Team Sync opt-out for membership provisioning (#35441)

This commit is contained in:
Laura Coursen 2023-04-20 10:01:50 -05:00 committed by GitHub
Parent a75d9aa829
Commit ab817e4964
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 37 additions and 1 deletion

View File

@ -26,6 +26,10 @@ If you use SAML at the enterprise level with Azure AD as your IdP, you can enabl
{% data reusables.identity-and-permissions.about-team-sync %}
{% ifversion team-sync-manage-org-invites %}
{% data reusables.identity-and-permissions.team-sync-org-invites %}
{% endif %}
{% data reusables.identity-and-permissions.sync-team-with-idp-group %}
{% data reusables.identity-and-permissions.team-sync-disable %}
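Review bot: The `team-sync-org-invites` reusable added near the top of this article is not followed by a pointer to the "Managing whether team synchronization can invite non-members to organizations" section that the later hunk adds to this same file. The team-level article in this commit follows the same reusable with "For more information, see" links; a same-page link here would let enterprise owners get from the description of the behaviour to the setting that controls it.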
@ -53,3 +57,12 @@ You can also configure and manage team synchronization for an individual organiz
{% data reusables.identity-and-permissions.team-sync-confirm %}
7. Review the details for the IdP tenant you want to connect to your enterprise account, then click **Approve**.
8. To disable team synchronization, under "Team synchronization", click **Disable team synchronization**.
{% ifversion team-sync-manage-org-invites %}
## Managing whether team synchronization can invite non-members to organizations
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.security-tab %}
1. Under "Team synchronization", select or deselect **Do not allow Team Sync to invite non-members to organizations.**
{% endif %}
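Review bot: Step 1 under the new heading says "select or deselect" for a negatively worded checkbox without saying what either state does. Spell out the outcome, for example that with **Do not allow Team Sync to invite non-members to organizations** selected, only people who are already organization members are added to synchronized teams, and say which state is the default so the step agrees with the `team-sync-org-invites` reusable.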

View File

@ -27,6 +27,10 @@ You can enable team synchronization between your IdP and {% data variables.produ
{% data reusables.identity-and-permissions.supported-idps-team-sync %}
{% ifversion team-sync-manage-org-invites %}
{% data reusables.identity-and-permissions.team-sync-org-invites %}
{% endif %}
{% data reusables.identity-and-permissions.sync-team-with-idp-group %}
You can also enable team synchronization for all organizations owned by an enterprise account. If SAML is configured at the enterprise level, you cannot enable team synchronization on an individual organization. Instead, you must configure team synchronization for the entire enterprise. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise)."
@ -88,6 +92,15 @@ For help on provisioning users that have missing a missing SCIM linked identity,
1. In the "URL" field, type the URL for your Okta instance.
1. Review the identity provider tenant information you want to connect to your organization, then click **Create**.
{% ifversion team-sync-manage-org-invites %}
## Managing whether team sync can invite non-members to your organization
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.security %}
1. Under "Team synchronization", select or deselect **Do not allow Team Sync to invite non-members to this organization.**
{% endif %}
## Disabling team synchronization
{% data reusables.identity-and-permissions.team-sync-disable %}
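Review bot: The heading added in this hunk abbreviates the feature to "team sync", while the matching enterprise heading in this commit and the neighbouring "Disabling team synchronization" heading use the full term. Rename it to "Managing whether team synchronization can invite non-members to your organization" so the two articles read the same and any anchor derived from the heading text follows the same pattern.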

View File

@ -28,6 +28,10 @@ Once a {% data variables.product.prodname_dotcom %} team is connected to an IdP
{% ifversion ghec %}{% data reusables.enterprise-accounts.team-sync-override %}{% endif %}
{% ifversion team-sync-manage-org-invites %}
{% data reusables.identity-and-permissions.team-sync-org-invites %} For more information, see "[AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization#managing-whether-team-synchronization-can-invite-non-members-to-your-organization)" and "[AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise#managing-whether-team-synchronization-can-invite-non-members-to-organizations)."
{% endif %}
{% ifversion ghec %}
All team membership changes made through your IdP will appear in the audit log on {% data variables.product.product_name %} as changes made by the team synchronization bot. Team synchronization will fetch group information from your IdP at least once every hour, and reflect any changes in IdP group membership into {% data variables.product.product_name %}.
Connecting a team to an IdP group may remove some team members. For more information, see "[Requirements for members of synchronized teams](#requirements-for-members-of-synchronized-teams)."
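Review bot: The first link after the reusable uses the fragment `#managing-whether-team-synchronization-can-invite-non-members-to-your-organization`, but the organization-level heading added in this commit reads "Managing whether team sync can invite non-members to your organization". If anchors are generated from heading text, this fragment will not resolve; align the fragment and the heading. The second link's fragment does match the enterprise heading.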
@ -47,7 +51,10 @@ To manage repository access for any {% data variables.product.prodname_dotcom %}
## Requirements for members of synchronized teams
After you connect a team to an IdP group, team synchronization will add each member of the IdP group to the corresponding team on {% data variables.product.product_name %} only if:
- The person is a member of the organization on {% data variables.product.product_name %}.
{%- ifversion team-sync-manage-org-invites %}
- If team synchronization is not allowed to invite non-members to your organization, the person is already a member of the organization on {% data variables.product.product_name %}.
-{%- endif %}
- The person has already logged in with their personal account on {% data variables.product.product_name %} and authenticated to the organization or enterprise account via SAML single sign-on at least once.
- The person's SSO identity is a member of the IdP group.
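Review bot: The list in this hunk shows the membership requirement twice, once as the unconditional bullet "The person is a member of the organization" and once as the new bullet inside `ifversion team-sync-manage-org-invites`. If the unconditional bullet stays, the list still requires membership when invites are allowed, which contradicts the new conditional wording; moving the old bullet into an `else` branch would keep exactly one of the two per version. The closing tag is also shown as `-{%- endif %}` with a leading hyphen, which would render as a stray list marker if it is in the file.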

View File

@ -0,0 +1,2 @@
versions:
ghec: '*'

View File

@ -0,0 +1 @@
By default, team synchronization does not invite non-members to join organizations, which means that a user will only be successfully added to a team if they are already an organization member. If you prefer, you can allow team synchronization to invite non-members to join organizations.
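Review bot: The first sentence of this reusable says that not inviting non-members is the default, while the commit title describes the setting as an "opt-out" and the checkbox in both articles is phrased as "Do not allow". Confirm which behaviour applies when the setting is untouched and word the reusable and the procedure steps to match. The closing sentence "If you prefer, you can allow" would also be clearer if it named who can change the setting (organization owners or enterprise owners).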