Manage GitHub identities and access
Drill 19 practice questions focused entirely on Manage GitHub identities and access for the GitHub GH-100 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A team of contractors needs to triage issues and pull requests in a private repository, plus manage repository labels and milestones. Company policy requires least-privilege access, and the contractors must NOT be able to push code, merge pull requests, or change repository settings. The organization owner wants a reusable role that can be applied across several repositories. What is the best way to grant this access?
Your company uses a GitHub Enterprise Cloud account with Enterprise Managed Users (EMU) integrated with Azure AD (Entra ID) via SAML SSO and SCIM provisioning. An employee leaves the company, and the HR team removes them from the corporate identity provider. As the enterprise administrator, what happens to this user's GitHub account and access, and what is the correct expectation?
You administer an Enterprise Managed Users (EMU) instance for a financial services company. Compliance requires that every developer be protected by two-factor authentication. Your security team asks you to configure and enforce 2FA for all managed users directly in the GitHub enterprise settings. What should you tell them about implementing this requirement?
An enterprise uses a GitHub Enterprise Cloud with Managed Users (EMU) instance provisioned via SCIM from Azure AD (Entra ID). Two newly hired employees, both named Alex Kim, are being provisioned. The identity provider maps the SCIM userName attribute (derived from each user's email local-part 'alex.kim') to their GitHub handle. The first user provisions successfully as '@alex.kim_acme'. When the second Alex Kim is provisioned, what happens and how should the administrator ensure both users are created correctly?
Contoso is adopting GitHub Enterprise Cloud and wants all developer identities to be fully controlled by their Azure AD tenant, so that accounts are automatically created and deprovisioned centrally and users cannot use these accounts for personal open-source contributions outside the company. The security team also requires that these accounts cannot exist or be used before the identity provider authenticates them. Which enterprise account type should Contoso choose to meet these requirements?
You are the enterprise administrator for a GitHub Enterprise Cloud account with several organizations. Your security team asks you to identify every instance where a repository was changed from private to public across all organizations over the past 90 days, and they want this data pulled programmatically into their SIEM on a recurring schedule. Which approach best satisfies this requirement using native GitHub Enterprise capabilities?
Your company runs a GitHub Enterprise Cloud account with Enterprise Managed Users (EMU) enabled through Okta. A project lead asks you to add an external contractor's existing personal GitHub.com account as an outside collaborator on one private repository so the contractor can submit pull requests. What should you tell the project lead?
An enterprise administrator has created an organization-level ruleset targeting the default branch of all repositories in an organization. The ruleset requires pull requests with at least two approvals and blocks force pushes. A senior release engineer reports they need to occasionally push directly to the default branch during emergency hotfixes, but the platform team wants to preserve the two-approval requirement for everyone else and keep a record of who used the exception. What is the most appropriate way to accommodate this requirement?
Your company runs a GitHub Enterprise Cloud account with Enterprise Managed Users (EMU) tied to Microsoft Entra ID. The security team wants to enforce Conditional Access policies (device compliance, sign-in risk) that are evaluated by Entra ID on every authentication to GitHub, without requiring an on-premises component to relay authentication state. Which identity federation protocol should you configure for the EMU enterprise to meet this requirement?
An enterprise owner at a company using GitHub Enterprise Cloud with Enterprise Managed Users (EMU) wants to grant a group of 40 backend engineers access to several organizations at once. The engineers already exist as a group in the company's identity provider. The owner creates an enterprise team and wants its membership to be automatically driven by the IdP group, while also using that same team to assign organization roles across multiple organizations. Which approach correctly achieves automatic, IdP-driven membership for an enterprise team?
An organization on GitHub Enterprise Cloud has its base permission set to 'Write', meaning all organization members can push to every repository. A contractor who is NOT a member of the organization needs to contribute code to only one private repository. The security team requires that this contractor be able to access that single repository and nothing else in the organization. How should the enterprise administrator grant this access while respecting the least-privilege requirement?
At Contoso, an enterprise account contains 12 organizations on GitHub Enterprise Cloud. Priya is an enterprise owner but is NOT a member or owner of the 'payments-team' organization. A developer asks Priya to directly add a specific outside collaborator to a private repository inside the 'payments-team' organization. Without changing her own membership, what can Priya do based on the GitHub authorization model?
A team lead at your company wants a group of contractors to be able to manage issues and pull requests—applying labels, closing issues, requesting reviews, and marking duplicates—on a specific repository, but they must NOT be able to push code to any branch or change repository settings. As an organization owner, which built-in repository role should you assign to the contractors' team to grant exactly this level of access with the least privilege?
An enterprise owner on GitHub Enterprise Cloud (without Enterprise Managed Users) notices that a contractor was added directly to a single private repository in the Acme-Web organization, but the contractor is NOT a member of the organization. Leadership wants to ensure this contractor cannot see any other private repositories in the organization and cannot be counted against internal team-based base permissions. Which statement correctly describes the contractor's status and how their access is governed?
Your enterprise uses GitHub Enterprise Cloud with SAML SSO enforced (not EMU). A developer leaves the company, and their IdP account is disabled. A security reviewer notices the developer's personal GitHub account still appears in an organization and worries they could still access repositories via a previously authorized personal access token. As the enterprise administrator, what is the most reliable way to ensure this former employee can no longer access organization resources?
You administer a GitHub Enterprise Cloud organization backed by personal accounts (not EMU). Leadership requires all members to authenticate through the company's SAML identity provider. You enable and enforce SAML SSO for the organization. A developer complains that their existing personal access token (PAT) and SSH key suddenly stopped working against organization repositories, even though they can still sign in to github.com. What must the developer do to restore programmatic access?
Your company uses a GitHub Enterprise Managed Users (EMU) instance with Azure AD (Entra ID) as the identity provider, connected via SAML SSO and SCIM provisioning. An HR change updates an employee's display name and email in Entra ID. Days later, a colleague notices the user's profile name in GitHub still shows the old value. The user can still sign in normally. What is the most likely cause of the outdated profile information?
An enterprise uses SAML SSO with Azure AD (Entra ID) for their GitHub Enterprise Cloud organization (not EMU). The security team wants GitHub team membership to be automatically driven by Azure AD security groups, so that when a user is removed from an Azure AD group they lose the corresponding GitHub team membership without manual intervention. Team Synchronization has been enabled for the organization. What must an organization owner do to make a specific GitHub team's membership managed by an identity provider group?
An enterprise uses GitHub Enterprise Cloud (not EMU) with SAML SSO already configured against Microsoft Entra ID. The security team wants organization team membership to be governed centrally by Entra ID security groups, so that when a user is added to or removed from an Entra group, their membership in the corresponding GitHub team updates automatically. They do NOT want to manage user accounts or provisioning through this mechanism. Which GitHub feature should the administrator enable to meet this requirement?
More GH-100 practice
Keep going with the other GitHub Enterprise Administrator (GH-100) domains, or take a full timed mock exam.
← Back to GH-100 overview