Why can't I see user's email address?

Or also:

  • How can I identify users in my GitHub organisation?
  • How can I see the real name of the user?

You are a GitHub organisation owner and you’ve added a number of users to your organisation over the past few weeks/months/years. Now you want to clean it up and remove the users who either left the company or no longer need access to your organisation. You log into your org and see the following:

Who is Pink Elephant?

Who is this Pink Elephant ?!?! And who is this Grumpy Ukrainian?! (Well, if you worked with me you might get some idea ;) ) Are they still employed by the company?! Or are they one of those who left two years ago but we never removed their accounts and they still have the access!? Should I remove them? CAN I GET THEIR REAL NAME AND EMAIL ADDRESS so I can identify them and make the decision?!?!

The answer is (my favourite): it depends. It depends on a few things:

  • is this an Enterprise Managed Users (EMU) or standard enterprise account? If you’ve never heard of EMUs - you are highly unlikely to have an EMU account.
  • have you verified a domain name?
  • what email(s) has the user specified in their profile, and were they made public?
  • have you configured and enforced SAML SSO in your organisation?

Let’s start from the beginning.

Enterprise Managed Users (a.k.a. EMU)

Let’s get EMUs out of the way first. With EMUs (check this if you don’t know what EMU is) you still can’t see the email addresses, but usually this is not an issue. GitHub will pull the name and the username for each user from your identity provider, so everyone will have their real name (or at least whatever their “real name” is in your IdP) in their GitHub profile and users won’t be able to modify it. The only way to change it is through your IdP. So org owners will always know who each user is: EMU

Bottom line: You won’t have this issue in EMU enterprise account.

Classic (a.k.a. Standard) GitHub

This is where it becomes tricky. And it all starts… a long time ago, when GitHub was built as a platform for individuals to build and collaborate on. The keyword is individuals. With the exception of EMUs, all accounts on GitHub are personal; they belong to individual users (read GitHub account for personal and business use for more details). Each user can decide what username they want to pick, what name they want to provide to the public, what email address they want to add to their profile and whether they want to make that email public. So let’s see when it’s actually possible to either see the email address or find the identity of the user.

Profile settings

Each user decides whether they want to share their email addresses publicly in their profiles. Here’s what ak-honkyponky’s profile looks like when she doesn’t share her email address: Profile

Now, ak-honkyponky adds her public email address: Add public email address

And her public profile now includes the email address (under the Follow button): Public email address on profile page

Bottom line: if the user shares their email address publicly, you will be able to see it in their profile.

Verified domains

As an organisation owner, you have the option to verify your domain names. If you do so, you are technically proving to GitHub that you own that domain name and as a result own/manage all email addresses within that domain. So if a user in your organisation has specified an email address with your domain name in their settings - that email address will appear on the list of organisation members. For example, andrek.com is my domain name and I verified it in my organisation settings. As a result, I can see Ryan’s and my email addresses, even though both of us made them private in our profiles. Email address with a verified domain name

What’s more, I can see two of Ryan’s email addresses because I also own and have verified kolodochka.com: Another email address with a verified domain name, Verified domain names

But I can’t see ak-honkyponky’s email addresses! Also I can’t see the second email address I configured in my account. That’s because none of those email addresses are from my verified domains: Non-verified domain names

So the bottom line is: you will be able to see email addresses of users as long as that email is from one of your verified domains in your organisation.

SAML SSO configured?

This is where it gets even trickier. The ability to connect your organisation to your Identity Provider (Entra ID, Okta, Google, etc) is a feature of the GitHub Enterprise plan. If you are on a Free or Team plan - this section does not apply to you. You can read more about how it works on another page of mine (in the GitHub’s flavour of SAML SSO section).

When a user logs into your SAML-protected organisation for the first time, their GitHub username will be linked to their identity in your IdP and the link will be stored under their organisational profile. Simply click on the username and go to the “SSO identity linked” section. While this won’t necessarily give you the name (although in many cases the linkage is done on the email address, which often includes the user’s name), it will tell you what to search for in your IdP to identify the users:

SAML SSO identity linked

You can even use GitHub APIs to create a script to extract linked identities for all users in your organisation.

Bottom line: Configuring SAML SSO will let you cross reference and identify the user from your IdP.

But what about the name?

Well, similar to the email address in the user’s profile, it’s up to the user what to set as their public name. If the user decides to name themselves “Pink Elephant” instead of “Alana Grant” - there is absolutely nothing you can do. But you can still identify the user if you have SAML SSO configured.

So… what can you do?

Just like I said at the beginning: it depends ;)

You could always use the notifications engine to contact the user. Say, create an issue for each user you don’t recognise, put something like “contact IT” in the issue description and assign the issue to the user or tag the user. If the user doesn’t respond and doesn’t want to make their real name public - there is absolutely nothing you can do to identify them (but you can still remove them from your organisation!).

With email - there are a few things that you can do though.

  1. Verify the domains you own in your enterprise or organisation. This will make any user’s email address from your domain visible in the members list.
  2. Point #1 above doesn’t address the case where your org members don’t add a company email to their profile. While you can’t force users to specify a company email address in their profile, you can sort of nudge users to do so by restricting where GitHub notifications go. Essentially, if that setting is configured and the user doesn’t add a company email to their profile - they will never receive notifications from your organisation. This, in addition to verifying your domain, will allow you to see user emails in the members list.
  3. If you are on the Enterprise plan - configure and enforce SAML SSO and use GitHub APIs to obtain the linked SSO identity. Here’s an example API call you can use:

    # GraphQL query: the first 10 linked SSO identities in the organisation
    query {
      organization(login: "your_organisation-name") {
        samlIdentityProvider {
          externalIdentities(first: 10) {
            edges {
              node {
                # GitHub account linked to the identity
                user {
                  login
                }
                # Attributes asserted by your IdP
                samlIdentity {
                  familyName
                  givenName
                  nameId
                  username
                }
              }
            }
          }
        }
      }
    }
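
The script mentioned in the SAML SSO section and in point 3, sketched in Python as an added example (not the author's or GitHub's own code): it pages through every linked identity instead of only the first 10, then lists members who have no SSO identity at all. The function names, the `replay` transport and the sample pages are constructed for illustration; a live run assumes a token belonging to an organisation owner.

```python
import json
import urllib.request

QUERY = """query($org: String!, $cursor: String) {
  organization(login: $org) { samlIdentityProvider {
    externalIdentities(first: 100, after: $cursor) {
      pageInfo { hasNextPage endCursor }
      edges { node { user { login } samlIdentity { nameId } } }
    } } } }"""

def github_post(token, payload):  # live transport: one GraphQL POST to GitHub
    req = urllib.request.Request(
        "https://api.github.com/graphql", data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def linked_identities(org, post):
    """Follow pageInfo cursors and return {github_login: saml_name_id}."""
    linked, cursor = {}, None
    while True:
        body = post({"query": QUERY, "variables": {"org": org, "cursor": cursor}})
        if body.get("errors"):
            raise RuntimeError(body["errors"])
        idp = body["data"]["organization"]["samlIdentityProvider"]
        if idp is None:  # no SAML SSO on this org, nothing to cross-reference
            raise RuntimeError("SAML SSO is not configured for this organisation")
        page = idp["externalIdentities"]
        for node in (edge["node"] for edge in page["edges"]):
            if node["user"]:  # user is null until a member claims the identity
                linked[node["user"]["login"]] = (node["samlIdentity"] or {}).get("nameId")
        if not page["pageInfo"]["hasNextPage"]:
            return linked
        cursor = page["pageInfo"]["endCursor"]

def unlinked_members(member_logins, linked):  # members with no SSO identity
    return sorted(m for m in member_logins if m not in linked)

def _page(rows, next_cursor):  # builds one constructed API response (not real data)
    edges = [{"node": {"user": u and {"login": u}, "samlIdentity": {"nameId": n}}}
             for u, n in rows]
    info = {"hasNextPage": next_cursor is not None, "endCursor": next_cursor}
    return {"data": {"organization": {"samlIdentityProvider": {
        "externalIdentities": {"pageInfo": info, "edges": edges}}}}}
SAMPLE_PAGES = [_page([("pink-elephant", "alana.grant@example.com")], "c1"),
                _page([(None, "new.hire@example.com")], None)]

def replay(pages):  # offline transport: hands back the constructed pages in order
    return lambda payload, it=iter(pages): next(it)
```

For a live run, pass `lambda p: github_post(token, p)` as `post`; the logins that `unlinked_members` returns are the accounts you cannot trace back to your IdP.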
    

One important note: sometimes I get requests from customers to provide them with the email address of a particular account. Sometimes it is a valid request where a past employee created an account, created a few repositories, then left the company and the company lost access to those repositories. Or it is a machine account and the IT team forgot the password and the email address, so they can’t reset the password or create a new token for the integration. While there are some tools available to GitHub Solutions Engineers to see some details of GitHub accounts, under no circumstances will we ever provide those details to anybody. If you need to obtain such account details you should contact GitHub support and they will determine whether such a request is valid and whether it is within GitHub policies to disclose that information.

This post is licensed under CC BY 4.0 by the author.