What is the difference between Copilot Business and Copilot Enterprise?

Copilot Business ($19/user/month) includes IDE integration, CLI access, IP indemnity, and audit logs. Copilot Enterprise ($39/user/month) adds GitHub.com Chat, knowledge bases, custom models trained on your codebase, and 1,000 premium requests per user. Enterprise requires GitHub Enterprise Cloud.

Can I use Copilot Enterprise without GitHub Enterprise Cloud?

No, Copilot Enterprise requires GitHub Enterprise Cloud. However, you can use Copilot Business with a standalone enterprise account specifically for Copilot licensing, which gives you enterprise-grade SSO and SCIM provisioning without requiring full GitHub Enterprise licenses for all users.

How do I prevent Copilot from suggesting code that matches public repositories?

In your organization settings, go to Copilot > Policies and set 'Suggestions matching public code' to 'Blocked'. This enables a duplicate detection filter that prevents suggestions closely matching public code from being surfaced.

What audit log events are available for Copilot?

Copilot audit logs capture seat assignments, seat removals, policy changes, enablement changes, and access revocations. Logs are retained for 180 days and can be exported as JSON or CSV. Enterprise Cloud users can also access logs via GraphQL and REST APIs.

How to Set Up GitHub Copilot for Enterprise Organizations

Deploying GitHub Copilot across an enterprise organization requires careful planning around licensing, security policies, SSO integration, and compliance. This guide walks through the complete setup process for Copilot Business and Enterprise plans.

Understanding Copilot Plans for Organizations

Before deployment, choose the right plan for your organization:

Feature	Copilot Business	Copilot Enterprise
Price	$19/user/month	$39/user/month
IDE Integration	Yes	Yes
Copilot CLI	Yes	Yes
IP Indemnity	Yes	Yes
Audit Logs	Yes	Enhanced
Public Code Filter	Yes	Yes
Content Exclusion	Yes	Yes
GitHub.com Chat	No	Yes
Knowledge Bases	No	Yes
Custom Models	No	Yes
Premium Requests	Pay-as-you-go	1,000 included
Requirement	Organization	GitHub Enterprise Cloud

Cost Tip: Users consuming more than 800 premium requests monthly would save money on a Copilot Enterprise plan.

Prerequisites

Before beginning the setup:

For Copilot Business: An existing GitHub organization or the ability to create an enterprise account
For Copilot Enterprise: An active GitHub Enterprise Cloud subscription
Enterprise Owner or Organization Owner permissions
Access to your identity provider (IdP) for SSO configuration (optional but recommended)
Firewall/proxy allowlist access (if applicable)

Step 1: Enable Copilot at the Enterprise or Organization Level

Option A: Enterprise-Level Assignment (Recommended for Large Organizations)

Enterprise-level management provides centralized control over Copilot licenses across all organizations:

Navigate to your enterprise at https://github.com/enterprises/YOUR_ENTERPRISE
Click Settings in the left sidebar
Select Copilot under the "Code, planning, and automation" section
Click Enable Copilot
Choose your plan:
- Copilot Business: $19/user/month
- Copilot Enterprise: $39/user/month (requires Enterprise Cloud)
Select the assignment approach:
- Assign licenses directly to users: Best for organizations wanting centralized control without requiring organization membership
- Enable for organizations: Allows organization owners to manage their own seat assignments

Option B: Organization-Level Setup

For smaller deployments or when you want organization owners to manage their own Copilot access:

Go to your organization at https://github.com/YOUR_ORG
Click Settings > Copilot
Click Enable Copilot or Get Copilot from enterprise (if your enterprise has Copilot enabled)
Choose between Copilot Business or Copilot Enterprise

Option C: Standalone Enterprise for Copilot Business

If you do not already have GitHub Enterprise Cloud but want enterprise-grade identity management:

Create a dedicated enterprise account for Copilot licensing at https://github.com/account/enterprises/new
This approach provides:
- Enterprise-grade SSO and SCIM integration
- Centralized license management
- No requirement for GitHub Enterprise licenses per user
Configure SAML SSO (optional but recommended - see Step 3)

Step 2: Configure Copilot Policies

Organization owners can configure policies that affect all Copilot users within their organization.

Access the Policy Settings

Navigate to your organization settings
Under "Code, planning, and automation", click Copilot
Click Policies

Key Policy Settings

Suggestions Matching Public Code

Controls whether Copilot can suggest code that matches publicly available code:

Allowed: Copilot may suggest code matching public repositories
Blocked: Copilot checks suggestions against ~150 characters of surrounding code and blocks matches or near-matches

Recommendation: Set to Blocked for organizations with strict IP protection requirements.

Copilot > Policies > Suggestions matching public code: Blocked

Copilot in GitHub.com (Enterprise Only)

Enable or disable Copilot Chat on GitHub.com:

Enabled: Users can access Copilot Chat throughout GitHub.com
Disabled: Chat only available in IDEs

Additional sub-options when enabled:

Opt in to user feedback collection: Allows users to provide feedback on Copilot features
Opt in to preview features: Enables access to beta features not yet generally available

Copilot CLI Access

Control whether organization members can use Copilot CLI:

Enabled: CLI access for assigned users
Disabled: CLI functionality blocked regardless of individual user settings

Enterprise vs. Organization Policy Hierarchy

Important: If your organization is part of an enterprise with explicitly configured policies, you cannot override those settings at the organization level.

Enterprise sets Enabled: Organizations can choose Enabled or Disabled
Enterprise sets Disabled: Organizations cannot enable the feature
Enterprise sets Unconfigured: Organization policy defaults to Disabled (as of November 2025 policy update)

Step 3: Configure SAML Single Sign-On (SSO)

SSO configuration ensures users authenticate through your corporate identity provider before accessing Copilot.

Enterprise-Level SAML Configuration

Navigate to your enterprise settings
Under "Settings", click Authentication security
Select Require SAML authentication
Configure your IdP settings:

Microsoft Entra ID (Azure AD) Example

In Entra ID:

Go to Enterprise Applications > New Application
Search for GitHub Enterprise Cloud
Under Single sign-on, select SAML
Configure Basic SAML settings:

Identifier (Entity ID): https://github.com/orgs/YOUR_ORG
Reply URL: https://github.com/orgs/YOUR_ORG/saml/consume
Sign on URL: https://github.com/orgs/YOUR_ORG/sso

Download the Federation Metadata XML
In GitHub, upload the metadata or manually configure:
- Sign on URL
- Issuer
- Public certificate

Enterprise Managed Users (EMU)

For the highest level of identity control, use Enterprise Managed Users:

All user accounts are provisioned through your IdP via SCIM
Users sign in exclusively through your IdP (no personal GitHub accounts)
Provides full control over the user lifecycle

Supported IdPs for EMU:

Microsoft Entra ID
Okta
PingFederate
Any SAML 2.0 + SCIM 2.0 compliant system

Organization-Level SAML

If you need SCIM provisioning without enterprise accounts:

Organization Settings > Security > Authentication security > Enable SAML authentication

Note: Organization-level SAML is required if you want to use SCIM provisioning without Enterprise Managed Users.

Step 4: Configure Content Exclusion

Prevent Copilot from accessing sensitive files and repositories.

Organization-Level Exclusion

Go to Organization Settings > Copilot > Content exclusion
Add paths to exclude:

# Exclude all files in secrets directory
- "/**/secrets/**"

# Exclude environment files
- "**/.env"
- "**/.env.*"

# Exclude specific repositories
- "org-name/sensitive-repo/**"

# Exclude configuration files
- "**/config/production/**"
- "**/*.pem"
- "**/*.key"

Repository-Level Exclusion

Repository administrators can add exclusions in their repository settings:

Go to Repository Settings > Copilot > Content exclusion
Add repository-specific patterns

Exclusion Hierarchy

Enterprise rules apply to all Copilot users in the enterprise
Organization rules apply to users with seats assigned by that organization
Repository rules apply to that specific repository

Note: Content exclusion does not currently apply to Copilot CLI, Copilot coding agent, or Agent mode in Copilot Chat.

Step 5: Set Up Audit Logging

Copilot audit logs help you track usage, policy changes, and compliance.

Accessing Audit Logs

Organization Level

Click your profile photo > Your organizations
Select your organization > Settings
Under "Archives", click Logs > Audit log

Enterprise Level

Click your profile photo > Your enterprises
Select your enterprise > Settings
Click Audit log in the sidebar

Searching Copilot Events

Use the action:copilot qualifier to filter Copilot-specific events:

# All Copilot events
action:copilot

# Seat assignments
action:copilot.cfb_seat_assignment_created

# Seat removals
action:copilot.cfb_seat_cancelled

# Policy changes
action:copilot.cfb_seat_management_changed

# Enterprise enablement changes
action:copilot.enable_copilot_for_enterprise_changed

Key Audit Events

Event	Description
`cfb_seat_assignment_created`	Copilot seat assigned to a user
`cfb_seat_cancelled`	Copilot seat removed from a user
`cfb_seat_management_changed`	Seat management setting changed
`enable_copilot_for_enterprise_changed`	Enterprise enablement policy changed
`cfb_enterprise_copilot_access_revoked`	Copilot access revoked due to subscription end

Exporting Audit Logs

Apply your filters using search qualifiers
Click the Export dropdown
Choose JSON or CSV format

Enterprise Cloud users can also access logs programmatically:

GraphQL API
REST API

Log Retention

Audit logs are retained for 180 days. For longer retention:

Export logs regularly to your SIEM
Use the API to automate exports
Configure log streaming to external services

Step 6: Deploy to Users

Option A: Enable for All Organization Members

Go to Organization Settings > Copilot > Access
Under "Seat management", select Enabled for all members
All current and future organization members automatically receive access

Option B: Enable for Specific Users/Teams

Go to Organization Settings > Copilot > Access
Select Enabled for selected members
Click Add user or Add team to grant access
Search and select users or teams

Option C: Enterprise Teams (Public Preview)

For enterprise-level user management:

Navigate to enterprise settings > Teams
Create Enterprise Teams grouping users across organizations
Assign Copilot licenses to entire teams
Users do not need organization membership to receive licenses

Self-Service Model

Many successful rollouts use self-service:

Create a request process (GitHub Issue template, internal ticketing)
Organization owner or enterprise admin approves and assigns
Users can request at https://github.com/settings/copilot and click "Get Copilot from an organization"

Step 7: Configure Network Access

If your organization uses firewalls or proxy servers, ensure Copilot can communicate with GitHub services.

Required URLs to Allowlist

Add these URLs to your firewall/proxy allowlist:

URL	Port	Purpose
`github.com`	443	GitHub.com access
`api.github.com`	443	API calls
`copilot-proxy.githubusercontent.com`	443	Copilot suggestions
`copilot-telemetry.githubusercontent.com`	443	Telemetry (optional)
`default.exp-tas.com`	443	Experimentation service
`*.githubcopilot.com`	443	Copilot services

Note: The complete and current allowlist is available in the GitHub Copilot allowlist reference.

Subscription-Based Network Routing

For Enterprise plans, you can use network routing to control access:

Allow: Add copilot-proxy.githubusercontent.com to allowlist
Block: Remove the URL to prevent Copilot Enterprise usage on your network

Proxy Configuration

Users behind corporate proxies may need additional configuration in their IDE settings or environment variables. See the proxy server and firewall settings documentation.

Custom SSL Certificates

If your organization uses SSL inspection:

Export your organization's root CA certificate
Install on developer machines
Configure IDEs to trust the certificate

Step 8: Platform-Specific Deployment

macOS Deployment

MDM Distribution (Jamf, Kandji, etc.):

Download the Copilot CLI package or create a custom package
Deploy via your MDM solution
Use a post-install script for authentication:

#!/bin/bash
# Pre-configure environment for managed deployment
# Users still need to authenticate individually

# Add to /etc/paths.d/ for system-wide CLI access
echo "/usr/local/bin" >> /etc/paths.d/copilot-cli

Homebrew with Managed Deployment:

# Install Homebrew if not present
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

# Install Copilot CLI
brew install copilot-cli

Windows Deployment

Group Policy / SCCM / Intune:

Create a deployment script:

# Silent installation via WinGet
winget install GitHub.Copilot --silent --accept-package-agreements --accept-source-agreements

For environments without WinGet, use npm:

# Requires Node.js pre-installed
npm install -g @github/copilot

PowerShell Requirements: Ensure PowerShell 6+ is deployed. Windows 11 ships with 5.1 by default.

Linux Deployment

Ansible Playbook Example:

- name: Install GitHub Copilot CLI
  hosts: developer_workstations
  tasks:
    - name: Install via npm
      npm:
        name: "@github/copilot"
        global: yes
        state: present
      when: ansible_os_family == "Debian" or ansible_os_family == "RedHat"

    - name: Alternative - Install via script
      shell: curl -fsSL https://gh.io/copilot-install | bash
      args:
        creates: /usr/local/bin/copilot

Package Manager Options:

# Install script (recommended)
curl -fsSL https://gh.io/copilot-install | bash

# npm (requires Node.js)
npm install -g @github/copilot

# Homebrew (if available)
brew install copilot-cli

Step 9: Monitor and Optimize

Usage Metrics

Track Copilot adoption and usage:

Go to Organization Settings > Copilot > Overview
Review metrics including:
- Active users
- Suggestions accepted
- Lines of code from suggestions

Identifying Underutilized Seats

Regularly review seat utilization to optimize costs:

Check the Access page for users who have not activated Copilot
Consider reassigning seats from inactive users
Set up automated reminders for users who have not onboarded

Gathering Feedback

Enable feedback collection to improve your deployment:

Enable Opt in to user feedback collection in policies
Create internal channels for users to share experiences
Use feedback to refine policies and training

Compliance Considerations

SOC 2 Compliance

GitHub provides SOC 2 Type II compliance reports for Copilot Business and Enterprise. Request reports through your GitHub account representative.

Copilot does not store prompts or suggestions after processing
Code context is processed in real-time and not retained
Enterprise customers can work with GitHub on specific data residency requirements

Audit Documentation

Maintain documentation for auditors:

Access controls: SSO configuration, role-based access
Audit logs: Regular exports showing Copilot activity
Policy configuration: Screenshots or exports of policy settings
User lifecycle: SCIM provisioning records

Next Steps

After completing the setup:

Communicate to users: Announce Copilot availability and provide onboarding resources
Provide training: Share documentation and best practices
Establish guidelines: Create internal policies for Copilot usage
Monitor adoption: Track usage metrics and gather feedback
Iterate policies: Adjust content exclusions and settings based on organizational needs

Additional Resources

Need help with your GitHub Copilot enterprise deployment? Inventive HQ offers comprehensive Copilot implementation services, from initial planning to organization-wide rollout. Contact us for a free consultation.