How should I offboard users?
The method for offboarding a user depends on your enterprise type:
- Personal accounts: Remove the user from the enterprise account using the GitHub UI or API.
- Outside collaborators are an exception to this process. They cannot be removed in the enterprise settings, and must be removed from each repository instead.
- Enterprise Managed Users: Suspend the user's account by removing the user from the GitHub application in your identity provider.
- The user will show as suspended on your enterprise's "People" page.
- It is not possible to remove a managed user account from the enterprise completely.
For instructions, see Removing a member from your enterprise.
What happens when a user is offboarded?
When you offboard a user by following the instructions linked above:
- The offboarded user loses access to private and internal resources in your enterprise and organizations.
- The user's personal access tokens, SSH keys, and app authorizations can no longer be used to access your enterprise's and organizations' resources. Access to your resources is restored if the user is added back to the enterprise and relevant organizations.
- The user stops consuming licenses granted from your enterprise, including GitHub Enterprise and GitHub Copilot licenses. This change may not be reflected on your bill until the next billing cycle.
- If you use Enterprise Managed Users, the user will no longer be able to sign in to their managed user account.
- If you use an enterprise with personal accounts, the user will still be able to sign in to their account and access other resources on GitHub, even if you have enabled SAML SSO for your enterprise or organizations. This is because SSO only applies to your enterprise- or organization-owned resources.
- The user's commits, issues, pull requests, comments, and so on are retained in organization-owned repositories. However, the user's username is obfuscated if you use Enterprise Managed Users.
For Enterprise Managed Users, you will find a more exhaustive list of effects of offboarding in Deprovisioning and reinstating users with SCIM.
What about removing a user from all organizations?
Historically, some enterprises' offboarding processes have relied on removing a user from all organizations in the enterprise. However, in many cases, this approach is not sufficient for fully offboarding a user.
When is a user removed from the enterprise?
If a user loses access to all organizations in an enterprise, the user is also removed from the enterprise account if all of the following things are true:
- You use an enterprise with personal accounts.
- Your enterprise has disabled the policy described in Controlling user offboarding with the unaffiliated users policy.
- The user does not have the enterprise owner or enterprise billing manager role.
What happens if a user remains in the enterprise?
In any other situation, a user who loses access to all organizations remains in the enterprise.
- If the user has the enterprise owner or enterprise billing manager role, they remain in the enterprise with this role.
- If the user doesn't have one of those roles, the user becomes an unaffiliated user.
Users without organization membership cannot access internal repositories in the enterprise. They also do not consume a GitHub Enterprise license, unless they meet another criterion listed in People who consume a license in an organization. However, they keep other privileges including enterprise roles and GitHub Copilot licenses granted directly from the enterprise.
For more information, see Abilities of roles in an enterprise.