Teams connected to IdP group can be children of regular teams #36078

Open
1 task done
ReneSchumacher opened this issue Jan 28, 2025 · 3 comments
Labels
content This issue or pull request belongs to the Docs Content team

Comments

@ReneSchumacher

Code of Conduct

What article on docs.github.com is affected?

The article https://docs.github.com/en/enterprise-cloud@latest/admin/managing-iam/provisioning-user-accounts-with-scim/managing-team-memberships-with-identity-provider-groups states that teams connected to an IdP group cannot be children of other teams. However, they can (tested with Microsoft Entra in GHEC with EMU).

What part(s) of the article would you like to see updated?

The second to last paragraph in the section About team management with Enterprise Managed Users should describe how to nest IdP connected teams in regular teams.

Additional information

I have tested the functionality in my own GHEC with EMU account.

@ReneSchumacher ReneSchumacher added the content This issue or pull request belongs to the Docs Content team label Jan 28, 2025

welcome bot commented Jan 28, 2025

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

@github-actions github-actions bot added the triage Do not begin working on this issue until triaged by the team label Jan 28, 2025
@subatoi
Contributor

subatoi commented Jan 28, 2025

Thank you for raising an issue and linking it to your PR—as noted in the PR, we've triaged it for review by a member of the team.

@subatoi subatoi removed the triage Do not begin working on this issue until triaged by the team label Jan 28, 2025
@ReneSchumacher
Author

Just to ensure the discussion is not lost in the closed PR:

@subatoi Thanks for the update.

Maybe this is not the place to discuss the topic, but wouldn't it make sense to allow child teams to be connected to IdP groups? I'm trying hard to find a reason why this should not be possible.

Let's assume you want to create a notification hierarchy like this: Everyone -> [ Administration, Operations, Development -> [ Developers, Testers, Architects ] ]. So, Everyone is the top team to notify everyone in the org, then you have three child teams for different groups based on their area of expertise, where the Development group is split further into Developers, Testers, and Architects.

With teams connected to IdP groups, you could connect the lowest-level teams (Administration, Operations, Developers, Testers, Architects) to IdP groups, then aggregate them in GitHub teams not connected to IdP groups. You only have to maintain these lowest-level groups in IdP, not the aggregated groups.

In a pure Entra scenario, we would use nested Entra groups (i.e., Development would be a group containing the Developers, Testers, and Architects groups). However, team sync does not allow syncing nested groups 😞. Thus, we are forced to either maintain all groups manually in Entra (i.e., put all the individual members from Developers, Testers, and Architects groups into the Development group) or manually maintain the teams in GitHub by putting individual members into the teams. This results in a lot of overhead, which is (imho) what we try to minimize using team sync and SCIM provisioning.

Hence, I wonder why it shouldn't be possible to use IdP-connected child teams, esp. since it seems to be working 😆.
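
A small model of the layout this comment describes, added here as an example and not part of the original thread or of GitHub's own code: the leaf teams are connected to IdP groups, the aggregation teams (Everyone, Development) are plain GitHub teams, and a parent team is assumed to reach every member of its child teams, as GitHub's parent/child team inheritance does. The IdP group names, the user names, and the `gh-` prefix are constructed sample data. The `connected_teams_with_children` check flags the configuration the docs describe as unsupported, and re-running `sync_from_idp` after a user leaves an IdP group shows that only the leaf groups need maintaining for the removal to propagate up the hierarchy.

```python
"""Model: IdP-connected leaf teams aggregated by plain GitHub parent teams.

Added example (not GitHub's code). All group and user names are constructed.
Assumption: a parent team reaches its own direct members plus the members of
every descendant team.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Team:
    name: str
    idp_group: Optional[str] = None              # None -> manually maintained team
    children: list[Team] = field(default_factory=list)
    direct_members: set[str] = field(default_factory=set)


# Constructed IdP group memberships (what the IdP, e.g. Entra, would hold).
IDP_GROUPS: dict[str, set[str]] = {
    "gh-administration": {"alice", "bob"},
    "gh-operations": {"carol"},
    "gh-developers": {"dave", "erin"},
    "gh-testers": {"frank"},
    "gh-architects": {"erin", "grace"},
}


def build_hierarchy() -> Team:
    """Everyone -> [Administration, Operations, Development -> [Developers, Testers, Architects]]."""
    development = Team("Development", children=[
        Team("Developers", idp_group="gh-developers"),
        Team("Testers", idp_group="gh-testers"),
        Team("Architects", idp_group="gh-architects"),
    ])
    return Team("Everyone", children=[
        Team("Administration", idp_group="gh-administration"),
        Team("Operations", idp_group="gh-operations"),
        development,
    ])


def sync_from_idp(team: Team, groups: dict[str, set[str]]) -> None:
    """Overwrite direct membership of every IdP-connected team from its group, recursively.

    Teams without an idp_group keep whatever direct members they were given by hand.
    """
    if team.idp_group is not None:
        team.direct_members = set(groups.get(team.idp_group, set()))
    for child in team.children:
        sync_from_idp(child, groups)


def effective_members(team: Team) -> set[str]:
    """Users reached by notifying `team`: direct members plus all descendants' members."""
    members = set(team.direct_members)
    for child in team.children:
        members |= effective_members(child)
    return members


def find_team(team: Team, name: str) -> Optional[Team]:
    """Depth-first lookup of a team by name."""
    if team.name == name:
        return team
    for child in team.children:
        hit = find_team(child, name)
        if hit is not None:
            return hit
    return None


def connected_teams_with_children(team: Team) -> list[str]:
    """IdP-connected teams that also have child teams (the case the docs call unsupported)."""
    found = [team.name] if team.idp_group is not None and team.children else []
    for child in team.children:
        found.extend(connected_teams_with_children(child))
    return found


def manually_maintained(team: Team) -> list[str]:
    """Teams whose membership is not driven by the IdP, in pre-order (aggregation teams only here)."""
    found = [team.name] if team.idp_group is None else []
    for child in team.children:
        found.extend(manually_maintained(child))
    return found


if __name__ == "__main__":
    root = build_hierarchy()
    sync_from_idp(root, IDP_GROUPS)
    for name in ("Everyone", "Development", "Developers"):
        print(f"{name:<12} reaches {sorted(effective_members(find_team(root, name)))}")
    print("manually maintained:", manually_maintained(root))
    print("connected teams with children:", connected_teams_with_children(root))
    # Simulate offboarding at the IdP: erin leaves both groups, then re-sync.
    updated = {g: m - {"erin"} for g, m in IDP_GROUPS.items()}
    sync_from_idp(root, updated)
    print("erin still reachable via Everyone:", "erin" in effective_members(root))
```

Nothing in the aggregation teams has to change when a leaf IdP group changes, which is the maintenance saving the comment is after; the same functions also make it easy to see where the hierarchy would break if the documented constraint on connected parent teams were in force.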
