github · docs-bot · Feb 17, 2026 · Feb 17, 2026 · Feb 17, 2026
diff --git a/content/admin/managing-iam/index.md b/content/admin/managing-iam/index.md
@@ -24,5 +24,6 @@ children:
   - /provisioning-user-accounts-with-scim
   - /reconfiguring-iam-for-enterprise-managed-users
   - /managing-recovery-codes-for-your-enterprise
+  - /respond-to-incidents
 ---
 
diff --git a/content/admin/managing-iam/respond-to-incidents/index.md b/content/admin/managing-iam/respond-to-incidents/index.md
@@ -0,0 +1,15 @@
+---
+title: Responding to security incidents in your enterprise
+intro: Take bulk action when facing a major security incident.
+versions:
+  feature: revoke-enterprise-tokens
+topics:
+  - Accounts
+  - Authentication
+  - Enterprise
+  - Identity
+children:
+  - /revoke-authorizations-or-tokens
+  - /lock-down-sso
+shortTitle: Respond to incidents
+---
diff --git a/content/admin/managing-iam/respond-to-incidents/lock-down-sso.md b/content/admin/managing-iam/respond-to-incidents/lock-down-sso.md
@@ -0,0 +1,38 @@
+---
+title: Locking down single sign-on in your enterprise
+intro: 'Take action in a security incident by blocking SSO for all users except enterprise owners.'
+permissions: 'Enterprise owners and users with the "Manage enterprise single sign-on configuration" fine-grained permission'
+product: 'Enterprises with managed users, or enterprises that have enabled SAML SSO for the enterprise or its organizations'
+versions:
+  feature: revoke-enterprise-tokens
+type: how_to
+topics:
+  - Accounts
+  - Authentication
+  - Enterprise
+  - Identity
+shortTitle: Lock down SSO
+---
+
+When your enterprise is affected by a major security incident, you can temporarily block single sign-on for all users except enterprise owners. This allows you to lock down access to your enterprise in order to investigate the incident within a more isolated surface area.
+
+The outcome of this action depends on your enterprise type:
+
+* **{% data variables.product.prodname_emus %}**: Prevents users from signing in to their {% data variables.enterprise.prodname_managed_user %} entirely.
+* **Enterprise with personal accounts**: Prevents users from authenticating to access SSO-protected resources or authorize tokens for SSO, but does not prevent them from signing in to their account and accessing non-protected resources.
+
+In either case, all existing active SSO sessions are terminated, including for enterprise owners, who can reauthenticate with SSO to access the enterprise during the lockdown.
+
+## Locking down single sign-on
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+1. Find the correct page for your enterprise type:
+   * **{% data variables.product.prodname_emus %}**: At the top of the page, click **Identity provider**.
+   * **Personal accounts**: Click **Settings** at the top of the page, then click **Authentication security** in the left sidebar.
+1. Scroll down to the "Danger zone" section and, next to "Single sign-on lockdown", click **Enable**.
+
+   >[!IMPORTANT] If you have the "Manage enterprise single sign-on configuration" permission but are **not** an enterprise owner, you can enable the lockdown, but you will be unable to authenticate with SSO while the lockdown is active. If your enterprise uses {% data variables.product.prodname_emus %} or has enabled SAML at the enterprise level, this means you will not be able to authenticate to disable the lockdown later.
+
+1. If you are an enterprise owner, reauthenticate with SSO.
+1. Once the investigation is complete and you are confident in resuming SSO authentication, come back to this section and disable the lockdown.
diff --git a/content/admin/managing-iam/respond-to-incidents/revoke-authorizations-or-tokens.md b/content/admin/managing-iam/respond-to-incidents/revoke-authorizations-or-tokens.md
@@ -0,0 +1,109 @@
+---
+title: Revoking SSO authorizations or deleting credentials in your enterprise
+intro: 'Respond to a security incident by taking bulk action on credentials with access to your enterprise.'
+permissions: 'Enterprise owners and users with the "Manage enterprise credentials" fine-grained permission'
+product: 'Enterprises with managed users, or enterprises that have enabled SAML SSO for the enterprise or its organizations'
+versions:
+  feature: revoke-enterprise-tokens
+type: how_to
+topics:
+  - Accounts
+  - Authentication
+  - Enterprise
+  - Identity
+shortTitle: Revoke authorizations or tokens
+---
+
+When your enterprise is affected by a major security incident, you can respond by preventing programmatic access to your enterprise or its organizations.
+
+In the  "Authentication security" section of your enterprise settings, you can review counts for user tokens and keys that are authorized for single sign-on (SSO). Then, if needed, you can use one of the following bulk actions in the "Danger zone":
+
+* **Revoke SSO authorizations** to remove access to SSO-protected organization resources for user credentials in your enterprise.
+* **Delete keys and tokens** to remove user tokens and SSH keys in your enterprise, even if they don't have an SSO authorization ({% data variables.product.prodname_emus %} only).
+
+>[!WARNING] These are high-impact actions that should be reserved for major security incidents. They are likely to break automations, and it could take months of work to restore your original state. For alternative options for responding to individual compromised tokens on a smaller scale, see the [Resources for smaller-scale responses](#resources-for-smaller-scale-responses) section.
+
+## Accessing the authentication security page
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+1. In the left sidebar, click **Authentication security**.
+
+## Reviewing credentials
+
+In the "Credentials" section, you can view how many credentials of each type have **at least one SSO authorization** for an organization in your enterprise. For more information, see [AUTOTITLE](/authentication/authenticating-with-single-sign-on/about-authentication-with-single-sign-on).
+
+The counts include:
+
+* {% data variables.product.pat_v2_caps_plural %}
+* {% data variables.product.pat_v1_caps_plural %}
+* User SSH keys
+* {% data variables.product.prodname_github_app %} and {% data variables.product.prodname_oauth_app %} user access tokens
+
+An exact count is displayed if there are 10,000 or fewer of a token type. Above that figure, the description `10k+ tokens` is displayed.
+
+## Taking bulk action (danger zone)
+
+Use the **Danger zone** bulk action buttons to respond to a security incident as needed. The following sections describe each action, which SSO authorizations or credentials are impacted, and related audit log events.
+
+>[!NOTE] If your enterprise does **not** use {% data variables.product.prodname_emus %} and has **not** enabled SAML SSO, neither of these actions is available. As an alternative, if you need users to replace {% data variables.product.pat_generic_plural %} as part of your incident response, you can configure an enterprise policy to expire all {% data variables.product.pat_generic_plural %}. See [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-personal-access-tokens-in-your-enterprise).
+
+### Revoke SSO authorizations
+
+This action is available for {% data variables.product.prodname_emus %} or enterprises that use SAML SSO.
+
+Revoking authorizations removes SSO authorizations for user tokens and SSH keys across all organizations in your enterprise.
+
+* Credentials that have had SSO authorizations revoked **cannot be re-authorized** for the affected organizations. To restore access, users must create new credentials and authorize them.
+* The credentials themselves are not deleted, and their permissions for the user and enterprise scopes, and for non-SSO-protected organizations, **remain active**.
+* Credentials that have not been authorized for SSO are **not affected**.
+
+Authorization for **{% data variables.product.pat_v2_plural %}** works differently, so this action has a different effect on this token type. For fine-grained PATs where an organization is the "resource owner," the resource owner is removed, removing access to organization resources. Users can change the resource owner back to the organization account, which may require approval (see [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-personal-access-tokens-in-your-enterprise#enforcing-an-approval-policy-for-fine-grained-personal-access-tokens)).
+
+### Delete keys and tokens
+
+This action is available for {% data variables.product.prodname_emus %} only.
+
+Deleting keys and tokens removes credentials that have access to your enterprise, regardless of whether they are authorized for SSO. The credentials stop working and are no longer visible in the UI.
+
+To restore programmatic access, users must create new credentials, authorize them with organizations if required, and update affected processes to use the new credentials.
+
+### Included credentials
+
+Both actions include the following credential types:
+
+* User SSH keys
+* {% data variables.product.prodname_oauth_apps %} user access tokens (`ghu_`)
+* {% data variables.product.prodname_github_app %} user access tokens
+* {% data variables.product.pat_v1_caps_plural %}
+* {% data variables.product.pat_v2_caps_plural %}
+
+Note that the "revoke authorizations" action works differently for {% data variables.product.pat_v2_plural %}, as explained above.
+
+The following credential types are **not** affected:
+
+* {% data variables.product.prodname_github_app %} installation tokens (`ghs_`)
+* {% data variables.product.pat_v2_caps_plural %}
+* Deploy keys
+* {% data variables.product.prodname_actions %} `GITHUB_TOKEN` access
+
+### Audit and security log events
+
+The "revoke authorizations" action generates the following events:
+
+* `org_credential_authorization.deauthorize`
+* `org_credential_authorization.revoke`
+* `personal_access_token.access_revoked`
+
+The "delete tokens" action also generates those events, and additionally generates the following events:
+
+* `oauth_access.destroy`
+* `personal_access_token.destroy`
+
+## Resources for smaller-scale responses
+
+The following articles describe alternative actions for managing incidents that are smaller in scope, where you can identify specific compromised tokens or user accounts.
+
+* [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token)
+* [AUTOTITLE](/code-security/tutorials/remediate-leaked-secrets/remediating-a-leaked-secret)
+* [AUTOTITLE](/rest/credentials/revoke) in the REST API documentation
diff --git a/content/copilot/concepts/billing/copilot-requests.md b/content/copilot/concepts/billing/copilot-requests.md
@@ -92,6 +92,7 @@ The available models vary depending on your {% data variables.product.prodname_c
 > * Discounted multipliers are available for using {% data variables.copilot.copilot_auto_model_selection %} in {% data variables.copilot.copilot_chat_short %} in {% data variables.product.prodname_vscode_shortname %}. See [AUTOTITLE](/copilot/concepts/auto-model-selection).
 >   * {% data reusables.copilot.auto-model-multiplier-discount %} For example, Sonnet 4 would be billed at .9x rather than 1x when using {% data variables.copilot.copilot_auto_model_selection_short %}.
 >   * Discounted multipliers are not available for {% data variables.copilot.copilot_free_short %}.
+> * The multiplier for {% data variables.copilot.copilot_claude_sonnet_46 %} may be subject to change.
 
 Each model has a premium request multiplier, based on its complexity and resource usage. If you are on a paid {% data variables.product.prodname_copilot_short %} plan, your premium request allowance is deducted according to this multiplier.
 

diff --git a/content/copilot/reference/ai-models/model-hosting.md b/content/copilot/reference/ai-models/model-hosting.md
@@ -59,6 +59,7 @@ Used for:
 * {% data variables.copilot.copilot_claude_opus_46 %}
 * {% data variables.copilot.copilot_claude_opus_46_fast %}
 * {% data variables.copilot.copilot_claude_sonnet_40 %}
+* {% data variables.copilot.copilot_claude_sonnet_46 %}
 
 These models are hosted by Amazon Web Services, Anthropic PBC, and Google Cloud Platform. {% data variables.product.github %} has provider agreements in place to ensure data is not used for training. Additional details for each provider are included below:
 

diff --git a/content/copilot/reference/ai-models/supported-models.md b/content/copilot/reference/ai-models/supported-models.md
@@ -92,6 +92,8 @@ The following table shows which AI models are available in each {% data variable
 
 ## Model multipliers
 
+{% data reusables.copilot.sonnet-46-model-multiplier-note %}
+
 Each model has a premium request multiplier, based on its complexity and resource usage. If you are on a paid {% data variables.product.prodname_copilot_short %} plan, your premium request allowance is deducted according to this multiplier.
 
 For more information about premium requests, see [AUTOTITLE](/copilot/managing-copilot/monitoring-usage-and-entitlements/about-premium-requests).

diff --git a/data/features/revoke-enterprise-tokens.yml b/data/features/revoke-enterprise-tokens.yml
@@ -0,0 +1,4 @@
+# Ability to view counts for and revoke tokens in the enterprise, issue #21100
+
+versions:
+  ghec: '*'
diff --git a/data/reusables/copilot/sonnet-46-model-multiplier-note.md b/data/reusables/copilot/sonnet-46-model-multiplier-note.md
@@ -0,0 +1,3 @@
+> [!NOTE]
+The multiplier for {% data variables.copilot.copilot_claude_sonnet_46 %} may be subject to change.
+
diff --git a/data/tables/copilot/model-multipliers.yml b/data/tables/copilot/model-multipliers.yml
@@ -37,6 +37,10 @@
   multiplier_paid: 1
   multiplier_free: Not applicable
 
+- name: Claude Sonnet 4.6
+  multiplier_paid: 1
+  multiplier_free: Not applicable
+
 - name: Gemini 2.5 Pro
   multiplier_paid: 1
   multiplier_free: Not applicable

diff --git a/data/tables/copilot/model-release-status.yml b/data/tables/copilot/model-release-status.yml
@@ -145,6 +145,13 @@
   ask_mode: true
   edit_mode: true
 
+- name: 'Claude Sonnet 4.6'
+  provider: 'Anthropic'
+  release_status: 'GA'
+  agent_mode: true
+  ask_mode: true
+  edit_mode: true
+
 # Google models
 
 - name: 'Gemini 2.5 Pro'

diff --git a/data/tables/copilot/model-supported-clients.yml b/data/tables/copilot/model-supported-clients.yml
@@ -69,6 +69,14 @@
   xcode: true
   jetbrains: true
 
+- name: Claude Sonnet 4.6
+  dotcom: true
+  vscode: true
+  vs: true
+  eclipse: false
+  xcode: false
+  jetbrains: false
+
 - name: Gemini 2.5 Pro
   dotcom: true
   vscode: true

diff --git a/data/tables/copilot/model-supported-plans.yml b/data/tables/copilot/model-supported-plans.yml
@@ -61,6 +61,13 @@
   business: true
   enterprise: true
 
+- name: Claude Sonnet 4.6
+  free: false
+  pro: true
+  pro_plus: true
+  business: true
+  enterprise: true
+
 - name: Gemini 2.5 Pro
   free: false
   pro: true

diff --git a/data/variables/copilot.yml b/data/variables/copilot.yml
@@ -148,6 +148,7 @@ copilot_claude_sonnet_35: 'Claude Sonnet 3.5'
 copilot_claude_sonnet_37: 'Claude Sonnet 3.7'
 copilot_claude_sonnet_40: 'Claude Sonnet 4'
 copilot_claude_sonnet_45: 'Claude Sonnet 4.5'
+copilot_claude_sonnet_46: 'Claude Sonnet 4.6'
 # Gemini:
 copilot_gemini: 'Gemini'
 copilot_gemini_flash: 'Gemini 2.0 Flash'
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		> [!NOTE]
		The multiplier for {% data variables.copilot.copilot_claude_sonnet_46 %} may be subject to change.