GHES SCIM Documentation Updates (Batch 2/3) (#55212)

taylorreis · saritai · web-flow · commit a9a2372a94b4 · 2025-04-18T17:54:25.000Z
Co-authored-by: Sarita Iyer &lt;66540150+saritai@users.noreply.github.com&gt;
diff --git a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/suspending-and-unsuspending-users.md b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/suspending-and-unsuspending-users.md
@@ -44,7 +44,7 @@ Before suspending site administrators, you must demote them to regular users. Se
 If you use certain external authentication features, you cannot manage user suspension from the site admin dashboard or command line:
 
 * If LDAP Sync is enabled for {% data variables.location.product_location %}, users are automatically suspended based on the scenarios that are described in [AUTOTITLE](/admin/identity-and-access-management/using-ldap-for-enterprise-iam/using-ldap#enabling-ldap-sync).
-* If SCIM provisioning is enabled, SCIM-provisioned users must be suspended or unsuspended through your identity provider.
+* If SCIM provisioning is enabled, SCIM-provisioned users must be suspended or unsuspended through your identity provider.{% ifversion scim-for-ghes-public-beta %} See [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api#provisioning-users-with-the-rest-api).{% endif %}
 
 ## Viewing suspended users in the site admin dashboard
 
diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md
@@ -126,6 +126,8 @@ To ensure you can continue to sign in and configure settings when SCIM is enable
 {% data reusables.enterprise-accounts.security-tab %}
 1. Under "SCIM Configuration", select **Enable SCIM configuration**.
 
+You can confirm that SCIM is now enabled by checking your instance's [audit logs](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise). You should expect to see a "business.enable_open_scim" event, indicating that GitHub's [SCIM REST API](/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api) has been enabled on your instance.
+
 {% endif %}
 
 {% ifversion ghec %}
@@ -191,12 +193,15 @@ If you don't use a partner IdP, or if you only use a partner IdP for authenticat
 
 {% ifversion scim-for-ghes-public-beta %}
 
-## 6. Disable optional settings
+## 6. Update settings
+
+After you have finished the configuration process, you should disable the following setting in the Management Console:
+
+* **Disable administrator demotion/promotion**: Disable this setting to allow assignment of the enterprise owner role via SCIM. If this setting remains enabled, you will not be able to provision enterprise owners via SCIM.
 
-After you have finished the configuration process, you can disable the following settings in the Management Console:
+Optionally, you can disable the following setting in the Management Console as well:
 
 * **Allow creation of accounts with built-in authentication**: Disable this setting if you want all users to be provisioned from your IdP.
-* **Disable administrator demotion/promotion**: Disable this setting if you want to be able to grant the enterprise owner role via SCIM.
 
 {% endif %}
 
diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/disabling-scim-provisioning-for-users.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/disabling-scim-provisioning-for-users.md
@@ -0,0 +1,51 @@
+---
+title: Disabling SCIM provisioning for users
+shortTitle: Disable SCIM provisioning
+intro: 'You can disable SCIM provisioning for your enterprise''s user accounts.'
+permissions: Site administrators
+versions:
+  feature: scim-for-ghes-public-beta
+topics:
+  - Accounts
+  - Enterprise
+---
+
+{% data reusables.scim.ghes-beta-note %}
+
+## How do I disable SCIM?
+
+To disable SCIM provisioning while keeping SAML on:
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.security-tab %}
+4. Deselect **Enable SCIM configuration**.
+
+When this happens, users will still be able to use SAML single sign-on through your identity provider, but SCIM provisioning will no longer work. Instead, SAML JIT provisioning will be used again. For more information on SAML provisioning, see [AUTOTITLE](/admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise).
+
+If for some reason you no longer have access to your instance, you will need to sign in to the management console and enable built-in authentication. For more information, see [AUTOTITLE](/admin/managing-iam/using-built-in-authentication/configuring-built-in-authentication#configuring-built-in-authentication). Once this is complete, you can sign in to your instance with the SCIM setup user you created when enabling SCIM, and uncheck the **Enable SCIM configuration** checkbox described above.
+
+## How else can be SCIM disabled?
+
+In addition to directly disabling SCIM provisioning on your instance, SCIM will be disabled if any of the following actions are taken:
+
+* The **SAML** radio button is unselected in the "Authentication" section of the Management Console.
+* The SAML **Issuer** or **Single sign-on URL** field is updated in the "Authentication" section of the Management Console.
+
+## What happens if I disable SCIM?
+
+When SCIM is disabled on {% data variables.product.prodname_ghe_server %}:
+
+* In your instance's [audit logs](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise), you should expect to see a "business.disable_open_scim" event.
+* All linked SCIM identities and SCIM-provisioned groups will be deleted from the instance.
+* Requests to the SCIM API endpoints on your instance will no longer succeed.
+* All SCIM external identities on {% data variables.product.prodname_ghe_server %} will be deleted.
+* All user accounts will remain with the same usernames, and they will not be suspended when SCIM is disabled.
+* All of the external groups that were previously provisioned by SCIM will be deleted.
+* All user accounts, including SCIM-provisioned user accounts, will remain on the instance and will not be suspended.
+* Site administrators will be able to manage the lifecycle of SCIM-provisioned users, such as suspension and deletion, from the site admin dashboard.
+* Users will still be able to sign on via SAML, if enabled.
+* The "Suspended Members" page in your enterprise settings will no longer be present. Suspended members can still be seen in the [Site Admin dashboard](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/suspending-and-unsuspending-users#viewing-suspended-users-in-the-site-admin-dashboard)
+{%- ifversion scim-for-ghes-ga %}
+* You will be able to see the "SAML authentication" section on the `https://HOSTNAME/users/USER/security` site admin page for users. If any SAML mappings were previously created for users on the {% data variables.product.prodname_ghe_server %} before SCIM was enabled, it will be possible to once again view and update them in this section.
+{%- endif %}
diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/index.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/index.md
@@ -16,6 +16,7 @@ children:
   - /configuring-authentication-and-provisioning-with-entra-id
   - /configuring-authentication-and-provisioning-with-pingfederate
   - /configuring-scim-provisioning-with-okta
+  - /disabling-scim-provisioning-for-users
   - /provisioning-users-and-groups-with-scim-using-the-rest-api
   - /managing-team-memberships-with-identity-provider-groups
   - /troubleshooting-team-membership-with-identity-provider-groups
diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes.md
@@ -101,32 +101,9 @@ After an IdP administrator grants a person access to {% data variables.location.
 
 {% ifversion scim-for-ghes-public-beta %}
 
-## What happens if I disable SCIM?
+## How is SCIM disabled?
 
-SCIM will be disabled on {% data variables.product.prodname_ghe_server %} if any of the following things happens.
-
-* The **Enable SCIM configuration** checkbox is unselected on the "Authentication security" page in the enterprise settings.
-* The **SAML** radio button is unselected in the "Authentication" section of the Management Console.
-* The SAML **Issuer** or **Single sign-on URL** field is updated in the "Authentication" section of the Management Console.
-
-When SCIM is disabled on {% data variables.product.prodname_ghe_server %}:
-
-* All linked SCIM identities and SCIM-provisioned groups will be deleted from the instance.
-* Requests to the SCIM API endpoints on your instance will no longer succeed.
-* All SCIM external identities on {% data variables.product.prodname_ghe_server %} will be deleted.
-* All user accounts will remain with the same usernames, and they will not be suspended when SCIM is disabled.
-* All of the external groups that were previously provisioned by SCIM will be deleted.
-* All user accounts, including SCIM-provisioned user accounts, will remain on the instance and will not be suspended.
-* Site administrators will be able to manage the lifecycle of SCIM-provisioned users, such as suspension and deletion, from the site admin dashboard.
-* Users will still be able to sign on via SAML, if enabled.
-* The "Suspended Members" page in your enterprise settings will no longer be present. Suspended members can still be seen in the [Site Admin dashboard](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/suspending-and-unsuspending-users#viewing-suspended-users-in-the-site-admin-dashboard)
-{%- ifversion scim-for-ghes-ga %}
-* You will be able to see the "SAML authentication" section on the `https://HOSTNAME/users/USER/security` site admin page for users. If any SAML mappings were previously created for users on the {% data variables.product.prodname_ghe_server %} before SCIM was enabled, it will be possible to once again view and update them in this section.
-{%- endif %}
-
-{% endif %}
-
-{% ifversion scim-for-ghes-public-beta %}
+For more information on the different ways that SCIM can be disabled, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/disabling-scim-provisioning-for-users).
 
 ## Getting started
 
diff --git a/content/admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise.md b/content/admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise.md
@@ -146,4 +146,5 @@ You can enable or disable SAML authentication for {% data variables.location.pro
 {%- endif %}
 {%- ifversion ghes %}
 * [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/promoting-or-demoting-a-site-administrator)
+{% ifversion scim-for-ghes-public-beta %}* [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users){% endif %}
 {%- endif %}
