Merge pull request #44895 from github/repo-sync

Repo sync

Author: docs-bot

content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise.md

@@ -76,6 +76,12 @@ The identity data on this page will include the SCIM data that was sent to {% da
 
 {% data reusables.saml.about-authorized-credentials %}
 
+{% ifversion single_user_cred_revocation %}
+
+You can also revoke SSO authorizations for individual users or all users. For enterprises with {% data variables.product.prodname_emus %}, you can delete credentials entirely. This is useful for responding to security incidents. For more information, see [AUTOTITLE](/enterprise-cloud@latest/admin/managing-iam/respond-to-incidents/revoke-authorizations-or-tokens).
+
+{% endif %}
+
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.people-tab %}
 {% data reusables.saml.click-person-revoke-credentials %}

content/admin/managing-iam/respond-to-incidents/revoke-authorizations-or-tokens.md

@@ -1,6 +1,6 @@
 ---
 title: Revoking SSO authorizations or deleting credentials in your enterprise
-intro: Respond to a security incident by taking bulk action on credentials with access to your enterprise.
+intro: Respond to a security incident by taking action on credentials with access to your enterprise.
 permissions: Enterprise owners and users with the "Manage enterprise credentials" fine-grained permission
 product: Enterprises with managed users, or enterprises that have enabled SAML SSO for the enterprise or its organizations
 versions:
@@ -11,14 +11,25 @@ category:
   - Configure authentication
 ---
 
-When your enterprise is affected by a major security incident, you can respond by preventing programmatic access to your enterprise or its organizations.
+When your enterprise is affected by a security incident, you can respond by preventing programmatic access to your enterprise or its organizations.
 
-In the  "Authentication security" section of your enterprise settings, you can review counts for user tokens and keys that are authorized for single sign-on (SSO). Then, if needed, you can use one of the following bulk actions in the "Danger zone":
+Available actions:
 
 * **Revoke SSO authorizations** to remove access to SSO-protected organization resources for user credentials in your enterprise.
 * **Delete keys and tokens** to remove user tokens and SSH keys in your enterprise, even if they don't have an SSO authorization ({% data variables.product.prodname_emus %} only).
 
->[!WARNING] These are high-impact actions that should be reserved for major security incidents. They are likely to break automations, and it could take months of work to restore your original state. For alternative options for responding to individual compromised tokens on a smaller scale, see the [Resources for smaller-scale responses](#resources-for-smaller-scale-responses) section.
+{% ifversion single_user_cred_revocation %}
+
+In the "Authentication security" section of your enterprise settings, you can review counts for user tokens and keys that are authorized for single sign-on (SSO). Then, if needed, you can take action against credentials:
+
+* **For individual members**: Revoke SSO authorizations or delete credentials for a specific user when responding to a targeted incident or performing routine access cleanup.
+* **For all members (bulk action)**: Take bulk action to revoke SSO authorizations or delete credentials across all members when responding to a major security incident.
+
+{% else %}
+
+In the "Authentication security" section of your enterprise settings, you can review counts for user tokens and keys that are authorized for single sign-on (SSO). Then, if needed, you can use bulk actions in the "Danger zone" to revoke SSO authorizations or delete credentials.
+
+{% endif %}
 
 ## Accessing the authentication security page
 
@@ -39,17 +50,17 @@ The counts include:
 
 An exact count is displayed if there are 10,000 or fewer of a token type. Above that figure, the description `10k+ tokens` is displayed.
 
-## Taking bulk action (danger zone)
+## Understanding the available actions
 
-Use the **Danger zone** bulk action buttons to respond to a security incident as needed. The following sections describe each action, which SSO authorizations or credentials are impacted, and related audit log events.
+The following sections describe what each action does, which SSO authorizations or credentials are impacted, and related audit log events.
 
->[!NOTE] If your enterprise does **not** use {% data variables.product.prodname_emus %} and has **not** enabled SAML SSO, neither of these actions is available. As an alternative, if you need users to replace {% data variables.product.pat_generic_plural %} as part of your incident response, you can configure an enterprise policy to expire all {% data variables.product.pat_generic_plural %}. See [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-personal-access-tokens-in-your-enterprise).
+> [!NOTE] If your enterprise does **not** use {% data variables.product.prodname_emus %} and has **not** enabled SAML SSO, neither of these actions is available. As an alternative, if you need users to replace {% data variables.product.pat_generic_plural %} as part of your incident response, you can configure an enterprise policy to expire all {% data variables.product.pat_generic_plural %}. See [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-personal-access-tokens-in-your-enterprise).
 
 ### Revoke SSO authorizations
 
 This action is available for {% data variables.product.prodname_emus %} or enterprises that use SAML SSO.
 
-Revoking authorizations removes SSO authorizations for user tokens and SSH keys across all organizations in your enterprise.
+Revoking authorizations removes SSO authorizations for user tokens and SSH keys{% ifversion single_user_cred_revocation %}, either for a specific user or{% endif %} across all organizations in your enterprise.
 
 * Credentials that have had SSO authorizations revoked **cannot be re-authorized** for the affected organizations. To restore access, users must create new credentials and authorize them.
 * The credentials themselves are not deleted, and their permissions for the user and enterprise scopes, and for non-SSO-protected organizations, **remain active**.
@@ -61,7 +72,7 @@ Authorization for **{% data variables.product.pat_v2_plural %}** works different
 
 This action is available for {% data variables.product.prodname_emus %} only.
 
-Deleting keys and tokens removes credentials that have access to your enterprise, regardless of whether they are authorized for SSO. The credentials stop working and are no longer visible in the UI.
+Deleting keys and tokens removes credentials that have access to your enterprise{% ifversion single_user_cred_revocation %}, either for a specific user or for all users{% endif %}, regardless of whether they are authorized for SSO. The credentials stop working and are no longer visible in the UI.
 
 To restore programmatic access, users must create new credentials, authorize them with organizations if required, and update affected processes to use the new credentials.
 
@@ -97,6 +108,64 @@ The "delete tokens" action also generates those events, and additionally generat
 * `oauth_access.destroy`
 * `personal_access_token.destroy`
 
+{% ifversion single_user_cred_revocation %}
+
+## Taking action against individual members
+
+You can revoke SSO authorizations or delete credentials for a specific user. This is useful for responding to incidents affecting individual accounts, such as a compromised account or lost hardware, or for routine access cleanup.
+
+### Revoking authorizations for a specific user
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+1. In the left sidebar, click **Authentication security**.
+1. In the "Danger zone" section, click **Revoke for ▼**, then click **A specific user**.
+1. Select the user whose authorizations you want to revoke.
+1. To confirm, type `USERNAME credentials` (replacing `USERNAME` with the user's username).
+1. Click **Revoke authorizations**.
+
+### Deleting credentials for a specific user
+
+This action is available for {% data variables.product.prodname_emus %} only.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+1. In the left sidebar, click **Authentication security**.
+1. In the "Danger zone" section, click **Delete for ▼**, then click **A specific user**.
+1. Select the user whose credentials you want to delete.
+1. To confirm, type `USERNAME credentials` (replacing `USERNAME` with the user's username).
+1. Click **Delete keys and tokens**.
+
+{% endif %}
+
+## Taking bulk action against all members
+
+Use the **Danger zone** bulk action buttons to respond to a major security incident by taking action against all members of your enterprise.
+
+> [!WARNING] Bulk actions are high-impact actions that should be reserved for major security incidents. They are likely to break automations, and it could take months of work to restore your original state.
+
+### Revoking authorizations for all members
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+1. In the left sidebar, click **Authentication security**.
+1. In the "Danger zone" section, click **Revoke{% ifversion single_user_cred_revocation %} for ▼**, then click **All users{% endif %}**.
+1. Read the warning about the impact of this action.
+1. To confirm, type the name of your enterprise.
+1. Click **Revoke authorizations**.
+
+### Deleting credentials for all members
+
+This action is available for {% data variables.product.prodname_emus %} only.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+1. In the left sidebar, click **Authentication security**.
+1. In the "Danger zone" section, click **Delete{% ifversion single_user_cred_revocation %} for ▼**, then click **All users{% endif %}**.
+1. Read the warning about the impact of this action.
+1. To confirm, type the name of your enterprise.
+1. Click **Delete keys and tokens**.
+
 ## Resources for smaller-scale responses
 
 The following articles describe alternative actions for managing incidents that are smaller in scope, where you can identify specific compromised tokens or user accounts.

content/authentication/keeping-your-account-and-data-secure/index.md

@@ -18,6 +18,7 @@ children:
   - /reviewing-your-ssh-keys
   - /reviewing-your-deploy-keys
   - /token-expiration-and-revocation
+  - /revoking-your-credentials
   - /reviewing-your-security-log
   - /security-log-events
   - /removing-sensitive-data-from-a-repository

content/authentication/keeping-your-account-and-data-secure/preventing-unauthorized-access.md

@@ -19,7 +19,8 @@ After changing your password, you should perform these actions to make sure that
 
 * Enable two-factor authentication on your account so that access requires more than just a password. For more information, see [AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/about-two-factor-authentication).
 * Add a passkey to your account to enable a secure, passwordless login. Passkeys are phishing-resistant, and they don't require memorization or active management. See [AUTOTITLE](/authentication/authenticating-with-a-passkey/about-passkeys).
-* Review your SSH keys, deploy keys, and authorized OAuth apps and GitHub Apps and revoke unauthorized or unfamiliar access in your SSH and Applications settings. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys), [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/reviewing-your-deploy-keys), [AUTOTITLE](/apps/oauth-apps/using-oauth-apps/reviewing-your-authorized-oauth-apps), and [AUTOTITLE](/apps/using-github-apps/reviewing-your-authorized-integrations).
+* Review your SSH keys, deploy keys, and authorized OAuth apps and GitHub Apps and revoke unauthorized or unfamiliar access in your SSH and Applications settings. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys), [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/reviewing-your-deploy-keys), [AUTOTITLE](/apps/oauth-apps/using-oauth-apps/reviewing-your-authorized-oauth-apps), and [AUTOTITLE](/apps/using-github-apps/reviewing-your-authorized-integrations).{% ifversion single_user_cred_revocation %}
+* If you believe your account may be compromised, you can revoke all your authorizations or delete all your credentials at once. See [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/revoking-your-credentials).{% endif %}
 {% ifversion fpt or ghec %}
 * Verify all your email addresses. If an attacker added their email address to your account, it could allow them to force an unintended password reset. For more information, see [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/verifying-your-email-address).
 {% endif %}

content/authentication/keeping-your-account-and-data-secure/revoking-your-credentials.md

@@ -0,0 +1,60 @@
+---
+title: Revoking your credentials
+intro: 'If you believe your account credentials may be compromised, you can revoke all your authorizations to protect any enterprises you have access to. If you are a member of an {% data variables.enterprise.prodname_emu_enterprise %}, you can also choose to delete all your credentials.'
+versions:
+  feature: single_user_cred_revocation
+shortTitle: Revoke your credentials
+category:
+  - Manage access credentials
+---
+
+If you believe your account may be compromised, your hardware was lost or stolen, or you otherwise need to immediately revoke all access associated with your account, you can take action on all of your credentials at once to quickly reduce risk.
+
+Depending on your account type, the following actions are available:
+
+* **Revoke all SSO authorizations**: Remove your credentials' access to SSO-protected resources in an enterprise. This action removes SSO authorizations but does not delete the credentials themselves.
+* **Delete all keys and tokens**: Permanently delete all your tokens and SSH keys. This option is available for members of an {% data variables.enterprise.prodname_emu_enterprise %}.
+
+> [!WARNING] These actions are irreversible. Once you revoke authorizations or delete credentials, you cannot restore them. You will need to create new credentials and re-authorize them for any organizations or processes that require access.
+
+## Understanding the impact
+
+Before taking action, consider the following:
+
+* **Automations will break**: Any scripts, CI/CD pipelines, or automated processes that use your tokens will stop working.
+* **Re-authorization required**: After revoking SSO authorizations, you will need to create new credentials and authorize them with each organization.
+* **SSH access**: If you delete your SSH keys, you will need to generate new keys and add them to your account to continue using SSH.
+
+## Revoking all SSO authorizations
+
+{% data reusables.user-settings.access_settings %}
+1. In the "Access" section of the sidebar, click **Credentials**.
+1. Under "Danger zone", click **Revoke all**.
+1. From the **Enterprise** dropdown, select the enterprise where you want to revoke your authorizations.
+1. To confirm, type `USERNAME credentials` (replacing `USERNAME` with your username).
+1. Click **Revoke authorizations**.
+
+## Deleting all keys and tokens
+
+You can bulk-delete your credentials if you are a member of an {% data variables.enterprise.prodname_emu_enterprise %}.
+
+{% data reusables.user-settings.access_settings %}
+1. In the "Access" section of the sidebar, click **Credentials**.
+1. Under "Danger zone", click **Delete all**.
+1. To confirm, type `USERNAME credentials` (replacing `USERNAME` with your username).
+1. Click **Delete keys and tokens**.
+
+## After revoking or deleting credentials
+
+After taking action on your credentials:
+
+1. **Create new credentials**: Generate new {% data variables.product.pat_generic_plural %} and SSH keys as needed. See [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens) and [AUTOTITLE](/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account).
+1. **Re-authorize for SSO**: If your organizations require SSO, authorize your new credentials. See [AUTOTITLE](/authentication/authenticating-with-single-sign-on/authorizing-a-personal-access-token-for-use-with-single-sign-on) and [AUTOTITLE](/authentication/authenticating-with-single-sign-on/authorizing-an-ssh-key-for-use-with-single-sign-on).
+1. **Update automations**: Update any scripts, CI/CD pipelines, or other automated processes with your new credentials.
+1. **Review your security**: Consider enabling two-factor authentication and reviewing your authorized applications. See [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/preventing-unauthorized-access).
+
+## Further reading
+
+* [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/token-expiration-and-revocation)
+* [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys)
+* [AUTOTITLE](/apps/using-github-apps/reviewing-your-authorized-integrations)

content/authentication/keeping-your-account-and-data-secure/token-expiration-and-revocation.md

@@ -44,6 +44,12 @@ You can revoke your authorization of a {% data variables.product.prodname_github
 
 Once an authorization is revoked, any tokens associated with the authorization will be revoked as well. To reauthorize an application, follow the instructions from the third-party application or website to connect your account on {% data variables.product.prodname_dotcom %} again.
 
+{% ifversion single_user_cred_revocation %}
+
+You can also revoke all your credentials at once from your account settings. This is useful if you believe your account may be compromised or your hardware was lost or stolen. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/revoking-your-credentials).
+
+{% endif %}
+
 {% ifversion fpt or ghec %}
 
 ## Token revoked by a third party
@@ -77,3 +83,13 @@ The owner of an {% data variables.product.prodname_oauth_app %} can revoke an ac
 ## User token expired due to {% data variables.product.prodname_github_app %} configuration
 
 User access tokens created by a {% data variables.product.prodname_github_app %} will expire after eight hours by default, and then must be regenerated using the included refresh token. Owners of {% data variables.product.prodname_github_apps %} can optionally configure these tokens to never expire instead, but this is not recommended due to the security implications. For more information about configuring your {% data variables.product.prodname_github_app %}'s user access tokens, see [AUTOTITLE](/apps/maintaining-github-apps/activating-optional-features-for-github-apps).
+
+{% ifversion fpt or ghec %}
+
+## Token revoked by enterprise owners
+
+Enterprise owners on {% data variables.product.prodname_ghe_cloud %} can revoke SSO authorizations or delete credentials{% ifversion single_user_cred_revocation %} for individual users or{% endif %} in bulk when responding to security incidents. Revoking SSO authorizations removes access to SSO-protected organization resources, while deleting credentials (available for {% data variables.product.prodname_emus %} only) removes the credentials entirely.
+
+For more information, see [AUTOTITLE](/enterprise-cloud@latest/admin/managing-iam/respond-to-incidents/revoke-authorizations-or-tokens).
+
+{% endif %}