Microsoft Team Onboarding

If you work on or with the .NET Team, you will need to onboard into various GitHub projects in order to get your work done.

Join .NET teams in dotnet and Microsoft orgs

You need to link your GitHub and @microsoft.com accounts. Click the link:

Link your GitHub account

You need to join teams in two organizations. Click the two links:

After you join the teams:

Users will be able to @mention you on .NET Core Repos
You will be able to access to private repos we maintain
You will get write access to a subset of repos

Configure your GitHub account as a Microsoft employee (recommended)

Publicly associate yourself with dotnet and Microsoft orgs
- For Microsoft, go to https://github.com/orgs/Microsoft/people
- For dotnet, go to https://github.com/orgs/dotnet/people
- Search for your GitHub handle in the list
- Choose Public from the drop-down list of organization visibility
- Note: Everyone will now see an org badge on your GH profile in the Organizations section
Update your profile
- Go to https://github.com/settings/profile
- Match your Name on GitHub with full name in address book (so other employees can find you and contact you internally when needed)
- Set @Microsoft as your Company
- Upload your picture, ideally showing your face
  - Hint: You can grab your GAL picture from https://microsoft-my.sharepoint.com

Install Microsoft open source tools (recommended)

The tools make it easier to use open source and participate in open source projects:

Browser Extension -- Identifies Microsoft employees on GitHub.
VS Code Extension -- Provides information about known vulnerabilities.

The browser extension is recommended. The VS code extension is optional.

Get write permissions to repos (optional)

Join teams to gain write access to repos:

Request team membership via https://repos.opensource.microsoft.com/teams
Ask someone if you don't know which team(s) to join.
Select Request to join this team on the right side - it will send email request to maintainers of the team

Security best practices

Enabling 2FA doesn't necessarily mean your account is secure. SMS (phone texts) is not secure as a 2FA method and should be avoided if possible. You can see failed login attempts on your account to get some sense of the risk you have.

The following best practices are required for org owners, and recommended for repo admins.

Do register a security key(s) as a two factor method.
Do register an authenticator app -- registering a one-time-password with an app like 1Password is recommended (not tied to your phone).
Do store recorvery codes in a safe place, like OneDrive Vault, 2FA-protected OneNote or in a password vault like 1Password.
Do register your GitHub account with your 2FA-protected Facebook account for GitHub account recovery. This is the absolute last recovery option and is considered secure (even if your Facebook account is breached).
Do not use SMS for 2FA or as a recovery fallback.

Note: If you completely lose access to login to your account, GitHub support will not be able to recover your account. That's why all of these options are covered.

A few more notes on hardware keys:

You should have at least one hardware key that does not travel with you, but is stored in a secure location (like at home) as a last resort in case you lose access to other factors.
If you have a FIDO2 key, it can be used with mysignins.
If you have USB-C and USB-A only devices, and want to use hardware keys for them, then you need separate keys. This explains why the example below has three keys registered (one securely stored at home, and two keys for daily use for USB-C and USB-A only devices).
You can use Windows Hello to signin as a hardware key. This is fine to use, but doesn't replace the need for hardware key that you store in a secure location.Your Windows Hello key is not tied to you, but the machine. It won't survive hardware failures or re-installing Windows.

A correctly configured account should look similar to the following: