docs: azure add actions and no mfa prompt (#4655)

* docs: azure ad actions and no mfa prompt

* lockfile

* rm space

* rm lines

* docs: azure ad actions and no mfa prompt

* docs: azure ad actions and no mfa prompt

* docs: azure ad actions and no mfa prompt

* docs: azure ad actions and no mfa prompt

* docs: link to actions marketplace

* Update docs/docs/apis/actions.md

Co-authored-by: mffap <mpa@zitadel.com>

* Update docs/docs/concepts/features/actions.md

Co-authored-by: mffap <mpa@zitadel.com>

* Update docs/docs/guides/integrate/azuread-oidc.md

Co-authored-by: mffap <mpa@zitadel.com>

* Update docs/docs/guides/integrate/azuread-oidc.md

Co-authored-by: mffap <mpa@zitadel.com>

* Update docs/docs/guides/integrate/azuread-oidc.md

Co-authored-by: mffap <mpa@zitadel.com>

* Update docs/docs/guides/integrate/azuread-oidc.md

Co-authored-by: mffap <mpa@zitadel.com>

* Update docs/docs/guides/integrate/azuread-oidc.md

Co-authored-by: mffap <mpa@zitadel.com>

* Update docs/docs/guides/integrate/azuread-oidc.md

Co-authored-by: mffap <mpa@zitadel.com>

* docs: function name

* docs: function name

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: mffap <mpa@zitadel.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>
This commit is contained in:
Fabi 2022-11-09 09:49:38 +01:00 committed by GitHub
parent eba602e064
commit f6f8ce8ba1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 1100 additions and 852 deletions


@ -104,3 +104,4 @@ ZITADEL supports only the external authentication flow at the moment.
- [Actions concept](../concepts/features/actions)
- [Actions guide](../guides/manage/customize/behavior)
- [Actions Marketplace: Find example actions to use in ZITADEL](https://github.com/zitadel/actions)


@ -35,4 +35,5 @@ Within the JavaScript code, you can read and manipulate the state.
## Further reading
- [Assign users a role after they register using an external identity provider](../../guides/manage/customize/behavior)
- [Actions reference](../../apis/actions)
- [Actions reference](../../apis/actions)
- [Actions Marketplace: Find example actions to use in ZITADEL](https://github.com/zitadel/actions)
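Review bot: the `Actions reference` entry now appears twice in the Further reading list (two identical lines directly before the new Marketplace link); if one of them is the removed side of a whitespace-only change that is fine, otherwise drop the duplicate so each link appears once.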


@ -23,7 +23,7 @@ Browse to the [App registration menus create dialog](https://portal.azure.com/#v
![Create an Application](/img/guides/azure_app_register.png)
:::info
Mare sure to select `web` as application type in the `Redirect URI (optional)` section.
Make sure to select `web` as application type in the `Redirect URI (optional)` section.
You can leave the second field empty since we will change this in the next step.
:::
@ -79,9 +79,49 @@ Once you created the IdP you need to activate it, to make it usable for your use
![Active AzureAD](/img/guides/azure_zitadel_active.png)
#### Disable 2-Factor prompt
If a user has no 2-factor configured, ZITADEL does ask on a regularly basis, if the user likes to add a new 2-factor for more security.
If you don't want your users to get this prompt when using Azure, you have to disable this feature.
1. Go to the login behaviour settings of your instance or organization, depending if you like to disable it for all or just a specific organization respectively
2. Set "Multi-factor init lifetimes" to 0
![img.png](../../../static/img/guides/login_lifetimes.png)
#### Create user with verified email
Azure AD does not send the "email verified claim" in its token.
Due to that the user will get an email verification mail to verify his email address.
To create the user with a verified email address you must add an action.
1. Go to the actions of your organization
2. Create a new action with the following code to set the email to verified automatically
3. Make sure the action name matches the function in the action itself e.g: "setEmailVerified"
```js reference
https://github.com/zitadel/actions/blob/main/examples/verify_email.js
```
![img.png](../../../static/img/guides/action_email_verify.png)
3. Add the action "email verify" to the flow "external authentication" and to the trigger "pre creation"
![img.png](../../../static/img/guides/action_pre_creation_email_verify.png)
#### Automatically redirect to Azure AD
If you like to get automatically redirected to your Azure AD login instead of showing the ZITADEL login with the Username/Password and a button "Login with AzureAD" you have to do the following steps:
1. Go to the login behaviour settings of your instance or organization
2. Disable login with username and password
3. Make sure you have only configured AzureAD as external identity provider
4. If you did all your settings on the organization level make sure to send the organization scope in your authorization request: [scope](../../apis/openidoauth/scopes#reserved-scopes)
### Test the setup
To test the setup use a incognito mode and browse to your login page.
To test the setup use incognito mode and browse to your login page.
If you succeeded you should see a new button which should redirect you to your AzureAD Tenant.
![AzureAD Button](/img/guides/azure_zitadel_button.png)
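Review bot: the action name is inconsistent within the "Create user with verified email" steps: step 3 says the action name must match the function in the code, e.g. `setEmailVerified`, but the trigger step then tells the reader to add an action called `email verify`, which would not match and the action would not run; use the same name in both places. The step numbering also repeats `3.` after the code block (it should be `4.`), and the three new images use relative `../../../static/img/guides/...` paths while the rest of this page uses `/img/guides/...` (see `azure_zitadel_active.png` and `azure_zitadel_button.png`); the relative form breaks as soon as the page is served from a different URL depth. Two caveats deserve a sentence in the text: "Multi-factor init lifetimes" is an instance- or organization-wide login setting, so setting it to 0 also removes the prompt for users of that organization who still log in with username and password, not only for Azure AD users; and the `pre creation` trigger of the `external authentication` flow fires for every external identity provider configured in the organization, so the action marks the email as verified for all of them unless the action itself checks which provider the user came from. Minor wording in the added text: "on a regularly basis" should be "on a regular basis".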


@ -29,13 +29,9 @@ Before you start, make sure you have everything set up correctly.
1. Paste this snippet into the multiline textfield.
1. Replace the snippets placeholders and select **Save**.
```js
function addGrant(ctx, api) {
api.userGrants.push({
ProjectID: '<the projects resource ID you copied above>',
Roles: ['<the role key you copied above>']
});
}
```js reference
https://github.com/zitadel/actions/blob/main/examples/add_user_grant.js
```
## Run the action when a user registers
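Review bot: the inline `addGrant` snippet is replaced by a `js reference` fence pointing at the `main` branch of the zitadel/actions repository, so the code readers copy is fetched from an external branch and can change without any review of this page; pin the reference to a tag or commit hash (or keep the inline snippet as a fallback) so the guide stays reproducible. The unchanged steps above still say "Paste this snippet" and "Replace the snippets placeholders", which now rely on the referenced file keeping the same `ProjectID` and `Roles` placeholders the removed snippet had; while touching those lines, "snippets placeholders" should read "snippet's placeholders".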
