Improve EMU onboarding experience for Setup Admins [GA] (#53050)
Co-authored-by: Isaac Brown <[email protected]>
rachaelrenk and isaacmbrown authored Nov 12, 2024
1 parent 72eb0d5 commit f468a8d
Showing 14 changed files with 55 additions and 44 deletions.
Expand Up @@ -133,9 +133,9 @@ To prevent confusion from your developers, you can change this behavior so that
> [!NOTE]
> If a user is signed in to their personal account when they attempt to access any of your enterprise's resources, they'll be automatically signed out and redirected to SSO to sign in to their {% data variables.enterprise.prodname_managed_user %}. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-personal-account/managing-multiple-accounts)."
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.security-tab %}
{% data reusables.enterprise-accounts.access-enterprise-emu %}
{% data reusables.enterprise-accounts.identity-provider-tab %}
{% data reusables.enterprise-accounts.sso-configuration %}
1. Under "Single sign-on settings", select or deselect **Automatically redirect users to sign in**.
{% endif %}

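Review bot: the unchanged last step of this hunk, 'Under "Single sign-on settings", select or deselect **Automatically redirect users to sign in**', now sits below a navigation that ends on **Single sign-on configuration** in the Identity provider sidebar, and the other procedures in this commit quote "SAML single sign-on" and "OIDC single sign-on" as the section headings on that page; please confirm "Single sign-on settings" is still the heading shown there, or update it to match the new page.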
Expand Up @@ -47,9 +47,9 @@ OIDC does not support IdP-initiated authentication.

1. Sign into {% data variables.product.prodname_dotcom %} as the setup user for your new enterprise with the username **@SHORT-CODE_admin**.
{% data reusables.enterprise-accounts.access-enterprise-emu %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.security-tab %}
1. Under "OpenID Connect single sign-on", select **Require OIDC single sign-on**.
{% data reusables.enterprise-accounts.identity-provider-tab %}
{% data reusables.enterprise-accounts.sso-configuration %}
1. Under "OIDC single sign-on", select **Enable OIDC configuration**.
1. To continue setup and be redirected to Entra ID, click **Save**.
{% data reusables.enterprise-accounts.emu-azure-admin-consent %}
{% data reusables.enterprise-accounts.download-recovery-codes %}
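Review bot: the final step here, 'To continue setup and be redirected to Entra ID, click **Save**', keeps a plain **Save** button, while the SAML procedure in this same commit renames its final button to **Save SAML settings**; if the OIDC page uses a product-specific label as well, align the two, and otherwise note in the source that the pages intentionally differ so the next editor does not "fix" it.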
Expand Up @@ -104,16 +104,16 @@ After the initial configuration of SAML SSO, the only setting you can update on
> {% data reusables.enterprise-accounts.emu-password-reset-session %}
{% data reusables.enterprise-accounts.access-enterprise-emu %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.security-tab %}
{% data reusables.enterprise-accounts.identity-provider-tab %}
{% data reusables.enterprise-accounts.sso-configuration %}

1. Under "SAML single sign-on", select **Require SAML authentication**.
1. Under "SAML single sign-on", select **Add SAML configuration**.
1. Under **Sign on URL**, type the HTTPS endpoint of your IdP for SSO requests that you noted while configuring your IdP.
1. Under **Issuer**, type your SAML issuer URL that you noted while configuring your IdP, to verify the authenticity of sent messages.
1. Under **Public Certificate**, paste the certificate that you noted while configuring your IdP, to verify SAML responses.
{% data reusables.saml.edit-signature-and-digest-methods %}
1. Under **Public Certificate**, select the **Signature Method** and **Digest Method** dropdown menus, then click the hashing algorithm used by your SAML issuer.
1. Before enabling SAML SSO for your enterprise, to ensure that the information you've entered is correct, click **Test SAML configuration**. {% data reusables.saml.test-must-succeed %}
1. Click **Save**.
1. Click **Save SAML settings**.

> [!NOTE]
> After you require SAML SSO for your enterprise and save SAML settings, the setup user will continue to have access to the enterprise and will remain signed in to GitHub along with the {% data variables.enterprise.prodname_managed_users %} provisioned by your IdP who will also have access to the enterprise.
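Review bot: replacing 'select **Require SAML authentication**' with 'select **Add SAML configuration**' removes the only step that turned enforcement on, yet the note at the end of the hunk still opens with "After you require SAML SSO for your enterprise and save SAML settings"; either add the step that requires SAML (the disable procedure in this commit refers to a **SAML single sign-on** toggle on this page, so presumably that is it) or reword the note to "After you save SAML settings". Two smaller points on the same hunk: 'click the hashing algorithm used by your SAML issuer' describes only **Digest Method**, since **Signature Method** selects a signature algorithm; and the line it replaces, `{% data reusables.saml.edit-signature-and-digest-methods %}`, is still used by other pages, so inlining the text here means the two copies will drift.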
Expand Up @@ -41,7 +41,7 @@ If you want to migrate to a new identity provider (IdP) or tenant rather than di
{% data reusables.emus.sign-in-as-setup-user %}
1. Attempt to access your enterprise account, and use a recovery code to bypass SAML SSO or OIDC. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/accessing-your-enterprise-account-if-your-identity-provider-is-unavailable)."
{% data reusables.enterprise-accounts.access-enterprise-emu %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.security-tab %}
1. Under "SAML single sign-on", deselect **Require SAML authentication** or **Require OIDC single sign-on**.
1. Click **Save**.
{% data reusables.enterprise-accounts.identity-provider-tab %}
{% data reusables.enterprise-accounts.sso-configuration %}
1. Next to "SAML single sign-on" or "OIDC single sign-on", click to deselect **SAML single sign-on** or **OIDC single sign-on**.
1. To confirm, click **Disable SAML single sign-on** or **Disable OIDC single sign-on**.
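Review bot: the recovery-code step ('Attempt to access your enterprise account, and use a recovery code to bypass SAML SSO or OIDC. ...') stays inline here while both migration procedures in this commit switch to `{% data reusables.emus.use-enterprise-recovery-code %}`; use the reusable here as well so the SSO-bypass instructions live in one place. Minor wording: 'click to deselect **SAML single sign-on** or **OIDC single sign-on**' reads awkwardly next to the OIDC-to-SAML page's 'Deselect **OIDC single sign-on**'; 'deselect **SAML single sign-on** or **OIDC single sign-on**' matches it.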
Expand Up @@ -20,16 +20,23 @@ In the event that your IdP is unavailable, you can use a recovery code to sign i

If you did not save your recovery codes when you configured SSO, you can still access the codes from your enterprise's settings.

{% data reusables.enterprise-accounts.access-enterprise %}
## Downloading codes for an enterprise with personal accounts

{% data reusables.enterprise-accounts.access-enterprise-personal-accounts %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.security-tab %}

1. Under{% ifversion oidc-for-emu %} either{% endif %} "Require SAML authentication"{% ifversion oidc-for-emu %} or "Require OIDC authentication"{% endif %}, click **Save your recovery codes**.{% ifversion oidc-for-emu %}
1. Under "Require SAML authentication", click **Save your recovery codes**.

![Screenshot of the "Authentication security" screen. The "Save your recovery codes" hyperlink is highlighted with an orange outline.](/assets/images/help/enterprises/saml-recovery-codes-link.png)
1. To save your recovery codes, click **Download**, **Print**, or **Copy**.

## Downloading codes for an enterprise with {% data variables.product.prodname_emus %}

> [!NOTE]
> OIDC SSO is only available for {% data variables.product.prodname_emus %}. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users)."
{% data reusables.enterprise-accounts.access-enterprise-emu %}
{% data reusables.enterprise-accounts.identity-provider-tab %}
{% data reusables.enterprise-accounts.sso-configuration %}

{% endif %}
1. Under either "SAML single sign-on" or "OIDC single sign-on", click **Save your recovery codes**.

![Screenshot of the "Authentication security" screen. The "Save your recovery codes" hyperlink is highlighted with an orange outline.](/assets/images/help/enterprises/saml-recovery-codes-link.png)
1. To save your recovery codes, click **Download**, **Print**, or **Copy**.
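Review bot: the two new sections include `reusables.enterprise-accounts.access-enterprise-personal-accounts` and `reusables.enterprise-accounts.access-enterprise-emu`, but only one two-line "access" reusable is added in this commit (the hunk whose file name the rendered page does not show); please confirm both files exist under data/reusables/enterprise-accounts, since a missing include fails the build. The EMU section also reuses the image whose alt text says 'Screenshot of the "Authentication security" screen', although its steps now go through **Identity provider** > **Single sign-on configuration**; check that the screenshot still matches that page. If the `{% endif %}` above the last step survives into the new version, verify it still has a matching `{% ifversion oidc-for-emu %}`, because the line that opened that block was rewritten.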
Expand Up @@ -181,10 +181,10 @@ If you don't use a partner IdP, or if you only use a partner IdP for authenticat
> {% data reusables.enterprise-accounts.emu-password-reset-session %}
{% data reusables.enterprise-accounts.access-enterprise-emu %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.security-tab %}
{% data reusables.enterprise-accounts.identity-provider-tab %}
{% data reusables.enterprise-accounts.sso-configuration %}
1. Under "Open SCIM Configuration", select "Enable open SCIM configuration".
1. Manage the lifecycle of your users by making calls to the REST API endpoints for SCIM provisioning. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/provisioning-users-and-groups-with-scim-using-the-rest-api)."
1. Manage the lifecycle of your users by making calls to the REST API endpoints for SCIM provisioning. See "[AUTOTITLE](/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/provisioning-users-and-groups-with-scim-using-the-rest-api)."

{% endif %}

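Review bot: 'select "Enable open SCIM configuration"' quotes the control in double quotes, while every other step in this commit bolds UI controls (**Enable OIDC configuration**, **Add SAML configuration**); use **Enable open SCIM configuration**. Because this step has moved from Authentication security to the **Single sign-on configuration** page, also confirm that "Open SCIM Configuration" is the heading shown there.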
Expand Up @@ -88,9 +88,8 @@ Enterprise owners can review a list of IdP groups, each group's memberships, and

{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.click-identity-provider %}

1. To see the members and teams connected to an IdP group, click the group's name.

1. {% data reusables.enterprise-accounts.groups-tab %}
1. To view the teams connected to the IdP group, click **Teams**.

If a team cannot sync with the group on your IdP, the team will display an error. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/troubleshooting-team-membership-with-identity-provider-groups)."
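Review bot: `1. {% data reusables.enterprise-accounts.groups-tab %}` prefixes the include with a list marker, but the reusable added in this commit already starts with `1. ` ('1. Under **Identity provider**, click **Groups**.'), so the rendered page shows a doubled marker; drop the `1. ` here, as the other include lines do. The removed step 'To see the members and teams connected to an IdP group, click the group's name' is not replaced, so the reader goes from the Groups list straight to 'click **Teams**' without having opened a group; keep a click-the-group step, as the troubleshooting procedure in this commit does ('In the list of IdP groups, click the group you'd like to review').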
Expand Up @@ -29,13 +29,13 @@ If {% data variables.product.prodname_dotcom %} is unable to synchronize team me
## Viewing errors for team synchronization with an IdP group

{% data reusables.enterprise-accounts.access-enterprise %}
1. In the list of enterprises, click the enterprise you want to view.
{% data reusables.enterprise-accounts.click-identity-provider %}
1. Under **Identity provider**, click **Groups**.
1. If synchronization for a group is experiencing problems, you'll see a message that reads "Some groups are failing to synchronize to teams. Check that you have available licenses."
1. In the list of IdP groups, click the group you'd like to review.
1. To review the synchronization error for the group, under the name of the group, click **Teams**.

![Screenshot of the page for a synchronized IdP group. Under the name of the group, to the right, the "Teams" tab is highlighted in dark orange.](/assets/images/help/enterprises/idp-group-sync-teams-tab.png)

If a team is unable to sync membership with a group on your IdP, you'll see a description of the problem under the team's name and membership count.

{% ifversion ghec %}
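Review bot: 'Under **Identity provider**, click **Groups**.' is typed inline here even though this commit adds data/reusables/enterprise-accounts/groups-tab.md with exactly that text and uses it in the viewing-groups procedure; replace the line with `{% data reusables.enterprise-accounts.groups-tab %}` so the two cannot drift. Dropping 'In the list of enterprises, click the enterprise you want to view' is only safe if `reusables.enterprise-accounts.access-enterprise`, which this hunk keeps, already ends with that step; the new two-line access reusable in this commit does, but this page does not switch to it.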
Expand Up @@ -37,10 +37,10 @@ If you're new to {% data variables.product.prodname_emus %} and haven't yet conf
## Migrating your enterprise

{% data reusables.emus.sign-in-as-setup-user %}
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.access-enterprise-emu %}
{% data reusables.emus.use-enterprise-recovery-code %}
{% data reusables.enterprise-accounts.security-tab %}
1. Deselect **Require OIDC single sign-on**.
1. Click **Save**.
1. Configure SAML authentication and SCIM provisioning. For more information, see [Tutorial: Microsoft Entra single sign-on (SSO) integration with GitHub Enterprise Managed User](https://learn.microsoft.com/entra/identity/saas-apps/github-enterprise-managed-user-tutorial) on Microsoft Learn.
{% data reusables.enterprise-accounts.identity-provider-tab %}
{% data reusables.enterprise-accounts.sso-configuration %}
1. Deselect **OIDC single sign-on**.
1. Confirm and click **Disable OIDC single sign-on**.
1. Configure SAML authentication and SCIM provisioning. See [Tutorial: Microsoft Entra single sign-on (SSO) integration with GitHub Enterprise Managed User](https://learn.microsoft.com/entra/identity/saas-apps/github-enterprise-managed-user-tutorial) on Microsoft Learn.
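Review bot: 'Confirm and click **Disable OIDC single sign-on**' and the disable procedure earlier in this commit ('To confirm, click **Disable OIDC single sign-on**') describe the same confirmation dialog in different words, and 'Deselect **OIDC single sign-on**' differs from that page's 'click to deselect **OIDC single sign-on**'; pick one phrasing for both pages. Since the procedure now has the setup user bypass SSO with `reusables.emus.use-enterprise-recovery-code` before disabling OIDC, a cross-link to the recovery codes page, as the disable procedure carries, would help readers who never downloaded their codes.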
Expand Up @@ -44,14 +44,15 @@ To migrate your enterprise from SAML to OIDC, you will disable your existing {%
> Migration of your enterprise from SAML to OIDC can take up to an hour. During the migration, users cannot access your enterprise on {% data variables.product.github %}.
1. Before you begin the migration, sign in to Azure and disable provisioning in the existing {% data variables.product.prodname_emu_idp_application %} application.
1. If you use [Conditional Access (CA) network location policies](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition) in Entra ID, and you're currently using an IP allow list with your enterprise account or any of the organizations owned by the enterprise account, disable the IP allow lists. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-allowed-ip-addresses-for-organizations-in-your-enterprise)" and "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization)."
1. If you use [Conditional Access (CA) network location policies](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition) in Entra ID, and you're currently using an IP allow list with your enterprise account or any of the organizations owned by the enterprise account, disable the IP allow lists. See "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-allowed-ip-addresses-for-organizations-in-your-enterprise)" and "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization)."
{% data reusables.emus.sign-in-as-setup-user %}
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.access-enterprise-emu %}
{% data reusables.emus.use-enterprise-recovery-code %}
{% data reusables.enterprise-accounts.security-tab %}
1. At the bottom of the page, next to "Migrate to OpenID Connect single sign-on", click **Configure with Azure**.
1. Read the warning, then click **I understand, begin migrating to OpenID Connect**.
{% data reusables.enterprise-accounts.identity-provider-tab %}
{% data reusables.enterprise-accounts.sso-configuration %}
1. At the bottom of the page, click **Migrate to OpenID Connect single sign-on**.
1. Read the warning, then click **Migrate to OIDC**.
1. Click **Begin OIDC migration**.
{% data reusables.enterprise-accounts.emu-azure-admin-consent %}
1. After you grant consent, a new browser window will open to {% data variables.product.github %} and display a new set of recovery codes for your {% data variables.enterprise.prodname_emu_enterprise %}. Download the codes, then click **Enable OIDC authentication**.
1. Wait for the migration to complete, which can take up to an hour. To check the status of the migration, navigate to your enterprise's authentication security settings page. If "Require SAML authentication" is selected, the migration is still in progress.
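Review bot: the unchanged last step, 'To check the status of the migration, navigate to your enterprise's authentication security settings page. If "Require SAML authentication" is selected, the migration is still in progress.', is now stale: the steps above it move the SSO controls to **Identity provider** > **Single sign-on configuration**, and this commit replaces the **Require SAML authentication** wording with a **SAML single sign-on** toggle on that page (see the disable procedure). Point the status check at the Single sign-on configuration page and the new control name, otherwise an admin checking progress will be looking at the wrong page.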
Expand All @@ -60,10 +61,9 @@ To migrate your enterprise from SAML to OIDC, you will disable your existing {%
> Do not provision new users from the application on Entra ID during the migration.
1. In a new tab or window, while signed in as the setup user, create a {% data variables.product.pat_v1 %} with the **scim:enterprise** scope and **no expiration** and copy it to your clipboard. For more information about creating a new token, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users#creating-a-personal-access-token)."
1. In the provisioning settings for the {% data variables.product.prodname_emu_idp_oidc_application %} application in the Microsoft Entra admin center, under "Tenant URL", type the tenant URL for your enterprise:

* For **{% data variables.product.prodname_dotcom_the_website %}**: `https://api.github.com/scim/v2/enterprises/YOUR_ENTERPRISE`, replacing YOUR_ENTERPRISE with the name of your enterprise account. For example, if your enterprise account's URL is `https://github.com/enterprises/octo-corp`, the name of the enterprise account is `octo-corp`.
* For **{% data variables.enterprise.data_residency_site %}**: `https://api.SUBDOMAIN.ghe.com/scim/v2/enterprises/SUBDOMAIN`, where SUBDOMAIN is your enterprise's subdomain on {% data variables.enterprise.data_residency_site %}.
1. In the provisioning settings for the {% data variables.product.prodname_emu_idp_oidc_application %} application in the Microsoft Entra admin center, under "Tenant URL", the tenant URL for your enterprise:
* For **{% data variables.product.prodname_dotcom_the_website %}**: `https://api.github.com/scim/v2/enterprises/YOUR_ENTERPRISE`, replacing YOUR_ENTERPRISE with the name of your enterprise account. For example, if your enterprise account's URL is `https://github.com/enterprises/octo-corp`, the name of the enterprise account is `octo-corp`.
* For **{% data variables.enterprise.data_residency_site %}**: `https://api.SUBDOMAIN.ghe.com/scim/v2/enterprises/SUBDOMAIN`, where SUBDOMAIN is your enterprise's subdomain on {% data variables.enterprise.data_residency_site %}.

1. Under "Secret token", paste the {% data variables.product.pat_v1 %} with the **scim:enterprise** scope that you created earlier.
1. To test the configuration, click **Test Connection**.
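Review bot: the rewritten step 'under "Tenant URL", the tenant URL for your enterprise:' lost its verb; the line it replaces reads 'under "Tenant URL", type the tenant URL for your enterprise:'. Restore 'type'. The blank line between that step and its bullet sub-list was also removed; check that the two URL bullets still render nested under the step rather than as a new top-level list.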
@@ -0,0 +1,2 @@
1. In the top-right corner of {% data variables.product.prodname_dotcom %}, click your profile photo.
1. Click **Your enterprises**, then click the enterprise you want to view.
1 change: 1 addition & 0 deletions data/reusables/enterprise-accounts/groups-tab.md
@@ -0,0 +1 @@
1. Under **Identity provider**, click **Groups**.
@@ -0,0 +1 @@
1. On the left side of the page, in the enterprise account sidebar, click **Identity provider**.
1 change: 1 addition & 0 deletions data/reusables/enterprise-accounts/sso-configuration.md
@@ -0,0 +1 @@
1. Under **Identity Provider**, click **Single sign-on configuration**.
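Review bot: **Identity Provider** is capitalized here while the two sibling reusables added in this commit write **Identity provider** (groups-tab.md and the sidebar-click reusable); the UI shows one spelling, so align all three. Since this step is always preceded by the sidebar click 'click **Identity provider**', the 'Under **Identity Provider**' prefix is also redundant; 'Click **Single sign-on configuration**.' would suffice.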
