Microsoft acquired GitHub in 2018 for $7.5 billion. Since then, GitHub has become the cornerstone of Microsoft's developer platform strategy — and the commercial strategy has evolved significantly from GitHub's pre-acquisition, open-source-led, developer-friendly pricing. Enterprise buyers in 2026 are managing GitHub as part of a broader Microsoft estate, which creates both complexity and commercial opportunity.
This guide covers GitHub Enterprise licensing from the perspective of an enterprise buyer: what the tiers mean, how GitHub Copilot for Business fits into the stack, where Advanced Security creates value, and — critically — how to negotiate GitHub as part of your Microsoft EA rather than buying it in isolation.
GitHub's Tier Structure
GitHub's commercial product tiers are structured around three core plans, plus the Copilot and Advanced Security add-ons that create most of the enterprise licensing complexity:
GitHub Free
Unlimited public and private repositories, 2,000 GitHub Actions minutes per month, 500MB Packages storage. Suitable for open-source projects and individual developers. Not a realistic option for enterprise with compliance, access control, or security requirements.
GitHub Team
$4 per user per month (billed annually). Adds required access controls for enterprise use: required pull request reviewers, code owners, protected branches, private wikis, draft pull requests, and 3,000 Actions minutes per month. GitHub Team is often where engineering teams start before IT procurement gets involved.
GitHub Enterprise
$21 per user per month (billed annually) — or negotiated price via Microsoft EA. This is the appropriate tier for regulated organisations, large enterprises, or any organisation with SSO, audit log, SAML, IP allow lists, or enterprise support requirements. GitHub Enterprise is available in two deployment options:
- GitHub Enterprise Cloud (GHEC): SaaS delivery on GitHub.com infrastructure. Data residency options available (EU, Australia). Includes all Enterprise features plus GitHub.com's CI/CD ecosystem and marketplace integrations.
- GitHub Enterprise Server (GHES): Self-hosted deployment on your own infrastructure (on-premises or in Azure/AWS/GCP). Required for organisations with strict data sovereignty requirements, air-gapped environments, or regulatory constraints that prohibit cloud-based source code storage.
| Feature | GitHub Free | GitHub Team | GitHub Enterprise Cloud | GitHub Enterprise Server |
|---|---|---|---|---|
| List price (per user/month) | Free | $4 | $21 | $21 (+ infrastructure) |
| SAML SSO | ❌ | ❌ | ✓ | ✓ |
| Audit log API | ❌ | ❌ | ✓ | ✓ |
| IP allow lists | ❌ | ❌ | ✓ | ✓ |
| Data residency | ❌ | ❌ | EU/AU available | Your infrastructure |
| GitHub Actions minutes | 2,000/mo | 3,000/mo | 50,000/mo | Self-hosted runners |
| GitHub Advanced Security | ❌ | ❌ | Add-on required | Add-on required |
| Enterprise Managed Users | ❌ | ❌ | ✓ (optional) | N/A |
| Microsoft EA eligibility | ❌ | ❌ | ✓ | ✓ |
GitHub Copilot for Business: Licensing Reality
GitHub Copilot for Business is priced at $19 per user per month as a standalone add-on. For enterprise, GitHub Copilot Enterprise — which adds Copilot Chat in GitHub.com, pull request summaries, and repository-aware chat — is priced at $39 per user per month.
These prices represent the starting point for negotiation, not the final price. As part of a Microsoft EA renewal that includes Azure and M365 commitments, GitHub Copilot is a directly negotiable line item. The discount achievable depends on the scale of your overall Microsoft relationship, but 15–20% is realistic for organisations with significant Azure MACC commitments.
There is also a critical overlap between GitHub Copilot and Microsoft 365 Copilot that many enterprise buyers do not resolve cleanly. A developer with both GitHub Enterprise and M365 E5 may be eligible for GitHub Copilot capabilities through the M365 E5 bundle — or may need a separate GitHub Copilot licence. The answer depends on the specific use case (IDE integration vs GitHub.com chat vs repository-aware features) and which Copilot licence was purchased through which channel. Before committing to GitHub Copilot seats, confirm exactly which features you need and whether any are covered by your existing M365 entitlements.
Copilot Seat Count Governance
GitHub Copilot is licensed per active user. The billing model for Business/Enterprise tiers charges per assigned seat, not per active user in a given period. This creates a common waste pattern: developers are assigned Copilot seats during onboarding and rarely offboarded when they change roles, leave the project, or stop using it. In organisations with more than 500 Copilot seats, unmanaged seat attrition typically results in 15–25% of seats being paid for but unused. Implementing a quarterly Copilot utilisation review — using GitHub's usage metrics in the enterprise admin console — is a straightforward cost governance measure.
GitHub Advanced Security: When It's Worth It
GitHub Advanced Security (GHAS) is a significant add-on purchase — historically priced at $49 per active committer per month, though enterprise pricing varies. GHAS includes:
- Code scanning: Automated vulnerability detection using CodeQL, the industry-leading semantic code analysis engine
- Secret scanning: Detection of accidentally committed credentials, API keys, and tokens — with partner alerts for live secret revocation
- Dependency review: Block pull requests introducing vulnerable dependencies before they reach main
- Security campaigns: Bulk remediation workflows for addressing known vulnerability backlogs at scale
The "active committer" pricing model for GHAS is one of the more contentious elements of GitHub Enterprise licensing. An active committer is anyone who commits code to a private or internal repository in the billing period. In organisations with irregular contribution patterns — spikes during sprints, quiet periods between releases — the active committer count can fluctuate significantly, making budget forecasting difficult.
GHAS vs Azure DevOps Security Features
Organisations that use Azure DevOps as their primary repository may have some overlap between GHAS capabilities and Azure DevOps Advanced Security, which Microsoft introduced for Azure Repos. The feature sets are not identical — CodeQL-based scanning is deeper than Azure DevOps Advanced Security's current implementation — but for organisations using Azure Repos rather than GitHub, Azure DevOps Advanced Security may provide sufficient coverage at lower cost. The key evaluation criterion is your primary repository platform, not your preferred security tool vendor.
Is GHAS Worth the Cost?
The ROI case for GHAS depends heavily on your developer-to-repository ratio, your regulatory environment (DORA, NIS2, FCA requirements increasingly point toward automated security testing), and whether you have the engineering culture to act on the alerts GHAS generates. A tool that produces 10,000 vulnerability alerts and has no triage or remediation process is an expensive compliance checkbox, not a security improvement.
Before purchasing GHAS, run a 30-day trial on your highest-risk repositories and measure: how many high-severity findings does it surface, how long does triage take, and how many are remediated versus suppressed? If the triage-to-remediation ratio is below 30%, invest in the process before paying for the tool.
Enterprise Managed Users (EMU)
Enterprise Managed Users is a GitHub Enterprise Cloud configuration option that fundamentally changes the identity model. Under standard GHEC, developers use their personal GitHub.com accounts linked to the enterprise. Under EMU, all developer identities are provisioned and managed by the enterprise through an Identity Provider (Azure AD/Entra ID being the most common).
EMU is the right choice for organisations with strict identity governance requirements — financial services, government, healthcare, and defence. The trade-off is that EMU users cannot contribute to public repositories or personal projects using their enterprise identity, which can be a friction point in organisations where open-source contribution is part of the engineering culture or recruitment brand.
From a licensing perspective, EMU has no separate cost — it is a configuration choice within GitHub Enterprise Cloud. The cost implication is in the Entra ID (formerly Azure AD) configuration, which requires P1 or P2 licences for SCIM provisioning and conditional access policies. See the Entra ID P1 vs P2 guide for the relevant licensing detail.
Negotiating GitHub as Part of Your Microsoft EA
This is where most organisations leave money on the table. GitHub Enterprise is a Microsoft product, procured through the same commercial channel as Azure and M365. Yet the majority of enterprise GitHub deployments are purchased directly through GitHub.com by an engineering team using a corporate card — outside the EA framework, at list price, with no volume discount.
How to Bring GitHub into Your EA
GitHub Enterprise is available through the Microsoft Enterprise Agreement as a standalone product or as part of the Microsoft 365 developer-focused bundles. The path to EA pricing involves:
- Establish the current spend baseline: Audit all GitHub charges across credit cards, departmental cost codes, and existing subscriptions. For large organisations, this total is frequently surprising — multiple GitHub organisations, legacy Team subscriptions, Copilot licences purchased by different business units at different rates.
- Consolidate under a single enterprise account: Before approaching Microsoft for EA pricing, consolidate all GitHub usage under a single enterprise account. Fragmented purchasing has no negotiating leverage.
- Bring GitHub into the EA renewal conversation: Position GitHub as part of the EA renewal discussion, alongside Azure, M365, and any other Microsoft products. Your AE can route GitHub through the EA; many AEs do not proactively suggest this because GitHub has a separate sales team and commission structure.
- Use GitHub as MACC-eligible consumption: GitHub Actions minutes, Packages storage, and Copilot usage may be eligible against your Azure MACC commitment depending on how your EA is structured. Verify with your account team whether GitHub consumption can count toward MACC thresholds.
GitHub Discount Structure in EA
GitHub Enterprise discounts in EA follow the general Microsoft deal desk structure: larger overall Microsoft commitment = greater GitHub discount eligibility. Organisations with £5M+ annual Microsoft spend should realistically target 15–20% on GitHub Enterprise and Copilot. Organisations at £1M–£5M can typically achieve 8–15%. Below £1M, the EA pathway may add administrative complexity without meaningful discount benefit.
GitHub Enterprise Server vs Cloud: The Decision Framework
The GHES vs GHEC decision is primarily a data sovereignty and operational complexity question. Here is the framework for making it cleanly:
Choose GitHub Enterprise Cloud if:
- Your organisation can store source code in a SaaS environment — legal and security have reviewed and approved this
- You want to reduce operational overhead of maintaining self-hosted infrastructure
- Your developers rely heavily on GitHub marketplace integrations and third-party CI/CD tools that are optimised for GitHub.com
- You need data residency in EU or Australia (GHEC data residency is available as of 2024)
Choose GitHub Enterprise Server if:
- Regulatory requirements (DORA, FFIEC, HIPAA, government data handling rules) mandate on-premises or private cloud code storage
- You operate in an air-gapped environment with no outbound internet connectivity
- You have existing infrastructure investment in on-premises CI/CD that GHES integrates with and GHEC cannot replicate
- Your security team requires full control of the GitHub platform without SaaS dependencies
GHES requires you to manage the server infrastructure — upgrades, availability, backup, and security patches are your responsibility. Microsoft/GitHub releases major GHES versions roughly every 6 months, with 18 months of security support per release. Organisations that fall behind on GHES upgrades accumulate security exposure and operational debt. Factor the operational cost of GHES maintenance into your total cost of ownership calculation.
Optimise Your GitHub Enterprise Licensing
Most enterprises overpay for GitHub by purchasing outside the EA at list price. We can fix that.
Developer Licensing Review
Audit your current GitHub spend, identify consolidation opportunities, and model the EA pricing pathway for your organisation.
Request ReviewEA Negotiation Advisory
Include GitHub, Azure DevOps, and all developer licensing in your next EA negotiation — not just M365 and Azure.
Explore AdvisoryDeveloper Licensing Guide
The complete Microsoft developer and DevOps licensing guide: GitHub, Azure DevOps, Visual Studio, and Copilot.
Read the GuideCommon GitHub Enterprise Licensing Issues
Fragmented Purchasing Outside EA
Engineering teams purchase GitHub through GitHub.com using corporate cards because it is fast and self-service. The cumulative effect is an enterprise spending $300K+ annually on GitHub at list price, across multiple billing accounts, with no enterprise discount and no consolidated visibility. A one-time audit to consolidate and bring into EA pricing typically pays back its cost in the first year.
GitHub Actions Overage Charges
GitHub Enterprise includes 50,000 Actions minutes per month per organisation. Large organisations with automated testing, CI/CD pipelines, and frequent deployments regularly exceed this allocation — and overage pricing ($0.008–$0.016 per minute depending on runner type) adds up quickly. Organisations with high Actions consumption should evaluate: self-hosted runners on Azure (which can use Azure MACC credit), GitHub's larger hosted runners, or Actions minutes add-on bundles. This is an architectural and commercial decision that belongs in the EA conversation, not only in engineering's backlog.
Copilot Seat Proliferation
GitHub Copilot is one of the easiest products for developers to request and get approved. A developer submits a request, a manager approves it, IT provisions it — and the seat is never reviewed again. In organisations with 1,000+ developers, unreviewed Copilot seat proliferation creates a material and avoidable cost. Implement a quarterly active-user review against seats assigned and deprovision seats with zero usage in the quarter.
GHAS Active Committer Spikes
Sprint-end contribution spikes, hackathons, and dependency update bots can cause temporary active committer count increases that generate unexpected GHAS billing. Understand your contribution patterns before committing to GHAS, and negotiate a smoothing mechanism or committed minimum seat count in your enterprise agreement that avoids billing spikes for temporary activity.
The Bottom Line on GitHub Enterprise
GitHub is not a niche developer tool — it is a $19+ per user per month enterprise SaaS product that, for a 1,000-developer organisation, represents a $228,000+ annual commitment at list price. At that scale, it deserves the same commercial rigour as any other major enterprise software purchase.
Bring it into your EA. Consolidate fragmented purchasing. Review Copilot seat allocation quarterly. Evaluate GHAS against your actual security programme maturity, not against a vendor's feature checklist. And use GitHub's position in the Microsoft portfolio as leverage in your broader EA negotiation — not as a separate purchase that happens to be on your Microsoft invoice.
For the complete Microsoft developer and DevOps licensing picture, see the Developer & DevOps licensing guide. For Azure DevOps licensing in detail, see the Azure DevOps licensing guide.