
Azure AD (AAD) Conditional Access Support for GHEC EMUs (GA)

Open github-product-roadmap opened this issue 3 years ago • 0 comments

Summary

Many GitHub Enterprise customers leverage Azure AD Conditional Access to ensure that access to their enterprise SaaS applications complies with corporate policies. These access policies include, but are not limited to, trusted networks, trusted devices, time of day, and geography. Today, AAD already enforces Conditional Access on web Single Sign-On (SSO), where the user's authentication context is evaluated before the SSO exchange completes. However, GitHub has its own set of credentials that are not managed by AAD: personal access tokens (PATs) and SSH keys. These credentials are not subject to Conditional Access Policy (CAP) evaluation and pose a security gap for our enterprise customers.

This feature is currently in public beta; this issue tracks its general availability (GA).

Intended Outcome

This initiative enables customers to centralize their Conditional Access Policy management into their Identity Provider, so that they do not need to manage such policies separately in GitHub. This will both simplify policy management, and greatly extend the scope of policies that can be applied to a GitHub Enterprise - providing them with new security controls out of the box.

How will it work?

Enterprise customers will migrate to or start with the OpenID Connect-based EMU application in the AAD App Gallery, which allows GitHub to trigger Conditional Access policy evaluation for PATs and SSH keys using the issued refresh token. Once configuration and/or migration has completed, AAD admins can validate their Conditional Access policies in their tenant.

Supported conditions are:

  • IP conditions
  • User, group, and application permissions

Due to the nature of PAT and SSH usage, the following condition types will not be considered when re-evaluating CAP:

  • Device compliance
  • Geographic location (GPS)
  • Browser or device type
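As an added illustration of the evaluation rules above (example code, not GitHub's or Microsoft's), the following Python model applies a simplified Conditional Access policy to a credential use and drops the condition types that are not re-evaluated for PATs and SSH keys. The policy fields, condition names and the `web_sso`/`pat_ssh` channel labels are assumptions; `pat_ssh_effective_conditions` shows which conditions of a policy still cover non-web credentials, which is the check an admin wants when auditing existing policies against this gap.

```python
import ipaddress
from dataclasses import dataclass, field
# Condition types NOT re-evaluated for PAT/SSH use (per the roadmap item); names are assumptions.
IGNORED_FOR_PAT_SSH = {"device_compliance", "geo_location", "device_type"}

@dataclass
class Policy:                 # simplified CA policy: block unless every condition holds
    target_groups: set                                    # user/group assignment
    trusted_networks: list = field(default_factory=list)  # CIDRs treated as trusted IPs
    require_compliant_device: bool = False
    allowed_countries: set = field(default_factory=set)   # GPS / geographic condition

@dataclass
class Request:                # channel is "web_sso" or "pat_ssh" (assumed labels)
    groups: set
    ip: str
    channel: str
    device_compliant: bool = False
    country: str = ""

def policy_conditions(policy):
    """Condition types a policy relies on (used to audit what still applies to PATs)."""
    conds = {"user_group"}
    if policy.trusted_networks:
        conds.add("ip")
    if policy.require_compliant_device:
        conds.add("device_compliance")
    if policy.allowed_countries:
        conds.add("geo_location")
    return conds

def pat_ssh_effective_conditions(policy):
    # Conditions that still protect PAT/SSH use; only "user_group" left means no real coverage.
    return policy_conditions(policy) - IGNORED_FOR_PAT_SSH

def failing_conditions(policy, req):
    """Conditions of `policy` that fail for `req`; an empty set means access is granted."""
    if not (req.groups & policy.target_groups):
        return set()                                      # policy not assigned to this user
    failed = set()
    if policy.trusted_networks and not any(ipaddress.ip_address(req.ip) in ipaddress.ip_network(n) for n in policy.trusted_networks):
        failed.add("ip")
    if policy.require_compliant_device and not req.device_compliant:
        failed.add("device_compliance")
    if policy.allowed_countries and req.country not in policy.allowed_countries:
        failed.add("geo_location")
    if req.channel == "pat_ssh":                          # device and geography are not re-evaluated
        failed -= IGNORED_FOR_PAT_SSH
    return failed
```

A policy whose only condition is device compliance therefore evaluates to `{"user_group"}` for PAT/SSH use and does not block a token used from an unmanaged machine; adding a trusted-network condition is what restores coverage for those credentials.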

github-product-roadmap, Jun 15 '22 19:06