From 85df5b8a314d1bc702cb160434435908b164ff5e Mon Sep 17 00:00:00 2001
From: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
Date: Mon, 9 Feb 2026 09:34:44 -0500
Subject: [PATCH 1/2] [EDI] Conceptual content on security configurations (#59556)
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
...out-enabling-security-features-at-scale.md | 20 +---
.../about-security-configurations.md | 46 --------
...ity-configuration-for-your-repositories.md | 50 ---------
.../concepts/security-at-scale/index.md | 3 +-
.../security-configurations.md | 102 ++++++++++++++++++
.../custom-configuration-intro-ghes.md | 1 +
.../define-security-configurations.md | 2 +-
.../security-configurations/emu-note.md | 5 -
8 files changed, 110 insertions(+), 119 deletions(-)
delete mode 100644 content/code-security/concepts/security-at-scale/about-security-configurations.md
delete mode 100644 content/code-security/concepts/security-at-scale/choosing-a-security-configuration-for-your-repositories.md
create mode 100644 content/code-security/concepts/security-at-scale/security-configurations.md
create mode 100644 data/reusables/security-configurations/custom-configuration-intro-ghes.md
delete mode 100644 data/reusables/security-configurations/emu-note.md
diff --git a/content/code-security/concepts/security-at-scale/about-enabling-security-features-at-scale.md b/content/code-security/concepts/security-at-scale/about-enabling-security-features-at-scale.md
index a0018c57f237..5e19e99c81cc 100644
--- a/content/code-security/concepts/security-at-scale/about-enabling-security-features-at-scale.md
+++ b/content/code-security/concepts/security-at-scale/about-enabling-security-features-at-scale.md
@@ -40,29 +40,19 @@ For more information on purchasing {% data variables.product.prodname_GH_cs_or_s There are two types of {% data variables.product.prodname_security_configuration %}: -* **The {% data variables.product.prodname_github_security_configuration %}**. This configuration is a collection of enablement settings created and managed by subject matter experts at {% data variables.product.company_short %}. The {% data variables.product.prodname_github_security_configuration %} is designed to adequately secure any repository, and can easily be applied to all repositories in your organization. -* **{% data variables.product.prodname_custom_security_configurations_caps %}**. These are configurations you can create and edit yourself, allowing you to choose different enablement settings for groups of repositories with specific security needs. +* **The {% data variables.product.prodname_github_security_configuration %}**, which is a collection of enablement settings created and managed by subject matter experts at {% data variables.product.company_short %} +* **{% data variables.product.prodname_custom_security_configurations_caps %}**, which are configurations you can create and edit yourself, allowing you to meet your specific security needs -{% endif %} - -{% ifversion security-configurations-ghes-only %} +For more detailed information on {% data variables.product.prodname_security_configurations %}, see [AUTOTITLE](/code-security/concepts/security-at-scale/security-configurations). -You can customize {% data variables.product.prodname_security_configurations %}, allowing you to choose different enablement settings for groups of repositories with specific security needs. +{% elsif security-configurations-ghes-only %} -You will only ever see enablement settings for features that have been installed on your {% data variables.product.prodname_ghe_server %} instance by an enterprise administrator. 
+{% data reusables.security-configurations.custom-configuration-intro-ghes %} To learn how to create {% data variables.product.prodname_custom_security_configurations %}, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration). {% endif %} -{% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases %} - -Each repository can only have one {% data variables.product.prodname_security_configuration %} applied to it. {% ifversion security-configurations-cloud %}To find out how you should get started with {% data variables.product.prodname_security_configurations %}, see [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/choosing-a-security-configuration-for-your-repositories).{% endif %} - -{% ifversion security-configurations-api %} -You can also create and manage security configurations using the REST API. For more information, see [AUTOTITLE](/rest/code-security/configurations). -{% endif %} - ## About {% data variables.product.prodname_global_settings %} While {% data variables.product.prodname_security_configurations %} determine repository-level security settings, {% data variables.product.prodname_global_settings %} determine your organization-level security settings, which are then inherited by all repositories. With {% data variables.product.prodname_global_settings %}, you can customize how security features analyze your organization{% ifversion ghes < 3.16 %}, as well as grant a team permission to manage security alerts and settings across your organization{% endif %}. diff --git a/content/code-security/concepts/security-at-scale/about-security-configurations.md b/content/code-security/concepts/security-at-scale/about-security-configurations.md deleted file mode 100644 index d79d163110db..000000000000 
--- a/content/code-security/concepts/security-at-scale/about-security-configurations.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-title: About security configurations
-shortTitle: Security configurations
-intro: Security configurations are collections of security settings that you can apply across your enterprise.
-versions:
- feature: security-configuration-enterprise-level
-topics:
- - Advanced Security
- - Enterprise
- - Security
-redirect_from:
- - /admin/managing-code-security/securing-your-enterprise/about-security-configurations
-contentType: concepts
----
-
-## About {% data variables.product.prodname_security_configurations %}
-
-{% data variables.product.prodname_security_configurations_caps %} simplify the rollout of {% data variables.product.company_short %} security products at scale by helping you define collections of security settings and apply them across your enterprise.
-
-{% data reusables.security-configurations.overview %}
-
-{% ifversion ghec %}
-
-When you create a security configuration with {% data variables.product.prodname_AS %} features enabled, your enterprise will incur usage costs when you apply the configuration to repositories if your enterprise account has metered billing. If you have bought volume/subscription licenses for {% data variables.product.prodname_GHAS %}, {% data variables.product.prodname_GH_code_security %}, or {% data variables.product.prodname_GH_secret_protection %}, you will need enough licenses to cover any additional unique committers. See [AUTOTITLE](/billing/how-tos/products/add-advanced-security).
-
-{% endif %}
-
-{% ifversion security-configurations-ghes-only %}
-
-When creating a security configuration, keep in mind that:
-
-* Only features installed by a site administrator on your {% data variables.product.prodname_ghe_server %} instance will appear in the UI.
-* {% data variables.product.prodname_AS %} features will only be visible if your enterprise or {% data variables.product.prodname_ghe_server %} instance holds a {% data variables.product.prodname_GHAS %}{% ifversion ghas-products %}, {% data variables.product.prodname_GH_code_security %}, or {% data variables.product.prodname_GH_secret_protection %}{% endif %} license.
-* Certain features, like {% data variables.product.prodname_dependabot_security_updates %} and {% data variables.product.prodname_code_scanning %} default setup, also require that {% data variables.product.prodname_actions %} is installed on the {% data variables.product.prodname_ghe_server %} instance.
-
-{% endif %}
-
-{% data reusables.security-configurations.emu-note %}
-
-{% data reusables.security-configurations.security-features-use-actions %}
-
-## Preserving default settings for new repositories
-
-If you had default security settings in place for newly created repositories, {% data variables.product.github %} will preserve these settings by automatically creating a "New repository default settings" security configuration for your enterprise. The configuration matches your previous enterprise-level default settings for new repositories as of December, 2024.
-
-The "New repository default settings" configuration will automatically get applied to any newly created repositories in your enterprise, if no organization-level defaults are set.
diff --git a/content/code-security/concepts/security-at-scale/choosing-a-security-configuration-for-your-repositories.md b/content/code-security/concepts/security-at-scale/choosing-a-security-configuration-for-your-repositories.md
deleted file mode 100644
index 08114bce29c4..000000000000
--- a/content/code-security/concepts/security-at-scale/choosing-a-security-configuration-for-your-repositories.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: Choosing a security configuration for your repositories
-shortTitle: Choose security configuration
-intro: Find out which type of {% data variables.product.prodname_security_configuration %} will meet the security needs of the repositories in your organization.
-permissions: '{% data reusables.permissions.security-org-enable %}'
-versions:
- feature: security-configurations-cloud
-topics:
- - Code Security
- - Secret Protection
- - Organizations
- - Security
-redirect_from:
- - /code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/choosing-a-security-configuration-for-your-repositories
-contentType: concepts
----
-
-## About choosing a {% data variables.product.prodname_security_configuration %}
-
-{% data reusables.security-configurations.define-security-configurations %} {% data variables.product.company_short %} offers two types of {% data variables.product.prodname_security_configurations %}:
-
-* The {% data variables.product.prodname_github_security_configuration %}
-* {% data variables.product.prodname_custom_security_configurations_caps %}
-
-_We recommend that organizations initially apply the {% data variables.product.prodname_github_security_configuration %}_. After you have applied the {% data variables.product.prodname_github_security_configuration %} to repositories in your organization, you can evaluate the security findings for each repository and determine if you instead want to create and apply a {% data variables.product.prodname_custom_security_configuration %}.
-
-Currently, only one {% data variables.product.prodname_security_configuration %} can be applied to a repository at a time.
-
-## Choosing the {% data variables.product.prodname_github_security_configuration %}
-
-The {% data variables.product.prodname_github_security_configuration %} offers a number of benefits:
-
-* It is created and managed by {% data variables.product.company_short %}'s subject matter experts.
-* It is the quickest {% data variables.product.prodname_security_configuration %} to apply to all repositories in your organization.
-* It is designed to effectively secure both low- and high-impact repositories.
-
-The {% data variables.product.prodname_github_security_configuration %} includes {% data variables.product.prodname_GH_code_security %} and {% data variables.product.prodname_GH_secret_protection %} features. Applying the configuration to private and internal repositories in your organization will incur usage costs or require licenses.
-
-To start securing repositories in your organization with the {% data variables.product.prodname_github_security_configuration %}, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization).
-
-## Choosing a {% data variables.product.prodname_custom_security_configuration %}
-
-If you are familiar with {% data variables.product.company_short %}'s security products, and you have specific security needs that the {% data variables.product.prodname_github_security_configuration %} can't meet, you can create and apply {% data variables.product.prodname_custom_security_configurations %}. With {% data variables.product.prodname_custom_security_configurations %}, you can:
-
-* Edit the enablement settings for different security features
-* Create several configurations for repositories to reflect their different levels of visibility, risk tolerance, and impact
-
-You can also choose whether or not you want to include {% data variables.product.prodname_GH_code_security %} or {% data variables.product.prodname_GH_secret_protection %} features in a configuration. If you do, keep in mind that these features incur usage costs (or require {% data variables.product.prodname_GHAS %} licenses) when applied to private and internal repositories.
- -To start securing repositories in your organization with {% data variables.product.prodname_custom_security_configurations %}, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration). diff --git a/content/code-security/concepts/security-at-scale/index.md b/content/code-security/concepts/security-at-scale/index.md index 0ddf7dc5070a..bf47d01ead33 100644 --- a/content/code-security/concepts/security-at-scale/index.md +++ b/content/code-security/concepts/security-at-scale/index.md @@ -16,8 +16,7 @@ topics: contentType: concepts children: - /about-enabling-security-features-at-scale - - /about-security-configurations - - /choosing-a-security-configuration-for-your-repositories + - /security-configurations - /about-security-overview - /about-security-campaigns - /auditing-security-alerts diff --git a/content/code-security/concepts/security-at-scale/security-configurations.md b/content/code-security/concepts/security-at-scale/security-configurations.md new file mode 100644 index 000000000000..a07ec408ff2a --- /dev/null +++ b/content/code-security/concepts/security-at-scale/security-configurations.md 
@@ -0,0 +1,102 @@
+---
+title: Security configurations
+intro: '{% data variables.product.prodname_security_configurations_caps %} are collections of security settings that you can apply to repositories at scale.'
+permissions: 'Organization owners, {% ifversion security-configuration-enterprise-level %}enterprise owners, {% endif %}security managers, and organization members with the **admin** role'
+versions:
+ feature: security-configurations
+topics:
+ - Code Security
+ - Secret Protection
+ - Organizations
+ - Security
+redirect_from:
+ - /code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/choosing-a-security-configuration-for-your-repositories
+ - /code-security/concepts/security-at-scale/choosing-a-security-configuration-for-your-repositories
+ - /admin/managing-code-security/securing-your-enterprise/about-security-configurations
+ - /code-security/concepts/security-at-scale/about-security-configurations
+contentType: concepts
+---
+
+{% ifversion security-configurations-cloud %}
+
+{% data reusables.security-configurations.define-security-configurations %}
+
+There are two types of {% data variables.product.prodname_security_configuration %}:
+
+* [The {% data variables.product.prodname_github_security_configuration %}](#the-github-recommended-security-configuration)
+* [{% data variables.product.prodname_custom_security_configurations_caps %}](#custom-security-configurations)
+
+Each repository can only have one {% data variables.product.prodname_security_configuration %} applied to it.
+
+{% ifversion security-configurations-api %}
+You can create and manage security configurations using the REST API. For more information, see [AUTOTITLE](/rest/code-security/configurations).
+{% endif %}
+
+{% ifversion ghec %}
+
+> [!NOTE] If your enterprise uses {% data variables.product.prodname_emus %}, please note that enterprise-level {% data variables.product.prodname_security_configurations %} are not automatically rolled out to user namespace repositories. There are some additional {% data variables.product.prodname_secret_scanning %} settings that can be applied to user namespace repositories within the enteprise, but you cannot apply enterprise-level {% data variables.product.prodname_security_configurations %} to this type of user-owner repository.
+
+{% endif %}
+
+## The {% data variables.product.prodname_github_security_configuration %}
+
+The {% data variables.product.prodname_github_security_configuration %} offers a number of benefits:
+
+* It is created and managed by {% data variables.product.company_short %}'s subject matter experts.
+* It is the quickest {% data variables.product.prodname_security_configuration %} to apply to all repositories in your organization.
+* It is designed to effectively secure both low- and high-impact repositories.
+
+_We recommend that organizations and enterprises initially apply the {% data variables.product.prodname_github_security_configuration %}_.
+
+The {% data variables.product.prodname_github_security_configuration %} includes {% data variables.product.prodname_GH_code_security %} and {% data variables.product.prodname_GH_secret_protection %} features. Applying the configuration to private and internal repositories in your organization will incur usage costs or require licenses.
+
+## {% data variables.product.prodname_custom_security_configurations_caps %}
+
+If you are familiar with {% data variables.product.company_short %}'s security products, and you have specific security needs that the {% data variables.product.prodname_github_security_configuration %} can't meet, you can create and apply {% data variables.product.prodname_custom_security_configurations %}. With {% data variables.product.prodname_custom_security_configurations %}, you can:
+
+* Edit the enablement settings for different security features
+* Create several configurations for repositories to reflect their different levels of visibility, risk tolerance, and impact
+
+You can also choose whether or not you want to include {% data variables.product.prodname_GH_code_security %} or {% data variables.product.prodname_GH_secret_protection %} features in a configuration. If you do, keep in mind that these features incur usage costs (or require {% data variables.product.prodname_GHAS %} licenses) when applied to private and internal repositories.
+
+{% elsif security-configurations-ghes-only %}
+
+## {% data variables.product.prodname_security_configurations_caps %} on {% data variables.product.prodname_ghe_server %}
+
+{% data reusables.security-configurations.define-security-configurations %} {% data reusables.security-configurations.custom-configuration-intro-ghes %}
+
+## Feature availability
+
+Feature availability in {% data variables.product.prodname_security_configurations %} is determined as follows:
+
+* You will only see features in the UI if they were installed by a site administrator on your {% data variables.product.prodname_ghe_server %} instance.
+* {% data variables.product.prodname_AS %} features will only be visible if your enterprise or {% data variables.product.prodname_ghe_server %} instance holds a {% data variables.product.prodname_GHAS %}{% ifversion ghas-products %}, {% data variables.product.prodname_GH_code_security %}, or {% data variables.product.prodname_GH_secret_protection %}{% endif %} license.
+* Certain features, like {% data variables.product.prodname_dependabot_security_updates %} and {% data variables.product.prodname_code_scanning %} default setup, also require that {% data variables.product.prodname_actions %} is installed on the {% data variables.product.prodname_ghe_server %} instance.
+
+{% endif %}
+
+## Enforcement of {% data variables.product.prodname_security_configurations %}
+
+When you apply a {% data variables.product.prodname_security_configuration %}, you can choose to enforce it, meaning users cannot change the enablement status of features included in the configuration.
+
+If a user in your organization {% ifversion security-configuration-enterprise-level %}or enterprise {% endif %}attempts to change the enablement status of a feature in an enforced configuration using the REST API, the API call will appear to succeed, but no enablement statuses will change.
+
+Some situations can break the enforcement of {% data variables.product.prodname_security_configurations %} for a repository. For example, the enablement of {% data variables.product.prodname_code_scanning %} will not apply to a repository if:
+* {% data variables.product.prodname_actions %} is initially enabled on the repository, but is then disabled in the repository.
+* {% data variables.product.prodname_actions %} is not available for the repository.{% ifversion ghes %}
+* Self-hosted runners with the label `code-scanning` are not available.{% endif %}
+* The languages excluded from {% data variables.product.prodname_code_scanning %} default setup are changed at the repository level.
+
+## Next steps
+
+{% ifversion security-configurations-cloud %}
+
+To start securing repositories in your organization with the {% data variables.product.prodname_github_security_configuration %}, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization).
+
+Alternatively, to start securing repositories in your organization with {% data variables.product.prodname_custom_security_configurations %}, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration).
+
+{% elsif security-configurations-ghes-only %}
+
+To learn how to create {% data variables.product.prodname_custom_security_configurations %}, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration).
+
+{% endif %}
diff --git a/data/reusables/security-configurations/custom-configuration-intro-ghes.md b/data/reusables/security-configurations/custom-configuration-intro-ghes.md
new file mode 100644
index 000000000000..c5a843dc088b
--- /dev/null
+++ b/data/reusables/security-configurations/custom-configuration-intro-ghes.md
@@ -0,0 +1 @@
+When you create a {% data variables.product.prodname_security_configuration %}, you can choose different enablement settings to meet the specific security needs of a group of repositories.
diff --git a/data/reusables/security-configurations/define-security-configurations.md b/data/reusables/security-configurations/define-security-configurations.md
index baffb6a25f6b..48fdf85c5c33 100644
--- a/data/reusables/security-configurations/define-security-configurations.md
+++ b/data/reusables/security-configurations/define-security-configurations.md
@@ -1 +1 @@
-{% data variables.product.prodname_security_configurations_caps %} are collections of enablement settings for {% data variables.product.company_short %}'s security features that you can apply to any repository within your organization.
+{% data variables.product.prodname_security_configurations_caps %} are collections of enablement settings for {% data variables.product.company_short %}'s security features that you can apply to any repository within an organization{% ifversion ghec or security-configuration-enterprise-level %} or enterprise{% endif %}.
diff --git a/data/reusables/security-configurations/emu-note.md b/data/reusables/security-configurations/emu-note.md
deleted file mode 100644
index a80aea4ab6ec..000000000000
--- a/data/reusables/security-configurations/emu-note.md +++ /dev/null @@ -1,5 +0,0 @@ -{% ifversion ghec %} - -If your enterprise uses {% data variables.product.prodname_emus %}, please note that enterprise-level {% data variables.product.prodname_security_configurations %} are not automatically rolled out to user namespace repositories. There are some additional {% data variables.product.prodname_secret_scanning %} settings that can be applied to user namespace repositories within the enteprise, but you cannot apply enterprise-level {% data variables.product.prodname_security_configurations %} to this type of user-owner repository. - -{% endif %} From 574fd5bc116f75cae37a81c3a95f4add941d28a5 Mon Sep 17 00:00:00 2001 From: Laura Coursen Date: Mon, 9 Feb 2026 08:54:47 -0600 Subject: [PATCH 2/2] Create new article about the setup user (#59518) Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com> --- .../identity-and-access-management/index.md | 1 + .../setup-user.md | 30 +++++++++++++++++++ ...a-residency-for-github-enterprise-cloud.md | 3 +- ...g-started-with-enterprise-managed-users.md | 14 +-------- .../enterprise-accounts/about-setup-user.md | 1 + .../emu-recommend-password-manager.md | 2 +- 6 files changed, 35 insertions(+), 16 deletions(-) create mode 100644 content/admin/concepts/identity-and-access-management/setup-user.md create mode 100644 data/reusables/enterprise-accounts/about-setup-user.md diff --git a/content/admin/concepts/identity-and-access-management/index.md b/content/admin/concepts/identity-and-access-management/index.md index 75e8de8abc1c..6c07aeaa8e79 100644 --- a/content/admin/concepts/identity-and-access-management/index.md +++ b/content/admin/concepts/identity-and-access-management/index.md @@ -10,6 +10,7 @@ topics: children: - /identity-and-access-management-fundamentals - /enterprise-managed-users + - /setup-user - /user-offboarding contentType: concepts --- 
diff --git a/content/admin/concepts/identity-and-access-management/setup-user.md b/content/admin/concepts/identity-and-access-management/setup-user.md
new file mode 100644
index 000000000000..f8539d3ed2f8
--- /dev/null
+++ b/content/admin/concepts/identity-and-access-management/setup-user.md
@@ -0,0 +1,30 @@
+---
+title: Setup user
+intro: 'The setup user is used to configure authentication and provisioning for {% data variables.product.prodname_emus %}.'
+versions:
+ ghec: '*'
+topics:
+ - Accounts
+ - Enterprise
+ - Fundamentals
+---
+
+## How should I use the setup user?
+
+The setup user is **only** intended to be used for:
+
+* Configuring authentication and provisioning
+* SCIM provisioning via its {% data variables.product.pat_generic %}
+* Regaining access to your enterprise in the event of an issue with your identity provider, by utilizing the enterprise's SAML recovery codes
+
+For other enterprise administration tasks, such as creating organizations, use a provisioned managed user account with the appropriate administrative role.
+
+## How do I sign in as the setup user?
+
+After we create your enterprise, you will receive an **email** inviting you to choose a password for the setup user.
+
+When you create the password, you should enable two-factor authentication (2FA) for the account. All subsequent login attempts for the setup user account will require a successful 2FA challenge response.
+
+If the enterprise account has enabled single sign-on and the setup user has **not** enabled 2FA, they must use an enterprise recovery code to authenticate. To avoid being locked out of your account, after enabling single sign-on, **save your enterprise recovery codes**. See [AUTOTITLE](/admin/managing-iam/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-single-sign-on-recovery-codes#downloading-codes-for-an-enterprise-with-enterprise-managed-users).
+
+{% data reusables.enterprise-accounts.emu-password-reset-session %}
diff --git a/content/admin/data-residency/getting-started-with-data-residency-for-github-enterprise-cloud.md b/content/admin/data-residency/getting-started-with-data-residency-for-github-enterprise-cloud.md index 16fdf2df2c56..5f6e3072ef71 100644 --- a/content/admin/data-residency/getting-started-with-data-residency-for-github-enterprise-cloud.md +++ b/content/admin/data-residency/getting-started-with-data-residency-for-github-enterprise-cloud.md @@ -71,10 +71,9 @@ Using an **incognito or private browsing window**: > [!NOTE] > If 2FA isn't enabled, you will need to enter your enterprise's single sign-on (SSO) recovery code each time you sign in as the setup user. You can download these codes once SSO is enabled. - {% data reusables.enterprise-accounts.emu-recommend-password-manager %} -{% data reusables.enterprise-accounts.emu-password-reset-session %} +{% data reusables.enterprise-accounts.about-setup-user %} ### Create a {% data variables.product.pat_generic %} diff --git a/content/admin/managing-iam/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users.md b/content/admin/managing-iam/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users.md index 76e829903a34..2a63b0b3adbe 100644 --- a/content/admin/managing-iam/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users.md +++ b/content/admin/managing-iam/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users.md 
@@ -40,21 +40,9 @@ Using an **incognito or private browsing window**: > [!WARNING] > All subsequent login attempts for the setup user account will require a successful 2FA challenge response. - - > [!IMPORTANT] - > If the enterprise account has enabled single sign-on and the setup user hasn’t enabled 2FA, they must use an enterprise recovery code to authenticate. To avoid being locked out of your account, after enabling single sign-on, save your enterprise recovery codes. For more information, see [AUTOTITLE](/admin/managing-iam/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-single-sign-on-recovery-codes#downloading-codes-for-an-enterprise-with-enterprise-managed-users) and the related [changelog on {% data variables.product.prodname_blog %}](https://github.blog/changelog/2025-01-17-setup-user-for-emu-enterprises-requires-2fa-or-use-of-a-recovery-code/). - -{% data reusables.enterprise-accounts.emu-password-reset-session %} - {% data reusables.enterprise-accounts.emu-recommend-password-manager %} - > [!NOTE] - > Once single sign-on has been configured on the enterprise, the setup user is only intended to be used going forwards for: - > - > * SCIM provisioning via its {% data variables.product.pat_generic %}. - > * To regain access to your enterprise in the event of an issue with your identity provider by utilizing the enterprise's SAML recovery codes. - > - > For other enterprise administration tasks, you should use a provisioned managed user account with the enterprise owner role. +{% data reusables.enterprise-accounts.about-setup-user %} ## Create a {% data variables.product.pat_generic %} diff --git a/data/reusables/enterprise-accounts/about-setup-user.md b/data/reusables/enterprise-accounts/about-setup-user.md new file mode 100644 index 000000000000..b13be593c054 --- /dev/null +++ b/data/reusables/enterprise-accounts/about-setup-user.md 
@@ -0,0 +1 @@
+For more information about the setup user, see [AUTOTITLE](/admin/concepts/identity-and-access-management/setup-user).
diff --git a/data/reusables/enterprise-accounts/emu-recommend-password-manager.md b/data/reusables/enterprise-accounts/emu-recommend-password-manager.md
index 381eb7306fd9..969a5789dbd5 100644
--- a/data/reusables/enterprise-accounts/emu-recommend-password-manager.md
+++ b/data/reusables/enterprise-accounts/emu-recommend-password-manager.md
@@ -1 +1 @@
-We strongly recommend **storing the credentials for the setup user** in your company's password management tool. Someone will need to sign in as this user to update authentication settings, migrate to another identity provider or authentication method, or use your enterprise's recovery codes.
+1. We strongly recommend **storing the credentials for the setup user** in your company's password management tool. Someone will need to sign in as this user to update authentication settings, migrate to another identity provider or authentication method, or use your enterprise's recovery codes.