
How to Pass GitHub Certified Administrator in 2026: Complete Study Guide

Complete GitHub Certified Administrator study guide for 2026. Covers all 5 exam domains, the format ($250, ~65 questions, 120 min), SSO SAML/OIDC, team management, GHAS, GHES architecture, and a 4-week study plan.

If you manage GitHub at the organization or enterprise level — setting up access controls, enforcing security policies, running GitHub Enterprise Server, or configuring GitHub Advanced Security — the GitHub Certified Administrator exam validates everything you do every day. This certification is aimed at platform engineers, DevSecOps leads, and IT administrators who own the GitHub environment at their company. This guide walks through every domain, the exam format, key concepts, and a 4-week study plan designed for someone who works with GitHub administration regularly but needs to fill in the gaps before exam day.

Exam Format and Registration

| Detail | Value |
| --- | --- |
| Price | $250 USD |
| Number of questions | ~65 multiple-choice and multi-select |
| Time limit | 120 minutes |
| Passing score | ~70% (not officially published) |
| Delivery | Online proctored via PSI |
| Validity | 2 years |
| Prerequisites | None (recommended: GitHub Foundations) |

The Administrator exam is considered harder than GitHub Foundations and roughly equivalent in depth to GitHub Actions. It covers a wider breadth — including GitHub Enterprise Server (GHES) specifics — so candidates with only GitHub.com experience should allocate extra time for the enterprise sections.

Domain Breakdown and Weights

| Domain | Topic | Approx. Weight |
| --- | --- | --- |
| 1 | Authentication and Access Management | ~25% |
| 2 | Repository and Team Management | ~20% |
| 3 | GitHub Actions and Packages | ~20% |
| 4 | Enterprise Administration | ~20% |
| 5 | Monitoring, Security, and Compliance | ~15% |

Domain 1: Authentication and Access Management

This is the highest-weight domain and for good reason — authentication is the front door to your entire GitHub environment. Misconfigure it and nothing else matters.

Key concepts to master:

  • SAML SSO: Organizations can enforce SAML single sign-on so all member access goes through the corporate identity provider (IdP). Know the difference between enabling SAML (optional) and enforcing SAML (required — members who don't authenticate via SSO lose access).
  • SCIM provisioning: System for Cross-domain Identity Management automatically provisions and deprovisions GitHub organization membership based on IdP group assignments. Requires SAML SSO to be enabled first.
  • Enterprise Managed Users (EMU): A GitHub Enterprise Cloud feature where all user accounts are fully managed by the enterprise — no personal GitHub accounts. EMU users cannot interact with public repositories outside the enterprise.
  • Two-factor authentication (2FA): Organization owners can require 2FA for all members and outside collaborators. Users without 2FA enabled are removed from the organization when enforcement is turned on.
  • Personal access tokens (PATs): Fine-grained PATs (newer) vs classic PATs. Organizations can require PAT approval for fine-grained tokens, or can restrict classic PAT access entirely.
  • OAuth Apps vs GitHub Apps: OAuth Apps act as users; GitHub Apps act as themselves with specific installation permissions. GitHub Apps are preferred for integrations because they have granular permissions and can be installed on specific repositories only.
  • SSH keys and deploy keys: Deploy keys are repository-specific SSH keys that grant read (or read-write) access to a single repository, typically for automated systems.
💡 Exam Tip: SAML SSO operates at the organization level on GitHub.com (not the account level). A user can be a member of multiple organizations, each with different SSO providers. Enforcing SSO in one organization does not affect the user's access to other organizations.

Domain 2: Repository and Team Management

Repository and team management covers the day-to-day administration of who can do what in which repository. This domain is heavily scenario-based on the exam.

Key concepts to master:

  • Repository roles: Read, Triage, Write, Maintain, Admin — each with increasingly broad permissions. Know what each role can and cannot do (e.g., Maintain can manage issues and PRs but cannot delete the repository; Admin can).
  • Teams: Groups of organization members. Teams can be granted repository access at any role level. Team permissions are additive — if a user is in two teams with different access levels to the same repo, they get the higher level.
  • Outside collaborators: Individual users added to specific repositories who are not organization members. They do not count against seat limits in the same way, but they also cannot be added to teams.
  • Branch protection rules: Require status checks, require reviews, require signed commits, restrict who can push, require linear history, require conversation resolution. Know which settings apply only to Admins vs all users.
  • CODEOWNERS: A file defining who owns which paths in a repository. CODEOWNERS automatically request reviews from the relevant team when a PR changes files in their owned paths.
  • Repository templates: Template repositories create new repos with predefined structure, workflows, and settings — useful for standardizing project setup across an organization.
  • Rulesets: The newer, more flexible replacement for branch protection rules. Rulesets can be defined at the organization level and apply to multiple repositories at once using repository naming patterns.
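
The additive team-permission rule above, worked through as an added example (not part of the original guide): it resolves each user's effective role on a repository and lists who ends up above a chosen ceiling, and through which grant. The team names, users, grants and function names are constructed for illustration.

```python
# Repository roles in the order the guide lists them, lowest to highest.
ROLES = ["read", "triage", "write", "maintain", "admin"]
RANK = {role: i for i, role in enumerate(ROLES)}

# Constructed sample data (hypothetical org), not taken from any real system.
TEAM_MEMBERS = {
    "platform": {"alice", "bob"},
    "payments-dev": {"bob", "carol"},
    "auditors": {"dave"},
}
TEAM_GRANTS = [  # (team, repository, role)
    ("platform", "payments-api", "admin"),
    ("payments-dev", "payments-api", "write"),
    ("auditors", "payments-api", "read"),
]
DIRECT_GRANTS = [("erin", "payments-api", "triage")]  # outside collaborator


def effective_role(user, repo):
    """Return (role, source) of the highest grant the user holds on repo."""
    candidates = []
    for team, granted_repo, role in TEAM_GRANTS:
        if granted_repo == repo and user in TEAM_MEMBERS.get(team, ()):
            candidates.append((role, "team:" + team))
    for grantee, granted_repo, role in DIRECT_GRANTS:
        if grantee == user and granted_repo == repo:
            candidates.append((role, "direct"))
    if not candidates:
        return (None, None)
    # Additive model: grants never cancel each other, the highest one wins.
    return max(candidates, key=lambda c: RANK[c[0]])


def over_privileged(repo, ceiling="write"):
    """Map each user whose effective role exceeds `ceiling` to (role, source)."""
    users = set().union(*TEAM_MEMBERS.values()) | {g[0] for g in DIRECT_GRANTS}
    report = {}
    for user in sorted(users):
        role, source = effective_role(user, repo)
        if role is not None and RANK[role] > RANK[ceiling]:
            report[user] = (role, source)
    return report
```

Here bob is in both `platform` (admin) and `payments-dev` (write), so removing him from `payments-dev` alone would not lower his access; the report points at the grant that actually has to change.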

Domain 3: GitHub Actions and Packages

From an administrator's perspective, GitHub Actions management is about controlling what workflows can do, what runners they can use, and what packages they can publish.

Key concepts to master:

  • Actions policies: Organization admins can restrict which actions can be used — allow all, allow only local actions, allow only verified creators, or specify an allow list of specific actions.
  • Runner groups: Org-level runner groups control which repositories can use self-hosted runners. Enterprise-level groups can be shared across organizations.
  • GitHub Packages: Registry for containers, npm packages, Maven, NuGet, etc. Packages inherit visibility from their associated repository by default. Private packages require authentication.
  • Spending limits: GitHub Actions and Packages have usage limits. Org admins set spending limits for additional minutes and storage beyond the included allocation.
  • Required workflows: Organizations can mandate that specific workflows run on all repositories — enforcing security scans or compliance checks organization-wide.

Domain 4: Enterprise Administration

This domain covers GitHub Enterprise Cloud (GHEC) and GitHub Enterprise Server (GHES) — the two options for large-scale GitHub deployments.

Key concepts to master:

  • GHES architecture: Self-hosted GitHub running on your own infrastructure (VM on-premises or cloud). Runs as a single appliance or in High Availability (HA) configuration. Data stays on your infrastructure.
  • GHES High Availability: Active/passive replica configuration. The primary appliance handles all traffic; the replica stays in sync and can be promoted if the primary fails.
  • GitHub Connect: Feature that connects a GHES instance to GitHub.com. Enables unified search, GitHub.com actions usage on GHES, and license management.
  • Enterprise policies: Enterprise owners can set policies that apply to all organizations in the enterprise — for example, requiring SAML SSO, restricting repository visibility, or requiring 2FA enterprise-wide.
  • Enterprise vs organization: Organizations are the primary unit of collaboration; an enterprise is an umbrella that contains multiple organizations. Enterprise owners have access to all organizations in the enterprise.
  • GHES updates: GHES uses release channels (stable, feature) and requires periodic maintenance window updates. Major version upgrades must be done sequentially (no skipping).
💡 Exam Tip: Enterprise policies override organization settings. If an enterprise policy prohibits forking private repositories, an organization owner cannot re-enable forking for their organization — enterprise policies always win. This hierarchy (Enterprise > Organization > Repository) is a core exam concept.

Domain 5: Monitoring, Security, and Compliance

This domain covers the audit and security features that administrators use to understand and prove what is happening in their GitHub environment.

Key concepts to master:

  • Audit log: Records all events in an organization or enterprise. Available via UI, REST API, and streaming. Events include authentication, team changes, repository changes, and Actions events.
  • Audit log streaming: Enterprise feature to stream audit events to external SIEM systems (Azure Event Hubs, Amazon S3, Google Cloud Storage, Splunk, Datadog).
  • GitHub Advanced Security (GHAS): Add-on (included with GHEC) that provides code scanning, secret scanning, and Dependabot. Each feature can be enabled per-repository or enforced organization-wide.
  • Secret scanning: Scans repository content and commit history for known secret patterns. Push protection blocks commits containing secrets before they are pushed.
  • Security overview: Organization and enterprise level dashboards showing the security posture across all repositories — how many have code scanning enabled, alert counts, etc.
  • Security manager role: A special organization role that grants access to all security alerts across all repositories in the organization without granting Admin access.
  • Dependabot: Alerts for known vulnerabilities in dependencies; automatic PRs for security and version updates. Know the difference between Dependabot alerts, security updates, and version updates.
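
The audit-log review described above, as an added example (not part of the original guide): it scans an exported audit log in JSON-lines form and flags events that weaken the controls from Domains 1 and 2. The sample events are constructed, and the watched action names and the `visibility` field are assumptions to verify against GitHub's audit log events reference.

```python
import json
from datetime import datetime, timezone

# Actions that weaken controls from Domains 1 and 2, with a short reason.
# Assumption: these names match the audit log events reference for your plan
# and version; verify them there before alerting on them.
WATCHED = {
    "org.disable_two_factor_requirement": "2FA requirement turned off",
    "org.disable_saml": "SAML SSO disabled",
    "protected_branch.destroy": "branch protection removed",
}

# Constructed sample export, one JSON event per line (not real data).
SAMPLE = "\n".join([
    '{"@timestamp": 1767261600000, "action": "team.add_member", "actor": "alice", "org": "example-org"}',
    '{"@timestamp": 1767261660000, "action": "org.disable_two_factor_requirement", "actor": "bob", "org": "example-org"}',
    '{"@timestamp": 1767261720000, "action": "repo.access", "actor": "carol", "repo": "example-org/docs", "visibility": "private"}',
    '{"@timestamp": 1767261780000, "action": "repo.access", "actor": "carol", "repo": "example-org/payments", "visibility": "public"}',
    '{"@timestamp": 1767261840000, "action": "protected_branch.destroy", "actor": "dave", "repo": "example-org/api"}',
    '{"@timestamp": 1767261900000, "action": "org.disable_sa',  # truncated line
])


def flag_events(text):
    """Return (findings, malformed_line_numbers) for a JSON-lines export."""
    findings, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            malformed.append(lineno)  # a gap in the record is worth reporting too
            continue
        action = event.get("action", "")
        reason = WATCHED.get(action)
        # Visibility changes are flagged only in the risky direction.
        if action == "repo.access" and event.get("visibility") == "public":
            reason = "repository made public"
        if reason is None:
            continue
        ts_ms = event.get("@timestamp")  # epoch milliseconds
        when = (datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).isoformat()
                if isinstance(ts_ms, (int, float)) else None)
        findings.append({"when": when, "actor": event.get("actor"), "action": action,
                         "target": event.get("repo") or event.get("org"), "reason": reason})
    return findings, malformed
```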

4-Week Study Plan

| Week | Focus | Activities |
| --- | --- | --- |
| Week 1 | Authentication and Access | Study SAML SSO, SCIM, and EMU docs; set up a test organization with SSO enabled; compare GitHub Apps vs OAuth Apps permission models |
| Week 2 | Repository, Teams, and Actions | Configure branch protection rules and CODEOWNERS; set up team hierarchy; configure Actions policies at org level; test runner group restrictions |
| Week 3 | Enterprise and GHES | Read GHES architecture docs; understand HA setup; study GitHub Connect; learn enterprise policy hierarchy; review GHES update process |
| Week 4 | Security and Practice | Configure GHAS features; review audit log event types; take full practice exams; review weak areas; final mock exam under timed conditions |

Passing Tips

  • Know the policy hierarchy. Enterprise > Organization > Repository. Many questions are answered by understanding which level a setting lives at and which level overrides it.
  • Understand EMU limitations. Enterprise Managed Users cannot access public repositories, cannot have personal accounts, and cannot leave the enterprise. These restrictions come up repeatedly in exam scenarios.
  • Don't confuse roles. Organization owner vs enterprise owner, team maintainer vs org member, outside collaborator vs member — these distinctions appear in nearly every domain.
  • GHES is on the exam even if you've never used it. Allocate time to study GHES architecture, HA, and GitHub Connect even if your day job is on GitHub.com. Expect 10–15 questions on GHES topics.
  • Read the GitHub documentation. GitHub publishes thorough documentation for all of these features. The exam is based on the official docs, not third-party interpretations.