github · docs-bot · Feb 9, 2026 · Feb 9, 2026 · Feb 9, 2026
diff --git a/content/admin/concepts/identity-and-access-management/index.md b/content/admin/concepts/identity-and-access-management/index.md
@@ -10,6 +10,7 @@ topics:
 children:
   - /identity-and-access-management-fundamentals
   - /enterprise-managed-users
+  - /setup-user
   - /user-offboarding
 contentType: concepts
 ---

diff --git a/content/admin/concepts/identity-and-access-management/setup-user.md b/content/admin/concepts/identity-and-access-management/setup-user.md
@@ -0,0 +1,30 @@
+---
+title: Setup user
+intro: 'The setup user is used to configure authentication and provisioning for {% data variables.product.prodname_emus %}.'
+versions:
+  ghec: '*'
+topics:
+  - Accounts
+  - Enterprise
+  - Fundamentals
+---
+
+## How should I use the setup user?
+
+The setup user is **only** intended to be used for:
+
+* Configuring authentication and provisioning
+* SCIM provisioning via its {% data variables.product.pat_generic %}
+* Regaining access to your enterprise in the event of an issue with your identity provider, by utilizing the enterprise's SAML recovery codes
+
+For other enterprise administration tasks, such as creating organizations, use a provisioned managed user account with the appropriate administrative role.
+
+## How do I sign in as the setup user?
+
+After we create your enterprise, you will receive an **email** inviting you to choose a password for the setup user. 
+
+When you create the password, you should enable two-factor authentication (2FA) for the account. All subsequent login attempts for the setup user account will require a successful 2FA challenge response.
+
+If the enterprise account has enabled single sign-on and the setup user has **not** enabled 2FA, they must use an enterprise recovery code to authenticate. To avoid being locked out of your account, after enabling single sign-on, **save your enterprise recovery codes**. See [AUTOTITLE](/admin/managing-iam/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-single-sign-on-recovery-codes#downloading-codes-for-an-enterprise-with-enterprise-managed-users).
+
+{% data reusables.enterprise-accounts.emu-password-reset-session %}
diff --git a/...ta-residency/getting-started-with-data-residency-for-github-enterprise-cloud.md b/...ta-residency/getting-started-with-data-residency-for-github-enterprise-cloud.md
@@ -71,10 +71,9 @@ Using an **incognito or private browsing window**:
 
    > [!NOTE]
    > If 2FA isn't enabled, you will need to enter your enterprise's single sign-on (SSO) recovery code each time you sign in as the setup user. You can download these codes once SSO is enabled.
-
 {% data reusables.enterprise-accounts.emu-recommend-password-manager %}
 
-{% data reusables.enterprise-accounts.emu-password-reset-session %}
+{% data reusables.enterprise-accounts.about-setup-user %}
 
 ### Create a {% data variables.product.pat_generic %}
 

diff --git a/...erstanding-iam-for-enterprises/getting-started-with-enterprise-managed-users.md b/...erstanding-iam-for-enterprises/getting-started-with-enterprise-managed-users.md
@@ -40,21 +40,9 @@ Using an **incognito or private browsing window**:
 
    > [!WARNING]
    > All subsequent login attempts for the setup user account will require a successful 2FA challenge response.
-
-   > [!IMPORTANT]
-   > If the enterprise account has enabled single sign-on and the setup user hasn’t enabled 2FA, they must use an enterprise recovery code to authenticate. To avoid being locked out of your account, after enabling single sign-on, save your enterprise recovery codes. For more information, see [AUTOTITLE](/admin/managing-iam/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-single-sign-on-recovery-codes#downloading-codes-for-an-enterprise-with-enterprise-managed-users) and the related [changelog on {% data variables.product.prodname_blog %}](https://github.blog/changelog/2025-01-17-setup-user-for-emu-enterprises-requires-2fa-or-use-of-a-recovery-code/).
-
-{% data reusables.enterprise-accounts.emu-password-reset-session %}
-
 {% data reusables.enterprise-accounts.emu-recommend-password-manager %}
 
-   > [!NOTE]
-   > Once single sign-on has been configured on the enterprise, the setup user is only intended to be used going forwards for:
-   >
-   > * SCIM provisioning via its {% data variables.product.pat_generic %}.
-   > * To regain access to your enterprise in the event of an issue with your identity provider by utilizing the enterprise's SAML recovery codes.
-   >
-   > For other enterprise administration tasks, you should use a provisioned managed user account with the enterprise owner role.
+{% data reusables.enterprise-accounts.about-setup-user %}
 
 ## Create a {% data variables.product.pat_generic %}
 

diff --git a/...ecurity/concepts/security-at-scale/about-enabling-security-features-at-scale.md b/...ecurity/concepts/security-at-scale/about-enabling-security-features-at-scale.md
@@ -40,29 +40,19 @@ For more information on purchasing {% data variables.product.prodname_GH_cs_or_s
 
 There are two types of {% data variables.product.prodname_security_configuration %}:
 
-* **The {% data variables.product.prodname_github_security_configuration %}**. This configuration is a collection of enablement settings created and managed by subject matter experts at {% data variables.product.company_short %}. The {% data variables.product.prodname_github_security_configuration %} is designed to adequately secure any repository, and can easily be applied to all repositories in your organization.
-* **{% data variables.product.prodname_custom_security_configurations_caps %}**. These are configurations you can create and edit yourself, allowing you to choose different enablement settings for groups of repositories with specific security needs.
+* **The {% data variables.product.prodname_github_security_configuration %}**, which is a collection of enablement settings created and managed by subject matter experts at {% data variables.product.company_short %}
+* **{% data variables.product.prodname_custom_security_configurations_caps %}**, which are configurations you can create and edit yourself, allowing you to meet your specific security needs
 
-{% endif %}
-
-{% ifversion security-configurations-ghes-only %}
+For more detailed information on {% data variables.product.prodname_security_configurations %}, see [AUTOTITLE](/code-security/concepts/security-at-scale/security-configurations).
 
-You can customize {% data variables.product.prodname_security_configurations %}, allowing you to choose different enablement settings for groups of repositories with specific security needs.
+{% elsif security-configurations-ghes-only %}
 
-You will only ever see enablement settings for features that have been installed on your {% data variables.product.prodname_ghe_server %} instance by an enterprise administrator.
+{% data reusables.security-configurations.custom-configuration-intro-ghes %}
 
 To learn how to create {% data variables.product.prodname_custom_security_configurations %}, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration).
 
 {% endif %}
 
-{% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases %}
-
-Each repository can only have one {% data variables.product.prodname_security_configuration %} applied to it. {% ifversion security-configurations-cloud %}To find out how you should get started with {% data variables.product.prodname_security_configurations %}, see [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/choosing-a-security-configuration-for-your-repositories).{% endif %}
-
-{% ifversion security-configurations-api %}
-You can also create and manage security configurations using the REST API. For more information, see [AUTOTITLE](/rest/code-security/configurations).
-{% endif %}
-
 ## About {% data variables.product.prodname_global_settings %}
 
 While {% data variables.product.prodname_security_configurations %} determine repository-level security settings, {% data variables.product.prodname_global_settings %} determine your organization-level security settings, which are then inherited by all repositories. With {% data variables.product.prodname_global_settings %}, you can customize how security features analyze your organization{% ifversion ghes < 3.16 %}, as well as grant a team permission to manage security alerts and settings across your organization{% endif %}.

diff --git a/content/code-security/concepts/security-at-scale/about-security-configurations.md b/content/code-security/concepts/security-at-scale/about-security-configurations.md
diff --git a/...ts/security-at-scale/choosing-a-security-configuration-for-your-repositories.md b/...ts/security-at-scale/choosing-a-security-configuration-for-your-repositories.md
diff --git a/content/code-security/concepts/security-at-scale/index.md b/content/code-security/concepts/security-at-scale/index.md
@@ -16,8 +16,7 @@ topics:
 contentType: concepts
 children:
   - /about-enabling-security-features-at-scale
-  - /about-security-configurations
-  - /choosing-a-security-configuration-for-your-repositories
+  - /security-configurations
   - /about-security-overview
   - /about-security-campaigns
   - /auditing-security-alerts