Microsoft GitHub Administration Exam Syllabus

• Distinguish problems that can be solved by an administrator from those that need GitHub Support
• Describe how to generate support bundles and diagnostics
• Describe how GitHub’s products and services are used within the enterprise to identify underutilized features, integrations in use, most active teams, and repositories
• Recommend standards for developer workflows, including code collaboration (fork-and-pull versus branching), branching, branch protection rules, code owners, the code review process, automation, and release strategy
• Explain the tooling ecosystem at the enterprise
• Explain the enterprise’s CI/CD strategy
• Discuss how to recommend tooling and workflows to teams within an enterprise
• Explain how GitHub APIs can be used to extend the capabilities of the administrator from the user interface, such as querying or storing the audit log
• Locate an asset from the GitHub Marketplace for a specific need (i.e., find the Azure Pipelines GitHub App in the Marketplace, install it, and configure it to deploy your code)
• Contrast a GitHub App and an action (i.e., their permissions, how they’re built, how they’re consumed)
• List the benefits and risks of using apps and actions from the GitHub Marketplace

• List the implications of enabling SAML single sign-on (SSO) for an individual organization versus all organizations in an enterprise account
• List the steps to enable and enforce SAML SSO for a single organization and multiple organizations using enterprise accounts
• Explain how to require two-factor authentication (2FA) for an organization
• Explain how to choose supported identity providers
• Describe how identity management and authorization works on GitHub
• List the consequences of a user’s membership in the instance, an organization, or multiple organizations
• Describe the authentication and authorization model (specifically, how users get to the system, and how they’re granted access to specific things within GitHub)
• List the supported SCIM providers (Azure, Okta, self-created)
• Describe how the SCIM protocol works and how GitHub supports it
• Describe how Team synchronization works
• Contrast team synchronization and SCIM

• Describe GitHub Enterprise Cloud (GHEC)
• Describe GitHub Enterprise Server (GHES)
• Describe GitHub AE

- Differentiate how products are billed, including seat licenses, GitHub Actions, and GitHub Packages

• Describe pricing for GitHub Actions
• Describe pricing and support options for organizations
• Describe how to find statistics of license usage for a specific organization
• Describe how to find statistics of license usage for machine accounts and peripheral services
• Explain the consumption of metered products given a report (i.e., GitHub Actions minutes or storage for GitHub Packages)

• Explain the benefits and costs of deploying a single organization versus multiple organizations
• Describe how to set default read permissions versus default write permissions across organizations
• Describe Team sync through AD
• Explain maintainability; writing scripts against multiple orgs and multiple access rights
• Describe how to adjust enterprise policies and organization permissions in alignment with a company’s trust and control position

- Describe enterprise permissions and policies

• Define a GitHub organization
• List the possible roles of an organization member
• Contrast permissions for organization members, owners, and billing managers
• Describe the difference between being an organization member and an outside collaborator
• List the consequences of a user’s membership in an instance or organization
• Explain how to give a user the minimum required permissions for repository, organization, or team access.
• List the benefits and the drawbacks of creating a new organization

- Describe team permissions

• Define Teams in a GitHub organization
• List the possible roles of a team member
• Describe the different permission models

- Repository permissions

• Explain the actions of a user given a list of their permissions, such as repository role, team membership, or organization membership
• List the repository membership options
• Explain audit access to a repository

• Explain how GitHub supports the enterprise’s security posture
• Describe scrubbing sensitive data from a Git repository (filter-branch/BFG)
• Describe scrubbing sensitive data from GitHub (contacting support)
• Explain how to choose a policy based on how much control is required
• Explain the impacts of choosing a specific set of policies
• Define organization policies
• Define enterprise policies

- Describe how to use the audit log APIs (Rest and GraphQL) to explain a missing asset

• Define the use case for audit logs
• Describe security and compliance concepts with GitHub
• Explain how to provide reports for auditing

- Define and explain the importance of the security features of a GitHub repository

• Explain the importance of a security policy
• Define a vulnerability
• Describe a vulnerable dependency
• Explain the importance of secret scanning
• Explain the importance of code scanning
• Describe automated code scanning (CodeQL)
• Explain the dependency graph
• Explain the importance of a security advisory
• Describe Dependabot
• Detect and fix outdated dependencies with security vulnerabilities
• Describe security vulnerability alerts
• Create and implement a security response plan that addresses sensitive data on a GitHub repository
• Describe how to use SSH keys and Deploy keys to access repository data

- API access and integrations

• List supported access tokens (e.g. PAT, Installation Tokens, OAuth and GitHub app OAuth tokens, Device Tokens, Refresh tokens)
• Explain how to find a token’s rate limits
• Describe GitHub Apps, their repository permissions, user permissions, and event subscriptions
• Describe OAuth Apps, their permissions, and event subscriptions
• Contrast the use of a personal access token (PAT) or a GitHub App for authenticating a machine account
• Describe the use of machine accounts versus GitHub apps
• Explain how to approve or deny user-created GitHub Apps and OAuth apps based on a security policy
• Define an enterprise managed user (EMU)

• Identify reuse templates for actions and workflows
• Define an approach for managing and leveraging reusable components (i.e., repos for storage, naming conventions for files/folders, plans for ongoing maintenance)
• Define how to distribute actions for an enterprise
• Explain how to control access to actions within the enterprise
• Configure organizational use policies for GitHub Actions

- Manage runners for the enterprise

• Describe the effects of configuring IP allow lists on GitHub-hosted and self-hosted runners
• Configure IP allow lists on internal applications and systems to allow interaction with GitHub-hosted runners
• List the effects and potential abuse vectors of enabling self-hosted runners on public repositories
• Select appropriate runners to support workloads (i.e., using a self-hosted versus GitHub-hosted runner, choosing supported operating systems)
• Contrast GitHub-hosted and self-hosted runners
• Configure self-hosted runners for enterprise use (i.e., including proxies, labels, networking)
• Manage self-hosted runners using groups (i.e., managing access, moving runners into and between groups)
• Monitor, troubleshoot, and update self-hosted runners

- Manage encrypted secrets in the enterprise

• Identify the scope of encrypted secrets
• Explain how to access encrypted secrets within actions and workflows
• Explain how to manage organization-level encrypted secrets
• Describe how to manage repository-level encrypted secrets
• Describe how to use third-party vaults