github · docs-bot · Oct 13, 2025 · Oct 13, 2025 · Oct 13, 2025 · Oct 13, 2025
diff --git a/content/actions/reference/security/oidc.md b/content/actions/reference/security/oidc.md
@@ -143,6 +143,19 @@ You can create a subject that filters for specific tag. In this example, the wor
 * Syntax: `repo:ORG-NAME/REPO-NAME:ref:refs/tags/TAG-NAME`
 * Example: `repo:octo-org/octo-repo:ref:refs/tags/demo-tag`
 
+{% ifversion fpt or ghec or ghes > 3.18 %}
+
+### Filtering for metadata containing `:`
+
+Any `:` within the metadata values will be replaced with `%3A` in the subject claim.
+
+You can configure a subject that includes metadata containing colons. In this example, the workflow run must have originated from a job that has an environment named `Production:V1`, in a repository named `octo-repo` that is owned by the `octo-org` organization:
+
+* Syntax: `repo:ORG-NAME/REPO-NAME:environment:ENVIRONMENT-NAME`
+* Example: `repo:octo-org/octo-repo:environment:Production%3AV1`
+
+{% endif %}
+
 ## Configuring the subject in your cloud provider
 
 To configure the subject in your cloud provider's trust relationship, you must add the subject string to its trust configuration. The following examples demonstrate how various cloud providers can accept the same `repo:octo-org/octo-repo:ref:refs/heads/demo-branch` subject in different ways:

diff --git a/...verview/best-practices-for-enterprises.md → ...oncepts/best-practices-for-enterprises.md b/...verview/best-practices-for-enterprises.md → ...oncepts/best-practices-for-enterprises.md
@@ -5,11 +5,13 @@ intro: 'Learn {% data variables.product.company_short %}-recommended practices f
 versions:
   ghec: '*'
   ghes: '*'
-type: overview
+contentType: concepts
 topics:
   - Accounts
   - Enterprise
   - Fundamentals
+redirect_from:
+  - /admin/overview/best-practices-for-enterprises
 ---
 
 {% ifversion ghec %}
@@ -62,5 +64,4 @@ Organizations can have more than one organization owner to avoid lapses in owner
 
 ## Further reading
 
-* [AUTOTITLE](/repositories/creating-and-managing-repositories/best-practices-for-repositories)
 * [AUTOTITLE](/organizations/collaborating-with-groups-in-organizations/best-practices-for-organizations)
diff --git a/...rise-account/about-enterprise-accounts.md → ...prise-fundamentals/enterprise-accounts.md b/...rise-account/about-enterprise-accounts.md → ...prise-fundamentals/enterprise-accounts.md
@@ -1,6 +1,6 @@
 ---
-title: About enterprise accounts
-intro: Learn how enterprise accounts enable scalability by simplifying administration and billing across multiple organizations.
+title: Enterprise accounts
+intro: 'Learn how enterprise accounts enable scalability by simplifying administration and billing across multiple organizations.'
 redirect_from:
   - /articles/about-github-business-accounts
   - /articles/about-enterprise-accounts
@@ -10,10 +10,11 @@ redirect_from:
   - /github/setting-up-and-managing-your-enterprise/about-enterprise-accounts
   - /github/setting-up-and-managing-your-enterprise/managing-your-enterprise-account/about-enterprise-accounts
   - /admin/overview/about-enterprise-accounts
+  - /admin/managing-your-enterprise-account/about-enterprise-accounts
 versions:
   ghec: '*'
   ghes: '*'
-type: overview
+contentType: concepts
 topics:
   - Accounts
   - Enterprise
@@ -52,7 +53,7 @@ Administrators for the enterprise account can:
 
 ## What if I use multiple deployment options?
 
-If you use both {% data variables.product.prodname_ghe_cloud %} and {% data variables.product.prodname_ghe_server %}, you'll have an enterprise account for each.
+If you use both {% data variables.product.prodname_ghe_cloud %} and {% data variables.product.prodname_ghe_server %}, you'll have **an enterprise account for each.**
 
 For the most part, you will manage each enterprise account separately. For example, you will configure the policies and settings for your {% data variables.product.prodname_ghe_server %} instance using the enterprise account on {% data variables.product.prodname_ghe_server %}.
 

diff --git a/content/admin/concepts/enterprise-fundamentals/index.md b/content/admin/concepts/enterprise-fundamentals/index.md
@@ -0,0 +1,15 @@
+---
+title: Enterprise fundamentals
+shortTitle: Fundamentals
+intro: 'Learn the fundamental concepts that you''ll need to understand {% data variables.location.product_location %}, including fundamentals, identity and access management, security and compliance, and best practices.'
+versions:
+  ghes: '*'
+  ghec: '*'
+topics:
+  - Enterprise
+children:
+  - /enterprise-accounts
+  - /teams-in-an-enterprise
+  - /roles-in-an-enterprise
+contentType: concepts
+---
diff --git a/content/admin/overview/about-roles.md → ...se-fundamentals/roles-in-an-enterprise.md b/content/admin/overview/about-roles.md → ...se-fundamentals/roles-in-an-enterprise.md
@@ -1,19 +1,21 @@
 ---
-title: About roles in an enterprise
+title: Roles in an enterprise
 intro: 'Learn how roles allow you to control people''s access to your enterprise''s settings and resources.'
 versions:
   ghec: '*'
   ghes: '*'
-shortTitle: About roles
-type: overview
+shortTitle: Roles
 topics:
   - Enterprise
   - Fundamentals
+redirect_from:
+  - /admin/overview/about-roles
+contentType: concepts
 ---
 
 ## What are roles?
 
-A role is a set of permissions that you can assign to individuals or teams. A permission is the ability to perform a specific action, such as changing billing settings.
+A role is a **set of permissions** that you can assign to individuals or teams. A permission is the ability to perform a specific action, such as changing billing settings.
 
 A user in an enterprise has a role for both the enterprise account itself and for each individual organization in the enterprise.
 
@@ -35,7 +37,7 @@ Enterprise roles are assigned when a user is invited to the enterprise (personal
 
 Organization administrators can grant organization roles and create custom organization roles, but can't affect roles at the enterprise level.
 
-## Next steps
+## Further reading
 
 Review the predefined roles and fine-grained permissions available with custom organization roles, and plan out what roles will be required for your teams to do their jobs on {% data variables.product.github %}.
 

diff --git a/content/admin/overview/about-teams.md → ...se-fundamentals/teams-in-an-enterprise.md b/content/admin/overview/about-teams.md → ...se-fundamentals/teams-in-an-enterprise.md
@@ -1,13 +1,15 @@
 ---
-title: About teams in an enterprise
+title: Teams in an enterprise
 intro: 'Learn how teams simplify administration of user access, licensing, and communication.'
 versions:
   ghec: '*'
-shortTitle: About teams
-type: overview
+shortTitle: Teams
 topics:
   - Enterprise
   - Fundamentals
+redirect_from:
+  - /admin/overview/about-teams
+contentType: concepts
 ---
 
 ## What are teams?
@@ -54,3 +56,7 @@ Unlike organization teams, enterprise teams currently do **not** support:
 In addition, enterprise teams are currently limited to 50 teams for a single enterprise and 500 users to each team.
 
 For more information about the capabilities of organization teams, see [AUTOTITLE](/organizations/organizing-members-into-teams/about-teams).
+
+## Further reading
+
+* [AUTOTITLE](/organizations/organizing-members-into-teams/about-teams)
diff --git a/...rprises/about-enterprise-managed-users.md → ...ss-management/enterprise-managed-users.md b/...rprises/about-enterprise-managed-users.md → ...ss-management/enterprise-managed-users.md
@@ -1,6 +1,6 @@
 ---
-title: 'About {% data variables.product.prodname_emus %}'
-shortTitle: About managed users
+title: About {% data variables.product.prodname_emus %}
+shortTitle: Enterprise Managed Users
 intro: 'Learn how your enterprise can manage the lifecycle and authentication of users on {% data variables.product.prodname_dotcom %} from your identity provider (IdP).'
 redirect_from:
   - /early-access/github/articles/get-started-with-managed-users-for-your-enterprise
@@ -16,9 +16,10 @@ redirect_from:
   - /admin/identity-and-access-management/using-enterprise-managed-users-for-iam
   - /admin/identity-and-access-management/managing-iam-for-your-enterprise/about-enterprise-managed-users
   - /admin/identity-and-access-management/understanding-iam-for-enterprises/about-enterprise-managed-users
+  - /admin/managing-iam/understanding-iam-for-enterprises/about-enterprise-managed-users
 versions:
   ghec: '*'
-type: overview
+contentType: concepts
 topics:
   - Accounts
   - Authentication
@@ -27,7 +28,9 @@ topics:
 allowTitleToDifferFromFilename: true
 ---
 
-With {% data variables.product.prodname_emus %}, you manage the lifecycle and authentication of your users on {% data variables.product.prodname_dotcom_the_website %} or {% data variables.enterprise.data_residency_site %} from an external identity management system, or IdP:
+## What are Enterprise Managed Users in {% data variables.product.github %}?
+
+With {% data variables.product.prodname_emus %}, you manage the lifecycle and authentication of your users on {% data variables.product.prodname_dotcom_the_website %} or {% data variables.enterprise.data_residency_site %} **from an external identity management system, or IdP**:
 
 * Your IdP **provisions new user accounts** on {% data variables.product.prodname_dotcom %}, with access to your enterprise.
 * Users must **authenticate on your IdP** to access your enterprise's resources on {% data variables.product.prodname_dotcom %}.
@@ -37,11 +40,11 @@ With {% data variables.product.prodname_emus %}, you manage the lifecycle and au
 
 > [!NOTE] {% data variables.product.prodname_emus %} is not the best solution for every customer. To determine whether it's right for your enterprise, see [AUTOTITLE](/admin/identity-and-access-management/understanding-iam-for-enterprises/choosing-an-enterprise-type-for-github-enterprise-cloud).
 
-## Identity management systems
+## How does EMUs integrate with identity management systems?
 
 {% data reusables.enterprise_user_management.emu-paved-path-iam-integrations %}
 
-### Partner identity providers
+### What are partner identity providers?
 
 Partner IdPs provide authentication using SAML or OIDC, and provide provisioning with System for Cross-domain Identity Management (SCIM).
 
@@ -57,7 +60,7 @@ Partner IdPs provide authentication using SAML or OIDC, and provide provisioning
 
 When you use a single partner IdP for both authentication and provisioning, {% data variables.product.company_short %} provides support for the application on the partner IdP and the IdP's integration with {% data variables.product.prodname_dotcom %}.
 
-### Other identity management systems
+### Can I use identity management systems other than the supported partners?
 
 If you cannot use a single partner IdP for both authentication and provisioning, you can use another identity management system or combination of systems. The system must:
 
@@ -67,7 +70,7 @@ If you cannot use a single partner IdP for both authentication and provisioning,
 
 {% data reusables.emus.mixed-systems-note %}
 
-## Usernames and profile information
+## How are usernames and profile information managed for EMUs?
 
 {% data variables.product.prodname_dotcom %} automatically creates a username for each developer by normalizing an identifier provided by your IdP. If the unique parts of the identifier are removed during normalization, a conflict may occur. See [AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/username-considerations-for-external-authentication#resolving-username-problems).
 
@@ -76,13 +79,13 @@ The profile name and email address of a {% data variables.enterprise.prodname_ma
 * The IdP can only provide one email address.
 * Changing a user's email address in your IdP will unlink the user from the contribution history associated with the old email address.
 
-## Managing roles and access
+## How are roles and access managed for EMUs?
 
 In your IdP, you can give each {% data variables.enterprise.prodname_managed_user %} a **role in your enterprise**, such as member, owner, or guest collaborator. See [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise).
 
 Organization memberships (and repository access) can be managed manually, or you can **update memberships automatically using IdP groups**. See [AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/managing-team-memberships-with-identity-provider-groups).
 
-## Authentication for {% data variables.enterprise.prodname_managed_users %}
+## How do {% data variables.enterprise.prodname_managed_users %} authenticate to {% data variables.product.prodname_dotcom %}?
 
 The locations where {% data variables.enterprise.prodname_managed_users %} can authenticate to {% data variables.product.prodname_dotcom %} depends on how you configure authentication (SAML or OIDC). See [AUTOTITLE](/authentication/authenticating-with-single-sign-on/authenticating-with-a-managed-user-account).
 

diff --git a/...s/about-identity-and-access-management.md → ...ity-and-access-management-fundamentals.md b/...s/about-identity-and-access-management.md → ...ity-and-access-management-fundamentals.md
@@ -1,15 +1,16 @@
 ---
-title: About identity and access management
-shortTitle: About IAM
+title: Identity and access management fundamentals
+shortTitle: Fundamentals
 intro: 'Administrators must decide how users will access the enterprise''s resources on {% data variables.product.github %}.'
 versions:
   ghec: '*'
   ghes: '*'
-type: overview
+contentType: concepts
 redirect_from:
   - /admin/identity-and-access-management/managing-iam-for-your-enterprise/about-authentication-for-your-enterprise
   - /admin/identity-and-access-management/managing-iam-for-your-enterprise/about-identity-and-access-management
   - /admin/identity-and-access-management/understanding-iam-for-enterprises/about-identity-and-access-management
+  - /admin/managing-iam/understanding-iam-for-enterprises/about-identity-and-access-management
 topics:
   - Accounts
   - Authentication
@@ -18,7 +19,7 @@ topics:
   - SSO
 ---
 
-## About IAM for {% data variables.product.github %}
+## What is IAM for {% data variables.product.github %}?
 
 {% ifversion ghec %}
 
@@ -32,7 +33,7 @@ Administrators who configure a {% data variables.product.prodname_ghe_server %}
 
 {% endif %}
 
-## Authentication methods
+## Which authentication method are available to me?
 
 {% ifversion ghec %}
 
@@ -81,7 +82,7 @@ If you choose to use external authentication, you can also configure fallback au
 
 {% endif %}
 
-## About provisioning
+## How does provisioning work?
 
 {% ifversion ghec %}
 
@@ -97,17 +98,15 @@ If you configure built-in authentication, CAS, LDAP, or SAML, {% data variables.
 
 {% ifversion emu-public-scim-schema %}
 
-## About supported IdPs
+## Which IdPs are supported?
 
 {% data reusables.enterprise_user_management.ghec-supported-idps %}
 
 {% endif %}
 
 ## Further reading
 
-* [AUTOTITLE](/get-started/learning-about-github/types-of-github-accounts)
 * [AUTOTITLE](/admin/overview/about-enterprise-accounts)
 {%- ifversion ghec %}
 * [AUTOTITLE](/organizations/managing-membership-in-your-organization/can-i-create-accounts-for-people-in-my-organization)
-* [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/switching-your-saml-configuration-from-an-organization-to-an-enterprise-account)
 {%- endif %}
diff --git a/content/admin/concepts/identity-and-access-management/index.md b/content/admin/concepts/identity-and-access-management/index.md
@@ -0,0 +1,14 @@
+---
+title: Identity and access management
+shortTitle: Identity and access management
+intro: 'Learn the concepts around identity and access management (IAM) for {% data variables.location.product_location %}, including authentication, authorization, {% ifversion ghec %}Enterprise Managed Users, {% endif %}and user management.'
+versions:
+  ghes: '*'
+  ghec: '*'
+topics:
+  - Enterprise
+children:
+  - /identity-and-access-management-fundamentals
+  - /enterprise-managed-users
+contentType: concepts
+---
diff --git a/content/admin/concepts/index.md b/content/admin/concepts/index.md
@@ -0,0 +1,16 @@
+---
+title: Concepts for enterprises
+shortTitle: Concepts
+intro: 'Learn the core concepts that you''ll need to understand {% data variables.location.product_location %}.'
+versions:
+  ghes: '*'
+  ghec: '*'
+topics:
+  - Enterprise
+children:
+  - /enterprise-fundamentals
+  - /identity-and-access-management
+  - /security-and-compliance
+  - /best-practices-for-enterprises
+contentType: concepts
+---
diff --git a/...bout-the-audit-log-for-your-enterprise.md → ...compliance/audit-log-for-an-enterprise.md b/...bout-the-audit-log-for-your-enterprise.md → ...compliance/audit-log-for-an-enterprise.md
@@ -1,7 +1,7 @@
 ---
-title: About the audit log for your enterprise
+title: Audit log for an enterprise
 intro: 'To support debugging and internal and external compliance, {% data variables.product.github %} provides logs of audited{% ifversion ghes %} system,{% endif %} user, organization, and repository events.'
-shortTitle: About audit logs
+shortTitle: Audit logs
 redirect_from:
   - /enterprise/admin/articles/audit-logging
   - /enterprise/admin/installation/audit-logging
@@ -11,18 +11,19 @@ redirect_from:
   - /github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/auditing-activity-in-your-enterprise
   - /admin/authentication/managing-your-enterprise-users-with-your-identity-provider/auditing-activity-in-your-enterprise
   - /admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/auditing-activity-in-your-enterprise
+  - /admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/about-the-audit-log-for-your-enterprise
 versions:
   ghes: '*'
   ghec: '*'
-type: overview
+contentType: concepts
 topics:
   - Auditing
   - Enterprise
   - Logging
   - Security
 ---
 
-## About audit logs
+## What are audit logs?
 
 > [!NOTE]
 > {% data reusables.webhooks.webhooks-as-audit-log-alternative %}
@@ -38,7 +39,7 @@ topics:
 
 In addition to viewing your audit log, you can monitor activity in your enterprise in other ways, such as {% ifversion ghes %}viewing push logs and {% endif %}managing global webhooks. For more information, see [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/exploring-user-activity). You can also use the audit log, and other tools, to monitor the actions taken in response to security alerts. For more information, see [AUTOTITLE](/code-security/getting-started/auditing-security-alerts).
 
-## Using your audit logs
+## How to use audit logs
 
 As an enterprise owner{% ifversion ghes %} or site administrator{% endif %}, you can interact with the audit log data for your enterprise in several ways:
 * You can view the audit log for your enterprise. For more information, see [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/accessing-the-audit-log-for-your-enterprise).