Click to upload or drag and drop
PDF, DOCX, PPTX, TXT, JPG, JPEG, PNG, HEIC, ODP, ODT, BMP, or TIFF
up to 20MB
Uploading...
GitHub Administration certification questions come from five domains, and the weighting surprises most candidates: identity and access management, the work everyone associates with admins, is only 15 to 20 percent of Exam GH-100. The biggest domain is secure software development and compliance at 25 to 30 percent, followed by GitHub Actions governance at 20 to 25 percent. You get 100 minutes, the exam is proctored, Microsoft's pricing feed lists GitHub exams under one family code at $99 US, and there is an official practice assessment on the certification page. The official change log says the exam changed significantly in July 2026, so any question set written earlier is testing the previous exam.
This guide walks through what the questions actually cover, domain by domain, based on the skills-measured outline on Microsoft Learn, stamped as of July 2026 and read in July 2026.
| Domain | Weight | What the questions ask about |
|---|---|---|
| Implement secure software development and compliance | 25 to 30% | Policies, rulesets, audit logging, secret scanning, CodeQL, Dependabot, security response plans, PAT and app governance |
| Manage GitHub Actions | 20 to 25% | Actions use policies, runner groups, IP allow lists, Azure private networking, secret scoping, third-party vaults |
| Manage GitHub identities and access | 15 to 20% | Managed users vs personal accounts, SAML SSO, 2FA, SCIM vs team sync, roles, enterprise teams, access audits |
| Administer GitHub Enterprise environment | 10 to 15% | The four deployment scenarios, licensing and billing, support bundles, developer process standards |
| Monitor and optimize GitHub usage | 10 to 15% | Audit log and API analysis, adoption patterns, metered product reports, license optimization |
Add the top two rows: security plus Actions governance is 45 to 55 percent of the paper. An admin who spends the day managing users and repositories has daily exposure to at most a quarter of the exam. That gap, not trick wording, is why experienced admins fail. The full breakdown with every named objective is on our GitHub Administration certification practice test page.
GitHub exam questions are scenario-first. Instead of "what does SCIM do," expect "a company syncs its identity provider groups to GitHub teams and new hires are not getting repository access; what is misconfigured?" The outline's verbs tell you the level: describe, configure, enforce, audit, monitor, recommend. That means single-best-answer multiple choice built around a situation, plus the interactive components the exam policy explicitly allows for.
Three scenario families show up across the whole outline. First, choose the right deployment: the July 2026 outline names four scenarios verbatim (GHEC with EMU, GHEC with Data Residency plus EMU, GHEC with personal accounts, and GHES), and questions hinge on what each one can and cannot do. Second, pick the right control at the right scope: repository ruleset or organization policy or enterprise policy, and what wins on conflict. Third, diagnose from evidence: an audit log excerpt, a licensing report, a failing runner group, and the question asks what an admin resolves versus what goes to GitHub Support with a support bundle.
The change log states the exam changed significantly in July 2026: objectives added, removed, moved between functional groups, and all reworded. Four additions stand out because older prep rarely touches them: the Data Residency deployment scenario, Azure private networking for GitHub-hosted runners, third-party vault integration for secrets, and a whole objective on interpreting usage reports for metered products and optimizing spend. That last one is a real shift: the exam now expects the admin to own the bill, reading consumption reports the way a finance-minded platform lead would, the same discipline teams apply to cloud cost management across the rest of their stack.
These are our own illustrations of the question style the outline implies, written against the July 2026 objectives. They are not leaked exam content.
1. Identity. A regulated company requires that developer accounts be fully owned and provisioned by the organization, with no personal repositories or public activity from those identities, and its data must stay in a specific region. Which deployment fits? Answer: GHEC with Data Residency plus EMU. Enterprise Managed Users gives the company-owned identity model, and Data Residency satisfies the regional requirement; GHEC with personal accounts fails the ownership constraint, and GHES alone is the heavier answer when the managed cloud variant meets both needs.
2. Actions governance. A platform team must let repositories use actions from the company organization and a short vetted list of third-party actions, nothing else. Where is that enforced? Answer: an organization-level (or enterprise-level) GitHub Actions policy restricting allowed actions, not repository workflow files; per-repo YAML can be edited by any contributor with write access, so it is a convention, not a control.
3. Security response. After a leaked credential incident, leadership asks for evidence of who accessed a repository in the affected window. Where does the admin go? Answer: the audit log, filtered by repository and time range, exported for the report; commit history shows code changes, not access, and support bundles are a GHES diagnostics artifact, not an access record.
Notice what each question really tests: choosing the right scope or the right evidence source, not reciting features. That is what the describe, configure, enforce and audit verbs in the outline translate to on the paper.
There are three legitimate free sources, and one trap. The free sources: Microsoft's official practice assessment, linked from the certification page, which previews real question style; the study guide itself, which is specific enough after the rewrite to turn every bullet into a self-test question; and question generation from your own material, uploading the study guide or your admin notes to build unlimited fresh questions weighted to the five domains. The trap is question dumps. Beyond the ethics, dumps have a shelf-life problem GH-100 just made fatal: anything harvested before mid-2026 tests the previous exam, with no Data Residency, no private networking, no metered products. Stale dumps do not just waste time; they calibrate you against the wrong blueprint.
Day one, read the outline and mark every bullet you cannot explain aloud. Days two and three, close the security domain: rulesets vs policies, secret scanning and CodeQL enablement order, audit log reporting. Day four, Actions governance: build a runner group mentally, attach an IP allow list, scope a secret at three levels. Day five, identities: write the SCIM vs team sync distinction from memory, then check it. Day six, generate a full mixed question set from the study guide and sit it in one 100-minute block. Day seven, take the official practice assessment and book only if both scores agree you are ready.
GH-100 is the governance end of a six-exam family. Since its biggest domain is security rollout, it pairs directly with the GitHub Advanced Security certification practice test, which covers the GHAS features GH-100 expects you to deploy. If you are newer to the platform, the GitHub Foundations practice test covers the fundamentals underneath, and the full ordering logic across all six exams is in our GitHub certification path guide. Whatever you sit next, build your questions from the current study guide; July 2026 reset the clock on every older bank.
Z tej samej rodziny narzędzi