GitHub Enterprise Administrator (GH-100) · Difficulty

Hard GH-100 practice questions

Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 8 hard questions available — no sign-up, always free.

Question 1 of 8

An enterprise owner is reviewing suspicious activity where several repositories had their visibility changed to public overnight. Using the audit log, they need to determine whether these changes were performed by a human clicking in the web UI or by an automated integration acting on a user's behalf. Which audit log field or approach best allows them to distinguish programmatic (token-based) actions from interactive web sessions?

Reviewed for accuracy · Report an issue
Question 2 of 8

Your enterprise runs security-sensitive CI/CD workflows on GitHub-hosted larger runners. The security team requires that all outbound traffic from these runners to your internal Azure resources travels over a private network without traversing the public internet, and that the runners receive IP addresses from your own Azure virtual network. As the enterprise administrator, what is the correct approach to meet this requirement?

Reviewed for accuracy · Report an issue
Question 3 of 8

An enterprise uses a GitHub Enterprise Cloud with Managed Users (EMU) instance provisioned via SCIM from Azure AD (Entra ID). Two newly hired employees, both named Alex Kim, are being provisioned. The identity provider maps the SCIM userName attribute (derived from each user's email local-part 'alex.kim') to their GitHub handle. The first user provisions successfully as '@alex.kim_acme'. When the second Alex Kim is provisioned, what happens and how should the administrator ensure both users are created correctly?

Reviewed for accuracy · Report an issue
Question 4 of 8

Your company runs a GitHub Enterprise Cloud account with Enterprise Managed Users (EMU) tied to Microsoft Entra ID. The security team wants to enforce Conditional Access policies (device compliance, sign-in risk) that are evaluated by Entra ID on every authentication to GitHub, without requiring an on-premises component to relay authentication state. Which identity federation protocol should you configure for the EMU enterprise to meet this requirement?

Reviewed for accuracy · Report an issue
Question 5 of 8

At Contoso, an enterprise account contains 12 organizations on GitHub Enterprise Cloud. Priya is an enterprise owner but is NOT a member or owner of the 'payments-team' organization. A developer asks Priya to directly add a specific outside collaborator to a private repository inside the 'payments-team' organization. Without changing her own membership, what can Priya do based on the GitHub authorization model?

Reviewed for accuracy · Report an issue
Question 6 of 8

You administer a GitHub Enterprise Cloud organization that must comply with a new supply-chain integrity policy. Auditors require that every commit merged into the default branch of all repositories be cryptographically verifiable, and that release tags matching 'v*' cannot be deleted or overwritten by anyone except a small release-engineering group. You want to enforce this consistently across all current and future repositories with the least ongoing maintenance. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 7 of 8

An enterprise owner wants every repository across all organizations to be able to call a centrally maintained reusable workflow stored in a private repository named 'org-shared/ci-templates'. However, the organization's Actions policy is currently set to 'Allow enterprise, and select non-enterprise, actions and reusable workflows', and repositories report that they cannot reference the reusable workflow. What is the correct action to enable this while keeping the restrictive policy in place?

Reviewed for accuracy · Report an issue
Question 8 of 8

Your enterprise uses GitHub Enterprise Cloud with SAML SSO enforced (not EMU). A developer leaves the company, and their IdP account is disabled. A security reviewer notices the developer's personal GitHub account still appears in an organization and worries they could still access repositories via a previously authorized personal access token. As the enterprise administrator, what is the most reliable way to ensure this former employee can no longer access organization resources?

Reviewed for accuracy · Report an issue