Update permission instructions for IDP integrations (#98)

* Update IDP documentation to reflect recent improvements on permissions required
for the various integrations.
* Added a note for those who would prefer to add delete permissions

src/pages/selfhosted/identity-providers.mdx

@@ -149,7 +149,7 @@ In this step we will grant `Org User Manager` role to `netbird` service user.
 Your authority OIDC configuration will be available under:
 
 ```bash
-https://< YOUR_ZITADEL_HOST_AND_PORT >/.well-known/openid-configuration
+https://<YOUR_ZITADEL_HOST_AND_PORT>/.well-known/openid-configuration
 ```
 
 :::caution
@@ -386,7 +386,7 @@ The client will need secret to authenticate. To do this:
     <img src="/docs-static/img/integrations/identity-providers/self-hosted/keycloak-backend-client-credentials.png" alt="high-level-dia" className="imagewrapper"/>
 </p>
 
-#### Step 9: Add manage-users role to netbird-backend
+#### Step 9: Add view-users role to netbird-backend
 
 - Open the Keycloak Admin Console
 - Make sure, that the selected realm is `Netbird`
@@ -394,7 +394,7 @@ The client will need secret to authenticate. To do this:
 - Choose `netbird-backend` from the list
 - Switch to `Service accounts roles` tab
 - Click `Assign roles` button
-- Select `Filter by clients` and search for `manage-users`
+- Select `Filter by clients` and search for `view-users`
 
 <p>
     <img src="/docs-static/img/integrations/identity-providers/self-hosted/keycloak-service-account-role.png" alt="high-level-dia" className="imagewrapper"/>
@@ -406,9 +406,17 @@ The client will need secret to authenticate. To do this:
     <img src="/docs-static/img/integrations/identity-providers/self-hosted/keycloak-add-role.png" alt="high-level-dia" className="imagewrapper"/>
 </p>
 
+<Note>
+Optional
+
+NetBird offers the ability to automatically delete a user from the Keycloak side when the user is deleted from the associated account.
+ To enable this functionality, simply include the `--user-delete-from-idp` flag in the management startup command within your Docker Compose configuration. If you choose to enable this feature,
+ please ensure that you assign the `manage-users` role to the `netbird-backend` following the steps outlined above.
+</Note>
+
 Your authority OIDC configuration will be available under:
 ```bash
-https://< YOUR_KEYCLOAK_HOST_AND_PORT >/realms/netbird/.well-known/openid-configuration
+https://<YOUR_KEYCLOAK_HOST_AND_PORT>/realms/netbird/.well-known/openid-configuration
 ```
 <Note>
     Double-check if the endpoint returns a JSON response by calling it from your browser.
@@ -421,8 +429,8 @@ NETBIRD_USE_AUTH0=false
 NETBIRD_AUTH_CLIENT_ID=`netbird-client`
 NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
 NETBIRD_AUTH_AUDIENCE=`netbird-client`
-NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=`netbird-client`. Optional,
-it enables the [Interactive SSO Login feature](/how-to/getting-started#running-net-bird-with-sso-login) (Oauth 2.0 Device Authorization Flow)
+
+NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=`netbird-client`
 
 NETBIRD_MGMT_IDP="keycloak"
 NETBIRD_IDP_MGMT_CLIENT_ID="netbird-backend"
@@ -647,21 +655,6 @@ In this step, we will create and configure NetBird application in azure AD.
 </p>
 
 
-- Add `Application permissions` to Microsoft Graph
-- Click `Add a permission`
-- Click `Microsoft Graph` and then click `Application permissions` tab
-- Search for `User.ReadWrite.All` and under `User` sections  and check `User.ReadWrite.All` checkbox  section
-
-<p>
-    <img src="/docs-static/img/integrations/identity-providers/self-hosted/azure-user-permissions.png" alt="high-level-dia" className="imagewrapper"/>
-</p>
-
-- Search for `Application.ReadWrite.All` and under `Application` sections  and check `Application.ReadWrite.All` checkbox  section and click `Add permissions`
-
-<p>
-    <img src="/docs-static/img/integrations/identity-providers/self-hosted/azure-applications-permissions.png" alt="high-level-dia" className="imagewrapper"/>
-</p>
-
 - Click `Grant admin conset for Default Directory` and click `Yes`
 
 <p>
@@ -815,7 +808,7 @@ In this step, we will generate netbird api token in okta for authorizing calls t
 
 Your authority OIDC configuration will be available under:
 ```bash
-https://< YOUR_OKTA_ORGANIZATION_URL >/.well-known/openid-configuration
+https://<YOUR_OKTA_ORGANIZATION_URL>/.well-known/openid-configuration
 ```
 <Note>
     Double-check if the endpoint returns a JSON response by calling it from your browser.
@@ -850,6 +843,12 @@ You've configured all required resources in Okta. You can now continue with the
 This guide is a part of the [NetBird Self-hosting Guide](/selfhosted/selfhosted-guide) and explains how to integrate 
 **self-hosted** NetBird with [Google Workspace](https://workspace.google.com/).
 
+<Note>
+Beginning with NetBird version v0.23.6 and onwards, the Google Workspace IdP manager no longer requires the creation of a custom admin role called `User and Schema Management`. 
+Instead, we are transitioning towards a more tailored role explicitly designed for managing read-only user information. 
+Consequently, you have the option to remove the previously established custom admin role and refer to the documentation to configure the admin role scope for read-only access correctly.
+</Note>
+
 Before you start creating and configuring an Google Workspace application, ensure that you have the following:
 - An Google Workspace account: To create an Google Work application, you must have an Google Workspace. If you don't have one, sign up at https://workspace.google.com/business/signup/welcome.
 - User account with admin permissions: You must have an Google Workspace user account with the admin permissions to create and manage Google Workspace applications. If you don't have the required permissions, ask your workspace administrator to grant them to you.
@@ -924,42 +923,13 @@ Read how to manage and secure your service keys [here](https://cloud.google.com/
 
 - Open downloaded json file and take note of `client_id` will be used later as `Service Account Client ID`
 
-#### Step 5: Grant user and schema management admin role to service account
-- Navigate to [Admin Console](https://admin.google.com/ac/home) page
-- Select `Account` on the left menu and then click `Admin Roles`
-- Click `Create new role`
-- Fill in the form with the following values and click `CREATE`
-    - name: `User and Schema Management Admin`
-    - description: `User and Schema Management Admin`
-- Click `CONTINUE`
-<p>
-    <img src="/docs-static/img/integrations/identity-providers/self-hosted/google-new-role-info.png" alt="high-level-dia" class="imagewrapper"/>
-</p>
-
-- Scroll down to `Admin API privileges` and add the following provileges
-    - Users: `Create`, `Read` and  `Update Custom Attributes`
-    - Schema Management: `Schema Management` and `Schema Read`
-- Click `CONTINUE`
-<p>
-    <img src="/docs-static/img/integrations/identity-providers/self-hosted/google-privileges-review.png" alt="high-level-dia" class="imagewrapper"/>
-</p>
-- Verify preview of assigned Admin API privileges to ensure that everything is properly configured, and then click `CREATE ROLE`
-- Click `Assign service accounts`, add service account email address and then click `ADD`
-<p>
-    <img src="/docs-static/img/integrations/identity-providers/self-hosted/google-assign-role.png" alt="high-level-dia" class="imagewrapper"/>
-</p>
-- Click `ASSIGN ROLE` to assign service account to `User and Schema Management Admin` role
-<p>
-    <img src="/docs-static/img/integrations/identity-providers/self-hosted/google-service-account-privileges.png" alt="high-level-dia" class="imagewrapper"/>
-</p>
-
-#### Step 6: Granting service account access to organization data
+#### Step 5: Granting service account access to organization data
 - Navigate to [Admin Console](https://admin.google.com/ac/home) page
 - Select `Security` > `Access and data control` > `API controls` and then click `MANAGE DOMAIN WIDE DELEGATION`
 - Click `Add new`
 - Fill in the form with the following values
     - Client ID: `<Service Account Client ID>`
-    - OAuth scopes: `https://www.googleapis.com/auth/admin.directory.user`, `https://www.googleapis.com/auth/admin.directory.userschema`
+    - OAuth scopes: `https://www.googleapis.com/auth/admin.directory.user.readonly`
 <p>
     <img src="/docs-static/img/integrations/identity-providers/self-hosted/google-new-domain-delegation.png" alt="high-level-dia" class="imagewrapper"/>
 </p>
@@ -995,7 +965,7 @@ NETBIRD_IDP_MGMT_EXTRA_SERVICE_ACCOUNT_KEY="<BASE64_SERVICE_ACCOUNT_KEY>"
 NETBIRD_IDP_MGMT_EXTRA_CUSTOMER_ID="<GOOGLE_WORKSPACE_CUSTOMER_ID>"
 ```
 
-#### Step 7: Continue with the NetBird Self-hosting Guide
+#### Step 6: Continue with the NetBird Self-hosting Guide
 You've configured all required resources in Google Workspace. You can now continue with the [NetBird Self-hosting Guide](/selfhosted/selfhosted-guide#step-4-disable-single-account-mode-optional).
 
 ### Auth0
@@ -1113,6 +1083,13 @@ This application will be used to authorize access to Auth0 Management API.
     <img src="/docs-static/img/integrations/identity-providers/self-hosted/auth0-machine-authorization.png" alt="high-level-dia" className="imagewrapper"/>
 </p>
 
+<Note>
+Optional
+
+NetBird offers the ability to automatically delete a user from the Auth0 side when the user is deleted from the associated account.
+To enable this functionality, include the `--user-delete-from-idp` flag in the management startup command within your Docker Compose configuration. If you choose to enable this feature, please ensure that you assign the `delete:users` permission following the steps outlined above.
+</Note>
+
 - Click `Settings` tab
 - Copy **`Client ID`** to `NETBIRD_IDP_MGMT_CLIENT_ID` in the `setup.env` file
 - Copy **`Client SECRET`** to `NETBIRD_IDP_MGMT_CLIENT_SECRET` in the `setup.env` file