Week Three: Authentication and Adoption 🔑 [GitHub Administration Certification Prep Course]

[queenofcorgis]

Welcome to Week Three of the GitHub Administration Exam prep course! You’re almost halfway there. Let’s dig into authentication, adoption, and support.

As a thank you for participating in these discussions, we’ll be awarding 15 GitHub Certification exam vouchers to members who engage with us during the course.

Need a recap or want to catch up?

• Week One’s Discussion
• Week Two’s Discussion

Step One: Prep 📚

We’ve assembled some materials for this first section.

• Microsoft Learn Modules
  • Authenticate and authorize user identities on GitHub
  • GitHub administration for enterprise support and adoption
• Further Reading:
  • Viewing and managing a member's SAML access to your organization from GitHub Docs
  • Synchronizing a team with an identity provider group from GitHub Docs
• Video
  • Hands on with GitHub in the Enterprise

Step Two: Test Your Knowledge ⚡

Question One: Which protocol does GitHub support for automated user provisioning and deprovisioning with enterprise identity providers?
A) LDAP
B) SSO
C) SCIM
D) OAuth

Question Two: What is a consequence of enabling SAML single sign-on (SSO) for an organization?
A) Users can sign in with their GitHub username only to all company tools
B) Users must authenticate through the configured identity provider before accessing organization resources
C) All repositories in the organization are available to authenticated users
D) 2FA is automatically disabled

Question Three: Which authentication method is recommended for secure command-line access to GitHub repositories?
A) Username and password
B) Public access tokens
C) Email verification
D) SSH keys

Question Four: What is the primary difference between authentication and authorization in GitHub?
A) Authentication verifies user identity; authorization determines what resources a user can access
B) Authentication grants access to resources; authorization verifies user identity
C) Authentication manages repository settings; authorization manages user passwords
D) Authentication provides permissions to teams; authorization adds users to organizations

Question Five: What issues should be solved by an administrator vs. GitHub support? Select all that apply.
A) Removing sensitive data from commits
B) Restoring recently deleted branches
C) Recovering recently deleted repositories
D) Managing repository access
E) Restoring force-pushed commits

Question Six: What is a key benefit of deploying multiple organizations within a GitHub Enterprise account?
A) It enables unlimited organization creation helping you get the most value out of your plan
B) It allows every team to have their own organization
C) It creates more complex structure to your enterprise and shows account maturity
D) It provides granular control over permissions and policies for different business units

Question Seven: When an employee leaves an organization, how does EMU help maintain security?
A) The user’s GitHub account is automatically deactivated
B) The user is automatically removed from the enterprise via the identity provider
C) The user triggers an alert to the administrator to manually remove them from the enterprise
D) The user’s permissions are not affected

Jump to the answers in the comments 🧠

Use the discussion below to share additional study resources, ask questions for our team to answer, and respond to our prep questions.

*No Purchase Necessary. Open only to Github community members 18+. Game ends 11/1/25. For details, see Official Rules.

[fradel]

Question One
Which protocol does GitHub support for automated user provisioning and deprovisioning with enterprise identity providers?
Answer: C) SCIM
GitHub supports SCIM (System for Cross-domain Identity Management) for automated provisioning and deprovisioning.

Question Two
What is a consequence of enabling SAML single sign-on (SSO) for an organization?
Answer: B) Users must authenticate through the configured identity provider before accessing organization resources
SAML SSO ensures users are verified by the identity provider before accessing GitHub organization resources.

Question Three
Which authentication method is recommended for secure command-line access to GitHub repositories?
Answer: D) SSH keys
SSH keys are the most secure and recommended method for CLI access to GitHub.

Question Four
What is the primary difference between authentication and authorization in GitHub?
Answer: A) Authentication verifies user identity; authorization determines what resources a user can access
Authentication confirms who the user is; authorization defines what they can do.

Question Five
GitHub support is typically needed for:
C) Recovering recently deleted repositories

Question Six
What is a key benefit of deploying multiple organizations within a GitHub Enterprise account?
Answer: D) It provides granular control over permissions and policies for different business units
Multiple organizations allow tailored access and governance across teams.

Question Seven
When an employee leaves an organization, how does EMU help maintain security?
Answer: B) The user is automatically removed from the enterprise via the identity provider
Enterprise Managed Users (EMU) integrates with identity providers to automate user removal.

is that right?

[paulsuv9]

Thanks for posting the full set, @fradel—your breakdown helped validate my own reasoning. Especially appreciated the clarity around EMU and SCIM. Looking forward to your take on Week Four!

[paulsuv9]

✅ Week Three Knowledge Check – GitHub Admin Prep (With Rationale)

Posting my answers for Week Three, along with brief reasoning:

1. C) SCIM
   → GitHub supports SCIM for automated provisioning/deprovisioning with enterprise identity providers.

2. B) Users must authenticate through the configured identity provider before accessing organization resources
   → SAML SSO enforces identity provider authentication before access.

3. D) SSH keys
   → SSH keys are the recommended method for secure CLI access to GitHub.

4. A) Authentication verifies user identity; authorization determines what resources a user can access
   → Authentication = who you are; Authorization = what you can do.

5. C) Recovering recently deleted repositories
   → This is a GitHub support task; others are typically admin responsibilities.

6. D) It provides granular control over permissions and policies for different business units
   → Multiple orgs allow tailored governance across teams.

7. B) The user is automatically removed from the enterprise via the identity provider
   → EMU integrates with identity providers to automate user removal.

Looking forward to Week Four and seeing how others are approaching policy enforcement and repo lifecycle management.

[Apexq]

1-C
2-B
3-D
4-A
5-C
6-D
7-B

[salahtidur]

my answers are:

1. C. SCIM

2. B. Users must authenticate through the configured identity provider before accessing organization resources

3. D. SSH keys

4. A. Authentication verifies user identity; authorization determines what resources a user can access

5. A, B, D, E

6. D. It provides granular control over permissions and policies for different business units

7. B. The user is automatically removed from the enterprise via the identity provider

[Misunhwang]

1. C
2. B
   3, D
3. A
4. C
5. D
6. B

[johnnieng]

Here are my answers:

Question 1
Which protocol does GitHub support for automated user provisioning and deprovisioning with enterprise identity providers?

A) LDAP
LDAP is supported for some on-premises integrations but not primary for automated provisioning in cloud.

B) SSO
SSO handles authentication, not provisioning/deprovisioning.

C) SCIM
Correct. GitHub uses SCIM (System for Cross-domain Identity Management) to automate user account creation, updates, and deactivation via identity providers like Microsoft Entra ID or Okta.​

D) OAuth
OAuth is for API access and token-based auth, not lifecycle management.

Answer: C – SCIM enables automated provisioning and deprovisioning of user accounts.​
https://docs.github.com/en/enterprise-cloud@latest/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users

Question 2
What is a consequence of enabling SAML single sign-on (SSO) for an organization?

A) Users can sign in with their GitHub username only
This would bypass SSO entirely.

B) Users must authenticate through the configured identity provider before accessing organization resources
Correct. With SAML SSO enabled, users sign in via the identity provider (IdP), and GitHub verifies the response before granting access to organization resources.​

C) All repositories become available to authenticated users
Access is still controlled by permissions, not SSO alone.

D) 2FA is automatically disabled
SSO can integrate with 2FA but does not disable it.

Answer: B – Users are required to authenticate through the IdP for organization access.​
https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-single-sign-on/about-authentication-with-single-sign-on

Question 3
Which authentication method is recommended for secure command-line access to GitHub repositories?

A) Username and password
Insecure and deprecated for Git operations.

B) Public access tokens
Personal access tokens (PATs) are for API/HTTPS, not primary CLI recommendation.

C) Email verification
Used for account setup, not ongoing access.

D) SSH keys
Correct. SSH keys provide secure, passwordless authentication for Git operations over the command line, using public-private key pairs.​

Answer: D – SSH keys are the secure standard for CLI repository access.​
https://www.ionos.com/digitalguide/websites/web-development/ssh-key-with-github/

Question 4
What is the primary difference between authentication and authorization in GitHub?

A) Authentication verifies user identity; authorization determines what resources a user can access
Correct. Authentication confirms who you are (e.g., via SSO or SSH), while authorization controls permissions and access to specific repositories or actions.​

B) Authentication grants access; authorization verifies identity
Reversed definitions.

C) Authentication manages repository settings; authorization manages passwords
Neither matches the core concepts.

D) Authentication provides permissions; authorization adds users
Incorrect reversal.

Answer: A – Authentication handles identity verification; authorization manages resource access.​
https://learn.microsoft.com/en-us/training/modules/authenticate-authorize-user-identities-github/

Question 5
What issues should be solved by an administrator vs. GitHub support? Select all that apply.

Administrator Responsibilities

A) Removing sensitive data from commits
This is a process initiated and largely carried out by the administrator. It involves using tools like git-filter-repo to rewrite the repository's history locally. While GitHub Support can be contacted to purge cached views and references in pull requests, the core task of removing the data rests with the administrator.​
https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository

B) Restoring recently deleted branches
An administrator can restore a deleted branch if they or another user have a local copy of the repository. By using the git reflog command, they can find the commit history and push the branch back to the remote repository.​
https://rewind.com/blog/how-to-restore-deleted-branch-commit-git-reflog/

D) Managing repository access
A core responsibility of an administrator is to manage who can access a repository. This includes inviting collaborators, creating teams, and assigning permission levels.​
https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-teams-and-people-with-access-to-your-repository

Issues Requiring GitHub Support

C) Recovering recently deleted repositories
Recovering recently deleted repositories is supported by built-in restore flows for owners, but when constraints exist (e.g., fork networks) or plan requirements apply, GitHub Support may be necessary, making this a Support-resolvable issue.
https://docs.github.com/en/repositories/creating-and-managing-repositories/restoring-a-deleted-repository

E) Restoring force-pushed commits
Restoring force-pushed commits typically requires GitHub support, especially if local reflog is unavailable or the old commits are not easily identifiable, as the force push overwrites remote history and may leave dangling commits that need specialized recovery.
https://github.com/orgs/community/discussions/22221

The items GitHub Support should handle are C and E; the items an administrator should handle are A, B and D.
https://learn.microsoft.com/en-us/training/modules/github-administration-for-enterprise-support-adoption/3-support-for-github-enterprise#distinguishing-administrator-duties-from-github-support

Question 6
What is a key benefit of deploying multiple organizations within a GitHub Enterprise account?

A) Enables unlimited organization creation
Organizations are limited by plan; this is not a benefit.

B) Allows every team their own organization
This can create silos, not a key benefit.

C) Creates more complex structure
Complexity is a drawback, not an advantage.

D) Provides granular control over permissions and policies for different business units
Correct. Multiple organizations allow separate policies, settings, and permissions tailored to business units while maintaining enterprise oversight.​

Answer: D – Multiple organizations offer tailored control for different units.​
https://docs.github.com/en/enterprise-cloud@latest/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/best-practices-for-structuring-organizations-in-your-enterprise

Question 7
When an employee leaves an organization, how does EMU help maintain security?

A) The user’s GitHub account is automatically deactivated
Deactivation happens via IdP sync, not independently.

B) The user is automatically removed from the enterprise via the identity provider
Correct. Enterprise Managed Users (EMU) integrate with IdPs using SCIM; deprovisioning the user in the IdP suspends their GitHub account and revokes access.​

C) The user triggers an alert
No automatic trigger; it's IdP-driven.

D) The user’s permissions are not affected
Permissions are revoked upon deprovisioning.

Answer: B – EMU automates removal through IdP deprovisioning for security.
https://docs.github.com/en/enterprise-cloud@latest/admin/concepts/identity-and-access-management/enterprise-managed-users

[mvark]

I have been compiling the reasoning for the answers along with the resources I'm collecting here all at one place for quick reference.

I feel Q5 is oddly worded for a multiple-choice question, as it asks about tasks that both the Administrator and GitHub Support should handle.

My answers:

1. C - GitHub supports the System for Cross-domain Identity Management (SCIM) protocol for automated user provisioning and deprovisioning when integrated with enterprise identity providers. SCIM enables organizations to automate the management of user accounts, ensuring users are provisioned or deprovisioned from GitHub automatically when their status changes in the identity provider. This is crucial for maintaining secure access and compliance in large enterprises.
2. B - Enabling SAML single sign-on (SSO) for a GitHub organization requires users to authenticate through the organization's configured identity provider (IdP) before they can access any resources within the organization. This adds a layer of security by centralizing authentication and enforcing enterprise policies.
3. D - GitHub supports two primary methods for command-line repository access: HTTPS and SSH. Although HTTPS can use personal access tokens (PATs) for authentication, SSH keys are widely recommended for secure, seamless access without the need to repeatedly enter credentials.
4. A - In GitHub, authentication is the process of verifying a user's identity. This means confirming that the user is who they claim to be, typically via credentials like passwords, SSH keys, or SSO via identity providers. Authorization, on the other hand, is the process that determines what actions or resources an authenticated user is allowed to access. It governs permissions at various levels such as repository access, organization resources, and team memberships.
5. A,B,D - Administrators in a GitHub organization have the ability and tools to remove sensitive data from commits, manage repository access and restore recently deleted branches using GitHub's branch recovery features. Recovering recently deleted repositories (within 90 days) and restoring force-pushed commits (in limited cases) requires intervention of GitHub Support (C & E)
6. D - In a GitHub Enterprise account, deploying multiple organizations allows the enterprise to have granular control and management over each organization’s permissions, policies, and settings tailored to different business units or teams. This separation is beneficial for applying distinct security, compliance, and access controls according to the requirements of various parts of the company.
7. B - Enterprise Managed Users (EMU) in GitHub Enterprise integrates closely with an organization's identity provider (IdP). When an employee leaves the organization and their status is updated in the identity provider, EMU automatically reflects this change by removing the user from the GitHub Enterprise account. This automated deprovisioning helps maintain security by ensuring that only current employees retain access, reducing the risk of unauthorized access by former employees.

[niikwade]

I really like how you go about answering these questions. Providing links for further reading/verification is excellent. I like :-)

[johnnieng]

Thank you for posting links. The link in question 6 is same as question 5.

[queenofcorgis]

The answers are... click details to reveal them! Don't worry if you haven't had a chance to study yet, after you post your answers, check them against the ones below.

Question One: Which protocol does GitHub support for automated user provisioning and deprovisioning with enterprise identity providers? C) SCIM

Question Two: What is a consequence of enabling SAML single sign-on (SSO) for an organization?
B) Users must authenticate through the configured identity provider before accessing organization resources

Question Three: Which authentication method is recommended for secure command-line access to GitHub repositories?
D) SSH keys

Question Four: What is the primary difference between authentication and authorization in GitHub?
A) Authentication verifies user identity; authorization determines what resources a user can access

Question Five: What issues should be solved by an administrator vs. GitHub support? Select all that apply.
A) Removing sensitive data from commits
B) Restoring recently deleted branches
D) Managing repository access

C and E require GitHub Support.

Question Six: What is a key benefit of deploying multiple organizations within a GitHub Enterprise account?
D) It provides granular control over permissions and policies for different business units

Question Seven: When an employee leaves an organization, how does EMU help maintain security?
B) The user is automatically removed from the enterprise via the identity provider

[niikwade]

Knowledge test for week 3

Question One: Which protocol does GitHub support for automated user provisioning and deprovisioning with enterprise identity providers? **C) SCIM**

Question Two: What is a consequence of enabling SAML single sign-on (SSO) for an organization?
B) Users must authenticate through the configured identity provider before accessing organization resources

Question Three: Which authentication method is recommended for secure command-line access to GitHub repositories?
D) SSH keys

Question Four: What is the primary difference between authentication and authorization in GitHub?
A) Authentication verifies user identity; authorization determines what resources a user can access

Question Five: What issues should be solved by an administrator vs. GitHub support? Select all that apply.
A) Removing sensitive data from commits
B) Restoring recently deleted branches
D) Managing repository access

Question Six: What is a key benefit of deploying multiple organizations within a GitHub Enterprise account?
D) It provides granular control over permissions and policies for different business units

Question Seven: When an employee leaves an organization, how does EMU help maintain security?
B) The user is automatically removed from the enterprise via the identity provider

Wishing you all a lovely weekend.

[jccampanero]

I am very sorry for not being able to post my answers before this week.

It has been another week with great course content and great contributions from course mates.

These are my answers:

Question One: Which protocol does GitHub support for automated user provisioning and deprovisioning with enterprise identity providers?
A) LDAP
B) SSO
C) SCIM
D) OAuth

Question Two: What is a consequence of enabling SAML single sign-on (SSO) for an organization?
A) Users can sign in with their GitHub username only to all company tools
B) Users must authenticate through the configured identity provider before accessing organization resources
C) All repositories in the organization are available to authenticated users
D) 2FA is automatically disabled

Question Three: Which authentication method is recommended for secure command-line access to GitHub repositories?
A) Username and password
B) Public access tokens
C) Email verification
D) SSH keys

Question Four: What is the primary difference between authentication and authorization in GitHub?
A) Authentication verifies user identity; authorization determines what resources a user can access
B) Authentication grants access to resources; authorization verifies user identity
C) Authentication manages repository settings; authorization manages user passwords
D) Authentication provides permissions to teams; authorization adds users to organizations

Question Five: What issues should be solved by an administrator vs. GitHub support? Select all that apply.
A) Removing sensitive data from commits
B) Restoring recently deleted branches
C) Recovering recently deleted repositories
D) Managing repository access
E) Restoring force-pushed commits

Question Six: What is a key benefit of deploying multiple organizations within a GitHub Enterprise account?
A) It enables unlimited organization creation helping you get the most value out of your plan
B) It allows every team to have their own organization
C) It creates more complex structure to your enterprise and shows account maturity
D) It provides granular control over permissions and policies for different business units

Question Seven: When an employee leaves an organization, how does EMU help maintain security?
A) The user’s GitHub account is automatically deactivated
B) The user is automatically removed from the enterprise via the identity provider
C) The user triggers an alert to the administrator to manually remove them from the enterprise
D) The user’s permissions are not affected

It is nice to see and further understand how the underlying mechanisms of our everyday work behave.

I found of especial relevance the different options that we have when integrating with authentication services such as Entra and Okta.

Question five is very interesting: it brings to our minds some of the main use cases and responsibilities an administrator must have to solve repository-related issues.

I look forward to week four's contents.

Enjoy your weekend.

[ImmrBhattarai]

Here are the quick answers, based on what I know.

I appreciate other friends providing detailed explanation for each answer.

1. C
2. B
3. D
4. A
5. A, B, & D
6. D
7. B

[ELMACHHOUNE]

1-C

2-B

3-D

4-A

5-C

6-D

7-B

[weekijoon]

1. Question One: Which protocol does GitHub support for automated user provisioning and deprovisioning with enterprise identity providers?

   C) SCIM

2. Question Two: What is a consequence of enabling SAML single sign-on (SSO) for an organization?
   
B) Users must authenticate through the configured identity provider before accessing organization resources


3. Question Three: Which authentication method is recommended for secure command-line access to GitHub repositories?

   D) SSH keys

4. Question Four: What is the primary difference between authentication and authorization in GitHub?

   A) Authentication verifies user identity; authorization determines what resources a user can access

5. Question Five: What issues should be solved by an administrator vs. GitHub support? Select all that apply.
   
A) Removing sensitive data from commits

B) Restoring recently deleted branches

D) Managing repository access

6. Question Six: What is a key benefit of deploying multiple organizations within a GitHub Enterprise account?
   
D) It provides granular control over permissions and policies for different business units

7. Question Seven: When an employee leaves an organization, how does EMU help maintain security?

   B) The user is automatically removed from the enterprise via the identity provider

[sam-nash]

1. C
2. B
3. D
4. A
5. C
6. D
7. B

[queenofcorgis]

Nice work everyone on Week Three! Our final week's discussion has been posted - let's finish strong 💪🏼