
GitHub Enterprise User Offboarding SOP

GitHub Enterprise offboarding process ensuring secure user removal and Copilot license management.

GitHub recently made a quiet but important change to how user management works across Enterprise accounts, including how Copilot licenses are handled when someone leaves your organization. If you missed it, the announcement explains that enterprises can now manage users and Copilot access through Enterprise Teams. Cool feature. But for those of us who care about compliance and governance (and we do), it means your old offboarding checklist might suddenly be out of date.

At Monachus, we’ve been guiding our customers on how to handle this change cleanly, both in terms of process and tooling. Here’s a quick guide we’ve put together for GitHub Enterprise user offboarding.

Here’s what you need to know

On September 4, 2025, GitHub announced a change to how user removal is handled as part of the “Manage Copilot and users via Enterprise Teams” update (GitHub Blog Announcement).

With this change, users removed from all organizations within an enterprise are now retained as unaffiliated users instead of being automatically removed.

  • Unaffiliated users no longer have access to private or internal repositories.

  • They can still consume Copilot licenses if assigned at the enterprise level.

  • They remain visible in enterprise member lists until explicitly removed.

This necessitates an update to enterprise offboarding processes.

Offboarding Risks

If unaffiliated users are not removed:

  • They may continue to consume paid Copilot seats.

  • They may appear active in enterprise audit reports.

  • They can introduce compliance risks for SOC 2, ISO 27001, and NIST AC-2.

How To Navigate The Updated Offboarding Process

Option 1 - Manual Removal

  1. Navigate to Enterprise → People.

  2. Locate the user in the list.

  3. Select Remove enterprise member.

  4. Confirm removal.

Option 2 - Automated Removal via GraphQL API

Organizations with automated identity management can script this process using the GraphQL API.

 

Example Mutation:

mutation {
  removeEnterpriseMember(input: {
    enterpriseId: "ENTERPRISE_ID",
    userId: "USER_ID"
  }) {
    clientMutationId
  }
}

 

Requirements:

  • Enterprise admin permissions.

  • Personal access token with enterprise:admin scope.

  • Integration with identity platforms such as Okta, Azure AD, or Google Workspace.

Reference: GitHub API Docs – removeEnterpriseMember
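
The automated path above as a script, added here as an example (not Monachus's or GitHub's own code): it resolves the enterprise and user node IDs, runs the mutation, and returns a record that can serve as the API-log evidence listed under Audit Readiness. Assumptions: the github.com GraphQL endpoint, a token in the GITHUB_TOKEN environment variable, and the hypothetical helper names http_post, run and offboard.

```python
import json
import os
import urllib.request
from datetime import datetime, timezone

GRAPHQL_URL = "https://api.github.com/graphql"  # assumption: github.com-hosted enterprise

LOOKUP = """query($slug: String!, $login: String!) {
  enterprise(slug: $slug) { id }
  user(login: $login) { id }
}"""
REMOVE = """mutation($enterpriseId: ID!, $userId: ID!) {
  removeEnterpriseMember(input: {enterpriseId: $enterpriseId, userId: $userId}) {
    clientMutationId
  }
}"""

def http_post(query, variables):
    """Default transport: POST to the GraphQL endpoint with the token from GITHUB_TOKEN."""
    req = urllib.request.Request(
        GRAPHQL_URL,
        data=json.dumps({"query": query, "variables": variables}).encode(),
        headers={"Authorization": "bearer " + os.environ["GITHUB_TOKEN"],
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def run(post, query, variables):
    """GraphQL reports failures in an `errors` array, often alongside HTTP 200."""
    body = post(query, variables)
    if body.get("errors"):
        raise RuntimeError("; ".join(e.get("message", "unknown error") for e in body["errors"]))
    return body["data"]

def offboard(slug, login, post=http_post):
    """Remove `login` from enterprise `slug` and return an audit-evidence record."""
    record = {"time": datetime.now(timezone.utc).isoformat(), "enterprise": slug,
              "login": login, "action": "removeEnterpriseMember"}
    try:
        ids = run(post, LOOKUP, {"slug": slug, "login": login})
        if not ids.get("enterprise") or not ids.get("user"):
            raise RuntimeError("enterprise or user not found")
        run(post, REMOVE, {"enterpriseId": ids["enterprise"]["id"], "userId": ids["user"]["id"]})
        record["result"] = "removed"
    except (RuntimeError, OSError) as exc:  # OSError covers urllib HTTP/network failures
        record["result"], record["error"] = "failed", str(exc)
    return record
```

A `failed` record should keep the offboarding ticket open, since an HTTP 200 response alone does not show that the member was removed.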

Verification

  1. Go to Enterprise → People.

  2. Apply the Unaffiliated Users filter.

  3. Confirm the user no longer appears.

  4. Optionally verify license deallocation under Enterprise → Settings → Copilot → Licenses.

Recommended Offboarding Checklist

| Step | Action | Responsible Role |
|------|--------|------------------|
| 1 | Disable user in identity provider (Okta, Azure AD, Google Workspace) | IT / HR |
| 2 | Remove user from all GitHub organizations | DevOps / Admin |
| 3 | Remove enterprise membership (manual or automated) | Enterprise Owner |
| 4 | Confirm removal from People list | Admin |
| 5 | Verify Copilot license deallocation | Billing / Admin |

Audit Readiness

Maintain evidence for compliance, including:

  • Screenshots of removed users.

  • API logs showing successful mutation.

  • Regular reviews of unaffiliated user lists.

These serve as artifacts for SOC 2, ISO 27001, and NIST AC-2 controls.

Ongoing Maintenance

  • Review the Enterprise People view monthly for unaffiliated users.

  • Automate removal wherever possible.

  • Perform quarterly license reconciliation.

Because Good Offboarding Is Good Governance

GitHub’s change to user removal might seem small, but it has real implications for compliance, billing, and day-to-day governance. The new behavior around unaffiliated users means that even after someone leaves your company, they might still linger, visible in your enterprise, possibly holding a Copilot seat, and definitely showing up in your audit data.

That’s why we created this guide: to make sure no one falls through the cracks and, more importantly, that it’s something your own teams can run confidently, without adding extra software or complexity.

At Monachus, we believe good compliance isn’t about more tools, it’s about clear process, strong visibility, and teams that know exactly how to manage change like this. If you’re adjusting your own GitHub Enterprise offboarding flow, this guide will keep things clean, secure, and license-smart.
