Verified domains for enterprise accounts: public beta (#16875)

* Add new articles

* Move images and reusables into public repo

* Add redirect

* Split content between articles

* Use reusables

* Use reusable

* Add content about how organization-level settings interact w/ enterprise-level settings

* Add permissions for email restrictions

* Add 💅

* Fix FM

* Use reusable

* Fix reuasbles

* Clarify what email restrictions even are

Co-authored-by: Melanie Yarbrough <11952755+myarb@users.noreply.github.com>

Co-authored-by: Melanie Yarbrough <11952755+myarb@users.noreply.github.com>

Author: lecoursen

assets/images/help/enterprises/add-a-domain-button.png

@@ -39,6 +39,7 @@ Organization members can have *owner*{% if currentVersion == "free-pro-team@late
 | Access the organization audit log | **X** |  |  |
 | Edit the organization's profile page (see "[About your organization's profile](/articles/about-your-organization-s-profile)" for details) | **X** |  |  |
 | Verify the organization's domains (see "[Verifying your organization's domain](/articles/verifying-your-organization-s-domain)" for details) | **X** |  |  |
+| Restrict email notifications to verified domains (see "[Restricting email notifications to an approved domain](/github/setting-up-and-managing-organizations-and-teams/restricting-email-notifications-to-an-approved-domain)" for details) | **X** |  |  |
 | Delete **all teams** | **X** |  |  |
 | Delete the organization account, including all repositories | **X** |  |  |
 | Create teams (see "[Setting team creation permissions in your organization](/articles/setting-team-creation-permissions-in-your-organization)" for details) | **X** | **X** |  |

assets/images/help/enterprises/verified-domains-tab.png

@@ -9,14 +9,19 @@ versions:
   free-pro-team: '*'
 ---
 
-When restricted email notifications are enabled in an organization, members can only receive email notifications about organization activity at an email address associated with the organization's verified domain. For more information, see "[Verifying your organization's domain](/articles/verifying-your-organization-s-domain)."
+### About email restrictions
+
+When restricted email notifications are enabled in an organization, members can only use an email address associated with the organization's verified domains to receive email notifications about organization activity. For more information, see "[Verifying your organization's domain](/articles/verifying-your-organization-s-domain)."
 
 Outside collaborators are not subject to restrictions on email notifications for verified domains. For more information on outside collaborators, see "[Permission levels for an organization](/github/setting-up-and-managing-organizations-and-teams/permission-levels-for-an-organization#outside-collaborators)."
 
+If your organization is owned by an enterprise account, organization members will be able to receive notifications from any domains verified for the enterprise account, in addition to any domains verified for the organization. For more information, see "[Verifying your enterprise account's domain](/github/setting-up-and-managing-your-enterprise/verifying-your-enterprise-accounts-domain)."
+
+### Restricting email notifications to an approved domain
+
 {% data reusables.profile.access_profile %}
 {% data reusables.profile.access_org %}
 {% data reusables.organizations.org_settings %}
 {% data reusables.organizations.verified-domains %}
-5. Under "Enforcement preferences", select **Restrict email notifications to domain email**.
-  ![Checkbox to restrict email notifications to verified domain emails](/assets/images/help/organizations/restrict-email-notifications-to-domain.png)
+{% data reusables.organizations.restrict-email-notifications %}
 6. Click **Save**.

content/github/setting-up-and-managing-organizations-and-teams/permission-levels-for-an-organization.md

@@ -8,46 +8,34 @@ versions:
   free-pro-team: '*'
 ---
 
+### About domain verification
+
 To verify domains on {% data variables.product.product_name %}, you must have owner permissions in the organization. For more information, see "[Permission levels for an organization](/articles/permission-levels-for-an-organization)." You will also need access to modify domain records with your domain hosting service.
 
 After verifying ownership of your organization's domains, a "Verified" badge will display on the organization's profile. If your organization is on {% data variables.product.prodname_ghe_cloud %} and has agreed to the Corporate Terms of Service, organization owners will be able to verify the identity of organization members by viewing each member's email address within the verified domain. For more information, see "[About your organization's profile page](/articles/about-your-organization-s-profile/)" and "[Upgrading to the Corporate Terms of Service](/articles/upgrading-to-the-corporate-terms-of-service)."
 
-To display a "Verified" badge, the website and email information shown on your organization's profile must match the verified domain or domains. If the website and email address shown on your organization's profile are hosted on different domains, you must verify both domains.
-
-{% note %}
-
-**Note:** If the email address and website shown on your organization's profile use variants of the same domain, you must verify both variants. For example, if your organization's profile shows the website `www.example.com` and the email address `info@example.com`, you would need to verify both `www.example.com` and `example.com`.
+If your organization is owned by an enterprise account, a "Verified" badge will display on your organization's profile for any domains verified for the enterprise account, in addition to any domains verified for the organization. For more information, see "[Verifying your enterprise account's domain](/github/setting-up-and-managing-your-enterprise/verifying-your-enterprise-accounts-domain)."
 
-{% endnote %}
+{% data reusables.organizations.verified-domains-details %}
 
 On {% data variables.product.prodname_ghe_cloud %}, after verifying ownership of your organization's domain, you can restrict email notifications for the organization to that domain. For more information, see "[Restricting email notifications to an approved domain](/articles/restricting-email-notifications-to-an-approved-domain)."
 
+### Verifying your organization's domain
+
 {% data reusables.profile.access_profile %}
 {% data reusables.profile.access_org %}
 {% data reusables.organizations.org_settings %}
 {% data reusables.organizations.verified-domains %}
 5. Click **Add a domain**.
 ![Add a domain button](/assets/images/help/organizations/add-a-domain-button.png)
-6. In the domain field, type the domain you'd like to verify, then click **Add domain**.
-![Add a domain field](/assets/images/help/organizations/add-domain-field.png)
-7. Follow the instructions under **Add a DNS TXT record** to create a DNS TXT record with your domain hosting service. It may take up to 72 hours for your DNS configuration to change. Once your DNS configuration has changed, continue to the next step.
-![Instructions to create a DNS txt record](/assets/images/help/organizations/create-dns-txt-record-instructions.png)
-
-   {% tip %}
-
-   **Tip:** You can confirm your DNS configuration has changed by running the `dig` command on the command line. In the example command, replace `ORGANIZATION` with the name of your organization, and `example.com` with the domain you'd like to verify. You should see your new TXT record listed in the command output.
-
+{% data reusables.organizations.add-domain %}
+{% data reusables.organizations.add-dns-txt-record %}
+1. Wait for your DNS configuration to change, which may take up to 72 hours. You can confirm your DNS configuration has changed by running the `dig` command on the command line, replacing `ORGANIZATION` with the name of your organization and `example.com` with the domain you'd like to verify. You should see your new TXT record listed in the command output.
    ```shell
    $ dig _github-challenge-<em>ORGANIZATION</em>.<em>example.com</em> +nostats +nocomments +nocmd TXT
    ```
-
-   {% endtip %}
-
 8. After confirming your TXT record is added to your DNS, navigate to the Verified domains tab in your organization's settings. You can follow steps one through four above to locate the Verified domains tab.
 ![Verified domains settings page with pending domain](/assets/images/help/organizations/pending-domain-verification.png)
-9. Next to the domain that's pending verification, click {% octicon "kebab-horizontal" aria-label="The horizontal kebab icon" %}, then click **Continue verifying**.
-![Continue verifying domain button](/assets/images/help/organizations/continue-verifying-domain.png)
-10. Click **Verify domain**.
-![Verify domain button](/assets/images/help/organizations/verify-domain-final-button.png)
+{% data reusables.organizations.continue-verifying-domain %}
 11. Optionally, once the "Verified" badge is visible on your organization's profile page, you can delete the TXT entry from the DNS record at your domain hosting service.
 ![Verified badge](/assets/images/help/organizations/verified-badge.png)

content/github/setting-up-and-managing-organizations-and-teams/restricting-email-notifications-to-an-approved-domain.md

@@ -34,6 +34,8 @@ versions:
     {% link_in_list /enforcing-team-policies-in-your-enterprise-account %}
     {% link_in_list /enforcing-security-settings-in-your-enterprise-account %}
     {% link_in_list /configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta %}
+    {% link_in_list /verifying-your-enterprise-accounts-domain %}
+    {% link_in_list /restricting-email-notifications-for-your-enterprise-account-to-approved-domains %}
     {% link_in_list /enforcing-a-policy-on-dependency-insights-in-your-enterprise-account %}
     {% link_in_list /enforcing-github-actions-policies-in-your-enterprise-account %}
     {% link_in_list /configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-enterprise-account %}

content/github/setting-up-and-managing-organizations-and-teams/verifying-your-organizations-domain.md

@@ -0,0 +1,26 @@
+---
+title: Restricting email notifications for your enterprise account to approved domains
+intro: "You can prevent your enterprise's information from leaking into personal accounts by restricting email notifications about activity in organizations owned by your enterprise account to verified domains."
+product: '{% data reusables.gated-features.enterprise-accounts %}'
+versions:
+  free-pro-team: '*'
+permissions: Enterprise owners can restrict email notifications for an enterprise account.
+---
+
+{% data reusables.enterprise-accounts.verifying-domains-release-phase %}
+
+### About email restrictions for your enterprise account
+
+When you restrict email notifications to verified domains, enterprise members can only use an email address associated with a verified domain to receive email notifications about activity in organizations owned by your enterprise account. The domains can be inherited from the enterprise account or configured for the specific organization. For more information about email restrictions for organizations, see "[Restricting email notifications to an approved domain](/github/setting-up-and-managing-organizations-and-teams/restricting-email-notifications-to-an-approved-domain)."
+
+If email restrictions are enabled for an enterprise account, organization owners cannot disable email restrictions for any organization owned by the enterprise account. If changes occur that result in an organization having no verified domains, either inherited from an enterprise account that owns the organization or for the specific organization, email restrictions will be disabled for the organization.
+
+### Restricting email notifications for your enterprise account
+
+Before you can restrict email notifications for your enterprise account, you must verify at least one domain for the enterprise account. For more information, see "[Verifying your enterprise account's domain](/github/setting-up-and-managing-your-enterprise/verifying-your-enterprise-accounts-domain)."
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.verified-domains-tab %}
+{% data reusables.organizations.restrict-email-notifications %}
+1. Click **Save**.

content/github/setting-up-and-managing-your-enterprise/index.md

@@ -0,0 +1,44 @@
+---
+title: Verifying your enterprise account's domain
+intro: 'You can confirm the identity of organizations owned by your enterprise account by verifying ownership of your domain names with {% data variables.product.company_short %}.'
+product: '{% data reusables.gated-features.enterprise-accounts %}'
+versions:
+  free-pro-team: '*'
+permissions: Enterprise owners can verify an enterprise account's domain.
+redirect_from:
+  - /github/articles/verifying-your-enterprise-accounts-domain
+  - /early-access/github/articles/verifying-your-enterprise-accounts-domain
+---
+
+{% data reusables.enterprise-accounts.verifying-domains-release-phase %}
+
+### About domain verification
+
+You can confirm that the websites and email addresses listed on the profiles of any organization owned by your enterprise account are controlled by your enterprise by verifying the domains. Verified domains for an enterprise account apply to every organization owned by the enterprise account, and organization owners can verify additional domains for their organizations. For more information, see "[Verifying your organization's domain](/github/setting-up-and-managing-organizations-and-teams/verifying-your-organizations-domain)."
+
+After you verify ownership of your enterprise account's domains, a "Verified" badge will display on the profile of each organization that has the domain listed on its profile. {% data reusables.organizations.verified-domains-details %}
+
+Organization owners will be able to verify the identity of organization members by viewing each member's email address within the verified domain. 
+
+After you verify domains for your enterprise account, you can restrict email notifications to verified domains for all the organizations owned by your enterprise account. For more information, see "[Restricting email notifications for your enterprise account to approved domains](/github/setting-up-and-managing-your-enterprise/restricting-email-notifications-for-your-enterprise-account-to-approved-domains)."
+
+Even if you don't restrict email notifications for the enterprise account, if an organization owner has restricted email notifications for the organization, organization members will be able to receive notifications from any domains verified for the enterprise account, in addition to any domains verified for the organization. For more information about restricting notifications for an organization, see "[Restricting email notifications to an approved domain](/github/setting-up-and-managing-organizations-and-teams/restricting-email-notifications-to-an-approved-domain)."
+
+### Verifying your enterprise account's domain
+
+To verify your enterprise account's domain, you must have access to modify domain records with your domain hosting service.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.verified-domains-tab %}
+1. Click **Add a domain**.
+    ![Add a domain button](/assets/images/help/enterprises/add-a-domain-button.png)
+{% data reusables.organizations.add-domain %}
+{% data reusables.organizations.add-dns-txt-record %}
+1. Wait for your DNS configuration to change, which may take up to 72 hours. You can confirm your DNS configuration has changed by running the `dig` command on the command line, replacing `ENTERPRISE-ACCOUNT` with the name of your enterprise account, and `example.com` with the domain you'd like to verify. You should see your new TXT record listed in the command output.
+   ```shell
+   dig _github-challenge-<em>ENTERPRISE-ACCOUNT</em>.<em>example.com</em> +nostats +nocomments +nocmd TXT
+   ```
+{% data reusables.organizations.continue-verifying-domain %}
+1. Optionally, after the "Verified" badge is visible on your organizations' profiles, delete the TXT entry from the DNS record at your domain hosting service.
+![Verified badge](/assets/images/help/organizations/verified-badge.png)

content/github/setting-up-and-managing-your-enterprise/restricting-email-notifications-for-your-enterprise-account-to-approved-domains.md

@@ -0,0 +1,2 @@
+1. Under "Settings", click **Verified domains**.
+    !["Verified domains" tab](/assets/images/help/enterprises/verified-domains-tab.png)

content/github/setting-up-and-managing-your-enterprise/verifying-your-enterprise-accounts-domain.md

@@ -0,0 +1,5 @@
+{% note %}
+
+**Note:** Verifying an enterprise account's domain is currently in beta and subject to change.
+
+{% endnote %}