Teams connected to IdP groups as child teams

[ReneSchumacher]

The documentation wrongly states that teams connected to an IdP group cannot be children of other teams. However, they can as long as the creation process is followed correctly.

Why:

Closes: #36078

What's being changed (if available, include any code snippets, screenshots, or gifs):

Check off the following:

• A subject matter expert (SME) has reviewed the technical accuracy of the content in this PR. In most cases, the author can be the SME. Open source contributions may require an SME review from GitHub staff.
• The changes in this PR meet the docs fundamentals that are required for all content.
• All CI checks are passing and the changes look good in the preview environment.

[welcome]

Thanks for opening this pull request! A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

[github-actions]

👓 Previews for changed content

This comment is 🤖 automatically generated and will be overwritten every time changes are committed to this branch.

The table contains an overview of files in the content directory that have been changed in this pull request. It's provided to make it easy to review your changes on the review server. Please note that changes to the data directory will not show up in this table.

---

Content directory changes

You may find it useful to copy this table into the pull request summary. There you can edit it to share links to important articles or changes and to give a high-level overview of how the changes in your pull request support the overall goals of the pull request.

Source	Preview	Production	What Changed
admin/managing-iam/provisioning-user-accounts-with-scim/managing-team-memberships-with-identity-provider-groups.md	ghec ghes@ 3.15 3.14	ghec ghes@ 3.15 3.14

---

Key: fpt: Free, Pro, Team; ghec: GitHub Enterprise Cloud; ghes: GitHub Enterprise Server
This table is posted from the Content Changes Table Comment workflow.

[github-actions]

Thanks for opening a pull request! We've triaged this issue for technical review by a subject matter expert 👀

[subatoi]

Hi @ReneSchumacher, thank you for raising a PR—I'll get this triaged for review by a member of the team

[ReneSchumacher]

Hi @subatoi, could you find a reviewer yet?

I'm running a couple GitHub trainings over the last and upcoming weeks and currently tell attendees that I'm not sure yet if this is a bug in GitHub or a bug in the docs 😃

[subatoi]

Hi @ReneSchumacher, thank you for your patience—let me chase this up internally

[subatoi]

Hi @ReneSchumacher, and thanks again for your patience

I can confirm this is a bug with GitHub, not the docs, so whilst we can't accept this contribution, we do really appreciate you reporting it. A fix will be tracked internally, and follow soon.

Many thanks

[ReneSchumacher]

@subatoi Thanks for the update.

Maybe this is not the place to discuss the topic, but wouldn't it make sense to allow child teams to be connected to IdP groups? I'm trying hard to find a reason why this should not be possible.

Let's assume you want to create a notification hierarchy like this: Everyone -> [ Administration, Operations, Development -> [ Developers, Testers, Architects ] ]. So, Everyone is the top team to notify everyone in the org, then you have three child teams for different groups based on their area of expertise, where the Development group is split further into Developers, Testers, and Architects.

With teams connected to IdP groups, you could connect the lowest-level teams (Administration, Operations, Developers, Testers, Architects) to IdP groups, then aggregate them in GitHub teams not connected to IdP groups. You only have to maintain these lowest-level groups in IdP, not the aggregated groups.

In a pure Entra scenario, we would use nested Entra groups (i.e., Development would be a group containing the Developers, Testers, and Architects groups). However, team sync does not allow syncing nested groups 😞. Thus, we are forced to either maintain all groups manually in Entra (i.e., put all the individual members from Developers, Testers, and Architects groups into the Development group) or manually maintain the teams in GitHub by putting individual members into the teams. This results in a lot of overhead, which is (imho) what we try to minimize using team sync and SCIM provisioning.

Hence, I wonder why it shouldn't possible to use Idp connected child teams, esp. since it seams to be working 😆.