website/docs: limiting permissions of AD service account

[dewi-tik]

Details

Adds info box about limiting AD sync service account permissions.

---

Checklist

If applicable

• The documentation has been updated
• The documentation has been formatted (make docs)

[netlify]

✅ Deploy Preview for authentik-storybook ready!

Name	Link
🔨 Latest commit	cd5d2d9
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-storybook/deploys/6968eac06e731100085d46ac
😎 Deploy Preview	https://deploy-preview-19483--authentik-storybook.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for authentik-integrations ready!

Name	Link
🔨 Latest commit	2f0cf58
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-integrations/deploys/696903010fc56a0008f3e0cb
😎 Deploy Preview	https://deploy-preview-19483--authentik-integrations.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for authentik-docs ready!

Name	Link
🔨 Latest commit	2f0cf58
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-docs/deploys/69690301290b65000797be33
😎 Deploy Preview	https://deploy-preview-19483--authentik-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.27%. Comparing base (41e99b5) to head (2f0cf58).
⚠️ Report is 6 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #19483   +/-   ##
=======================================
  Coverage   93.27%   93.27%           
=======================================
  Files         949      949           
  Lines       52001    52015   +14     
=======================================
+ Hits        48505    48519   +14     
  Misses       3496     3496           

Flag	Coverage Δ
conformance	38.29% <ø> (-0.02%)	⬇️
e2e	44.28% <ø> (+0.05%)	⬆️
integration	23.06% <ø> (-0.01%)	⬇️
unit	91.50% <ø> (+<0.01%)	⬆️
unit-migrate	91.51% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[authentik-automation]

🍒 Cherry-pick to version-2025.10 created: #19488

[authentik-automation]

🍒 Cherry-pick to version-2025.12 created: #19489

[github-actions]

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-2f0cf588401fc7a2959c5899a7d050b3dadbcf5c
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-2f0cf588401fc7a2959c5899a7d050b3dadbcf5c

Afterwards, run the upgrade commands from the latest release notes.