositories, actions, etc.) disabled.
This post is a screenshot-based step-by-step guide on how to configure a new GitHub Copilot Business standalone account with Enterprise Managed Users (EMU), using Microsoft Entra ID as the identity provider.
Pre-requisites
Before we get started, ensure that you have the following:
- An active Microsoft Azure Subscription, which is used for billing
- An existing Microsoft Entra ID tenant
- A new GitHub Copilot Business non-GHE EMU account, created by your GitHub sales team
We will also need users with the following roles:
- A user with Owner rights to the Azure subscription
- A user with Cloud Application Administrator or Global Administrator rights to the Entra ID tenant that the Azure subscription is associated with
- A user with Cloud Application Administrator or Global Administrator rights to the Entra ID tenant that the GitHub Copilot users will authenticate with
About Your Entra ID Tenant
While it is common to use the same Microsoft Entra ID tenant for both billing and identity configuration, it is not a requirement. Billing and IdP configurations are managed through separate Microsoft Entra ID Enterprise Applications.
Step-by-Step Guide
Step 1: Configure Azure Billing
- Go to https://github.com/enterprises/{enterprise_slug}
- On the left, click Settings → Billing
- Click on the Payment information tab
- Click Add Azure Subscription
- Sign in with the Microsoft Entra ID admin account
- Select the Microsoft Entra ID tenant and Azure Subscription to charge against
- Click Connect
Step 2: Configure Entra ID as the GitHub Identity Provider (IdP)
GitHub supports a number of identity providers, including Microsoft Entra ID. With Microsoft Entra ID, we can choose to integrate by SAML or OIDC. The process for each is well documented in the following:
- SAML Integration: SSO tutorial (part 1) and SCIM automated user provisioning tutorial (part 2)
- OIDC Integration: SSO and SCIM automated provisioning tutorial
Should you use SAML or OIDC?
One of the practical advantages of OIDC is that it allows you to use Entra ID’s Conditional Access Policies (CAP) for blocking GitHub access using SSH keys or Personal Access Tokens (PAT). This is useful when you are using the full GitHub Enterprise but not very useful if you are only using GitHub Copilot. Since each Entra ID tenant can only connect to a single GitHub EMU via OIDC, it may be best to use SAML for now and save the OIDC connection in the event that you’ll subscribe to GitHub Enterprise in the future.
In this step, we recommend creating and adding at least two Entra ID groups:
- An Entra ID group for your GitHub Admins (role = Enterprise Owner). Note: users of this group do not need to be assigned GitHub Copilot licenses.
- One or more Entra ID groups for your developers (role = User).
Step 3: Create Enterprise Teams in GitHub
In this step, we will create _enterprise teams_ in GitHub that are synchronized with the Entra ID groups that you configured in Step 2.
- Go to https://github.com/enterprises/{enterprise_slug}
- Log in with a GitHub Enterprise Owner account
- Go to People → Enterprise teams
- Click New enterprise team
- Repeat step 4 for each team that you want to create.
Tips
- If you want teams to be synchronized with your Entra ID group, go back to the Azure Portal → Enterprise Applications and add the groups that you want to synchronize.
- Do you need more than one team? Not necessarily. Creating multiple teams is primarily useful for team-level Copilot usage analytics. If you don’t need that, you can create a single team and add all users to it.
Step 4: Assign Copilot Licenses to Enterprise Teams
- Go to Settings → Enterprise licensing
- On the right of Copilot Business, click Manage seats
- Click Add teams and add the team that you just created
Azure Subscription Charges
- By assigning Copilot licenses to teams, your Azure subscription will be charged for each user in those teams.
- The dollar ($x) amount displayed on this page is based on web prices. The actual amount billed will depend on the rates (e.g., enterprise discounts) in your Azure subscription.
Step 5: Enable Copilot and Configure Policies
- Go to Settings → Policies → Copilot Business
- In the Policies tab, under GitHub Copilot Policies, select Allowed and then Save
- Enable/Disable the other policies as needed (see here for more info). Here’s an example of a typical enterprise configuration:
- Click the Content exclusion tab and configure the repositories and paths that you want GitHub Copilot to exclude. Also, check out the documentation for this policy.
Congratulations! You have completed the admin setup. The next step is to confirm that your developers can start using GitHub Copilot.
Reminder
GitHub Copilot Business is a purely IDE-based experience. Only your administrators need access to https://github.com/enterprises/{enterprise_slug}, so you don’t have to share this URL with your developers.
Step 6: Test your Configuration with a Developer
Here’s a quick guide on what a developer needs to do to start using GitHub Copilot:
- Install the GitHub Copilot Extension in your IDE
- Sign in to GitHub
- Log in with your username^ (NOT your email address!)
- Start using GitHub Copilot
^This is where it gets tricky!
Each developer will need to know their GitHub {alias}_{shortcode} username.
- {alias} is, by default, the email prefix of your IdP username, but reformatted to only alphanumeric characters or single hyphens (Note: This default username mapping logic can be customized).
- {shortcode} is the enterprise shortcode created during the GHCBnonGHE account creation. The shortcode is the same as the prefix of your root admin account {shortcode}_admin.
Here are some examples, assuming your enterprise shortcode is rt:
- If the IdP username is john.doe@raztype.com, then the GitHub username is johndoe_rt.
- If the IdP username is john_doe@raztype.com, then the GitHub username is john-doe_rt.
- If the IdP username is john-doe@raztype.com, then the GitHub username is john-doe_rt.
- If the IdP username is johndoe@raztype.com, then the GitHub username is johndoe_rt.
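The examples above show that two different IdP usernames can map to the same GitHub username, which an admin will want to catch before a group is synchronized. The following is an added example, not code from the original post or from GitHub: it predicts usernames and lists clashes, assuming the default mapping behaves exactly as the four examples do and that every other symbol is dropped like the dot. The function names and the extra sample user are illustrative.

```python
import re
from collections import defaultdict


def github_username(idp_username: str, shortcode: str) -> str:
    """Predict {alias}_{shortcode} the way the four examples on this page behave."""
    prefix = idp_username.split("@", 1)[0]           # email prefix only
    alias = prefix.replace("_", "-")                 # john_doe -> john-doe
    # Assumption: every other symbol is dropped, as the dot is in john.doe.
    alias = re.sub(r"[^A-Za-z0-9-]", "", alias)
    # Only single hyphens are allowed, and none at the start or end.
    alias = re.sub(r"-{2,}", "-", alias).strip("-")
    if not alias:
        raise ValueError(f"no usable characters in {idp_username!r}")
    return f"{alias}_{shortcode}"


def find_collisions(idp_usernames, shortcode):
    """Return {github_username: [idp usernames]} for names claimed more than once."""
    claimed = defaultdict(list)
    for name in idp_usernames:
        # GitHub usernames are case-insensitive, so compare in lower case.
        claimed[github_username(name, shortcode).lower()].append(name)
    return {gh: names for gh, names in claimed.items() if len(names) > 1}


# Constructed sample: the page's four example addresses plus one made-up user.
SAMPLE_USERS = [
    "john.doe@raztype.com",
    "john_doe@raztype.com",
    "john-doe@raztype.com",
    "johndoe@raztype.com",
    "jane.roe@raztype.com",
]

if __name__ == "__main__":
    for gh, names in find_collisions(SAMPLE_USERS, "rt").items():
        print(f"{gh}: {', '.join(names)}")
```

If your tenant uses a customized username mapping, adjust `github_username` to match it before relying on the result.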
If you are still stuck, ask your GitHub admin to go to https://github.com/enterprises/{enterprise_slug}/people and look up your username (it’s the gray text under your name).
Happy coding!