Make "About Enterprise Managed Users" scannable (#50406)

Co-authored-by: Rachael Rose Renk <91027132+rachaelrenk@users.noreply.github.com>

Author: lecoursen

content/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/managing-team-memberships-with-identity-provider-groups.md

@@ -95,3 +95,12 @@ Enterprise owners can review a list of IdP groups, each group's memberships, and
 1. To view the teams connected to the IdP group, click **Teams**.
 
 If a team cannot sync with the group on your IdP, the team will display an error. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/troubleshooting-team-membership-with-identity-provider-groups)."
+
+## Removing members from organizations
+
+The way a member is added to an organization owned by your enterprise determines how they must be removed from an organization.
+
+- **If a member was added to an organization manually, you must remove them manually.** Unassigning them from the {% data variables.product.prodname_emu_idp_application %} application on your IdP will suspend the user but not remove them from the organization.
+- **If a user became an organization member because they were added to IdP groups, remove them from _all_ of the mapped IdP groups** associated with the organization.
+
+To discover how a member was added to an organization, you can filter the member list by type. See "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-people-in-your-enterprise#filtering-by-member-type-in-an-enterprise-with-managed-users)."

content/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/provisioning-users-and-groups-with-scim-using-the-rest-api.md

@@ -40,7 +40,7 @@ When you configure authentication and provisioning for your enterprise, you can
 
 ### Using a partner identity provider
 
-Each partner IdP provides a "paved-path" application, which implements both SSO and user lifecycle management. To simplify your configuration of {% data variables.product.prodname_emus %}, {% data variables.product.company_short %} recommends that you use a partner IdP's application for both authentication and provisioning. For more information and a list of partner IdPs, see "[AUTOTITLE](/admin/identity-and-access-management/understanding-iam-for-enterprises/about-enterprise-managed-users#about-authentication-and-user-provisioning)."
+Each partner IdP provides a "paved-path" application, which implements both SSO and user lifecycle management. To simplify your configuration of {% data variables.product.prodname_emus %}, {% data variables.product.company_short %} recommends that you use a partner IdP's application for both authentication and provisioning. For more information and a list of partner IdPs, see "[AUTOTITLE](/admin/identity-and-access-management/understanding-iam-for-enterprises/about-enterprise-managed-users#identity-management-systems)."
 
 When you use a single partner IdP for both authentication and provisioning, {% data variables.product.company_short %} provides support for the application on the partner IdP, as well as the IdPs' integration with {% data variables.product.product_name %}.
 

content/admin/identity-and-access-management/reconfiguring-iam-for-enterprise-managed-users/migrating-your-enterprise-to-a-new-identity-provider-or-tenant.md

@@ -70,7 +70,7 @@ If you don't already have single sign-on recovery codes for your enterprise, dow
 
 ### 4. Disable authentication and provisioning for your enterprise
 
-1. Use a recovery code to sign into {% data variables.product.prodname_dotcom_the_website %} as the setup user, whose username is your enterprise's shortcode suffixed with `_admin`. For more information about the setup user, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users#getting-started-with-enterprise-managed-users)."
+1. Use a recovery code to sign into {% data variables.product.prodname_dotcom_the_website %} as the setup user, whose username is your enterprise's shortcode suffixed with `_admin`. For more information about the setup user, see "[AUTOTITLE](/admin/identity-and-access-management/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users)."
 1. Disable authentication and provisioning for your enterprise. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/configuring-authentication-for-enterprise-managed-users/disabling-authentication-for-enterprise-managed-users#disabling-authentication)."
 1. Wait up to an hour for {% data variables.product.product_name %} to reset your enterprise's SCIM records and suspend your enterprise's members.
 

content/admin/identity-and-access-management/understanding-iam-for-enterprises/about-enterprise-managed-users.md

@@ -65,7 +65,7 @@ If you choose {% data variables.product.prodname_emus %} but require that users
 
 ## Can your enterprise tolerate migration costs?
 
-If you already have an enterprise that uses personal accounts on {% data variables.product.prodname_dotcom_the_website %}, adoption of {% data variables.product.prodname_emus %} requires migration to a new enterprise account. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users#getting-started-with-enterprise-managed-users)."
+If you already have an enterprise that uses personal accounts on {% data variables.product.prodname_dotcom_the_website %}, adoption of {% data variables.product.prodname_emus %} requires migration to a new enterprise account. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users)."
 
 Although {% data variables.product.prodname_emus %} does not differ in cost from an enterprise that uses personal accounts, the migration process may require time or cost from your team. Confirm that this migration process is acceptable to your business and your users. If not, an enterprise with personal accounts may be the better choice for you.
 

content/admin/identity-and-access-management/understanding-iam-for-enterprises/choosing-an-enterprise-type-for-github-enterprise-cloud.md

@@ -0,0 +1,70 @@
+---
+title: 'Getting started with {% data variables.product.prodname_emus %}'
+shortTitle: Get started with managed users
+intro: 'Learn how to create and configure an {% data variables.enterprise.prodname_emu_enterprise %}.'
+product: '{% data reusables.gated-features.emus %}'
+versions:
+  ghec: '*'
+type: overview
+topics:
+  - Accounts
+  - Authentication
+  - Enterprise
+  - SSO
+allowTitleToDifferFromFilename: true
+---
+
+Before your developers can use {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_emus %}, you must follow a series of configuration steps.
+
+## Create a new enterprise account
+
+To use {% data variables.product.prodname_emus %}, you need a **separate type of enterprise account** with {% data variables.product.prodname_emus %} enabled.
+
+To request a new enterprise account, contact [{% data variables.product.prodname_dotcom %}'s Sales team](https://enterprise.github.com/contact). You'll discuss options for trialing {% data variables.product.prodname_emus %} or migrating from an existing enterprise.
+
+When you're ready, your contact on the {% data variables.product.prodname_dotcom %} Sales team will create your new {% data variables.enterprise.prodname_emu_enterprise %}. You'll be asked to provide the following information:
+
+- The **email address** for the user who will set up your enterprise.
+- A **short code** that will be used as the suffix for your enterprise members' usernames. {% data reusables.enterprise-accounts.emu-shortcode %}
+
+## Create the setup user
+
+After we create your enterprise, you will receive an email inviting you to choose a password for the setup user, which is used to configure authentication and provisioning. The username is your enterprise's shortcode suffixed with `_admin`, for example `fabrikam_admin`.
+
+Using an **incognito or private browsing window**:
+
+1. Set the user's password.
+1. Save the user's recovery codes.
+1. Enable two-factor authentication. See "[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication)."
+
+{% data reusables.enterprise-accounts.emu-password-reset-session %}
+
+## Configure authentication
+
+Next, configure how your members will authenticate.
+
+**If you're using Entra ID** as your IdP, you can choose between OpenID Connect (OIDC) and Security Assertion Markup Language (SAML).
+- We recommend OIDC, which includes support for Conditional Access Policies (CAP).
+- If you require multiple enterprises provisioned from one tenant, you must use SAML for each enterprise after the first.
+
+**If you're using another IdP**, like Okta or PingFederate, you must use SAML to authenticate your members.
+
+To get started, read the guide for your chosen authentication method.
+
+- "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users)"
+- "[AUTOTITLE](/admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users)"
+
+## Configure provisioning
+
+After you configure authentication, you can configure SCIM provisioning, which is how your IdP will create {% data variables.enterprise.prodname_managed_users %} on {% data variables.product.prodname_dotcom %}. See "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users)."
+
+## Manage organization membership
+
+After authentication and provisioning are configured, you can start managing organization membership for your {% data variables.enterprise.prodname_managed_users %} by synchronizing IdP groups with teams. See "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/managing-team-memberships-with-identity-provider-groups)."
+
+## Support developers with multiple user accounts
+
+Developers may need to maintain separate, personal accounts for their work outside of your {% data variables.enterprise.prodname_emu_enterprise %}. You can help them manage multiple accounts by providing the following resources:
+
+- **On the command line**, developers can configure Git to simplify the process of using multiple accounts. See "[AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-personal-account/managing-multiple-accounts)."
+- **In the web interface**, developers can switch between accounts without always needing to re-authenticate. See "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/switching-between-accounts)."

content/admin/identity-and-access-management/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users.md

@@ -29,6 +29,7 @@ children:
   - /about-enterprise-managed-users
   - /abilities-and-restrictions-of-managed-user-accounts
   - /choosing-an-enterprise-type-for-github-enterprise-cloud
+  - /getting-started-with-enterprise-managed-users
   - /changing-authentication-methods
   - /allowing-built-in-authentication-for-users-outside-your-provider
   - /troubleshooting-identity-and-access-management-for-your-enterprise

content/admin/identity-and-access-management/understanding-iam-for-enterprises/index.md

@@ -0,0 +1,30 @@
+---
+title: 'Authenticating with {% data variables.product.prodname_emus %}'
+shortTitle: Authenticate as a managed user
+intro: 'Learn how to authenticate to access an {% data variables.enterprise.prodname_emu_enterprise %} on {% data variables.product.prodname_dotcom %}.'
+product: '{% data reusables.gated-features.emus %}'
+versions:
+  ghec: '*'
+topics:
+  - Accounts
+  - Authentication
+  - Enterprise
+  - SSO
+allowTitleToDifferFromFilename: true
+---
+
+If you use a {% data variables.enterprise.prodname_managed_user %}, you must authenticate through your identity provider (IdP) to access {% data variables.product.prodname_dotcom %}. The location where you can authenticate depends on whether your enterprise uses SAML or OIDC authentication.
+
+## Supported authentication locations
+
+Authentication location | SAML | OIDC
+--- | --- | --- |
+IdP application portal | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %}
+Login page on {% data variables.product.prodname_dotcom %} |{% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %}
+The profile page for an organization or enterprise on {% data variables.product.prodname_dotcom %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %}
+
+## Authenticating via the login page
+
+1. Navigate to [https://github.com/login](https://github.com/login).
+1. In the "Username or email address" text box, enter your username including the underscore and short code.
+1. To continue to your IdP, click **Sign in with your identity provider**.

content/authentication/authenticating-with-saml-single-sign-on/authenticating-with-a-managed-user-account.md

@@ -10,6 +10,7 @@ versions:
 topics:
   - SSO
 children:
+  - /authenticating-with-a-managed-user-account
   - /about-authentication-with-saml-single-sign-on
   - /authorizing-an-ssh-key-for-use-with-saml-single-sign-on
   - /authorizing-a-personal-access-token-for-use-with-saml-single-sign-on

content/authentication/authenticating-with-saml-single-sign-on/index.md

@@ -78,7 +78,7 @@ With {% data variables.product.prodname_emus %}, access and identity is managed
 
 #### 1. Enabling SAML single sign-on and provisioning in your {% data variables.enterprise.prodname_emu_enterprise %}
 
-In an {% data variables.enterprise.prodname_emu_enterprise %}, all members are provisioned and managed by your identity provider. You must enable SSO and SCIM provisioning before you can start using your enterprise. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/admin/identity-and-access-management/understanding-iam-for-enterprises/about-enterprise-managed-users#getting-started-with-enterprise-managed-users)."
+In an {% data variables.enterprise.prodname_emu_enterprise %}, all members are provisioned and managed by your identity provider. You must enable SSO and SCIM provisioning before you can start using your enterprise. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/admin/identity-and-access-management/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users)."
 
 #### 2. Managing organization and team membership in your {% data variables.enterprise.prodname_emu_enterprise %} with your identity provider
 

content/get-started/onboarding/getting-started-with-github-enterprise-cloud.md

@@ -1,5 +1 @@
-{% note %}
-
-**Note:** Because {% data variables.product.prodname_dotcom %} adds an underscore and short code to the normalized identifier provided by your IdP when creating each username, conflicts can only occur within each {% data variables.enterprise.prodname_emu_enterprise %}. {% data variables.enterprise.prodname_managed_users_caps %} can share IdP identifiers or email addresses with other user accounts on {% data variables.product.prodname_dotcom %} that are outside the enterprise.
-
-{% endnote %}
+> [!NOTE] Conflicts can only occur between users within the same enterprise. {% data variables.enterprise.prodname_managed_users_caps %} can share IdP identifiers or email addresses with other user accounts on {% data variables.product.prodname_dotcom_the_website %} that are outside the enterprise.

data/reusables/enterprise-accounts/emu-only-emails-within-the-enterprise-can-conflict.md

@@ -1 +1 @@
-{% data variables.product.company_short %} partners with some developers of identity management systems to provide a "paved-path" integration with {% data variables.product.prodname_emus %}. To simplify your configuration and ensure full support, {% data variables.product.company_short %} recommends that you use a single partner IdP for both authentication and provisioning.
+{% data variables.product.company_short %} partners with some developers of identity management systems to provide a "paved-path" integration with {% data variables.product.prodname_emus %}. To simplify your configuration and ensure full support, **use a single partner IdP for both authentication and provisioning.**

data/reusables/enterprise_user_management/emu-paved-path-iam-integrations.md

@@ -1 +1 @@
-{% data variables.product.prodname_emus %} is available for new enterprise accounts on {% data variables.product.prodname_ghe_cloud %}. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users)."
+{% data variables.product.prodname_emus %} is available for new enterprise accounts on {% data variables.product.prodname_ghe_cloud %}. See "[AUTOTITLE](/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users)."

data/reusables/gated-features/emus.md

@@ -1 +1 @@
-Support for provisioning users with {% data variables.product.company_short %}'s public SCIM schema is in public beta and subject to change.
+Provisioning users with {% data variables.product.company_short %}'s public SCIM schema is in public beta and subject to change.