The GH-100 doesn't test GitHub. It tests whether you can govern it at scale. Every question is framed around what an enterprise admin would configure, enforce, or report on, not what a developer would commit or push. That distinction separates candidates who pass on the first attempt from those who spend 80 hours studying the wrong things.
The Short Version
- The exam has five domains as of July 2026. If your study materials reference seven domains, they're outdated. Update your sources before you start.
- Security (Domain 3) is 25–30% of the exam. It should get most of your time, by a wide margin.
- Actions (Domain 4) is 20–25%. The exam tests admin policy controls over Actions, not how to write workflow YAML. This trips up a lot of DevOps candidates.
- GHEC vs GHES is a recurring test vector across multiple domains. Build a comparison table early and keep adding to it.
- The exam includes interactive/simulation components, not just multiple choice. Visit the exam sandbox at GHCertDemo.starttest.com before you book.
- Study hours vary widely depending on your background. Some community reports suggest 30–80 hours; the official GitHub community recommends a 4-week structured approach. Neither is a guarantee.
- Pass rate isn't published. Specific community pass rate data is limited because the exam only moved to Pearson VUE in July 2025. Don't base your confidence on benchmarks that don't exist yet.
What This Exam Is Really Optimizing For
Most enterprise certifications test whether you know what a product does. GH-100 tests something harder: whether you understand what an administrator is responsible for, and how GitHub's security and governance controls map to that responsibility.
The question style reflects this. You'll rarely see "what does this feature do?" You'll see "a security team requires all repositories to scan for hardcoded credentials before merge, which configuration achieves this?" That's not a vocabulary question. It's a judgment call about which GitHub control fits which enterprise requirement, and why.
The mental model that makes this click: every GitHub feature you study is a control that an admin either enables, enforces, delegates, or restricts. If you study SAML SSO, study it as a policy decision: who does it apply to, at what level (org or enterprise), what happens to existing sessions when you enforce it, and what breaks. That's the framing the exam rewards.
Exam at a Glance
| Item | Details |
|---|---|
| Exam Code | GH-100 |
| Cost | $99 USD (varies by country/region) |
| Duration | 100 minutes |
| Questions | Approximately 66 scored questions (community-reported; official count not published); may include unscored beta items |
| Passing Score | 700/1000 |
| Format | Multiple choice, multiple response, scenario-based, simulation/interactive components |
| Validity | 2 years (certifications earned via Pearson VUE on or after July 1, 2025) |
| Testing Options | Online proctored (OnVUE) or test center (Pearson VUE) |
| Retake Policy | 24 hours after first attempt; subsequent retake timing follows Microsoft policy |
| Current Version | Updated July 2026 (7-domain to 5-domain restructure) |
100 minutes for approximately 66 questions works out to roughly 90 seconds per question. That's tighter than it sounds for scenario-based items: some questions have four plausible answers and require you to identify the best administrative response, not just a technically correct one. The interactive/simulation components, where you may navigate a simulated GitHub interface to configure settings, don't let you skip and return easily. Read instructions before clicking.
The July 2026 restructure consolidated the original seven domains into five. Domain weights shifted significantly: the security domain dropped from approximately 36% to 25–30% (still the heaviest domain), and two new combined domains absorbed content from multiple old ones. If you find a study guide that references "Domain 5: Security and Compliance" at 36%, or mentions a standalone Packages domain, it's pre-restructure. The official Microsoft Learn study guide at learn.microsoft.com is the canonical source; check its Skills Measured section before trusting any third-party breakdown, including this one.
Scoring is scaled from 0–1000. The passing threshold is 700. Community reports of actual passing scores are limited given the exam's recent beta history, so don't calibrate your readiness to a specific target score. Hit 700. Everything above that is margin.
Who Should Take This Exam (and Who Should Wait)
This cert is designed for people managing GitHub at the organization or enterprise level: platform engineers owning GHEC deployments, DevOps leads responsible for Actions runner infrastructure, IT administrators governing user access across a company's GitHub environment, and security engineers building compliance processes on top of GitHub Advanced Security.
If you've spent 6–12 months doing hands-on GitHub Enterprise administration (configuring SSO, managing runners, reviewing audit logs, setting security policies), you're in the right place. The exam assumes you already know what a pull request is, what a branch does, and how repositories work. It doesn't explain fundamentals.
Who should wait: developers who use GitHub daily but have never administered an organization or enterprise account. The gap between "I push code to GitHub" and "I govern GitHub for 500 developers" is significant, and this exam is firmly on the administration side. If you're new to Enterprise, get hands-on time in a real or trial GitHub organization before scheduling.
The Five Domains, in Prep Order
The study guide presents domains in a numbered sequence. I'd suggest studying them in a different order, weighted by exam impact.
Domain 3, Implement Secure Software Development and Compliance (28%)
Start here. At 25–30% of the exam, this is the domain that determines whether you pass or fail. The community is consistent on this point: it requires scenario-based reasoning, not just feature memorization.
The scope covers secret scanning, CodeQL code scanning, Dependabot (alerts, security updates, and the dependency graph), security advisories, audit logging via REST and GraphQL APIs, and the full token governance model. That last one is denser than it looks. There are five distinct token types: personal access tokens (PATs), installation tokens, OAuth tokens, device tokens, and refresh tokens. Each has specific use cases. The exam tests you on which token type applies in which scenario, not just that they exist.
GitHub Apps vs OAuth Apps is another area that candidates underestimate. The exam expects you to understand the security implications of each, when an enterprise admin would approve or deny an app based on policy, and how permissions differ. It's deeper than a single bullet in a study guide.
The audit log API questions test specific use cases for REST vs GraphQL. The pattern across pass reports: know that REST is appropriate for point queries and simple exports, while GraphQL is preferred for streaming audit log data or complex filtered queries. Know both at the org and enterprise level, and know what evidence each produces for compliance reporting.
On exam day, every question in this domain presents a security requirement and asks you to map it to the correct GitHub control. Pure memorization fails here. You need to understand why CodeQL catches what it catches, what secret scanning does and doesn't cover, and what triggers a Dependabot security update vs a version update.
Domain 4, Manage GitHub Actions (23%)
Second in weight, and the domain with the highest candidate confusion rate. The failure pattern is predictable: DevOps engineers who know Actions well prepare by reviewing workflow YAML syntax. The exam doesn't test YAML. At all.
What it tests: policies that restrict which actions can run in an organization or enterprise, how runner groups control which repositories can access which runners, the security implications of self-hosted runners on public repositories, IP allow list effects on both GitHub-hosted and self-hosted runners, encrypted secret scoping at repository vs organization vs enterprise level, and how to distribute reusable workflows across an enterprise. That last point, enterprise-wide required workflows, is specifically in scope and often underrepresented in prep materials.
Runner proxies, labels, group management, and Azure private networking for GitHub-hosted runners are all in scope. Third-party vault integration for secrets management also appears, and it's less studied than it should be.
If you can answer "which policy setting prevents an organization from using actions from outside GitHub.com?" and "what happens to a self-hosted runner's security posture when it's accessible from a public repository?", you're thinking in the right direction.
Domain 1, Manage GitHub Identities and Access (18%)
The identity and access domain covers two distinct conceptual layers that the exam treats as closely related: who you are in GitHub, and what you're allowed to do.
On the identity side: Enterprise Managed Users (EMU) vs personal accounts, SAML SSO configuration at org and enterprise level, SCIM provisioning with Azure AD and Okta, and how IdP choice affects what features are available. EMU appears heavily on this exam. You need to know what EMU restricts (members can't own personal repositories outside the enterprise, can't contribute to external organizations), what it enables (centralized identity lifecycle management), and what the architectural trade-offs are.
The SCIM vs team synchronization distinction is tested precisely. These mechanisms are related but not the same: SCIM handles user provisioning and deprovisioning via the IdP, while team synchronization maps IdP groups to GitHub teams. They have different supported providers, different configuration steps, and different failure modes. Candidates who conflate them lose points on multiple questions.
On the access side: organization roles, enterprise roles, repository roles, and outside collaborators vs organization members. Rulesets vs branch protection rules is another precision trap: know the difference, when each applies, and which can be enforced at enterprise level.
The principle of least privilege is a recurring framing for access questions. If the exam gives you a scenario with multiple role assignment options, the correct answer is almost always the one that grants necessary access without excess.
Domain 2, Administer GitHub Enterprise Environment (13%)
This domain covers the deployment models, licensing, and operational support layer. The four deployment scenarios are: GHEC with EMU, GHEC with Data Residency plus EMU, GHEC with personal accounts, and GHES. You need to know which capabilities are available in which model: data residency, for example, is only available in specific GHEC configurations and not in standard GHES deployments.
Billing deserves more attention than candidates give it. Seat licenses, metered GitHub Actions minutes, and Packages storage all work differently. The exam tests whether you understand these models at the level an admin would when explaining consumption to a finance team.
The admin vs GitHub Support boundary questions test practical judgment. Some issues can be resolved by an enterprise admin; others require escalating to GitHub Support with a support bundle. Know the difference, and know how to generate a support bundle.
Some candidates report unexpected depth on GHES-specific topics despite this domain's lower weight. Don't completely ignore GHES operational concepts.
Domain 5, Monitor and Optimize GitHub Usage (13%)
This domain was created in the July 2026 restructure. Limited community data on specific question patterns exists because the restructure is recent. Based on overlap with previous content, limited community reports suggest scenario questions about identifying underutilized features, interpreting billing and consumption reports, and knowing when to escalate to GitHub Support vs handle internally. GitHub REST and GraphQL API knowledge for pulling usage and audit data is likely tested here as well as in Domain 3.
Some community reports suggest this domain covers familiar operational territory and is less pressure-intensive given the lower weight. Take that assessment with appropriate caution; it's based on limited post-restructure data.
The Week-by-Week Prep Path
Weeks 1–2: Foundation and identity.
Start with the official Microsoft Learn learning paths for foundational concepts, both Part 1 and Part 2 of the GitHub Administration path, then transition to scenario-based practice with CertCompanion's GH-100 question bank at /exams/microsoft-github-administration-gh-100 to prepare for exam-style questions. The Microsoft Learn paths are free, maintained by the exam provider, and give you the vocabulary and conceptual framework you need before going deeper. The weakness: they're beginner-oriented. Finishing both modules doesn't mean you're ready for the exam. Don't mistake completion for readiness.
During these two weeks, also build your GHEC vs GHES comparison table. This is the single most impactful study artifact for this exam. Column headers: feature name. Rows: availability in GHEC with personal accounts, GHEC with EMU, GHEC with Data Residency plus EMU, and GHES. Fill it in as you study each domain. You'll use it until exam day.
Take the official Microsoft Learn free practice assessment early, not to judge readiness, but to identify gaps. It's free, it's from the exam provider, and it tells you where you're soft. Do it in Week 1, not the night before.
Weeks 3–4: Security and Actions deep dive.
Allocate your most focused study time here. Domain 3 gets the most time. Domain 4 gets the second most. Read the GitHub Advanced Security documentation directly: CodeQL, secret scanning, Dependabot. Then read the GitHub Actions administration documentation: runner groups, IP allow lists, encrypted secrets scoping, required workflows.
This is also when hands-on practice pays off. If you have access to a GitHub organization, even a free personal one, configure SSO settings (even without enforcing them), set up a Dependabot alert workflow, and review your audit log. Test the REST API for audit log queries. The exam rewards people who've seen these configuration screens, not just read about them.
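For the hands-on step above, an added example (not from the original article or from GitHub) that builds the organization audit log REST query, follows its `Link`-header pagination, and reduces events to a small evidence report. The org name, the watched-action list and the sample events are constructed assumptions; the live call needs a token permitted to read the audit log.

```python
"""Added example: org audit log over REST, reduced to review evidence."""
import json
import re
import urllib.parse
import urllib.request
from collections import Counter
from datetime import datetime, timezone

API = "https://api.github.com"

# Assumption: the actions this hypothetical review treats as governance-relevant.
WATCHED_ACTIONS = {
    "org.disable_saml",
    "org.disable_two_factor_requirement",
    "protected_branch.destroy",
}

# Constructed sample events, shaped like audit-log entries (@timestamp is in ms).
SAMPLE_EVENTS = [
    {"@timestamp": 1767225600000, "action": "repo.create", "actor": "alice",
     "org": "example-org", "repo": "example-org/payments"},
    {"@timestamp": 1767232800000, "action": "org.disable_two_factor_requirement",
     "actor": "carol", "org": "example-org"},
    {"@timestamp": 1767229200000, "action": "protected_branch.destroy",
     "actor": "bob", "org": "example-org", "repo": "example-org/payments"},
    {"@timestamp": 1767236400000, "action": "repo.create", "actor": "alice",
     "org": "example-org", "repo": "example-org/docs"},
]


def build_audit_log_url(org, phrase="", include="all", per_page=100):
    """URL for GET /orgs/{org}/audit-log; include is web, git or all."""
    query = {"include": include, "per_page": per_page, "order": "desc"}
    if phrase:
        query["phrase"] = phrase  # audit log search syntax, e.g. action:repo.create
    path = f"/orgs/{urllib.parse.quote(org, safe='')}/audit-log"
    return f"{API}{path}?{urllib.parse.urlencode(query)}"


def next_page_url(link_header):
    """Return the rel="next" target of a Link header, or None on the last page."""
    match = re.search(r'<([^>]+)>\s*;\s*rel="next"', link_header or "")
    return match.group(1) if match else None


def fetch_events(org, token, phrase=""):
    """Live call: follow cursor pagination until no next page is advertised."""
    url, events = build_audit_log_url(org, phrase), []
    while url:
        request = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        })
        with urllib.request.urlopen(request, timeout=30) as response:
            events.extend(json.load(response))
            url = next_page_url(response.headers.get("Link"))
    return events


def evidence_report(events):
    """Count events per action and list watched actions in time order."""
    counts = Counter(e.get("action", "unknown") for e in events)
    findings = []
    for e in sorted(events, key=lambda e: e.get("@timestamp", 0)):
        if e.get("action") not in WATCHED_ACTIONS:
            continue
        ts = e.get("@timestamp")
        when = (datetime.fromtimestamp(ts / 1000, tz=timezone.utc).isoformat()
                if ts is not None else None)
        findings.append({"when": when, "actor": e.get("actor"),
                         "action": e["action"],
                         "target": e.get("repo") or e.get("org")})
    return {"counts": dict(counts), "findings": findings}


if __name__ == "__main__":
    # Offline run over the constructed events; swap in fetch_events(...) for live data.
    print(json.dumps(evidence_report(SAMPLE_EVENTS), indent=2))
```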
Week 4–Day before: Practice exams and gap-closing.
Practice with CertCompanion's GH-100 question bank at /exams/microsoft-github-administration-gh-100. Aim for consistent 80–85% before scheduling. The pattern across pass reports: people who rushed to schedule after one 70% practice run regretted it.
Also visit GHCertDemo.starttest.com to experience interactive question types. If the exam includes simulation components requiring you to navigate a GitHub UI, you want to see that format once before exam day.
How to Prepare: Resources
The official learning path is your starting point, not your finish line. The two Microsoft Learn GitHub Administration paths (Part 1 and Part 2) cover the conceptual territory and are updated to reflect current exam objectives. Work through them in order. Flag every term you're uncertain about and look it up in the official GitHub documentation.
Use the GitHub documentation directly for Domains 3 and 4. The GitHub Enterprise Cloud documentation, GitHub Advanced Security documentation, and GitHub Actions administration documentation are the primary sources for exam content. Reading a summary of CodeQL is not the same as reading the actual CodeQL documentation once.
Practice exams: use CertCompanion as your primary tool for readiness measurement. The GH-100 question bank is built around the 5-domain structure and lets you drill by domain, which matters here because Domain 3 and Domain 4 together represent nearly half the exam.
Official tools and resources:
- Microsoft Learn free practice assessment: free, from the exam provider, worth doing twice (once early to find gaps, once late to confirm readiness)
- GHCertDemo.starttest.com: the exam sandbox; use it before you schedule so interactive question types don't surprise you
- Official GH-100 study guide at learn.microsoft.com: the canonical domain and sub-topic list; treat this as your checklist, not a summary
- GitHub Community 4-week prep discussion (#174475): official GitHub-run study group with curated resources and Q&A with GitHub staff; free
One piece of advice worth pushing back on: several community sources recommend aiming for 90% on practice exams before scheduling. That's a high bar, and it can cause candidates to over-prepare on material they already know while neglecting genuine weak spots. A consistent 80–85% with clear understanding of where your remaining errors cluster is a better signal than a raw percentage.
One thing to skip: detailed study of GitHub CLI commands. They're not tested on the administration certification. Every hour spent there is an hour not spent on the audit log API, which absolutely is tested.
ROI: What the Cert Costs vs What It Pays
The GH-100 costs $99 for the exam. Budget another $0–50 in prep materials if you use only free resources (official Microsoft Learn paths, the exam sandbox). Call it $150–200 all-in if you add a practice test subscription.
Per Indeed, DevOps engineers average $132,304/year in the United States. Roles explicitly requiring GitHub Enterprise administration skills sit in the $80,000–$160,000+ range depending on seniority and industry. Community reports suggest a meaningful share of certified professionals see salary movement post-certification, though no verified figure specific to GH-100 holders exists.
A conservative 3–5% salary bump on a $120,000 base is $3,600–$6,000 per year. The all-in prep cost for GH-100 is under $200. The ROI math works in the first month if the cert helps you land a role bump, a new position, or pass a credential check for a regulated-industry contract.
The more realistic framing: this cert signals something that's harder to demonstrate in an interview. Enterprise GitHub administration requires knowing how SAML SSO interacts with EMU at the org vs enterprise level, why SCIM and team synchronization aren't the same thing, and which audit log API to use for compliance evidence. That's operational credibility, and it matters in environments where GitHub governs access to production code.
Where Candidates Lose Points
The failure reports are consistent on this point: most candidates who fail GH-100 don't fail because the material is obscure. They fail because they studied the wrong things confidently.
The most common failure patterns, in roughly descending frequency: studying Actions workflow YAML syntax instead of admin policy controls, skipping the GHEC vs GHES feature comparison, underestimating Domain 3's scenario-based reasoning requirements, confusing SCIM with team synchronization, and using study materials that reference the old 7-domain structure.
A few surprises that multiple experience threads mention: the depth on token types is greater than most candidates expect. Five token types, each with specific use cases, is not a quick review. The GitHub Apps vs OAuth Apps distinction requires understanding security implications, not just knowing both exist. And the audit log API questions distinguish between REST and GraphQL use cases specifically, not generically.
What shows up repeatedly in community threads as a registration mistake: using a work or school Azure AD account instead of a personal Microsoft Account (MSA). Certifications tied to work accounts can be permanently inaccessible if you leave that employer. Register with a personal MSA. This is one of those things that's obvious in hindsight and painful to discover after the fact.
Study Hours by Background
Community reports on study time have limited source depth given the exam's recent history. The ranges below reflect available data and should be treated as estimates, not benchmarks.
| Background | Estimated Hours | Notes |
|---|---|---|
| GitHub Enterprise admin with 1+ years hands-on GHEC/GHES experience | 20–40 hours | Familiar with SAML SSO, Actions, security features. Focus study on token types, SCIM vs team sync distinctions, and Domain 5 (new content). |
| DevOps engineer or org admin with 6–12 months GitHub experience | 40–60 hours | Knows GitHub basics, limited Enterprise exposure. Spend proportionally on GHEC vs GHES comparison and Domain 3 scenario practice. |
| IT admin or developer new to GitHub Enterprise | 60–100+ hours | Needs foundational GitHub Enterprise concepts plus administration depth. The official 4-week structured prep is a reasonable anchor. |
On Exam Day
Online proctored (OnVUE) requires a completely clear desk: no books, no second monitors, no phones in reach. Run the Pearson VUE system check a few days before the exam, not the morning of. Schedule during low-distraction times; OnVUE is available 24/7.
If your internet connection is unreliable or your home environment is noisy, book a test center. The proctoring experience is more predictable.
Bring valid government-issued photo ID with a signature. The name on your ID must match your registration exactly; a mismatch is treated as a missed appointment with no refund.
For the exam itself: 90 seconds per question is the ceiling, not the target. Flag difficult scenario questions and return after completing items you're confident on. For interactive/simulation questions, read the instructions before clicking; navigation in a simulated GitHub UI may have specific requirements that aren't obvious from the prompt alone.
You can schedule up to 90 days in advance via Pearson VUE through Microsoft Learn. Cancel or reschedule at least 24 hours before your appointment or you forfeit the exam fee.
Scores post immediately for most question formats. Your Credly badge and Microsoft certification transcript update within a few days of passing.
After You Pass
The GH-100 validates something specific: you understand how to govern GitHub at enterprise scale. That's a capability that matters in organizations running GHEC or GHES deployments for hundreds or thousands of developers, particularly in regulated industries like finance, healthcare, and government where audit evidence and access controls carry compliance weight.
Per Indeed's 2025 salary data, DevOps engineers in the US average $132,304/year, with senior roles reaching $175,000+. According to Glassdoor, GitHub-employed professionals average around $137,000. These figures reflect the broader DevOps and platform engineering market, not GH-100 holders specifically, but roles listing GitHub Enterprise administration as a requirement sit in that range.
The cert is valid for 2 years. Microsoft hasn't published a specific recertification exam yet, but the pattern for Microsoft credentials is a recertification exam at renewal.
Where to go next:
GitHub Advanced Security (GH-500) is the natural follow-on. It deepens everything you studied in Domain 3 (CodeQL, secret scanning, Dependabot) into a full security specialization. If Domain 3 was your strongest domain on GH-100, GH-500 is the logical next step.
GitHub Actions (GH-200) is the right path if Domain 4 is where you want to go deeper. It moves beyond admin controls into full workflow design and CI/CD pipeline management. For DevOps-focused engineers, pairing GH-100 and GH-200 covers the administrative and engineering sides of the same platform.
For engineers working in Azure environments alongside GitHub, the Azure DevOps Engineer Expert (AZ-400) pairs well with GH-100 for organizations running both platforms. The HashiCorp Terraform Associate is worth considering if you're managing self-hosted runner infrastructure or IaC workflows.
Frequently Asked Questions
Is GH-100 hard?
Frankly, it depends on what you bring to it. GitHub Enterprise admins with a year of hands-on experience often find the content familiar; the challenge is the scenario-based framing and the precision the exam requires around terminology. Developers who use GitHub daily but have never administered an enterprise account face a steeper curve. The security domain (Domain 3) is the hardest for most candidates, not because it's abstract, but because it requires matching specific GitHub controls to specific enterprise requirements under exam conditions.
How many hours do I need to study?
There's no one-size-fits-all answer here. Available reports suggest a range of 30–80 hours depending on your background, with the official GitHub community recommending a 4-week structured approach. Enterprise admins with deep GHEC/GHES experience may need closer to 20–40 hours. Candidates new to GitHub Enterprise should budget 60–100+ hours. What's consistent across all backgrounds: hands-on practice in a real GitHub organization matters as much as study time.
Does GH-100 expire?
Yes. Certifications earned via Pearson VUE on or after July 1, 2025 are valid for 2 years. You'll need to recertify before the credential expires.
Are there prerequisites?
No formal prerequisites. However, the exam assumes working knowledge of GitHub fundamentals (repositories, pull requests, organizations) and targets people with enterprise administration experience. If you've never managed a GitHub organization or worked with GitHub Enterprise, treat the experience recommendation seriously: 6–12 months hands-on is the community guidance.
What's the GH-100 pass rate?
No published pass rate exists. Reliable community pass rate data isn't available given the exam's recent beta launch and transition to Pearson VUE in July 2025. Don't base your preparation strategy on a pass rate benchmark that doesn't exist.
What happens if I fail?
You can retake the exam 24 hours after your first attempt. Subsequent retakes follow Microsoft's standard retake policy. The $99 fee applies each attempt. Budget for the possibility of a retake when planning your prep.
Is the GH-100 worth it for my career?
The cert is worth it for people managing or aiming to manage GitHub at enterprise scale: platform engineers, DevOps leads, security engineers, IT administrators in organizations running GHEC or GHES. For pure developers with no administrative responsibilities, the ROI is lower. The strongest case is in regulated industries where proving GitHub governance competence matters for compliance contracts or internal credentialing requirements.
My study materials show seven domains. Is that right?
No. The exam restructured from seven domains to five in July 2026. Domain names, weights, and some content changed significantly. Use the official Microsoft Learn study guide (learn.microsoft.com/en-us/credentials/certifications/resources/study-guides/gh-100) as your canonical reference. Any third-party guide listing a standalone Domain 6 for Actions or Domain 5 for Security at 36% is using pre-restructure content.
Closing
GH-100 is a policy and governance exam built on top of a platform most candidates think they already know. The candidates who pass without drama are the ones who study it that way: not as a GitHub features quiz, but as an enterprise administration decision-making test. Build the GHEC vs GHES comparison table. Allocate disproportionate time to Domain 3. Don't touch Actions YAML. Practice with scenario-based questions until the "which control addresses this requirement" pattern becomes automatic.
The exam costs $99. The prep path, done right, takes four to six weeks. What you come out with is a credential that demonstrates operational maturity with GitHub at enterprise scale, backed by the Microsoft certification ecosystem.
Start with the official practice assessment to find your gaps, then work through the domain breakdown at CertCompanion's GH-100 exam page to close them before you book.