One of the challenges of moving to GitHub Enterprise Cloud (GHEC) Enterprise Managed Users (EMU) is the difference in user provisioning compared to the typical LDAP setup with GitHub Enterprise Server. While AD groups have traditionally been used to determine who to provision, with an LDAP setup you can also create a main group that gates access: for example, a group called 'GitHubEnterprise' that determines whether a user is provisioned or not, and other groups like TeamA, TeamB, and so on that are used for team membership. If an individual is in TeamA but not in the GitHubEnterprise group, they do not get provisioned.
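The gate rule described above, as an added example (not code from the original post or from GitHub): it applies the rule to a constructed directory snapshot and lists the team-group members the gate currently keeps out, which are the accounts to review before migrating. The sample users, the `Finance` group and the function names are hypothetical, and it assumes that without a gate every member of a team group would receive an account.

```python
# Constructed sample directory data (not from the original page).
GATE_GROUP = "GitHubEnterprise"      # gate group name taken from the text
TEAM_GROUPS = ["TeamA", "TeamB"]     # team groups named in the text
GROUPS = {
    "GitHubEnterprise": {"alice", "bob", "carol"},
    "TeamA": {"alice", "dave"},      # dave: in a team, not in the gate
    "TeamB": {"bob", "carol", "erin"},
    "Finance": {"frank"},            # unrelated group, never consulted
}


def ldap_gate_decisions(groups, gate_group, team_groups):
    """Apply the gate rule: only gate-group members are provisioned;
    team groups decide team membership for those users only."""
    if gate_group not in groups:
        raise KeyError(f"gate group {gate_group!r} not found")
    gated = set(groups[gate_group])
    provisioned, excluded = {}, {}
    for team in team_groups:
        for user in groups.get(team, set()):
            target = provisioned if user in gated else excluded
            target.setdefault(user, []).append(team)
    # Gate members without any team are still provisioned, just teamless.
    for user in gated:
        provisioned.setdefault(user, [])
    return ({u: sorted(t) for u, t in provisioned.items()},
            {u: sorted(t) for u, t in excluded.items()})


def migration_review(groups, gate_group, team_groups):
    """Users the gate keeps out today. Assumption: if team groups alone
    drove provisioning, each of these users would gain an account."""
    _, excluded = ldap_gate_decisions(groups, gate_group, team_groups)
    return sorted(excluded)


if __name__ == "__main__":
    ok, blocked = ldap_gate_decisions(GROUPS, GATE_GROUP, TEAM_GROUPS)
    for user in sorted(ok):
        print(f"provision        {user}: teams={ok[user]}")
    for user in sorted(blocked):
        print(f"blocked by gate  {user}: member of {blocked[user]}")
```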
GitHub Enterprise Cloud uses SAML or OIDC with SCIM provisioning. In SCIM provisioning, group-based filtering is not an option, so the above scenario cannot be completed. However, [scoping filters](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/define-conditional-rules-for-provisioning-user-accounts?pivots=app-pro