diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Models/Organization.cs b/src/Infrastructure.EntityFramework/AdminConsole/Models/Organization.cs
index 3da462a09b..d7f83d829d 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Models/Organization.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Models/Organization.cs
@@ -26,7 +26,20 @@ public class OrganizationMapperProfile : Profile
 {
     public OrganizationMapperProfile()
     {
-        CreateMap<Core.AdminConsole.Entities.Organization, Organization>().ReverseMap();
+        CreateMap<Core.AdminConsole.Entities.Organization, Organization>()
+            .ForMember(org => org.Ciphers, opt => opt.Ignore())
+            .ForMember(org => org.OrganizationUsers, opt => opt.Ignore())
+            .ForMember(org => org.Groups, opt => opt.Ignore())
+            .ForMember(org => org.Policies, opt => opt.Ignore())
+            .ForMember(org => org.Collections, opt => opt.Ignore())
+            .ForMember(org => org.SsoConfigs, opt => opt.Ignore())
+            .ForMember(org => org.SsoUsers, opt => opt.Ignore())
+            .ForMember(org => org.Transactions, opt => opt.Ignore())
+            .ForMember(org => org.ApiKeys, opt => opt.Ignore())
+            .ForMember(org => org.Connections, opt => opt.Ignore())
+            .ForMember(org => org.Domains, opt => opt.Ignore())
+            .ReverseMap();
+
         CreateProjection<Organization, SelfHostedOrganizationDetails>()
             .ForMember(sd => sd.CollectionCount, opt => opt.MapFrom(o => o.Collections.Count))
             .ForMember(sd => sd.GroupCount, opt => opt.MapFrom(o => o.Groups.Count))
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
index a27e2a66bc..9a4573e771 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
@@ -50,9 +50,10 @@ public class OrganizationRepository : Repository<Core.AdminConsole.Entities.Orga
         {
             var dbContext = GetDatabaseContext(scope);
             var organizations = await GetDbSet(dbContext)
-                .Select(e => e.OrganizationUsers
-                    .Where(ou => ou.UserId == userId)
-                    .Select(ou => ou.Organization))
+                .SelectMany(e => e.OrganizationUsers
+                    .Where(ou => ou.UserId == userId))
+                .Include(ou => ou.Organization)
+                .Select(ou => ou.Organization)
                 .ToListAsync();
             return Mapper.Map<List<Core.AdminConsole.Entities.Organization>>(organizations);
         }
diff --git a/test/Identity.IntegrationTest/Endpoints/IdentityServerTwoFactorTests.cs b/test/Identity.IntegrationTest/Endpoints/IdentityServerTwoFactorTests.cs
new file mode 100644
index 0000000000..c9e6825988
--- /dev/null
+++ b/test/Identity.IntegrationTest/Endpoints/IdentityServerTwoFactorTests.cs
@@ -0,0 +1,141 @@
+using System.Text.Json;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Auth.Enums;
+using Bit.Core.Auth.Models.Api.Request.Accounts;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.IntegrationTestCommon.Factories;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Bit.Test.Common.Helpers;
+using Microsoft.AspNetCore.TestHost;
+using Xunit;
+
+namespace Bit.Identity.IntegrationTest.Endpoints;
+
+public class IdentityServerTwoFactorTests : IClassFixture<IdentityApplicationFactory>
+{
+    private readonly IdentityApplicationFactory _factory;
+    private readonly IUserRepository _userRepository;
+    private readonly IUserService _userService;
+
+    public IdentityServerTwoFactorTests(IdentityApplicationFactory factory)
+    {
+        _factory = factory;
+        _userRepository = _factory.GetService<IUserRepository>();
+        _userService = _factory.GetService<IUserService>();
+    }
+
+    [Theory, BitAutoData]
+    public async Task TokenEndpoint_UserTwoFactorRequired_NoTwoFactorProvided_Fails(string deviceId)
+    {
+        // Arrange
+        var username = "test+2farequired@email.com";
+        var twoFactor = """{"1": { "Enabled": true, "MetaData": { "Email": "test+2farequired@email.com"}}}""";
+
+        await CreateUserAsync(_factory.Server, username, deviceId, async () =>
+        {
+            var user = await _userRepository.GetByEmailAsync(username);
+            user.TwoFactorProviders = twoFactor;
+            await _userService.UpdateTwoFactorProviderAsync(user, TwoFactorProviderType.Email);
+        });
+
+        // Act
+        var context = await PostLoginAsync(_factory.Server, username, deviceId);
+
+        // Assert
+        var body = await AssertHelper.AssertResponseTypeIs<JsonDocument>(context);
+        var root = body.RootElement;
+
+        var error = AssertHelper.AssertJsonProperty(root, "error_description", JsonValueKind.String).GetString();
+        Assert.Equal("Two factor required.", error);
+    }
+
+    [Theory, BitAutoData]
+    public async Task TokenEndpoint_OrgTwoFactorRequired_NoTwoFactorProvided_Fails(string deviceId)
+    {
+        // Arrange
+        var username = "test+org2farequired@email.com";
+        // use valid length keys so DuoWeb.SignRequest doesn't throw
+        // ikey: 20, skey: 40, akey: 40
+        var orgTwoFactor =
+            """{"6":{"Enabled":true,"MetaData":{"IKey":"DIEFB13LB49IEB3459N2","SKey":"0ZnsZHav0KcNPBZTS6EOUwqLPoB0sfMd5aJeWExQ","Host":"api-example.duosecurity.com"}}}""";
+
+        var server = _factory.WithWebHostBuilder(builder =>
+        {
+            builder.UseSetting("globalSettings:Duo:AKey", "WJHB374KM3N5hglO9hniwbkibg$789EfbhNyLpNq1");
+        }).Server;
+
+
+        await CreateUserAsync(server, username, deviceId, async () =>
+        {
+            var user = await _userRepository.GetByEmailAsync(username);
+
+            var organizationRepository = _factory.Services.GetService<IOrganizationRepository>();
+            var organization = await organizationRepository.CreateAsync(new Organization
+            {
+                Name = "Test Org",
+                Use2fa = true,
+                TwoFactorProviders = orgTwoFactor,
+            });
+
+            await _factory.Services.GetService<IOrganizationUserRepository>()
+                .CreateAsync(new OrganizationUser
+                {
+                    UserId = user.Id,
+                    OrganizationId = organization.Id,
+                    Status = OrganizationUserStatusType.Confirmed,
+                    Type = OrganizationUserType.User,
+                });
+        });
+
+        // Act
+        var context = await PostLoginAsync(server, username, deviceId);
+
+        // Assert
+        var body = await AssertHelper.AssertResponseTypeIs<JsonDocument>(context);
+        var root = body.RootElement;
+
+        var error = AssertHelper.AssertJsonProperty(root, "error_description", JsonValueKind.String).GetString();
+        Assert.Equal("Two factor required.", error);
+    }
+
+    private async Task CreateUserAsync(TestServer server, string username, string deviceId,
+        Func<Task> twoFactorSetup)
+    {
+        // Register user
+        await _factory.RegisterAsync(new RegisterRequestModel
+        {
+            Email = username,
+            MasterPasswordHash = "master_password_hash"
+        });
+
+        // Add two factor
+        if (twoFactorSetup != null)
+        {
+            await twoFactorSetup();
+        }
+    }
+
+    private async Task<HttpContext> PostLoginAsync(TestServer server, string username, string deviceId,
+        Action<HttpContext> extraConfiguration = null)
+    {
+        return await server.PostAsync("/connect/token", new FormUrlEncodedContent(new Dictionary<string, string>
+        {
+            { "scope", "api offline_access" },
+            { "client_id", "web" },
+            { "deviceType", DeviceTypeAsString(DeviceType.FirefoxBrowser) },
+            { "deviceIdentifier", deviceId },
+            { "deviceName", "firefox" },
+            { "grant_type", "password" },
+            { "username", username },
+            { "password", "master_password_hash" },
+        }), context => context.SetAuthEmail(username));
+    }
+
+    private static string DeviceTypeAsString(DeviceType deviceType)
+    {
+        return ((int)deviceType).ToString();
+    }
+}
diff --git a/test/Infrastructure.EFIntegration.Test/AdminConsole/Repositories/OrganizationRepositoryTests.cs b/test/Infrastructure.EFIntegration.Test/AdminConsole/Repositories/OrganizationRepositoryTests.cs
index a62f7531d0..eb7c3d2753 100644
--- a/test/Infrastructure.EFIntegration.Test/AdminConsole/Repositories/OrganizationRepositoryTests.cs
+++ b/test/Infrastructure.EFIntegration.Test/AdminConsole/Repositories/OrganizationRepositoryTests.cs
@@ -1,9 +1,11 @@
-using Bit.Core.Entities;
+using AutoMapper;
+using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Test.AutoFixture.Attributes;
 using Bit.Infrastructure.EFIntegration.Test.AutoFixture;
 using Bit.Infrastructure.EFIntegration.Test.Repositories.EqualityComparers;
+using Bit.Infrastructure.EntityFramework.AdminConsole.Models;
 using Xunit;
 using EfRepo = Bit.Infrastructure.EntityFramework.Repositories;
 using Organization = Bit.Core.AdminConsole.Entities.Organization;
@@ -13,6 +15,13 @@ namespace Bit.Infrastructure.EFIntegration.Test.Repositories;
 
 public class OrganizationRepositoryTests
 {
+    [Fact]
+    public void ValidateOrganizationMappings_ReturnsSuccess()
+    {
+        var config = new MapperConfiguration(cfg => cfg.AddProfile<OrganizationMapperProfile>());
+        config.AssertConfigurationIsValid();
+    }
+
     [CiSkippedTheory, EfOrganizationAutoData]
     public async Task CreateAsync_Works_DataMatches(
         Organization organization,