From 0244cc9201e994cf36fc3ca29c2c731892101de8 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 9 Nov 2023 12:28:12 -0500
Subject: [PATCH 001/184] Switch Dockerfile to multi-arch build

---
 .github/workflows/build.yml | 117 ++++++++++++++++--------------------
 src/Admin/Dockerfile        |  52 ++++++++++++++--
 2 files changed, 100 insertions(+), 69 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e5f1d1c57d..fa0af7bbe3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -94,6 +94,7 @@ jobs:
           fail-on-error: true
 
   build-artifacts:
+    if: false
     name: Build artifacts
     runs-on: ubuntu-22.04
     needs:
@@ -194,59 +195,48 @@ jobs:
   build-docker:
     name: Build Docker images
     runs-on: ubuntu-22.04
-    needs: build-artifacts
+    needs:
+      - lint
+      - testing
     strategy:
       fail-fast: false
       matrix:
         include:
           - project_name: Admin
             base_path: ./src
-            dotnet: true
-          - project_name: Api
-            base_path: ./src
-            dotnet: true
-          - project_name: Attachments
-            base_path: ./util
-          - project_name: Billing
-            base_path: ./src
-            dotnet: true
-          - project_name: Events
-            base_path: ./src
-            dotnet: true
-          - project_name: EventsProcessor
-            base_path: ./src
-            dotnet: true
-          - project_name: Icons
-            base_path: ./src
-            dotnet: true
-          - project_name: Identity
-            base_path: ./src
-            dotnet: true
-          - project_name: MsSql
-            base_path: ./util
-          - project_name: MsSqlMigratorUtility
-            base_path: ./util
-            dotnet: true
-          - project_name: Nginx
-            base_path: ./util
-          - project_name: Notifications
-            base_path: ./src
-            dotnet: true
-          - project_name: Scim
-            base_path: ./bitwarden_license/src
-            dotnet: true
-          - project_name: Server
-            base_path: ./util
-            dotnet: true
-          - project_name: Setup
-            base_path: ./util
-            dotnet: true
-          - project_name: Sso
-            base_path: ./bitwarden_license/src
-            dotnet: true
+          # - project_name: Api
+          #   base_path: ./src
+          # - project_name: Attachments
+          #   base_path: ./util
+          # - project_name: Billing
+          #   base_path: ./src
+          # - project_name: Events
+          #   base_path: ./src
+          # - project_name: EventsProcessor
+          #   base_path: ./src
+          # - project_name: Icons
+          #   base_path: ./src
+          # - project_name: Identity
+          #   base_path: ./src
+          # - project_name: MsSql
+          #   base_path: ./util
+          # - project_name: MsSqlMigratorUtility
+          #   base_path: ./util
+          # - project_name: Nginx
+          #   base_path: ./util
+          # - project_name: Notifications
+          #   base_path: ./src
+          # - project_name: Scim
+          #   base_path: ./bitwarden_license/src
+          # - project_name: Server
+          #   base_path: ./util
+          # - project_name: Setup
+          #   base_path: ./util
+          # - project_name: Sso
+          #   base_path: ./bitwarden_license/src
     steps:
       - name: Checkout repo
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Check Branch to Publish
         env:
@@ -261,6 +251,13 @@ jobs:
             echo "is_publish_branch=false" >> $GITHUB_ENV
           fi
 
+      ########## Set up Docker ##########
+      - name: Set up QEMU emulators
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
       ########## ACRs ##########
       - name: Login to Azure - PROD Subscription
         uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
@@ -268,7 +265,7 @@ jobs:
           creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
 
       - name: Login to PROD ACR
-        run: az acr login -n bitwardenprod
+        run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}
 
       - name: Login to Azure - CI Subscription
         uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
@@ -307,37 +304,30 @@ jobs:
           PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
         run: echo "name=${_AZ_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT
 
-      - name: Get build artifact
-        if: ${{ matrix.dotnet }}
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
-        with:
-          name: ${{ matrix.project_name }}.zip
-
-      - name: Setup build artifact
-        if: ${{ matrix.dotnet }}
-        run: |
-          mkdir -p ${{ matrix.base_path}}/${{ matrix.project_name }}/obj/build-output/publish
-          unzip ${{ matrix.project_name }}.zip \
-            -d ${{ matrix.base_path }}/${{ matrix.project_name }}/obj/build-output/publish
-
       - name: Build Docker image
         uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
         with:
           context: ${{ matrix.base_path }}/${{ matrix.project_name }}
           file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile
-          platforms: linux/amd64
+          platforms: |
+            linux/amd64,
+            linux/arm/v7,
+            linux/arm64/v8
           push: true
           tags: ${{ steps.image-name.outputs.name }}
           secrets: |
             "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
 
+      - name: Log out of Docker
+        run: docker logout
+
   upload:
     name: Upload
     runs-on: ubuntu-22.04
     needs: build-docker
     steps:
       - name: Checkout repo
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Set up dotnet
         uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0
@@ -348,7 +338,7 @@ jobs:
           creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
 
       - name: Login to PROD ACR
-        run: az acr login -n $_AZ_REGISTRY --only-show-errors
+        run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}
 
       - name: Restore
         run: dotnet tool restore
@@ -518,8 +508,7 @@ jobs:
   self-host-build:
     name: Trigger self-host build
     runs-on: ubuntu-22.04
-    needs:
-      - build-docker
+    needs: build-docker
     steps:
       - name: Login to Azure - CI Subscription
         uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index 1c2264bf20..11303d7a63 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -1,17 +1,59 @@
-FROM mcr.microsoft.com/dotnet/aspnet:6.0
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/aspnet:6.0 AS dotnet-build
 
+# Docker buildx supplies the value for this arg
+ARG TARGETPLATFORM
+ENV NODE_VERSION=16
+
+# Determine proper runtime value for .NET
+# We put the value in a file to be read by later layers.
+RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
+      RID=linux-x64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
+      RID=linux-arm64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
+      RID=linux-arm ; \
+    fi \
+    && echo "RID=$RID" > /tmp/rid.txt
+
+# Add packages
+RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash
+RUN npm install -g gulp
+
+WORKDIR /source
+COPY *.csproj .
+COPY ../../Directory.Build.props .
+
+# Restore Admin project dependencies and tools
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+COPY . .
+#COPY ../../.git/. ./.git/
+
+# Build Admin app
+RUN npm install
+RUN gulp --gulpfile "gulpfile.js" build
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Admin --no-restore --no-self-contained -r $RID
+
+###############################################
+#                  App stage                  #
+###############################################
+FROM mcr.microsoft.com/dotnet/aspnet:6.0
+ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
+ENV ASPNETCORE_ENVIRONMENT=Production
+ENV ASPNETCORE_URLS http://+:5000
+EXPOSE 5000
 
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
-        gosu \
         curl \
+        gosu \
     && rm -rf /var/lib/apt/lists/*
 
-ENV ASPNETCORE_URLS http://+:5000
+# Copy all apps from dotnet-build stage
 WORKDIR /app
-EXPOSE 5000
-COPY obj/build-output/publish .
+COPY --from=dotnet-build /app ./
+
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 

From e78369e70d4e4e711087e1d1f995f570f5aba035 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 9 Nov 2023 12:35:55 -0500
Subject: [PATCH 002/184] Change logic for testing

---
 .github/workflows/build.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fa0af7bbe3..e0b212347a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -43,6 +43,7 @@ jobs:
         run: dotnet format --verify-no-changes
 
   testing:
+    if: false
     name: Testing
     runs-on: ubuntu-22.04
     env:
@@ -195,9 +196,9 @@ jobs:
   build-docker:
     name: Build Docker images
     runs-on: ubuntu-22.04
-    needs:
-      - lint
-      - testing
+    # needs:
+    #   - lint
+    #   - testing
     strategy:
       fail-fast: false
       matrix:

From 0a016b48e382a6cb57ee3f672c7bce08d5ba8c89 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 9 Nov 2023 12:39:00 -0500
Subject: [PATCH 003/184] Change Docker context

---
 .github/workflows/build.yml | 2 +-
 src/Admin/Dockerfile        | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e0b212347a..7755566e27 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -308,7 +308,7 @@ jobs:
       - name: Build Docker image
         uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
         with:
-          context: ${{ matrix.base_path }}/${{ matrix.project_name }}
+          context: .
           file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile
           platforms: |
             linux/amd64,
diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index 11303d7a63..25b7fd104e 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -20,13 +20,13 @@ RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | b
 RUN npm install -g gulp
 
 WORKDIR /source
-COPY *.csproj .
-COPY ../../Directory.Build.props .
+COPY src/Admin/*.csproj .
+COPY Directory.Build.props .
 
 # Restore Admin project dependencies and tools
 RUN . /tmp/rid.txt && dotnet restore -r $RID
 
-COPY . .
+COPY src/Admin/. .
 #COPY ../../.git/. ./.git/
 
 # Build Admin app

From f7507b306f80d629b06558e451edaa13c900ac37 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 9 Nov 2023 12:40:55 -0500
Subject: [PATCH 004/184] Fix copy source

---
 src/Admin/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index 25b7fd104e..4cfbf03448 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -54,7 +54,7 @@ RUN apt-get update \
 WORKDIR /app
 COPY --from=dotnet-build /app ./
 
-COPY entrypoint.sh /
+COPY src/Admin/entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
 HEALTHCHECK CMD curl -f http://localhost:5000 || exit 1

From cbb339c2f33ec934b1b1c55e01fdebbdd0c3bddc Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 9 Nov 2023 12:43:21 -0500
Subject: [PATCH 005/184] Add curl to Dockerfile

---
 .github/workflows/build.yml | 2 ++
 src/Admin/Dockerfile        | 5 +++++
 2 files changed, 7 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7755566e27..503c5045c5 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -15,6 +15,7 @@ env:
 
 jobs:
   cloc:
+    if: false
     name: CLOC
     runs-on: ubuntu-22.04
     steps:
@@ -30,6 +31,7 @@ jobs:
         run: cloc --include-lang C#,SQL,Razor,"Bourne Shell",PowerShell,HTML,CSS,Sass,JavaScript,TypeScript --vcs git
 
   lint:
+    if: false
     name: Lint
     runs-on: ubuntu-22.04
     steps:
diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index 4cfbf03448..fd1f15c971 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -15,6 +15,11 @@ RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
     fi \
     && echo "RID=$RID" > /tmp/rid.txt
 
+# Add packages
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
+
 # Add packages
 RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash
 RUN npm install -g gulp

From b415414e5a2a4dfcadc433f64be1b19d198dd542 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 9 Nov 2023 12:47:48 -0500
Subject: [PATCH 006/184] NVM not picked up by bash

---
 src/Admin/Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index fd1f15c971..2efb3d4742 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -22,6 +22,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 
 # Add packages
 RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash
+RUN . ~/.bash_profile
 RUN npm install -g gulp
 
 WORKDIR /source

From 9bd152dc5df3473ba8a77661f5e0d4979bd369e9 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 9 Nov 2023 12:51:16 -0500
Subject: [PATCH 007/184] Try .bash_rc

---
 src/Admin/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index 2efb3d4742..5b9b66defe 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -22,7 +22,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 
 # Add packages
 RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash
-RUN . ~/.bash_profile
+RUN . ~/.bash_rc
 RUN npm install -g gulp
 
 WORKDIR /source

From 92179aca6bec24d71a6b5eb40a5a7a48955dda1a Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 9 Nov 2023 12:56:19 -0500
Subject: [PATCH 008/184] Fix nvm

---
 src/Admin/Dockerfile | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index 5b9b66defe..d333589b52 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -3,6 +3,7 @@ FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/aspnet:6.0 AS dotnet-bui
 # Docker buildx supplies the value for this arg
 ARG TARGETPLATFORM
 ENV NODE_VERSION=16
+ENV NVM_DIR /usr/local/nvm
 
 # Determine proper runtime value for .NET
 # We put the value in a file to be read by later layers.
@@ -21,8 +22,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 
 # Add packages
-RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash
-RUN . ~/.bash_rc
+RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash \
+    && . $NVM_DIR/nvm.sh \
+    && nvm install $NODE_VERSION \
+    && nvm alias default $NODE_VERSION \
+    && nvm use default
 RUN npm install -g gulp
 
 WORKDIR /source

From 9582503dbc38e5e4cfc0674237625ea5b4c6aaee Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 9 Nov 2023 12:59:39 -0500
Subject: [PATCH 009/184] Fix nvm

---
 src/Admin/Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index d333589b52..ed90325e1a 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -22,6 +22,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 
 # Add packages
+RUN mkdir -p $NVM_DIR
 RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash \
     && . $NVM_DIR/nvm.sh \
     && nvm install $NODE_VERSION \

From 2d66c3bbc63619f85d7eb5dca47a392dd6bd8e9e Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 9 Nov 2023 13:03:48 -0500
Subject: [PATCH 010/184] Fix nvm

---
 src/Admin/Dockerfile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index ed90325e1a..fcd47f2326 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -2,7 +2,7 @@ FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/aspnet:6.0 AS dotnet-bui
 
 # Docker buildx supplies the value for this arg
 ARG TARGETPLATFORM
-ENV NODE_VERSION=16
+ENV NODE_VERSION=16.20.2
 ENV NVM_DIR /usr/local/nvm
 
 # Determine proper runtime value for .NET
@@ -28,6 +28,9 @@ RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | b
     && nvm install $NODE_VERSION \
     && nvm alias default $NODE_VERSION \
     && nvm use default
+ENV NODE_PATH $NVM_DIR/versions/node/v$NODE_VERSION/lib/node_modules
+ENV PATH      $NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH
+
 RUN npm install -g gulp
 
 WORKDIR /source

From e55a205e29c14379751e4e12caa3aff3125a068f Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 9 Nov 2023 13:08:21 -0500
Subject: [PATCH 011/184] Change build image to SDK

---
 src/Admin/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index fcd47f2326..6e994d8702 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/aspnet:6.0 AS dotnet-build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0 AS dotnet-build
 
 # Docker buildx supplies the value for this arg
 ARG TARGETPLATFORM

From e5765289012147c3a7cf875d21c41ae7d31e98df Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 9 Nov 2023 13:32:03 -0500
Subject: [PATCH 012/184] Change logic for building

---
 .github/workflows/build.yml |  38 ++++++++-
 build.Dockerfile            | 151 ++++++++++++++++++++++++++++++++++++
 src/Admin/Dockerfile        |  63 +++------------
 3 files changed, 196 insertions(+), 56 deletions(-)
 create mode 100644 build.Dockerfile

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 503c5045c5..4343afd31d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -195,12 +195,41 @@ jobs:
           path: ${{ matrix.base_path }}/${{ matrix.project_name }}/${{ matrix.project_name }}.zip
           if-no-files-found: error
 
-  build-docker:
-    name: Build Docker images
+  build:
+    name: Build artifacts
     runs-on: ubuntu-22.04
     # needs:
     #   - lint
     #   - testing
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Set up QEMU emulators
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+      
+      - name: Build Docker image
+        uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
+        with:
+          context: .
+          file: build.Dockerfile
+          platforms: |
+            linux/amd64,
+            linux/arm/v7,
+            linux/arm64/v8
+          push: false
+          tags: bitwarden-build
+          # secrets: |
+          #   "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
+
+  build-docker:
+    name: Build Docker images
+    runs-on: ubuntu-22.04
+    needs:
+      - build
     strategy:
       fail-fast: false
       matrix:
@@ -254,6 +283,11 @@ jobs:
             echo "is_publish_branch=false" >> $GITHUB_ENV
           fi
 
+      - name: Docker Test Step
+        run: |
+          docker image ls
+          exit 1
+
       ########## Set up Docker ##########
       - name: Set up QEMU emulators
         uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
diff --git a/build.Dockerfile b/build.Dockerfile
new file mode 100644
index 0000000000..a04449c372
--- /dev/null
+++ b/build.Dockerfile
@@ -0,0 +1,151 @@
+###############################################
+#                 Build stage                 #
+###############################################
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0
+
+# Docker buildx supplies the value for this arg
+ARG TARGETPLATFORM
+ENV NODE_VERSION=16.20.2
+ENV NVM_DIR /usr/local/nvm
+
+# Determine proper runtime value for .NET
+# We put the value in a file to be read by later layers.
+RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
+      RID=linux-x64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
+      RID=linux-arm64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
+      RID=linux-arm ; \
+    fi \
+    && echo "RID=$RID" > /tmp/rid.txt
+
+# Add packages
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
+
+# Set up Node
+RUN mkdir -p $NVM_DIR
+RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash \
+    && . $NVM_DIR/nvm.sh \
+    && nvm install $NODE_VERSION \
+    && nvm alias default $NODE_VERSION \
+    && nvm use default
+ENV NODE_PATH $NVM_DIR/versions/node/v$NODE_VERSION/lib/node_modules
+ENV PATH      $NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH
+
+# Install gulp
+RUN npm install -g gulp
+
+# Copy csproj files as distinct layers
+WORKDIR /source
+COPY src/Admin/*.csproj ./src/Admin/
+COPY src/Api/*.csproj ./src/Api/
+COPY src/Events/*.csproj ./src/Events/
+COPY src/Icons/*.csproj ./src/Icons/
+COPY src/Identity/*.csproj ./src/Identity/
+COPY src/Notifications/*.csproj ./src/Notifications/
+COPY bitwarden_license/src/Sso/*.csproj ./bitwarden_license/src/Sso/
+COPY bitwarden_license/src/Scim/*.csproj ./bitwarden_license/src/Scim/
+COPY src/Core/*.csproj ./src/Core/
+COPY src/Infrastructure.Dapper/*.csproj ./src/Infrastructure.Dapper/
+COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFramework/
+COPY src/SharedWeb/*.csproj ./src/SharedWeb/
+COPY util/Migrator/*.csproj ./util/Migrator/
+COPY util/MySqlMigrations/*.csproj ./util/MySqlMigrations/
+COPY util/PostgresMigrations/*.csproj ./util/PostgresMigrations/
+COPY util/SqliteMigrations/*.csproj ./util/SqliteMigrations/
+COPY bitwarden_license/src/Commercial.Core/*.csproj ./bitwarden_license/src/Commercial.Core/
+COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/*.csproj ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
+COPY Directory.Build.props .
+
+# Restore Admin project dependencies and tools
+WORKDIR /source/src/Admin
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Restore Api project dependencies and tools
+WORKDIR /source/src/Api
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Restore Events project dependencies and tools
+WORKDIR /source/src/Events
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Restore Icons project dependencies and tools
+WORKDIR /source/src/Icons
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Restore Identity project dependencies and tools
+WORKDIR /source/src/Identity
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Restore Notifications project dependencies and tools
+WORKDIR /source/src/Notifications
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Restore Sso project dependencies and tools
+WORKDIR /source/bitwarden_license/src/Sso
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Restore Scim project dependencies and tools
+WORKDIR /source/bitwarden_license/src/Scim
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Copy required project files
+WORKDIR /source
+COPY src/Admin/. ./src/Admin/
+COPY src/Api/. ./src/Api/
+COPY src/Events/. ./src/Events/
+COPY src/Icons/. ./src/Icons/
+COPY src/Identity/. ./src/Identity/
+COPY src/Notifications/. ./src/Notifications/
+COPY bitwarden_license/src/Sso/. ./bitwarden_license/src/Sso/
+COPY bitwarden_license/src/Scim/. ./bitwarden_license/src/Scim/
+COPY src/Core/. ./src/Core/
+COPY src/Infrastructure.Dapper/. ./src/Infrastructure.Dapper/
+COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
+COPY src/SharedWeb/. ./src/SharedWeb/
+COPY util/Migrator/. ./util/Migrator/
+COPY util/MySqlMigrations/. ./util/MySqlMigrations/
+COPY util/PostgresMigrations/. ./util/PostgresMigrations/
+COPY util/SqliteMigrations/. ./util/SqliteMigrations/
+COPY util/EfShared/. ./util/EfShared/
+COPY bitwarden_license/src/Commercial.Core/. ./bitwarden_license/src/Commercial.Core/
+COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/. ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
+COPY .git/. ./.git/
+
+# Build Admin app
+WORKDIR /source/src/Admin
+RUN npm install
+RUN gulp --gulpfile "gulpfile.js" build
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Admin --no-restore --no-self-contained -r $RID
+
+# Build Api app
+WORKDIR /source/src/Api
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Api --no-restore --no-self-contained -r $RID
+
+# Build Events app
+WORKDIR /source/src/Events
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Events --no-restore --no-self-contained -r $RID
+
+# Build Icons app
+WORKDIR /source/src/Icons
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Icons --no-restore --no-self-contained -r $RID
+
+# Build Identity app
+WORKDIR /source/src/Identity
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Identity --no-restore --no-self-contained -r $RID
+
+# Build Notifications app
+WORKDIR /source/src/Notifications
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Notifications --no-restore --no-self-contained -r $RID
+
+# Build Sso app
+WORKDIR /source/bitwarden_license/src/Sso
+RUN npm install
+RUN gulp --gulpfile "gulpfile.js" build
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Sso --no-restore --no-self-contained -r $RID
+
+# Build Scim app
+WORKDIR /source/bitwarden_license/src/Scim
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Scim --no-restore --no-self-contained -r $RID
diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index 6e994d8702..f6c1a50439 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -1,57 +1,13 @@
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0 AS dotnet-build
-
-# Docker buildx supplies the value for this arg
-ARG TARGETPLATFORM
-ENV NODE_VERSION=16.20.2
-ENV NVM_DIR /usr/local/nvm
-
-# Determine proper runtime value for .NET
-# We put the value in a file to be read by later layers.
-RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
-      RID=linux-x64 ; \
-    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
-      RID=linux-arm64 ; \
-    elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
-      RID=linux-arm ; \
-    fi \
-    && echo "RID=$RID" > /tmp/rid.txt
-
-# Add packages
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    curl \
-    && rm -rf /var/lib/apt/lists/*
-
-# Add packages
-RUN mkdir -p $NVM_DIR
-RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash \
-    && . $NVM_DIR/nvm.sh \
-    && nvm install $NODE_VERSION \
-    && nvm alias default $NODE_VERSION \
-    && nvm use default
-ENV NODE_PATH $NVM_DIR/versions/node/v$NODE_VERSION/lib/node_modules
-ENV PATH      $NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH
-
-RUN npm install -g gulp
-
-WORKDIR /source
-COPY src/Admin/*.csproj .
-COPY Directory.Build.props .
-
-# Restore Admin project dependencies and tools
-RUN . /tmp/rid.txt && dotnet restore -r $RID
-
-COPY src/Admin/. .
-#COPY ../../.git/. ./.git/
-
-# Build Admin app
-RUN npm install
-RUN gulp --gulpfile "gulpfile.js" build
-RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Admin --no-restore --no-self-contained -r $RID
+###############################################
+#                 Build stage                 #
+###############################################
+FROM --platform=$BUILDPLATFORM bitwarden-build AS bitwarden-build
 
 ###############################################
 #                  App stage                  #
 ###############################################
 FROM mcr.microsoft.com/dotnet/aspnet:6.0
+
 ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
 ENV ASPNETCORE_ENVIRONMENT=Production
@@ -60,15 +16,14 @@ EXPOSE 5000
 
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
-        curl \
         gosu \
+        curl \
     && rm -rf /var/lib/apt/lists/*
 
-# Copy all apps from dotnet-build stage
+# Copy all apps from the build stage
 WORKDIR /app
-COPY --from=dotnet-build /app ./
-
-COPY src/Admin/entrypoint.sh /
+COPY --from=bitwarden-build /app/Admin ./
+COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
 HEALTHCHECK CMD curl -f http://localhost:5000 || exit 1

From 93a9f4c9d7e1ff8a27f666af16e6b7f503c5bf47 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 9 Nov 2023 13:39:30 -0500
Subject: [PATCH 013/184] Try again for Docker build

---
 .github/workflows/build.yml | 9 +++++----
 src/Admin/Dockerfile        | 2 +-
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4343afd31d..c90f9279eb 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -212,16 +212,17 @@ jobs:
         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
       
       - name: Build Docker image
-        uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
         with:
           context: .
           file: build.Dockerfile
+          load: true
           platforms: |
             linux/amd64,
             linux/arm/v7,
             linux/arm64/v8
-          push: false
-          tags: bitwarden-build
+          # push: false
+          tags: bitwarden-build:latest
           # secrets: |
           #   "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
 
@@ -342,7 +343,7 @@ jobs:
         run: echo "name=${_AZ_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT
 
       - name: Build Docker image
-        uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
         with:
           context: .
           file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile
diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index f6c1a50439..5b35da5870 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -1,7 +1,7 @@
 ###############################################
 #                 Build stage                 #
 ###############################################
-FROM --platform=$BUILDPLATFORM bitwarden-build AS bitwarden-build
+FROM --platform=$BUILDPLATFORM bitwarden-build:latest AS bitwarden-build
 
 ###############################################
 #                  App stage                  #

From 8abe00db65a2e3e0352c25969c773943a761dd97 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 9 Nov 2023 13:46:40 -0500
Subject: [PATCH 014/184] Fix logic

---
 .github/workflows/build.yml | 41 ++++++++++++++++++++++++++++---------
 1 file changed, 31 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c90f9279eb..0cd8f4f238 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -210,21 +210,41 @@ jobs:
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+      ########## ACRs ##########
+      - name: Login to Azure - PROD Subscription
+        uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
+        with:
+          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+
+      - name: Login to PROD ACR
+        run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}
+
+      - name: Login to Azure - CI Subscription
+        uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
+        with:
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
+      - name: Retrieve github PAT secrets
+        id: retrieve-secret-pat
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: "bitwarden-ci"
+          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
       
       - name: Build Docker image
         uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
         with:
           context: .
           file: build.Dockerfile
-          load: true
           platforms: |
             linux/amd64,
             linux/arm/v7,
             linux/arm64/v8
-          # push: false
-          tags: bitwarden-build:latest
-          # secrets: |
-          #   "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
+          push: false
+          tags: ${{ env._AZ_REGISTRY }}/build:latest
+          secrets: |
+            "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
 
   build-docker:
     name: Build Docker images
@@ -284,11 +304,6 @@ jobs:
             echo "is_publish_branch=false" >> $GITHUB_ENV
           fi
 
-      - name: Docker Test Step
-        run: |
-          docker image ls
-          exit 1
-
       ########## Set up Docker ##########
       - name: Set up QEMU emulators
         uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
@@ -318,6 +333,12 @@ jobs:
           secrets: "github-pat-bitwarden-devops-bot-repo-scope"
 
       ########## Generate image tag and build Docker image ##########
+      - name: Docker Test Step
+        run: |
+          docker image pull $_AZ_REGISTRY/build:latest
+          docker image ls
+          exit 1
+
       - name: Generate Docker image tag
         id: tag
         run: |

From cd8c16f4a2758b18b72da86f567ad13d8b48cf22 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 9 Nov 2023 13:53:55 -0500
Subject: [PATCH 015/184] Actually use push flag

---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0cd8f4f238..02f5c7cfe6 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -241,7 +241,7 @@ jobs:
             linux/amd64,
             linux/arm/v7,
             linux/arm64/v8
-          push: false
+          push: true
           tags: ${{ env._AZ_REGISTRY }}/build:latest
           secrets: |
             "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"

From 8da8388678323bfd816f86bf4013ccd72ea9bbdd Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 9 Nov 2023 14:10:35 -0500
Subject: [PATCH 016/184] Full test

---
 .github/workflows/build.yml | 19 ++++++++++++-------
 src/Admin/Dockerfile        |  3 ++-
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 02f5c7cfe6..eb89786f97 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -232,6 +232,15 @@ jobs:
           keyvault: "bitwarden-ci"
           secrets: "github-pat-bitwarden-devops-bot-repo-scope"
       
+      - name: Generate image full name
+        id: image-name
+        run: |
+          IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g")  # slash safe branch name
+          if [[ "$IMAGE_TAG" == "master" ]]; then
+            IMAGE_TAG=dev
+          fi
+          echo "name=${_AZ_REGISTRY}/build:${IMAGE_TAG}" >> $GITHUB_OUTPUT
+      
       - name: Build Docker image
         uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
         with:
@@ -242,7 +251,7 @@ jobs:
             linux/arm/v7,
             linux/arm64/v8
           push: true
-          tags: ${{ env._AZ_REGISTRY }}/build:latest
+          tags: ${{ steps.image-name.outputs.name }}
           secrets: |
             "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
 
@@ -333,12 +342,6 @@ jobs:
           secrets: "github-pat-bitwarden-devops-bot-repo-scope"
 
       ########## Generate image tag and build Docker image ##########
-      - name: Docker Test Step
-        run: |
-          docker image pull $_AZ_REGISTRY/build:latest
-          docker image ls
-          exit 1
-
       - name: Generate Docker image tag
         id: tag
         run: |
@@ -366,6 +369,8 @@ jobs:
       - name: Build Docker image
         uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
         with:
+          build-args: |
+            BUILD_TAG=${{ steps.tag.outputs.image_tag }}
           context: .
           file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile
           platforms: |
diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index 5b35da5870..72be2334f3 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -1,7 +1,8 @@
 ###############################################
 #                 Build stage                 #
 ###############################################
-FROM --platform=$BUILDPLATFORM bitwarden-build:latest AS bitwarden-build
+ARG BUILD_TAG=latest
+FROM --platform=$BUILDPLATFORM bitwarden-build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #

From a7fa6c943f9c79ec523360c9539989d326d13edb Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 9 Nov 2023 14:20:48 -0500
Subject: [PATCH 017/184] Fix image name

---
 src/Admin/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index 72be2334f3..dd12d2bd7b 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM bitwarden-build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #

From 2e2ec50f1048d99ea20699df07e6122d31984919 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 9 Nov 2023 15:18:36 -0500
Subject: [PATCH 018/184] Fix build context

---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index eb89786f97..dbddba304d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -371,7 +371,7 @@ jobs:
         with:
           build-args: |
             BUILD_TAG=${{ steps.tag.outputs.image_tag }}
-          context: .
+          context: ${{ matrix.base_path }}/${{ matrix.project_name }}
           file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile
           platforms: |
             linux/amd64,

From 0f2ebde2c5d6b96a621e068d24ab817c304660d4 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 9 Nov 2023 17:07:47 -0500
Subject: [PATCH 019/184] Test all projects

---
 .github/workflows/build.yml           | 60 +++++++++++++--------------
 bitwarden_license/src/Scim/Dockerfile | 18 ++++++--
 bitwarden_license/src/Sso/Dockerfile  | 18 ++++++--
 build.Dockerfile                      | 40 ++++++++++++++++++
 src/Admin/Dockerfile                  |  2 +-
 src/Api/Dockerfile                    | 18 ++++++--
 src/Billing/Dockerfile                | 19 +++++++--
 src/Events/Dockerfile                 | 18 ++++++--
 src/EventsProcessor/Dockerfile        | 20 +++++++--
 src/Icons/Dockerfile                  | 18 ++++++--
 src/Identity/Dockerfile               | 18 ++++++--
 src/Notifications/Dockerfile          | 18 ++++++--
 util/Attachments/Dockerfile           | 20 +++++++--
 util/Nginx/Dockerfile                 |  3 +-
 util/Server/Dockerfile                | 13 +++++-
 util/Setup/Dockerfile                 | 13 +++++-
 16 files changed, 250 insertions(+), 66 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index dbddba304d..146be04514 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -266,36 +266,36 @@ jobs:
         include:
           - project_name: Admin
             base_path: ./src
-          # - project_name: Api
-          #   base_path: ./src
-          # - project_name: Attachments
-          #   base_path: ./util
-          # - project_name: Billing
-          #   base_path: ./src
-          # - project_name: Events
-          #   base_path: ./src
-          # - project_name: EventsProcessor
-          #   base_path: ./src
-          # - project_name: Icons
-          #   base_path: ./src
-          # - project_name: Identity
-          #   base_path: ./src
-          # - project_name: MsSql
-          #   base_path: ./util
-          # - project_name: MsSqlMigratorUtility
-          #   base_path: ./util
-          # - project_name: Nginx
-          #   base_path: ./util
-          # - project_name: Notifications
-          #   base_path: ./src
-          # - project_name: Scim
-          #   base_path: ./bitwarden_license/src
-          # - project_name: Server
-          #   base_path: ./util
-          # - project_name: Setup
-          #   base_path: ./util
-          # - project_name: Sso
-          #   base_path: ./bitwarden_license/src
+          - project_name: Api
+            base_path: ./src
+          - project_name: Attachments
+            base_path: ./util
+          - project_name: Billing
+            base_path: ./src
+          - project_name: Events
+            base_path: ./src
+          - project_name: EventsProcessor
+            base_path: ./src
+          - project_name: Icons
+            base_path: ./src
+          - project_name: Identity
+            base_path: ./src
+          - project_name: MsSql
+            base_path: ./util
+          - project_name: MsSqlMigratorUtility
+            base_path: ./util
+          - project_name: Nginx
+            base_path: ./util
+          - project_name: Notifications
+            base_path: ./src
+          - project_name: Scim
+            base_path: ./bitwarden_license/src
+          - project_name: Server
+            base_path: ./util
+          - project_name: Setup
+            base_path: ./util
+          - project_name: Sso
+            base_path: ./bitwarden_license/src
     steps:
       - name: Checkout repo
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
diff --git a/bitwarden_license/src/Scim/Dockerfile b/bitwarden_license/src/Scim/Dockerfile
index f63cb82ce3..e96e000666 100644
--- a/bitwarden_license/src/Scim/Dockerfile
+++ b/bitwarden_license/src/Scim/Dockerfile
@@ -1,6 +1,19 @@
+###############################################
+#                 Build stage                 #
+###############################################
+ARG BUILD_TAG=latest
+FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
+
+###############################################
+#                  App stage                  #
+###############################################
 FROM mcr.microsoft.com/dotnet/aspnet:6.0
 
+ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
+ENV ASPNETCORE_ENVIRONMENT=Production
+ENV ASPNETCORE_URLS http://+:5000
+EXPOSE 5000
 
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
@@ -8,10 +21,9 @@ RUN apt-get update \
         curl \
     && rm -rf /var/lib/apt/lists/*
 
-ENV ASPNETCORE_URLS http://+:5000
+# Copy app from the build stage
 WORKDIR /app
-EXPOSE 5000
-COPY obj/build-output/publish .
+COPY --from=bitwarden-build /app/Scim ./
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
diff --git a/bitwarden_license/src/Sso/Dockerfile b/bitwarden_license/src/Sso/Dockerfile
index f63cb82ce3..e3927e2f12 100644
--- a/bitwarden_license/src/Sso/Dockerfile
+++ b/bitwarden_license/src/Sso/Dockerfile
@@ -1,6 +1,19 @@
+###############################################
+#                 Build stage                 #
+###############################################
+ARG BUILD_TAG=latest
+FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
+
+###############################################
+#                  App stage                  #
+###############################################
 FROM mcr.microsoft.com/dotnet/aspnet:6.0
 
+ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
+ENV ASPNETCORE_ENVIRONMENT=Production
+ENV ASPNETCORE_URLS http://+:5000
+EXPOSE 5000
 
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
@@ -8,10 +21,9 @@ RUN apt-get update \
         curl \
     && rm -rf /var/lib/apt/lists/*
 
-ENV ASPNETCORE_URLS http://+:5000
+# Copy app from the build stage
 WORKDIR /app
-EXPOSE 5000
-COPY obj/build-output/publish .
+COPY --from=bitwarden-build /app/Sso ./
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
diff --git a/build.Dockerfile b/build.Dockerfile
index a04449c372..2984e5a622 100644
--- a/build.Dockerfile
+++ b/build.Dockerfile
@@ -41,7 +41,9 @@ RUN npm install -g gulp
 WORKDIR /source
 COPY src/Admin/*.csproj ./src/Admin/
 COPY src/Api/*.csproj ./src/Api/
+COPY src/Billing/*.csproj ./src/Billing/
 COPY src/Events/*.csproj ./src/Events/
+COPY src/EventsProcessor/*.csproj ./src/EventsProcessor/
 COPY src/Icons/*.csproj ./src/Icons/
 COPY src/Identity/*.csproj ./src/Identity/
 COPY src/Notifications/*.csproj ./src/Notifications/
@@ -54,6 +56,8 @@ COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY util/Migrator/*.csproj ./util/Migrator/
 COPY util/MySqlMigrations/*.csproj ./util/MySqlMigrations/
 COPY util/PostgresMigrations/*.csproj ./util/PostgresMigrations/
+COPY util/Server/*.csproj ./util/Server/
+COPY util/Setup/*.csproj ./util/Setup/
 COPY util/SqliteMigrations/*.csproj ./util/SqliteMigrations/
 COPY bitwarden_license/src/Commercial.Core/*.csproj ./bitwarden_license/src/Commercial.Core/
 COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/*.csproj ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
@@ -67,10 +71,18 @@ RUN . /tmp/rid.txt && dotnet restore -r $RID
 WORKDIR /source/src/Api
 RUN . /tmp/rid.txt && dotnet restore -r $RID
 
+# Restore Billing project dependencies and tools
+WORKDIR /source/src/Billing
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
 # Restore Events project dependencies and tools
 WORKDIR /source/src/Events
 RUN . /tmp/rid.txt && dotnet restore -r $RID
 
+# Restore Events project dependencies and tools
+WORKDIR /source/src/EventsProcessor
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
 # Restore Icons project dependencies and tools
 WORKDIR /source/src/Icons
 RUN . /tmp/rid.txt && dotnet restore -r $RID
@@ -91,11 +103,21 @@ RUN . /tmp/rid.txt && dotnet restore -r $RID
 WORKDIR /source/bitwarden_license/src/Scim
 RUN . /tmp/rid.txt && dotnet restore -r $RID
 
+# Restore Server project dependencies and tools
+WORKDIR /source/util/Server
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Restore Setup project dependencies and tools
+WORKDIR /source/util/Setup
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
 # Copy required project files
 WORKDIR /source
 COPY src/Admin/. ./src/Admin/
 COPY src/Api/. ./src/Api/
+COPY src/Billing/. ./src/Billing/
 COPY src/Events/. ./src/Events/
+COPY src/EventsProcessor/. ./src/EventsProcessor/
 COPY src/Icons/. ./src/Icons/
 COPY src/Identity/. ./src/Identity/
 COPY src/Notifications/. ./src/Notifications/
@@ -108,6 +130,8 @@ COPY src/SharedWeb/. ./src/SharedWeb/
 COPY util/Migrator/. ./util/Migrator/
 COPY util/MySqlMigrations/. ./util/MySqlMigrations/
 COPY util/PostgresMigrations/. ./util/PostgresMigrations/
+COPY util/Server/. ./util/Server/
+COPY util/Setup/. ./util/Setup/
 COPY util/SqliteMigrations/. ./util/SqliteMigrations/
 COPY util/EfShared/. ./util/EfShared/
 COPY bitwarden_license/src/Commercial.Core/. ./bitwarden_license/src/Commercial.Core/
@@ -124,10 +148,18 @@ RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Admin --no-restore --no-
 WORKDIR /source/src/Api
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Api --no-restore --no-self-contained -r $RID
 
+# Build Billing app
+WORKDIR /source/src/Billing
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Billing --no-restore --no-self-contained -r $RID
+
 # Build Events app
 WORKDIR /source/src/Events
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Events --no-restore --no-self-contained -r $RID
 
+# Build EventsProcessor app
+WORKDIR /source/src/EventsProcessor
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/EventsProcessor --no-restore --no-self-contained -r $RID
+
 # Build Icons app
 WORKDIR /source/src/Icons
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Icons --no-restore --no-self-contained -r $RID
@@ -149,3 +181,11 @@ RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Sso --no-restore --no-se
 # Build Scim app
 WORKDIR /source/bitwarden_license/src/Scim
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Scim --no-restore --no-self-contained -r $RID
+
+# Build Server app
+WORKDIR /source/util/Server
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Server --no-restore --no-self-contained -r $RID
+
+# Build Setup app
+WORKDIR /source/util/Setup
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Setup --no-restore --no-self-contained -r $RID
diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index dd12d2bd7b..0d3b9578ba 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -21,7 +21,7 @@ RUN apt-get update \
         curl \
     && rm -rf /var/lib/apt/lists/*
 
-# Copy all apps from the build stage
+# Copy app from the build stage
 WORKDIR /app
 COPY --from=bitwarden-build /app/Admin ./
 COPY entrypoint.sh /
diff --git a/src/Api/Dockerfile b/src/Api/Dockerfile
index f63cb82ce3..7e5b68df7e 100644
--- a/src/Api/Dockerfile
+++ b/src/Api/Dockerfile
@@ -1,6 +1,19 @@
+###############################################
+#                 Build stage                 #
+###############################################
+ARG BUILD_TAG=latest
+FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
+
+###############################################
+#                  App stage                  #
+###############################################
 FROM mcr.microsoft.com/dotnet/aspnet:6.0
 
+ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
+ENV ASPNETCORE_ENVIRONMENT=Production
+ENV ASPNETCORE_URLS http://+:5000
+EXPOSE 5000
 
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
@@ -8,10 +21,9 @@ RUN apt-get update \
         curl \
     && rm -rf /var/lib/apt/lists/*
 
-ENV ASPNETCORE_URLS http://+:5000
+# Copy app from the build stage
 WORKDIR /app
-EXPOSE 5000
-COPY obj/build-output/publish .
+COPY --from=bitwarden-build /app/Api ./
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
diff --git a/src/Billing/Dockerfile b/src/Billing/Dockerfile
index cd00c068f7..b651ea59f2 100644
--- a/src/Billing/Dockerfile
+++ b/src/Billing/Dockerfile
@@ -1,6 +1,19 @@
+###############################################
+#                 Build stage                 #
+###############################################
+ARG BUILD_TAG=latest
+FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
+
+###############################################
+#                  App stage                  #
+###############################################
 FROM mcr.microsoft.com/dotnet/aspnet:6.0
 
+ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
+ENV ASPNETCORE_ENVIRONMENT=Production
+ENV ASPNETCORE_URLS http://+:5000
+EXPOSE 5000
 
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
@@ -8,14 +21,12 @@ RUN apt-get update \
         curl \
     && rm -rf /var/lib/apt/lists/*
 
-ENV ASPNETCORE_URLS http://+:5000
+# Copy app from the build stage
 WORKDIR /app
-EXPOSE 5000
+COPY --from=bitwarden-build /app/Billing ./
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
-COPY obj/build-output/publish .
-
 HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1
 
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/src/Events/Dockerfile b/src/Events/Dockerfile
index f63cb82ce3..52f4f80390 100644
--- a/src/Events/Dockerfile
+++ b/src/Events/Dockerfile
@@ -1,6 +1,19 @@
+###############################################
+#                 Build stage                 #
+###############################################
+ARG BUILD_TAG=latest
+FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
+
+###############################################
+#                  App stage                  #
+###############################################
 FROM mcr.microsoft.com/dotnet/aspnet:6.0
 
+ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
+ENV ASPNETCORE_ENVIRONMENT=Production
+ENV ASPNETCORE_URLS http://+:5000
+EXPOSE 5000
 
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
@@ -8,10 +21,9 @@ RUN apt-get update \
         curl \
     && rm -rf /var/lib/apt/lists/*
 
-ENV ASPNETCORE_URLS http://+:5000
+# Copy app from the build stage
 WORKDIR /app
-EXPOSE 5000
-COPY obj/build-output/publish .
+COPY --from=bitwarden-build /app/Admin ./
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
diff --git a/src/EventsProcessor/Dockerfile b/src/EventsProcessor/Dockerfile
index 3d505d28ef..15388a9ea9 100644
--- a/src/EventsProcessor/Dockerfile
+++ b/src/EventsProcessor/Dockerfile
@@ -1,6 +1,19 @@
+###############################################
+#                 Build stage                 #
+###############################################
+ARG BUILD_TAG=latest
+FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
+
+###############################################
+#                  App stage                  #
+###############################################
 FROM mcr.microsoft.com/dotnet/aspnet:6.0
 
+ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
+ENV ASPNETCORE_ENVIRONMENT=Production
+ENV ASPNETCORE_URLS http://+:5000
+EXPOSE 5000
 
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
@@ -8,13 +21,12 @@ RUN apt-get update \
         curl \
     && rm -rf /var/lib/apt/lists/*
 
-ENV ASPNETCORE_URLS http://+:5000
+# Copy app from the build stage
 WORKDIR /app
-EXPOSE 5000
-COPY obj/build-output/publish .
+COPY --from=bitwarden-build /app/EventsProcessor ./
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
 HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1
 
-CMD ["./../entrypoint.sh"]
+CMD ["/entrypoint.sh"]
diff --git a/src/Icons/Dockerfile b/src/Icons/Dockerfile
index 42514c613e..3cf662b55a 100644
--- a/src/Icons/Dockerfile
+++ b/src/Icons/Dockerfile
@@ -1,6 +1,19 @@
+###############################################
+#                 Build stage                 #
+###############################################
+ARG BUILD_TAG=latest
+FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
+
+###############################################
+#                  App stage                  #
+###############################################
 FROM mcr.microsoft.com/dotnet/aspnet:6.0
 
+ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
+ENV ASPNETCORE_ENVIRONMENT=Production
+ENV ASPNETCORE_URLS http://+:5000
+EXPOSE 5000
 
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
@@ -8,10 +21,9 @@ RUN apt-get update \
         curl \
     && rm -rf /var/lib/apt/lists/*
 
-ENV ASPNETCORE_URLS http://+:5000
+# Copy app from the build stage
 WORKDIR /app
-EXPOSE 5000
-COPY obj/build-output/publish .
+COPY --from=bitwarden-build /app/Icons ./
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
diff --git a/src/Identity/Dockerfile b/src/Identity/Dockerfile
index 6d1adfd484..83c822d2b2 100644
--- a/src/Identity/Dockerfile
+++ b/src/Identity/Dockerfile
@@ -1,6 +1,19 @@
+###############################################
+#                 Build stage                 #
+###############################################
+ARG BUILD_TAG=latest
+FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
+
+###############################################
+#                  App stage                  #
+###############################################
 FROM mcr.microsoft.com/dotnet/aspnet:6.0
 
+ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
+ENV ASPNETCORE_ENVIRONMENT=Production
+ENV ASPNETCORE_URLS http://+:5000
+EXPOSE 5000
 
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
@@ -8,10 +21,9 @@ RUN apt-get update \
         curl \
     && rm -rf /var/lib/apt/lists/*
 
-ENV ASPNETCORE_URLS http://+:5000
+# Copy app from the build stage
 WORKDIR /app
-EXPOSE 5000
-COPY obj/build-output/publish .
+COPY --from=bitwarden-build /app/Identity ./
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
diff --git a/src/Notifications/Dockerfile b/src/Notifications/Dockerfile
index f63cb82ce3..633bc23802 100644
--- a/src/Notifications/Dockerfile
+++ b/src/Notifications/Dockerfile
@@ -1,6 +1,19 @@
+###############################################
+#                 Build stage                 #
+###############################################
+ARG BUILD_TAG=latest
+FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
+
+###############################################
+#                  App stage                  #
+###############################################
 FROM mcr.microsoft.com/dotnet/aspnet:6.0
 
+ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
+ENV ASPNETCORE_ENVIRONMENT=Production
+ENV ASPNETCORE_URLS http://+:5000
+EXPOSE 5000
 
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
@@ -8,10 +21,9 @@ RUN apt-get update \
         curl \
     && rm -rf /var/lib/apt/lists/*
 
-ENV ASPNETCORE_URLS http://+:5000
+# Copy app from the build stage
 WORKDIR /app
-EXPOSE 5000
-COPY obj/build-output/publish .
+COPY --from=bitwarden-build /app/Notifications ./
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
diff --git a/util/Attachments/Dockerfile b/util/Attachments/Dockerfile
index 2d99aa5911..4c620e994b 100644
--- a/util/Attachments/Dockerfile
+++ b/util/Attachments/Dockerfile
@@ -1,6 +1,19 @@
-FROM bitwarden/server:latest
+###############################################
+#                 Build stage                 #
+###############################################
+ARG BUILD_TAG=latest
+FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
 
+###############################################
+#                  App stage                  #
+###############################################
+FROM mcr.microsoft.com/dotnet/aspnet:6.0
+
+ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
+ENV ASPNETCORE_ENVIRONMENT=Production
+ENV ASPNETCORE_URLS http://+:5000
+EXPOSE 5000
 
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
@@ -8,8 +21,9 @@ RUN apt-get update \
         curl \
     && rm -rf /var/lib/apt/lists/*
 
-ENV ASPNETCORE_URLS http://+:5000
-EXPOSE 5000
+# Copy app from the build stage
+WORKDIR /bitwarden_server
+COPY --from=bitwarden-build /app/Server ./
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
diff --git a/util/Nginx/Dockerfile b/util/Nginx/Dockerfile
index e868e9b81f..973b616efb 100644
--- a/util/Nginx/Dockerfile
+++ b/util/Nginx/Dockerfile
@@ -1,5 +1,6 @@
-FROM nginx:stable
+FROM --platform=$BUILDPLATFORM nginx:stable
 
+ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
 
 RUN apt-get update \
diff --git a/util/Server/Dockerfile b/util/Server/Dockerfile
index e26c9b42dc..b052a82ff0 100644
--- a/util/Server/Dockerfile
+++ b/util/Server/Dockerfile
@@ -1,5 +1,16 @@
+###############################################
+#                 Build stage                 #
+###############################################
+ARG BUILD_TAG=latest
+FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
+
+###############################################
+#                  App stage                  #
+###############################################
 FROM mcr.microsoft.com/dotnet/aspnet:6.0
 
 LABEL com.bitwarden.product="bitwarden"
 
-COPY obj/build-output/publish /bitwarden_server
+# Copy app from the build stage
+WORKDIR /bitwarden_server
+COPY --from=bitwarden-build /app/Server ./
\ No newline at end of file
diff --git a/util/Setup/Dockerfile b/util/Setup/Dockerfile
index 6aee1ca315..99182f6d6a 100644
--- a/util/Setup/Dockerfile
+++ b/util/Setup/Dockerfile
@@ -1,5 +1,15 @@
+###############################################
+#                 Build stage                 #
+###############################################
+ARG BUILD_TAG=latest
+FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
+
+###############################################
+#                  App stage                  #
+###############################################
 FROM mcr.microsoft.com/dotnet/aspnet:6.0
 
+ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden" com.bitwarden.project="setup"
 
 RUN apt-get update \
@@ -8,8 +18,9 @@ RUN apt-get update \
         gosu \
 && rm -rf /var/lib/apt/lists/*
 
+# Copy app from the build stage
 WORKDIR /app
-COPY obj/build-output/publish .
+COPY --from=bitwarden-build /app/Setup ./
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 

From 414272b6861d4cc861f5f51e92c661acb69d5ea9 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 9 Nov 2023 18:16:36 -0500
Subject: [PATCH 020/184] Update platform strings

---
 .github/workflows/build.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 146be04514..e8547b8244 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -196,7 +196,7 @@ jobs:
           if-no-files-found: error
 
   build:
-    name: Build artifacts
+    name: Build projects
     runs-on: ubuntu-22.04
     # needs:
     #   - lint
@@ -249,7 +249,7 @@ jobs:
           platforms: |
             linux/amd64,
             linux/arm/v7,
-            linux/arm64/v8
+            linux/arm64
           push: true
           tags: ${{ steps.image-name.outputs.name }}
           secrets: |
@@ -376,7 +376,7 @@ jobs:
           platforms: |
             linux/amd64,
             linux/arm/v7,
-            linux/arm64/v8
+            linux/arm64
           push: true
           tags: ${{ steps.image-name.outputs.name }}
           secrets: |

From e7925f63e41e006cd13bd0ac474953a7cc2b5cde Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 9 Nov 2023 18:23:07 -0500
Subject: [PATCH 021/184] Fix MsSqlMigratorUtility project

---
 build.Dockerfile                     |  2 ++
 util/MsSqlMigratorUtility/Dockerfile | 17 ++++++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/build.Dockerfile b/build.Dockerfile
index 2984e5a622..849531b83c 100644
--- a/build.Dockerfile
+++ b/build.Dockerfile
@@ -189,3 +189,5 @@ RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Server --no-restore --no
 # Build Setup app
 WORKDIR /source/util/Setup
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Setup --no-restore --no-self-contained -r $RID
+
+WORKDIR /app
diff --git a/util/MsSqlMigratorUtility/Dockerfile b/util/MsSqlMigratorUtility/Dockerfile
index 1a33ff12d2..11fab9a198 100644
--- a/util/MsSqlMigratorUtility/Dockerfile
+++ b/util/MsSqlMigratorUtility/Dockerfile
@@ -2,7 +2,22 @@ FROM mcr.microsoft.com/dotnet/aspnet:6.0
 
 LABEL com.bitwarden.product="bitwarden"
 
+# Copy csproj files as distinct layers
+WORKDIR /source
+COPY util/MsSqlMigratorUtility/*.csproj ./util/MsSqlMigratorUtility/
+
+# Restore MsSqlMigratorUtility project dependencies and tools
+WORKDIR /source/util/MsSqlMigratorUtility
+RUN dotnet restore
+
+# Copy required project files
+WORKDIR /source
+COPY util/MsSqlMigratorUtility/. ./util/MsSqlMigratorUtility/
+
+# Build Setup app
+WORKDIR /source/util/MsSqlMigratorUtility
+RUN dotnet publish -c release -o /app/MsSqlMigratorUtility --no-restore --no-self-contained
+
 WORKDIR /app
-COPY obj/build-output/publish .
 
 ENTRYPOINT ["sh", "-c", "dotnet /app/MsSqlMigratorUtility.dll \"${MSSQL_CONN_STRING}\" -v ${@}", "--" ]

From 7e083e1173529cb16af7a716c0c9070a2b0d502d Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Mon, 13 Nov 2023 13:43:22 -0500
Subject: [PATCH 022/184] Fix copy command

---
 util/MsSqlMigratorUtility/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/MsSqlMigratorUtility/Dockerfile b/util/MsSqlMigratorUtility/Dockerfile
index 11fab9a198..50aa1ba736 100644
--- a/util/MsSqlMigratorUtility/Dockerfile
+++ b/util/MsSqlMigratorUtility/Dockerfile
@@ -12,7 +12,7 @@ RUN dotnet restore
 
 # Copy required project files
 WORKDIR /source
-COPY util/MsSqlMigratorUtility/. ./util/MsSqlMigratorUtility/
+COPY . ./util/MsSqlMigratorUtility/
 
 # Build Setup app
 WORKDIR /source/util/MsSqlMigratorUtility

From 0444e9351b8c0fd0cd013c549ae8b9593434e01e Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Mon, 13 Nov 2023 16:08:10 -0500
Subject: [PATCH 023/184] Fix copy command

---
 util/MsSqlMigratorUtility/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/MsSqlMigratorUtility/Dockerfile b/util/MsSqlMigratorUtility/Dockerfile
index 50aa1ba736..561d334088 100644
--- a/util/MsSqlMigratorUtility/Dockerfile
+++ b/util/MsSqlMigratorUtility/Dockerfile
@@ -4,7 +4,7 @@ LABEL com.bitwarden.product="bitwarden"
 
 # Copy csproj files as distinct layers
 WORKDIR /source
-COPY util/MsSqlMigratorUtility/*.csproj ./util/MsSqlMigratorUtility/
+COPY *.csproj ./util/MsSqlMigratorUtility/
 
 # Restore MsSqlMigratorUtility project dependencies and tools
 WORKDIR /source/util/MsSqlMigratorUtility

From 36e8341bc452030805fb0fb7585740dfc07fc29c Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 11:46:40 -0500
Subject: [PATCH 024/184] Update MsSqlMigratorUtility Docker file

---
 util/MsSqlMigratorUtility/Dockerfile | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/util/MsSqlMigratorUtility/Dockerfile b/util/MsSqlMigratorUtility/Dockerfile
index 561d334088..133beb6fe7 100644
--- a/util/MsSqlMigratorUtility/Dockerfile
+++ b/util/MsSqlMigratorUtility/Dockerfile
@@ -1,6 +1,8 @@
-FROM mcr.microsoft.com/dotnet/aspnet:6.0
+###############################################
+#                 Build stage                 #
+###############################################
 
-LABEL com.bitwarden.product="bitwarden"
+FROM mcr.microsoft.com/dotnet/sdk:6.0 AS bitwarden-build
 
 # Copy csproj files as distinct layers
 WORKDIR /source
@@ -20,4 +22,15 @@ RUN dotnet publish -c release -o /app/MsSqlMigratorUtility --no-restore --no-sel
 
 WORKDIR /app
 
+###############################################
+#                  App stage                  #
+###############################################
+FROM mcr.microsoft.com/dotnet/aspnet:6.0
+
+LABEL com.bitwarden.product="bitwarden"
+
+# Copy app from the build stage
+WORKDIR /app
+COPY --from=bitwarden-build /app/MsSqlMigratorUtility ./
+
 ENTRYPOINT ["sh", "-c", "dotnet /app/MsSqlMigratorUtility.dll \"${MSSQL_CONN_STRING}\" -v ${@}", "--" ]

From 87c0c9742eac04c819fa3c91cdbe0efd5bc580a7 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 12:02:27 -0500
Subject: [PATCH 025/184] Add pull flag

---
 .github/workflows/build.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e8547b8244..befb3ca69f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -377,6 +377,7 @@ jobs:
             linux/amd64,
             linux/arm/v7,
             linux/arm64
+          pull: true
           push: true
           tags: ${{ steps.image-name.outputs.name }}
           secrets: |

From 9dbac7975321be9a8f82335f0b6450034b9983dc Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 12:40:01 -0500
Subject: [PATCH 026/184] Change build to not use prod ACR for temp image
 storage

---
 .github/workflows/build.yml           | 80 ++++++++++++++++-----------
 bitwarden_license/src/Scim/Dockerfile |  2 +-
 bitwarden_license/src/Sso/Dockerfile  |  2 +-
 src/Admin/Dockerfile                  |  2 +-
 src/Api/Dockerfile                    |  2 +-
 src/Billing/Dockerfile                |  2 +-
 src/Events/Dockerfile                 |  2 +-
 src/EventsProcessor/Dockerfile        |  2 +-
 src/Icons/Dockerfile                  |  2 +-
 src/Identity/Dockerfile               |  2 +-
 src/Notifications/Dockerfile          |  2 +-
 util/Attachments/Dockerfile           |  2 +-
 util/Server/Dockerfile                |  2 +-
 util/Setup/Dockerfile                 |  2 +-
 14 files changed, 62 insertions(+), 44 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index befb3ca69f..1400dd9435 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -212,34 +212,34 @@ jobs:
         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
 
       ########## ACRs ##########
-      - name: Login to Azure - PROD Subscription
-        uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
-        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+      # - name: Login to Azure - PROD Subscription
+      #   uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
+      #   with:
+      #     creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
 
-      - name: Login to PROD ACR
-        run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}
+      # - name: Login to PROD ACR
+      #   run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}
 
-      - name: Login to Azure - CI Subscription
-        uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
-        with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+      # - name: Login to Azure - CI Subscription
+      #   uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
+      #   with:
+      #     creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
-      - name: Retrieve github PAT secrets
-        id: retrieve-secret-pat
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+      # - name: Retrieve github PAT secrets
+      #   id: retrieve-secret-pat
+      #   uses: bitwarden/gh-actions/get-keyvault-secrets@main
+      #   with:
+      #     keyvault: "bitwarden-ci"
+      #     secrets: "github-pat-bitwarden-devops-bot-repo-scope"
       
-      - name: Generate image full name
-        id: image-name
-        run: |
-          IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g")  # slash safe branch name
-          if [[ "$IMAGE_TAG" == "master" ]]; then
-            IMAGE_TAG=dev
-          fi
-          echo "name=${_AZ_REGISTRY}/build:${IMAGE_TAG}" >> $GITHUB_OUTPUT
+      # - name: Generate image full name
+      #   id: image-name
+      #   run: |
+      #     IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g")  # slash safe branch name
+      #     if [[ "$IMAGE_TAG" == "master" ]]; then
+      #       IMAGE_TAG=dev
+      #     fi
+      #     echo "name=${_AZ_REGISTRY}/build:${IMAGE_TAG}" >> $GITHUB_OUTPUT
       
       - name: Build Docker image
         uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
@@ -250,10 +250,18 @@ jobs:
             linux/amd64,
             linux/arm/v7,
             linux/arm64
-          push: true
-          tags: ${{ steps.image-name.outputs.name }}
-          secrets: |
-            "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
+          # push: true
+          outputs: type=docker,dest=/tmp/build.tar
+          # tags: ${{ steps.image-name.outputs.name }}
+          tags: build:latest
+          # secrets: |
+          #   "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: build
+          path: /tmp/build.tar
 
   build-docker:
     name: Build Docker images
@@ -366,18 +374,28 @@ jobs:
           PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
         run: echo "name=${_AZ_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT
 
+      - name: Download build image artifact
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: build
+          path: /tmp
+
+      - name: Load build image
+        run: |
+          docker load --input /tmp/build.tar
+          docker image ls -a
+
       - name: Build Docker image
         uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
         with:
-          build-args: |
-            BUILD_TAG=${{ steps.tag.outputs.image_tag }}
+          # build-args: |
+          #   BUILD_TAG=${{ steps.tag.outputs.image_tag }}
           context: ${{ matrix.base_path }}/${{ matrix.project_name }}
           file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile
           platforms: |
             linux/amd64,
             linux/arm/v7,
             linux/arm64
-          pull: true
           push: true
           tags: ${{ steps.image-name.outputs.name }}
           secrets: |
diff --git a/bitwarden_license/src/Scim/Dockerfile b/bitwarden_license/src/Scim/Dockerfile
index e96e000666..0d85d8a284 100644
--- a/bitwarden_license/src/Scim/Dockerfile
+++ b/bitwarden_license/src/Scim/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #
diff --git a/bitwarden_license/src/Sso/Dockerfile b/bitwarden_license/src/Sso/Dockerfile
index e3927e2f12..0aad4442c0 100644
--- a/bitwarden_license/src/Sso/Dockerfile
+++ b/bitwarden_license/src/Sso/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #
diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index 0d3b9578ba..07830a30b4 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #
diff --git a/src/Api/Dockerfile b/src/Api/Dockerfile
index 7e5b68df7e..1a558c8e5d 100644
--- a/src/Api/Dockerfile
+++ b/src/Api/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #
diff --git a/src/Billing/Dockerfile b/src/Billing/Dockerfile
index b651ea59f2..a0d9b16367 100644
--- a/src/Billing/Dockerfile
+++ b/src/Billing/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #
diff --git a/src/Events/Dockerfile b/src/Events/Dockerfile
index 52f4f80390..b4f5bc3a03 100644
--- a/src/Events/Dockerfile
+++ b/src/Events/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #
diff --git a/src/EventsProcessor/Dockerfile b/src/EventsProcessor/Dockerfile
index 15388a9ea9..ede264a2be 100644
--- a/src/EventsProcessor/Dockerfile
+++ b/src/EventsProcessor/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #
diff --git a/src/Icons/Dockerfile b/src/Icons/Dockerfile
index 3cf662b55a..f5e578f532 100644
--- a/src/Icons/Dockerfile
+++ b/src/Icons/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #
diff --git a/src/Identity/Dockerfile b/src/Identity/Dockerfile
index 83c822d2b2..8c52c8420a 100644
--- a/src/Identity/Dockerfile
+++ b/src/Identity/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #
diff --git a/src/Notifications/Dockerfile b/src/Notifications/Dockerfile
index 633bc23802..3ca5c3ae53 100644
--- a/src/Notifications/Dockerfile
+++ b/src/Notifications/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #
diff --git a/util/Attachments/Dockerfile b/util/Attachments/Dockerfile
index 4c620e994b..5c2b48c1f6 100644
--- a/util/Attachments/Dockerfile
+++ b/util/Attachments/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #
diff --git a/util/Server/Dockerfile b/util/Server/Dockerfile
index b052a82ff0..e6380d5f00 100644
--- a/util/Server/Dockerfile
+++ b/util/Server/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #
diff --git a/util/Setup/Dockerfile b/util/Setup/Dockerfile
index 99182f6d6a..2045d52de9 100644
--- a/util/Setup/Dockerfile
+++ b/util/Setup/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM bitwardenprod.azurecr.io/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #

From 62248a90c2cfe76f5fb336bf37275b09033ae8b0 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 12:41:42 -0500
Subject: [PATCH 027/184] Change output type to oci

---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1400dd9435..fd54b415cb 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -251,7 +251,7 @@ jobs:
             linux/arm/v7,
             linux/arm64
           # push: true
-          outputs: type=docker,dest=/tmp/build.tar
+          outputs: type=oci,dest=/tmp/build.tar
           # tags: ${{ steps.image-name.outputs.name }}
           tags: build:latest
           # secrets: |

From 7601822fd4639c9d97f0a2be1260450fbebd83e2 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 13:10:14 -0500
Subject: [PATCH 028/184] Change version of upload-artifact action to v3.1.2

---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fd54b415cb..bf181d1d72 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -258,7 +258,7 @@ jobs:
           #   "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
 
       - name: Upload artifact
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: build
           path: /tmp/build.tar

From 8a606c600c65057a1f2c299ea2104e684897453f Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 13:52:20 -0500
Subject: [PATCH 029/184] Change to Azure storage account

---
 .github/workflows/build.yml | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index bf181d1d72..ebd92c220e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -220,10 +220,10 @@ jobs:
       # - name: Login to PROD ACR
       #   run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}
 
-      # - name: Login to Azure - CI Subscription
-      #   uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
-      #   with:
-      #     creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+      - name: Login to Azure - CI Subscription
+        uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
+        with:
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
       # - name: Retrieve github PAT secrets
       #   id: retrieve-secret-pat
@@ -258,10 +258,12 @@ jobs:
           #   "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
 
       - name: Upload artifact
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
-        with:
-          name: build
-          path: /tmp/build.tar
+        run: |
+          az storage blob upload \
+            --file /tmp/build.tar \
+            --container-name builds \
+            --name build \
+            --account-name dockerimagetest
 
   build-docker:
     name: Build Docker images
@@ -380,6 +382,15 @@ jobs:
           name: build
           path: /tmp
 
+      - name: Download build image artifact
+        run: |
+          az storage blob download \
+            --file /tmp/build.tar \
+            --container-name builds \
+            --name build \
+            --account-name dockerimagetest
+          ls -alh /tmp
+
       - name: Load build image
         run: |
           docker load --input /tmp/build.tar

From d1bcdf22833ab7fc18da0e4a0f21a0bdf5c97af1 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 14:07:59 -0500
Subject: [PATCH 030/184] Add storage account upload test

---
 .github/workflows/build.yml | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ebd92c220e..0d8eb20aa5 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -225,12 +225,23 @@ jobs:
         with:
           creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
-      # - name: Retrieve github PAT secrets
-      #   id: retrieve-secret-pat
-      #   uses: bitwarden/gh-actions/get-keyvault-secrets@main
-      #   with:
-      #     keyvault: "bitwarden-ci"
-      #     secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+      - name: Retrieve Storage Account secret
+        id: retrieve-secret
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: "bitwarden-ci"
+          secrets: "storage-account-dockerimagetest-conn-string"
+
+      - name: TEST - Upload artifact
+        run: |
+          echo "Test file" > /tmp/test.txt
+          az storage blob upload \
+            --file /tmp/test.txt \
+            --container-name builds \
+            --name build \
+            --connection-string ${{ steps.retrieve-secret.outputs.storage-account-dockerimagetest-conn-string}}
+
+      
       
       # - name: Generate image full name
       #   id: image-name

From 5f6d443fe84199ee7339c547b7930591cdd03638 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 14:15:30 -0500
Subject: [PATCH 031/184] Test

---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0d8eb20aa5..abd62ec6e9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -239,7 +239,7 @@ jobs:
             --file /tmp/test.txt \
             --container-name builds \
             --name build \
-            --connection-string ${{ steps.retrieve-secret.outputs.storage-account-dockerimagetest-conn-string}}
+            --connection-string ${{ env.storage-account-dockerimagetest-conn-string }}
 
       
       

From 2740dbc4941ff530917dd51c136fc95579eb603d Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 14:17:23 -0500
Subject: [PATCH 032/184] Test

---
 .github/workflows/build.yml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index abd62ec6e9..7bbe66643a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -235,11 +235,7 @@ jobs:
       - name: TEST - Upload artifact
         run: |
           echo "Test file" > /tmp/test.txt
-          az storage blob upload \
-            --file /tmp/test.txt \
-            --container-name builds \
-            --name build \
-            --connection-string ${{ env.storage-account-dockerimagetest-conn-string }}
+          az storage blob upload --file /tmp/test.txt --container-name builds --name build --connection-string ${{ env.storage-account-dockerimagetest-conn-string }}
 
       
       

From f853411e191873f404024f123ad76dbcabef3ca7 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 14:20:19 -0500
Subject: [PATCH 033/184] Test

---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7bbe66643a..cd907d2875 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -235,7 +235,7 @@ jobs:
       - name: TEST - Upload artifact
         run: |
           echo "Test file" > /tmp/test.txt
-          az storage blob upload --file /tmp/test.txt --container-name builds --name build --connection-string ${{ env.storage-account-dockerimagetest-conn-string }}
+          az storage blob upload --file /tmp/test.txt --container-name builds --name build --connection-string "${{ env.storage-account-dockerimagetest-conn-string }}"
 
       
       

From c595a2cf6e3c10de9977e49ba672c2e796d4d1a5 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 14:21:41 -0500
Subject: [PATCH 034/184] Test

---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index cd907d2875..58613d042c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -235,7 +235,7 @@ jobs:
       - name: TEST - Upload artifact
         run: |
           echo "Test file" > /tmp/test.txt
-          az storage blob upload --file /tmp/test.txt --container-name builds --name build --connection-string "${{ env.storage-account-dockerimagetest-conn-string }}"
+          az storage blob upload --file /tmp/test.txt --container-name builds --name build --connection-string '${{ env.storage-account-dockerimagetest-conn-string }}'
 
       
       

From 5e0c7fdf46d41ef26bd2d8d6085de4faea51fe6f Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 14:24:46 -0500
Subject: [PATCH 035/184] Test

---
 .github/workflows/build.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 58613d042c..abd62ec6e9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -235,7 +235,11 @@ jobs:
       - name: TEST - Upload artifact
         run: |
           echo "Test file" > /tmp/test.txt
-          az storage blob upload --file /tmp/test.txt --container-name builds --name build --connection-string '${{ env.storage-account-dockerimagetest-conn-string }}'
+          az storage blob upload \
+            --file /tmp/test.txt \
+            --container-name builds \
+            --name build \
+            --connection-string ${{ env.storage-account-dockerimagetest-conn-string }}
 
       
       

From bccdccba003bba69485eb865b4ecf6fc356257ca Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 14:25:58 -0500
Subject: [PATCH 036/184] Test

---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index abd62ec6e9..6d0e5aa1f1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -239,7 +239,7 @@ jobs:
             --file /tmp/test.txt \
             --container-name builds \
             --name build \
-            --connection-string ${{ env.storage-account-dockerimagetest-conn-string }}
+            --connection-string '${{ env.storage-account-dockerimagetest-conn-string }}'
 
       
       

From 44edd6ed5f60bbf83b91a0f5d090543c508976cc Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 14:29:34 -0500
Subject: [PATCH 037/184] Fix upload

---
 .github/workflows/build.yml | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6d0e5aa1f1..3747e1e121 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -231,17 +231,6 @@ jobs:
         with:
           keyvault: "bitwarden-ci"
           secrets: "storage-account-dockerimagetest-conn-string"
-
-      - name: TEST - Upload artifact
-        run: |
-          echo "Test file" > /tmp/test.txt
-          az storage blob upload \
-            --file /tmp/test.txt \
-            --container-name builds \
-            --name build \
-            --connection-string '${{ env.storage-account-dockerimagetest-conn-string }}'
-
-      
       
       # - name: Generate image full name
       #   id: image-name
@@ -270,11 +259,12 @@ jobs:
 
       - name: Upload artifact
         run: |
+          ls -alh /tmp
           az storage blob upload \
             --file /tmp/build.tar \
             --container-name builds \
             --name build \
-            --account-name dockerimagetest
+            --connection-string '${{ env.storage-account-dockerimagetest-conn-string }}'
 
   build-docker:
     name: Build Docker images

From 942b516ebfb0a7c6fa9c0cd893591663f848ea33 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 14:42:48 -0500
Subject: [PATCH 038/184] Test download

---
 .github/workflows/build.yml | 21 +++++++--------------
 1 file changed, 7 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3747e1e121..9b937d5d25 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -196,6 +196,7 @@ jobs:
           if-no-files-found: error
 
   build:
+    if: false
     name: Build projects
     runs-on: ubuntu-22.04
     # needs:
@@ -269,8 +270,8 @@ jobs:
   build-docker:
     name: Build Docker images
     runs-on: ubuntu-22.04
-    needs:
-      - build
+    # needs:
+    #   - build
     strategy:
       fail-fast: false
       matrix:
@@ -345,12 +346,12 @@ jobs:
         with:
           creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
-      - name: Retrieve github PAT secrets
-        id: retrieve-secret-pat
+      - name: Retrieve Storage Account secret
+        id: retrieve-secret
         uses: bitwarden/gh-actions/get-keyvault-secrets@main
         with:
           keyvault: "bitwarden-ci"
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+          secrets: "storage-account-dockerimagetest-conn-string"
 
       ########## Generate image tag and build Docker image ##########
       - name: Generate Docker image tag
@@ -377,19 +378,13 @@ jobs:
           PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
         run: echo "name=${_AZ_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT
 
-      - name: Download build image artifact
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
-        with:
-          name: build
-          path: /tmp
-
       - name: Download build image artifact
         run: |
           az storage blob download \
             --file /tmp/build.tar \
             --container-name builds \
             --name build \
-            --account-name dockerimagetest
+            --connection-string '${{ env.storage-account-dockerimagetest-conn-string }}'
           ls -alh /tmp
 
       - name: Load build image
@@ -410,8 +405,6 @@ jobs:
             linux/arm64
           push: true
           tags: ${{ steps.image-name.outputs.name }}
-          secrets: |
-            "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
 
       - name: Log out of Docker
         run: docker logout

From 5143e411b548d63bc15eafc61526ca789505d8cb Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 14:51:49 -0500
Subject: [PATCH 039/184] Test other method

---
 .github/workflows/build.yml           | 39 +++++++++++++--------------
 bitwarden_license/src/Scim/Dockerfile |  2 +-
 bitwarden_license/src/Sso/Dockerfile  |  2 +-
 src/Admin/Dockerfile                  |  2 +-
 src/Api/Dockerfile                    |  2 +-
 src/Billing/Dockerfile                |  2 +-
 src/Events/Dockerfile                 |  2 +-
 src/EventsProcessor/Dockerfile        |  2 +-
 src/Icons/Dockerfile                  |  2 +-
 src/Identity/Dockerfile               |  2 +-
 src/Notifications/Dockerfile          |  2 +-
 util/Attachments/Dockerfile           |  2 +-
 util/Server/Dockerfile                |  2 +-
 util/Setup/Dockerfile                 |  2 +-
 14 files changed, 31 insertions(+), 34 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9b937d5d25..7ace23d7c9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -272,6 +272,11 @@ jobs:
     runs-on: ubuntu-22.04
     # needs:
     #   - build
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
     strategy:
       fail-fast: false
       matrix:
@@ -346,14 +351,20 @@ jobs:
         with:
           creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
-      - name: Retrieve Storage Account secret
-        id: retrieve-secret
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: "bitwarden-ci"
-          secrets: "storage-account-dockerimagetest-conn-string"
-
       ########## Generate image tag and build Docker image ##########
+      - name: Build Docker image
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        with:
+          context: .
+          file: build.Dockerfile
+          platforms: |
+            linux/amd64,
+            linux/arm/v7,
+            linux/arm64
+          push: true
+          outputs: type=oci,dest=/tmp/build.tar
+          tags: localhost:5000/build:latest
+
       - name: Generate Docker image tag
         id: tag
         run: |
@@ -378,20 +389,6 @@ jobs:
           PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
         run: echo "name=${_AZ_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT
 
-      - name: Download build image artifact
-        run: |
-          az storage blob download \
-            --file /tmp/build.tar \
-            --container-name builds \
-            --name build \
-            --connection-string '${{ env.storage-account-dockerimagetest-conn-string }}'
-          ls -alh /tmp
-
-      - name: Load build image
-        run: |
-          docker load --input /tmp/build.tar
-          docker image ls -a
-
       - name: Build Docker image
         uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
         with:
diff --git a/bitwarden_license/src/Scim/Dockerfile b/bitwarden_license/src/Scim/Dockerfile
index 0d85d8a284..969c4855c7 100644
--- a/bitwarden_license/src/Scim/Dockerfile
+++ b/bitwarden_license/src/Scim/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #
diff --git a/bitwarden_license/src/Sso/Dockerfile b/bitwarden_license/src/Sso/Dockerfile
index 0aad4442c0..31241acb11 100644
--- a/bitwarden_license/src/Sso/Dockerfile
+++ b/bitwarden_license/src/Sso/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #
diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index 07830a30b4..537b615156 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #
diff --git a/src/Api/Dockerfile b/src/Api/Dockerfile
index 1a558c8e5d..496db58cd8 100644
--- a/src/Api/Dockerfile
+++ b/src/Api/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #
diff --git a/src/Billing/Dockerfile b/src/Billing/Dockerfile
index a0d9b16367..ebed93b8dd 100644
--- a/src/Billing/Dockerfile
+++ b/src/Billing/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #
diff --git a/src/Events/Dockerfile b/src/Events/Dockerfile
index b4f5bc3a03..7b1df8467d 100644
--- a/src/Events/Dockerfile
+++ b/src/Events/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #
diff --git a/src/EventsProcessor/Dockerfile b/src/EventsProcessor/Dockerfile
index ede264a2be..1ab3c727e2 100644
--- a/src/EventsProcessor/Dockerfile
+++ b/src/EventsProcessor/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #
diff --git a/src/Icons/Dockerfile b/src/Icons/Dockerfile
index f5e578f532..6bc21ffd4b 100644
--- a/src/Icons/Dockerfile
+++ b/src/Icons/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #
diff --git a/src/Identity/Dockerfile b/src/Identity/Dockerfile
index 8c52c8420a..7821c32a04 100644
--- a/src/Identity/Dockerfile
+++ b/src/Identity/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #
diff --git a/src/Notifications/Dockerfile b/src/Notifications/Dockerfile
index 3ca5c3ae53..0a02a14dee 100644
--- a/src/Notifications/Dockerfile
+++ b/src/Notifications/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #
diff --git a/util/Attachments/Dockerfile b/util/Attachments/Dockerfile
index 5c2b48c1f6..51837dc455 100644
--- a/util/Attachments/Dockerfile
+++ b/util/Attachments/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #
diff --git a/util/Server/Dockerfile b/util/Server/Dockerfile
index e6380d5f00..4e425d2111 100644
--- a/util/Server/Dockerfile
+++ b/util/Server/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #
diff --git a/util/Setup/Dockerfile b/util/Setup/Dockerfile
index 2045d52de9..4901b59f15 100644
--- a/util/Setup/Dockerfile
+++ b/util/Setup/Dockerfile
@@ -2,7 +2,7 @@
 #                 Build stage                 #
 ###############################################
 ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
 
 ###############################################
 #                  App stage                  #

From 82cd28e6c057875bcaa4b965382aca50cf794767 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 14:53:37 -0500
Subject: [PATCH 040/184] Remove output

---
 .github/workflows/build.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7ace23d7c9..dbb0210388 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -362,7 +362,6 @@ jobs:
             linux/arm/v7,
             linux/arm64
           push: true
-          outputs: type=oci,dest=/tmp/build.tar
           tags: localhost:5000/build:latest
 
       - name: Generate Docker image tag

From d21717e1d5e2fb3a091266c96371a68914f7ce60 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 15:40:15 -0500
Subject: [PATCH 041/184] Move all build steps to project Dockerfiles

---
 .github/workflows/build.yml           | 102 +-------------------------
 bitwarden_license/src/Scim/Dockerfile |  43 ++++++++++-
 bitwarden_license/src/Sso/Dockerfile  |  43 ++++++++++-
 src/Admin/Dockerfile                  |  55 +++++++++++++-
 src/Api/Dockerfile                    |  47 +++++++++++-
 src/Billing/Dockerfile                |  43 ++++++++++-
 src/Events/Dockerfile                 |  43 ++++++++++-
 src/EventsProcessor/Dockerfile        |  43 ++++++++++-
 src/Icons/Dockerfile                  |  43 ++++++++++-
 src/Identity/Dockerfile               |  55 +++++++++++++-
 src/Notifications/Dockerfile          |  43 ++++++++++-
 util/Attachments/Dockerfile           |  39 +++++++++-
 util/Server/Dockerfile                |  39 +++++++++-
 util/Setup/Dockerfile                 |  40 +++++++++-
 14 files changed, 540 insertions(+), 138 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index dbb0210388..aad4b44d19 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -195,88 +195,9 @@ jobs:
           path: ${{ matrix.base_path }}/${{ matrix.project_name }}/${{ matrix.project_name }}.zip
           if-no-files-found: error
 
-  build:
-    if: false
-    name: Build projects
-    runs-on: ubuntu-22.04
-    # needs:
-    #   - lint
-    #   - testing
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
-      - name: Set up QEMU emulators
-        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
-
-      ########## ACRs ##########
-      # - name: Login to Azure - PROD Subscription
-      #   uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
-      #   with:
-      #     creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
-
-      # - name: Login to PROD ACR
-      #   run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}
-
-      - name: Login to Azure - CI Subscription
-        uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
-        with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
-
-      - name: Retrieve Storage Account secret
-        id: retrieve-secret
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: "bitwarden-ci"
-          secrets: "storage-account-dockerimagetest-conn-string"
-      
-      # - name: Generate image full name
-      #   id: image-name
-      #   run: |
-      #     IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g")  # slash safe branch name
-      #     if [[ "$IMAGE_TAG" == "master" ]]; then
-      #       IMAGE_TAG=dev
-      #     fi
-      #     echo "name=${_AZ_REGISTRY}/build:${IMAGE_TAG}" >> $GITHUB_OUTPUT
-      
-      - name: Build Docker image
-        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
-        with:
-          context: .
-          file: build.Dockerfile
-          platforms: |
-            linux/amd64,
-            linux/arm/v7,
-            linux/arm64
-          # push: true
-          outputs: type=oci,dest=/tmp/build.tar
-          # tags: ${{ steps.image-name.outputs.name }}
-          tags: build:latest
-          # secrets: |
-          #   "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
-
-      - name: Upload artifact
-        run: |
-          ls -alh /tmp
-          az storage blob upload \
-            --file /tmp/build.tar \
-            --container-name builds \
-            --name build \
-            --connection-string '${{ env.storage-account-dockerimagetest-conn-string }}'
-
   build-docker:
     name: Build Docker images
     runs-on: ubuntu-22.04
-    # needs:
-    #   - build
-    services:
-      registry:
-        image: registry:2
-        ports:
-          - 5000:5000
     strategy:
       fail-fast: false
       matrix:
@@ -346,24 +267,7 @@ jobs:
       - name: Login to PROD ACR
         run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}
 
-      - name: Login to Azure - CI Subscription
-        uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
-        with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
-
       ########## Generate image tag and build Docker image ##########
-      - name: Build Docker image
-        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
-        with:
-          context: .
-          file: build.Dockerfile
-          platforms: |
-            linux/amd64,
-            linux/arm/v7,
-            linux/arm64
-          push: true
-          tags: localhost:5000/build:latest
-
       - name: Generate Docker image tag
         id: tag
         run: |
@@ -391,9 +295,9 @@ jobs:
       - name: Build Docker image
         uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
         with:
-          # build-args: |
-          #   BUILD_TAG=${{ steps.tag.outputs.image_tag }}
-          context: ${{ matrix.base_path }}/${{ matrix.project_name }}
+          build-args: |
+            BUILD_TAG=${{ steps.tag.outputs.image_tag }}
+          context: .
           file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile
           platforms: |
             linux/amd64,
diff --git a/bitwarden_license/src/Scim/Dockerfile b/bitwarden_license/src/Scim/Dockerfile
index 969c4855c7..d3d8cf53e7 100644
--- a/bitwarden_license/src/Scim/Dockerfile
+++ b/bitwarden_license/src/Scim/Dockerfile
@@ -1,8 +1,45 @@
 ###############################################
 #                 Build stage                 #
 ###############################################
-ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0 AS build
+
+# Docker buildx supplies the value for this arg
+ARG TARGETPLATFORM
+
+# Determine proper runtime value for .NET
+# We put the value in a file to be read by later layers.
+RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
+      RID=linux-x64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
+      RID=linux-arm64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
+      RID=linux-arm ; \
+    fi \
+    && echo "RID=$RID" > /tmp/rid.txt
+
+# Copy csproj files as distinct layers
+WORKDIR /source
+COPY bitwarden_license/src/Scim/*.csproj ./bitwarden_license/src/Scim/
+COPY src/Core/*.csproj ./src/Core/
+COPY src/SharedWeb/*.csproj ./src/SharedWeb/
+COPY Directory.Build.props .
+
+# Restore Scim project dependencies and tools
+WORKDIR /source/bitwarden_license/src/Scim
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Copy required project files
+WORKDIR /source
+COPY bitwarden_license/src/Scim/. ./bitwarden_license/src/Scim/
+COPY src/Core/. ./src/Core/
+COPY src/SharedWeb/. ./src/SharedWeb/
+# COPY .git/. ./.git/
+
+# Build Scim app
+WORKDIR /source/bitwarden_license/src/Scim
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Scim --no-restore --no-self-contained -r $RID
+
+WORKDIR /app
 
 ###############################################
 #                  App stage                  #
@@ -23,7 +60,7 @@ RUN apt-get update \
 
 # Copy app from the build stage
 WORKDIR /app
-COPY --from=bitwarden-build /app/Scim ./
+COPY --from=build /app/Scim ./
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
diff --git a/bitwarden_license/src/Sso/Dockerfile b/bitwarden_license/src/Sso/Dockerfile
index 31241acb11..a505f045cb 100644
--- a/bitwarden_license/src/Sso/Dockerfile
+++ b/bitwarden_license/src/Sso/Dockerfile
@@ -1,8 +1,45 @@
 ###############################################
 #                 Build stage                 #
 ###############################################
-ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0 AS build
+
+# Docker buildx supplies the value for this arg
+ARG TARGETPLATFORM
+
+# Determine proper runtime value for .NET
+# We put the value in a file to be read by later layers.
+RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
+      RID=linux-x64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
+      RID=linux-arm64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
+      RID=linux-arm ; \
+    fi \
+    && echo "RID=$RID" > /tmp/rid.txt
+
+# Copy csproj files as distinct layers
+WORKDIR /source
+COPY bitwarden_license/src/Sso/*.csproj ./bitwarden_license/src/Sso/
+COPY src/Core/*.csproj ./src/Core/
+COPY src/SharedWeb/*.csproj ./src/SharedWeb/
+COPY Directory.Build.props .
+
+# Restore Sso project dependencies and tools
+WORKDIR /source/bitwarden_license/src/Sso
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Copy required project files
+WORKDIR /source
+COPY bitwarden_license/src/Sso/. ./bitwarden_license/src/Sso/
+COPY src/Core/. ./src/Core/
+COPY src/SharedWeb/. ./src/SharedWeb/
+# COPY .git/. ./.git/
+
+# Build Sso app
+WORKDIR /source/bitwarden_license/src/Sso
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Sso --no-restore --no-self-contained -r $RID
+
+WORKDIR /app
 
 ###############################################
 #                  App stage                  #
@@ -23,7 +60,7 @@ RUN apt-get update \
 
 # Copy app from the build stage
 WORKDIR /app
-COPY --from=bitwarden-build /app/Sso ./
+COPY --from=build /app/Sso ./
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index 537b615156..e9732cdd9c 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -1,8 +1,57 @@
 ###############################################
 #                 Build stage                 #
 ###############################################
-ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0 AS build
+
+# Docker buildx supplies the value for this arg
+ARG TARGETPLATFORM
+
+# Determine proper runtime value for .NET
+# We put the value in a file to be read by later layers.
+RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
+      RID=linux-x64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
+      RID=linux-arm64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
+      RID=linux-arm ; \
+    fi \
+    && echo "RID=$RID" > /tmp/rid.txt
+
+# Copy csproj files as distinct layers
+WORKDIR /source
+COPY src/Admin/*.csproj ./src/Admin/
+COPY src/Core/*.csproj ./src/Core/
+COPY src/SharedWeb/*.csproj ./src/SharedWeb/
+COPY util/Migrator/*.csproj ./util/Migrator/
+COPY util/MySqlMigrations/*.csproj ./util/MySqlMigrations/
+COPY util/PostgresMigrations/*.csproj ./util/PostgresMigrations/
+COPY util/SqliteMigrations/*.csproj ./util/SqliteMigrations/
+COPY bitwarden_license/src/Commercial.Core/*.csproj ./bitwarden_license/src/Commercial.Core/
+COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/*.csproj ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
+COPY Directory.Build.props .
+
+# Restore Admin project dependencies and tools
+WORKDIR /source/src/Admin
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Copy required project files
+WORKDIR /source
+COPY src/Admin/. ./src/Admin/
+COPY src/Core/. ./src/Core/
+COPY src/SharedWeb/. ./src/SharedWeb/
+COPY util/Migrator/. ./util/Migrator/
+COPY util/MySqlMigrations/. ./util/MySqlMigrations/
+COPY util/PostgresMigrations/. ./util/PostgresMigrations/
+COPY util/SqliteMigrations/. ./util/SqliteMigrations/
+COPY bitwarden_license/src/Commercial.Core/. ./bitwarden_license/src/Commercial.Core/
+COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/. ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
+# COPY .git/. ./.git/
+
+# Build Admin app
+WORKDIR /source/src/Admin
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Admin --no-restore --no-self-contained -r $RID
+
+WORKDIR /app
 
 ###############################################
 #                  App stage                  #
@@ -23,7 +72,7 @@ RUN apt-get update \
 
 # Copy app from the build stage
 WORKDIR /app
-COPY --from=bitwarden-build /app/Admin ./
+COPY --from=build /app/Admin ./
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
diff --git a/src/Api/Dockerfile b/src/Api/Dockerfile
index 496db58cd8..c93a24a0af 100644
--- a/src/Api/Dockerfile
+++ b/src/Api/Dockerfile
@@ -1,8 +1,49 @@
 ###############################################
 #                 Build stage                 #
 ###############################################
-ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0 AS build
+
+# Docker buildx supplies the value for this arg
+ARG TARGETPLATFORM
+
+# Determine proper runtime value for .NET
+# We put the value in a file to be read by later layers.
+RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
+      RID=linux-x64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
+      RID=linux-arm64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
+      RID=linux-arm ; \
+    fi \
+    && echo "RID=$RID" > /tmp/rid.txt
+
+# Copy csproj files as distinct layers
+WORKDIR /source
+COPY src/Api/*.csproj ./src/Api/
+COPY src/Core/*.csproj ./src/Core/
+COPY src/SharedWeb/*.csproj ./src/SharedWeb/
+COPY bitwarden_license/src/Commercial.Core/*.csproj ./bitwarden_license/src/Commercial.Core/
+COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/*.csproj ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
+COPY Directory.Build.props .
+
+# Restore Api project dependencies and tools
+WORKDIR /source/src/Api
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Copy required project files
+WORKDIR /source
+COPY src/Api/. ./src/Api/
+COPY src/Core/. ./src/Core/
+COPY src/SharedWeb/. ./src/SharedWeb/
+COPY bitwarden_license/src/Commercial.Core/. ./bitwarden_license/src/Commercial.Core/
+COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/. ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
+# COPY .git/. ./.git/
+
+# Build Api app
+WORKDIR /source/src/Api
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Api --no-restore --no-self-contained -r $RID
+
+WORKDIR /app
 
 ###############################################
 #                  App stage                  #
@@ -23,7 +64,7 @@ RUN apt-get update \
 
 # Copy app from the build stage
 WORKDIR /app
-COPY --from=bitwarden-build /app/Api ./
+COPY --from=build /app/Api ./
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
diff --git a/src/Billing/Dockerfile b/src/Billing/Dockerfile
index ebed93b8dd..c94514d89b 100644
--- a/src/Billing/Dockerfile
+++ b/src/Billing/Dockerfile
@@ -1,8 +1,45 @@
 ###############################################
 #                 Build stage                 #
 ###############################################
-ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0 AS build
+
+# Docker buildx supplies the value for this arg
+ARG TARGETPLATFORM
+
+# Determine proper runtime value for .NET
+# We put the value in a file to be read by later layers.
+RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
+      RID=linux-x64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
+      RID=linux-arm64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
+      RID=linux-arm ; \
+    fi \
+    && echo "RID=$RID" > /tmp/rid.txt
+
+# Copy csproj files as distinct layers
+WORKDIR /source
+COPY src/Billing/*.csproj ./src/Billing/
+COPY src/Core/*.csproj ./src/Core/
+COPY src/SharedWeb/*.csproj ./src/SharedWeb/
+COPY Directory.Build.props .
+
+# Restore Billing project dependencies and tools
+WORKDIR /source/src/Billing
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Copy required project files
+WORKDIR /source
+COPY src/Billing/. ./src/Billing/
+COPY src/Core/. ./src/Core/
+COPY src/SharedWeb/. ./src/SharedWeb/
+# COPY .git/. ./.git/
+
+# Build Billing app
+WORKDIR /source/src/Billing
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Billing --no-restore --no-self-contained -r $RID
+
+WORKDIR /app
 
 ###############################################
 #                  App stage                  #
@@ -23,7 +60,7 @@ RUN apt-get update \
 
 # Copy app from the build stage
 WORKDIR /app
-COPY --from=bitwarden-build /app/Billing ./
+COPY --from=build /app/Billing ./
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
diff --git a/src/Events/Dockerfile b/src/Events/Dockerfile
index 7b1df8467d..d6f81f759a 100644
--- a/src/Events/Dockerfile
+++ b/src/Events/Dockerfile
@@ -1,8 +1,45 @@
 ###############################################
 #                 Build stage                 #
 ###############################################
-ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0 AS build
+
+# Docker buildx supplies the value for this arg
+ARG TARGETPLATFORM
+
+# Determine proper runtime value for .NET
+# We put the value in a file to be read by later layers.
+RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
+      RID=linux-x64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
+      RID=linux-arm64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
+      RID=linux-arm ; \
+    fi \
+    && echo "RID=$RID" > /tmp/rid.txt
+
+# Copy csproj files as distinct layers
+WORKDIR /source
+COPY src/Events/*.csproj ./src/Events/
+COPY src/Core/*.csproj ./src/Core/
+COPY src/SharedWeb/*.csproj ./src/SharedWeb/
+COPY Directory.Build.props .
+
+# Restore Events project dependencies and tools
+WORKDIR /source/src/Events
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Copy required project files
+WORKDIR /source
+COPY src/Events/. ./src/Events/
+COPY src/Core/. ./src/Core/
+COPY src/SharedWeb/. ./src/SharedWeb/
+# COPY .git/. ./.git/
+
+# Build Events app
+WORKDIR /source/src/Events
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Events --no-restore --no-self-contained -r $RID
+
+WORKDIR /app
 
 ###############################################
 #                  App stage                  #
@@ -23,7 +60,7 @@ RUN apt-get update \
 
 # Copy app from the build stage
 WORKDIR /app
-COPY --from=bitwarden-build /app/Admin ./
+COPY --from=build /app/Admin ./
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
diff --git a/src/EventsProcessor/Dockerfile b/src/EventsProcessor/Dockerfile
index 1ab3c727e2..292109b87b 100644
--- a/src/EventsProcessor/Dockerfile
+++ b/src/EventsProcessor/Dockerfile
@@ -1,8 +1,45 @@
 ###############################################
 #                 Build stage                 #
 ###############################################
-ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0 AS build
+
+# Docker buildx supplies the value for this arg
+ARG TARGETPLATFORM
+
+# Determine proper runtime value for .NET
+# We put the value in a file to be read by later layers.
+RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
+      RID=linux-x64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
+      RID=linux-arm64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
+      RID=linux-arm ; \
+    fi \
+    && echo "RID=$RID" > /tmp/rid.txt
+
+# Copy csproj files as distinct layers
+WORKDIR /source
+COPY src/EventsProcessor/*.csproj ./src/EventsProcessor/
+COPY src/Core/*.csproj ./src/Core/
+COPY src/SharedWeb/*.csproj ./src/SharedWeb/
+COPY Directory.Build.props .
+
+# Restore EventsProcessor project dependencies and tools
+WORKDIR /source/src/EventsProcessor
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Copy required project files
+WORKDIR /source
+COPY src/EventsProcessor/. ./src/EventsProcessor/
+COPY src/Core/. ./src/Core/
+COPY src/SharedWeb/. ./src/SharedWeb/
+# COPY .git/. ./.git/
+
+# Build EventsProcessor app
+WORKDIR /source/src/EventsProcessor
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/EventsProcessor --no-restore --no-self-contained -r $RID
+
+WORKDIR /app
 
 ###############################################
 #                  App stage                  #
@@ -23,7 +60,7 @@ RUN apt-get update \
 
 # Copy app from the build stage
 WORKDIR /app
-COPY --from=bitwarden-build /app/EventsProcessor ./
+COPY --from=build /app/EventsProcessor ./
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
diff --git a/src/Icons/Dockerfile b/src/Icons/Dockerfile
index 6bc21ffd4b..aaca787180 100644
--- a/src/Icons/Dockerfile
+++ b/src/Icons/Dockerfile
@@ -1,8 +1,45 @@
 ###############################################
 #                 Build stage                 #
 ###############################################
-ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0 AS build
+
+# Docker buildx supplies the value for this arg
+ARG TARGETPLATFORM
+
+# Determine proper runtime value for .NET
+# We put the value in a file to be read by later layers.
+RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
+      RID=linux-x64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
+      RID=linux-arm64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
+      RID=linux-arm ; \
+    fi \
+    && echo "RID=$RID" > /tmp/rid.txt
+
+# Copy csproj files as distinct layers
+WORKDIR /source
+COPY src/Icons/*.csproj ./src/Icons/
+COPY src/Core/*.csproj ./src/Core/
+COPY src/SharedWeb/*.csproj ./src/SharedWeb/
+COPY Directory.Build.props .
+
+# Restore Icons project dependencies and tools
+WORKDIR /source/src/Icons
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Copy required project files
+WORKDIR /source
+COPY src/Icons/. ./src/Icons/
+COPY src/Core/. ./src/Core/
+COPY src/SharedWeb/. ./src/SharedWeb/
+# COPY .git/. ./.git/
+
+# Build Icons app
+WORKDIR /source/src/Icons
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Icons --no-restore --no-self-contained -r $RID
+
+WORKDIR /app
 
 ###############################################
 #                  App stage                  #
@@ -23,7 +60,7 @@ RUN apt-get update \
 
 # Copy app from the build stage
 WORKDIR /app
-COPY --from=bitwarden-build /app/Icons ./
+COPY --from=build /app/Icons ./
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
diff --git a/src/Identity/Dockerfile b/src/Identity/Dockerfile
index 7821c32a04..27adc2cdf2 100644
--- a/src/Identity/Dockerfile
+++ b/src/Identity/Dockerfile
@@ -1,8 +1,57 @@
 ###############################################
 #                 Build stage                 #
 ###############################################
-ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0 AS build
+
+# Docker buildx supplies the value for this arg
+ARG TARGETPLATFORM
+
+# Determine proper runtime value for .NET
+# We put the value in a file to be read by later layers.
+RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
+      RID=linux-x64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
+      RID=linux-arm64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
+      RID=linux-arm ; \
+    fi \
+    && echo "RID=$RID" > /tmp/rid.txt
+
+# Copy csproj files as distinct layers
+WORKDIR /source
+COPY src/Admin/*.csproj ./src/Admin/
+COPY src/Core/*.csproj ./src/Core/
+COPY src/SharedWeb/*.csproj ./src/SharedWeb/
+COPY util/Migrator/*.csproj ./util/Migrator/
+COPY util/MySqlMigrations/*.csproj ./util/MySqlMigrations/
+COPY util/PostgresMigrations/*.csproj ./util/PostgresMigrations/
+COPY util/SqliteMigrations/*.csproj ./util/SqliteMigrations/
+COPY bitwarden_license/src/Commercial.Core/*.csproj ./bitwarden_license/src/Commercial.Core/
+COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/*.csproj ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
+COPY Directory.Build.props .
+
+# Restore Admin project dependencies and tools
+WORKDIR /source/src/Admin
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Copy required project files
+WORKDIR /source
+COPY src/Admin/. ./src/Admin/
+COPY src/Core/. ./src/Core/
+COPY src/SharedWeb/. ./src/SharedWeb/
+COPY util/Migrator/. ./util/Migrator/
+COPY util/MySqlMigrations/. ./util/MySqlMigrations/
+COPY util/PostgresMigrations/. ./util/PostgresMigrations/
+COPY util/SqliteMigrations/. ./util/SqliteMigrations/
+COPY bitwarden_license/src/Commercial.Core/. ./bitwarden_license/src/Commercial.Core/
+COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/. ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
+# COPY .git/. ./.git/
+
+# Build Admin app
+WORKDIR /source/src/Admin
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Admin --no-restore --no-self-contained -r $RID
+
+WORKDIR /app
 
 ###############################################
 #                  App stage                  #
@@ -23,7 +72,7 @@ RUN apt-get update \
 
 # Copy app from the build stage
 WORKDIR /app
-COPY --from=bitwarden-build /app/Identity ./
+COPY --from=build /app/Identity ./
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
diff --git a/src/Notifications/Dockerfile b/src/Notifications/Dockerfile
index 0a02a14dee..bd8fcbd840 100644
--- a/src/Notifications/Dockerfile
+++ b/src/Notifications/Dockerfile
@@ -1,8 +1,45 @@
 ###############################################
 #                 Build stage                 #
 ###############################################
-ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0 AS build
+
+# Docker buildx supplies the value for this arg
+ARG TARGETPLATFORM
+
+# Determine proper runtime value for .NET
+# We put the value in a file to be read by later layers.
+RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
+      RID=linux-x64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
+      RID=linux-arm64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
+      RID=linux-arm ; \
+    fi \
+    && echo "RID=$RID" > /tmp/rid.txt
+
+# Copy csproj files as distinct layers
+WORKDIR /source
+COPY src/Core/*.csproj ./src/Core/
+COPY src/Notifications/*.csproj ./src/Notifications/
+COPY src/SharedWeb/*.csproj ./src/SharedWeb/
+COPY Directory.Build.props .
+
+# Restore Notifications project dependencies and tools
+WORKDIR /source/src/Notifications
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Copy required project files
+WORKDIR /source
+COPY src/Core/. ./src/Core/
+COPY src/Notifications/. ./src/Notifications/
+COPY src/SharedWeb/. ./src/SharedWeb/
+# COPY .git/. ./.git/
+
+# Build Notifications app
+WORKDIR /source/src/Notifications
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Notifications --no-restore --no-self-contained -r $RID
+
+WORKDIR /app
 
 ###############################################
 #                  App stage                  #
@@ -23,7 +60,7 @@ RUN apt-get update \
 
 # Copy app from the build stage
 WORKDIR /app
-COPY --from=bitwarden-build /app/Notifications ./
+COPY --from=build /app/Notifications ./
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
diff --git a/util/Attachments/Dockerfile b/util/Attachments/Dockerfile
index 51837dc455..a67028a08c 100644
--- a/util/Attachments/Dockerfile
+++ b/util/Attachments/Dockerfile
@@ -1,8 +1,41 @@
 ###############################################
 #                 Build stage                 #
 ###############################################
-ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0 AS build
+
+# Docker buildx supplies the value for this arg
+ARG TARGETPLATFORM
+
+# Determine proper runtime value for .NET
+# We put the value in a file to be read by later layers.
+RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
+      RID=linux-x64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
+      RID=linux-arm64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
+      RID=linux-arm ; \
+    fi \
+    && echo "RID=$RID" > /tmp/rid.txt
+
+# Copy csproj files as distinct layers
+WORKDIR /source
+COPY util/Server/*.csproj ./util/Server/
+COPY Directory.Build.props .
+
+# Restore Server project dependencies and tools
+WORKDIR /source/util/Server
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Copy required project files
+WORKDIR /source
+COPY util/Server/. ./util/Server/
+# COPY .git/. ./.git/
+
+# Build Server app
+WORKDIR /source/util/Server
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Server --no-restore --no-self-contained -r $RID
+
+WORKDIR /app
 
 ###############################################
 #                  App stage                  #
@@ -23,7 +56,7 @@ RUN apt-get update \
 
 # Copy app from the build stage
 WORKDIR /bitwarden_server
-COPY --from=bitwarden-build /app/Server ./
+COPY --from=build /app/Server ./
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
diff --git a/util/Server/Dockerfile b/util/Server/Dockerfile
index 4e425d2111..052b298785 100644
--- a/util/Server/Dockerfile
+++ b/util/Server/Dockerfile
@@ -1,8 +1,41 @@
 ###############################################
 #                 Build stage                 #
 ###############################################
-ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0 AS build
+
+# Docker buildx supplies the value for this arg
+ARG TARGETPLATFORM
+
+# Determine proper runtime value for .NET
+# We put the value in a file to be read by later layers.
+RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
+      RID=linux-x64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
+      RID=linux-arm64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
+      RID=linux-arm ; \
+    fi \
+    && echo "RID=$RID" > /tmp/rid.txt
+
+# Copy csproj files as distinct layers
+WORKDIR /source
+COPY util/Server/*.csproj ./util/Server/
+COPY Directory.Build.props .
+
+# Restore Server project dependencies and tools
+WORKDIR /source/util/Server
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Copy required project files
+WORKDIR /source
+COPY util/Server/. ./util/Server/
+# COPY .git/. ./.git/
+
+# Build Server app
+WORKDIR /source/util/Server
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Server --no-restore --no-self-contained -r $RID
+
+WORKDIR /app
 
 ###############################################
 #                  App stage                  #
@@ -13,4 +46,4 @@ LABEL com.bitwarden.product="bitwarden"
 
 # Copy app from the build stage
 WORKDIR /bitwarden_server
-COPY --from=bitwarden-build /app/Server ./
\ No newline at end of file
+COPY --from=build /app/Server ./
\ No newline at end of file
diff --git a/util/Setup/Dockerfile b/util/Setup/Dockerfile
index 4901b59f15..e385706208 100644
--- a/util/Setup/Dockerfile
+++ b/util/Setup/Dockerfile
@@ -1,8 +1,42 @@
 ###############################################
 #                 Build stage                 #
 ###############################################
-ARG BUILD_TAG=latest
-FROM --platform=$BUILDPLATFORM localhost:5000/build:${BUILD_TAG} AS bitwarden-build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0 AS build
+
+# Docker buildx supplies the value for this arg
+ARG TARGETPLATFORM
+
+# Determine proper runtime value for .NET
+# We put the value in a file to be read by later layers.
+RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
+      RID=linux-x64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
+      RID=linux-arm64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
+      RID=linux-arm ; \
+    fi \
+    && echo "RID=$RID" > /tmp/rid.txt
+
+# Copy csproj files as distinct layers
+WORKDIR /source
+COPY util/Migrator/*.csproj ./util/Migrator/
+COPY util/Setup/*.csproj ./util/Setup/
+COPY Directory.Build.props .
+
+# Restore Setup project dependencies and tools
+WORKDIR /source/util/Setup
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Copy required project files
+WORKDIR /source
+COPY util/Setup/. ./util/Setup/
+# COPY .git/. ./.git/
+
+# Build Setup app
+WORKDIR /source/util/Setup
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Setup --no-restore --no-self-contained -r $RID
+
+WORKDIR /app
 
 ###############################################
 #                  App stage                  #
@@ -20,7 +54,7 @@ RUN apt-get update \
 
 # Copy app from the build stage
 WORKDIR /app
-COPY --from=bitwarden-build /app/Setup ./
+COPY --from=build /app/Setup ./
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 

From edad0e1edf62a88d742d45f74e75f71e31c14072 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 15:44:20 -0500
Subject: [PATCH 042/184] Fix copy commands in Dockerfiles

---
 bitwarden_license/src/Scim/Dockerfile | 2 +-
 bitwarden_license/src/Sso/Dockerfile  | 2 +-
 src/Admin/Dockerfile                  | 2 +-
 src/Api/Dockerfile                    | 2 +-
 src/Billing/Dockerfile                | 2 +-
 src/Events/Dockerfile                 | 2 +-
 src/EventsProcessor/Dockerfile        | 2 +-
 src/Icons/Dockerfile                  | 2 +-
 src/Identity/Dockerfile               | 2 +-
 src/Notifications/Dockerfile          | 2 +-
 util/Attachments/Dockerfile           | 2 +-
 util/Setup/Dockerfile                 | 2 +-
 12 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/bitwarden_license/src/Scim/Dockerfile b/bitwarden_license/src/Scim/Dockerfile
index d3d8cf53e7..d3ca2f2c26 100644
--- a/bitwarden_license/src/Scim/Dockerfile
+++ b/bitwarden_license/src/Scim/Dockerfile
@@ -61,7 +61,7 @@ RUN apt-get update \
 # Copy app from the build stage
 WORKDIR /app
 COPY --from=build /app/Scim ./
-COPY entrypoint.sh /
+COPY bitwarden_license/src/Scim/entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
 HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1
diff --git a/bitwarden_license/src/Sso/Dockerfile b/bitwarden_license/src/Sso/Dockerfile
index a505f045cb..d79c7abe15 100644
--- a/bitwarden_license/src/Sso/Dockerfile
+++ b/bitwarden_license/src/Sso/Dockerfile
@@ -61,7 +61,7 @@ RUN apt-get update \
 # Copy app from the build stage
 WORKDIR /app
 COPY --from=build /app/Sso ./
-COPY entrypoint.sh /
+COPY bitwarden_license/src/Sso/entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
 HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1
diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index e9732cdd9c..a5015dc8b3 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -73,7 +73,7 @@ RUN apt-get update \
 # Copy app from the build stage
 WORKDIR /app
 COPY --from=build /app/Admin ./
-COPY entrypoint.sh /
+COPY src/Admin/entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
 HEALTHCHECK CMD curl -f http://localhost:5000 || exit 1
diff --git a/src/Api/Dockerfile b/src/Api/Dockerfile
index c93a24a0af..ab5f9ccb31 100644
--- a/src/Api/Dockerfile
+++ b/src/Api/Dockerfile
@@ -65,7 +65,7 @@ RUN apt-get update \
 # Copy app from the build stage
 WORKDIR /app
 COPY --from=build /app/Api ./
-COPY entrypoint.sh /
+COPY src/Api/entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
 HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1
diff --git a/src/Billing/Dockerfile b/src/Billing/Dockerfile
index c94514d89b..8c2fbbabaf 100644
--- a/src/Billing/Dockerfile
+++ b/src/Billing/Dockerfile
@@ -61,7 +61,7 @@ RUN apt-get update \
 # Copy app from the build stage
 WORKDIR /app
 COPY --from=build /app/Billing ./
-COPY entrypoint.sh /
+COPY src/Billing/entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
 HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1
diff --git a/src/Events/Dockerfile b/src/Events/Dockerfile
index d6f81f759a..18ba2a334d 100644
--- a/src/Events/Dockerfile
+++ b/src/Events/Dockerfile
@@ -61,7 +61,7 @@ RUN apt-get update \
 # Copy app from the build stage
 WORKDIR /app
 COPY --from=build /app/Admin ./
-COPY entrypoint.sh /
+COPY src/Events/entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
 HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1
diff --git a/src/EventsProcessor/Dockerfile b/src/EventsProcessor/Dockerfile
index 292109b87b..b6a02073b4 100644
--- a/src/EventsProcessor/Dockerfile
+++ b/src/EventsProcessor/Dockerfile
@@ -61,7 +61,7 @@ RUN apt-get update \
 # Copy app from the build stage
 WORKDIR /app
 COPY --from=build /app/EventsProcessor ./
-COPY entrypoint.sh /
+COPY src/EventsProcessor/entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
 HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1
diff --git a/src/Icons/Dockerfile b/src/Icons/Dockerfile
index aaca787180..ddc19ff14c 100644
--- a/src/Icons/Dockerfile
+++ b/src/Icons/Dockerfile
@@ -61,7 +61,7 @@ RUN apt-get update \
 # Copy app from the build stage
 WORKDIR /app
 COPY --from=build /app/Icons ./
-COPY entrypoint.sh /
+COPY src/Icons/entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
 HEALTHCHECK CMD curl -f http://localhost:5000/google.com/icon.png || exit 1
diff --git a/src/Identity/Dockerfile b/src/Identity/Dockerfile
index 27adc2cdf2..99d9910e4d 100644
--- a/src/Identity/Dockerfile
+++ b/src/Identity/Dockerfile
@@ -73,7 +73,7 @@ RUN apt-get update \
 # Copy app from the build stage
 WORKDIR /app
 COPY --from=build /app/Identity ./
-COPY entrypoint.sh /
+COPY src/Identity/entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
 HEALTHCHECK CMD curl -f http://localhost:5000/.well-known/openid-configuration || exit 1
diff --git a/src/Notifications/Dockerfile b/src/Notifications/Dockerfile
index bd8fcbd840..136fc9be36 100644
--- a/src/Notifications/Dockerfile
+++ b/src/Notifications/Dockerfile
@@ -61,7 +61,7 @@ RUN apt-get update \
 # Copy app from the build stage
 WORKDIR /app
 COPY --from=build /app/Notifications ./
-COPY entrypoint.sh /
+COPY src/Notifications/entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
 HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1
diff --git a/util/Attachments/Dockerfile b/util/Attachments/Dockerfile
index a67028a08c..0f8c19013a 100644
--- a/util/Attachments/Dockerfile
+++ b/util/Attachments/Dockerfile
@@ -57,7 +57,7 @@ RUN apt-get update \
 # Copy app from the build stage
 WORKDIR /bitwarden_server
 COPY --from=build /app/Server ./
-COPY entrypoint.sh /
+COPY util/Attachments/entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
 HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1
diff --git a/util/Setup/Dockerfile b/util/Setup/Dockerfile
index e385706208..61db604339 100644
--- a/util/Setup/Dockerfile
+++ b/util/Setup/Dockerfile
@@ -55,7 +55,7 @@ RUN apt-get update \
 # Copy app from the build stage
 WORKDIR /app
 COPY --from=build /app/Setup ./
-COPY entrypoint.sh /
+COPY util/Setup/entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
 ENTRYPOINT ["/entrypoint.sh"]

From 41050091f639ecd07ddbb1d9b680b80e261af2d7 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 15:47:03 -0500
Subject: [PATCH 043/184] Uncomment .git copy

---
 bitwarden_license/src/Scim/Dockerfile | 2 +-
 bitwarden_license/src/Sso/Dockerfile  | 2 +-
 src/Admin/Dockerfile                  | 2 +-
 src/Api/Dockerfile                    | 2 +-
 src/Billing/Dockerfile                | 2 +-
 src/Events/Dockerfile                 | 2 +-
 src/EventsProcessor/Dockerfile        | 2 +-
 src/Icons/Dockerfile                  | 2 +-
 src/Identity/Dockerfile               | 2 +-
 src/Notifications/Dockerfile          | 2 +-
 util/Attachments/Dockerfile           | 2 +-
 util/Server/Dockerfile                | 2 +-
 util/Setup/Dockerfile                 | 2 +-
 13 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/bitwarden_license/src/Scim/Dockerfile b/bitwarden_license/src/Scim/Dockerfile
index d3ca2f2c26..1c666403a1 100644
--- a/bitwarden_license/src/Scim/Dockerfile
+++ b/bitwarden_license/src/Scim/Dockerfile
@@ -33,7 +33,7 @@ WORKDIR /source
 COPY bitwarden_license/src/Scim/. ./bitwarden_license/src/Scim/
 COPY src/Core/. ./src/Core/
 COPY src/SharedWeb/. ./src/SharedWeb/
-# COPY .git/. ./.git/
+COPY .git/. ./.git/
 
 # Build Scim app
 WORKDIR /source/bitwarden_license/src/Scim
diff --git a/bitwarden_license/src/Sso/Dockerfile b/bitwarden_license/src/Sso/Dockerfile
index d79c7abe15..da4270b22e 100644
--- a/bitwarden_license/src/Sso/Dockerfile
+++ b/bitwarden_license/src/Sso/Dockerfile
@@ -33,7 +33,7 @@ WORKDIR /source
 COPY bitwarden_license/src/Sso/. ./bitwarden_license/src/Sso/
 COPY src/Core/. ./src/Core/
 COPY src/SharedWeb/. ./src/SharedWeb/
-# COPY .git/. ./.git/
+COPY .git/. ./.git/
 
 # Build Sso app
 WORKDIR /source/bitwarden_license/src/Sso
diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index a5015dc8b3..ec10df9c47 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -45,7 +45,7 @@ COPY util/PostgresMigrations/. ./util/PostgresMigrations/
 COPY util/SqliteMigrations/. ./util/SqliteMigrations/
 COPY bitwarden_license/src/Commercial.Core/. ./bitwarden_license/src/Commercial.Core/
 COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/. ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
-# COPY .git/. ./.git/
+COPY .git/. ./.git/
 
 # Build Admin app
 WORKDIR /source/src/Admin
diff --git a/src/Api/Dockerfile b/src/Api/Dockerfile
index ab5f9ccb31..d7342debdd 100644
--- a/src/Api/Dockerfile
+++ b/src/Api/Dockerfile
@@ -37,7 +37,7 @@ COPY src/Core/. ./src/Core/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY bitwarden_license/src/Commercial.Core/. ./bitwarden_license/src/Commercial.Core/
 COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/. ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
-# COPY .git/. ./.git/
+COPY .git/. ./.git/
 
 # Build Api app
 WORKDIR /source/src/Api
diff --git a/src/Billing/Dockerfile b/src/Billing/Dockerfile
index 8c2fbbabaf..e2d9f9fd7c 100644
--- a/src/Billing/Dockerfile
+++ b/src/Billing/Dockerfile
@@ -33,7 +33,7 @@ WORKDIR /source
 COPY src/Billing/. ./src/Billing/
 COPY src/Core/. ./src/Core/
 COPY src/SharedWeb/. ./src/SharedWeb/
-# COPY .git/. ./.git/
+COPY .git/. ./.git/
 
 # Build Billing app
 WORKDIR /source/src/Billing
diff --git a/src/Events/Dockerfile b/src/Events/Dockerfile
index 18ba2a334d..74b38a1797 100644
--- a/src/Events/Dockerfile
+++ b/src/Events/Dockerfile
@@ -33,7 +33,7 @@ WORKDIR /source
 COPY src/Events/. ./src/Events/
 COPY src/Core/. ./src/Core/
 COPY src/SharedWeb/. ./src/SharedWeb/
-# COPY .git/. ./.git/
+COPY .git/. ./.git/
 
 # Build Events app
 WORKDIR /source/src/Events
diff --git a/src/EventsProcessor/Dockerfile b/src/EventsProcessor/Dockerfile
index b6a02073b4..a6b7cf62bc 100644
--- a/src/EventsProcessor/Dockerfile
+++ b/src/EventsProcessor/Dockerfile
@@ -33,7 +33,7 @@ WORKDIR /source
 COPY src/EventsProcessor/. ./src/EventsProcessor/
 COPY src/Core/. ./src/Core/
 COPY src/SharedWeb/. ./src/SharedWeb/
-# COPY .git/. ./.git/
+COPY .git/. ./.git/
 
 # Build EventsProcessor app
 WORKDIR /source/src/EventsProcessor
diff --git a/src/Icons/Dockerfile b/src/Icons/Dockerfile
index ddc19ff14c..a3f76e62f7 100644
--- a/src/Icons/Dockerfile
+++ b/src/Icons/Dockerfile
@@ -33,7 +33,7 @@ WORKDIR /source
 COPY src/Icons/. ./src/Icons/
 COPY src/Core/. ./src/Core/
 COPY src/SharedWeb/. ./src/SharedWeb/
-# COPY .git/. ./.git/
+COPY .git/. ./.git/
 
 # Build Icons app
 WORKDIR /source/src/Icons
diff --git a/src/Identity/Dockerfile b/src/Identity/Dockerfile
index 99d9910e4d..c0daab573a 100644
--- a/src/Identity/Dockerfile
+++ b/src/Identity/Dockerfile
@@ -45,7 +45,7 @@ COPY util/PostgresMigrations/. ./util/PostgresMigrations/
 COPY util/SqliteMigrations/. ./util/SqliteMigrations/
 COPY bitwarden_license/src/Commercial.Core/. ./bitwarden_license/src/Commercial.Core/
 COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/. ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
-# COPY .git/. ./.git/
+COPY .git/. ./.git/
 
 # Build Admin app
 WORKDIR /source/src/Admin
diff --git a/src/Notifications/Dockerfile b/src/Notifications/Dockerfile
index 136fc9be36..46ab2a89e1 100644
--- a/src/Notifications/Dockerfile
+++ b/src/Notifications/Dockerfile
@@ -33,7 +33,7 @@ WORKDIR /source
 COPY src/Core/. ./src/Core/
 COPY src/Notifications/. ./src/Notifications/
 COPY src/SharedWeb/. ./src/SharedWeb/
-# COPY .git/. ./.git/
+COPY .git/. ./.git/
 
 # Build Notifications app
 WORKDIR /source/src/Notifications
diff --git a/util/Attachments/Dockerfile b/util/Attachments/Dockerfile
index 0f8c19013a..4270972f71 100644
--- a/util/Attachments/Dockerfile
+++ b/util/Attachments/Dockerfile
@@ -29,7 +29,7 @@ RUN . /tmp/rid.txt && dotnet restore -r $RID
 # Copy required project files
 WORKDIR /source
 COPY util/Server/. ./util/Server/
-# COPY .git/. ./.git/
+COPY .git/. ./.git/
 
 # Build Server app
 WORKDIR /source/util/Server
diff --git a/util/Server/Dockerfile b/util/Server/Dockerfile
index 052b298785..8b78751ca1 100644
--- a/util/Server/Dockerfile
+++ b/util/Server/Dockerfile
@@ -29,7 +29,7 @@ RUN . /tmp/rid.txt && dotnet restore -r $RID
 # Copy required project files
 WORKDIR /source
 COPY util/Server/. ./util/Server/
-# COPY .git/. ./.git/
+COPY .git/. ./.git/
 
 # Build Server app
 WORKDIR /source/util/Server
diff --git a/util/Setup/Dockerfile b/util/Setup/Dockerfile
index 61db604339..2c5a85eea0 100644
--- a/util/Setup/Dockerfile
+++ b/util/Setup/Dockerfile
@@ -30,7 +30,7 @@ RUN . /tmp/rid.txt && dotnet restore -r $RID
 # Copy required project files
 WORKDIR /source
 COPY util/Setup/. ./util/Setup/
-# COPY .git/. ./.git/
+COPY .git/. ./.git/
 
 # Build Setup app
 WORKDIR /source/util/Setup

From bd13dd64acfea44c8b699fe7b5ca9b24b48aff37 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 15:54:24 -0500
Subject: [PATCH 044/184] Fix project imports

---
 bitwarden_license/src/Scim/Dockerfile | 4 ++++
 bitwarden_license/src/Sso/Dockerfile  | 4 ++++
 src/Admin/Dockerfile                  | 4 ++++
 src/Api/Dockerfile                    | 4 ++++
 src/Billing/Dockerfile                | 4 ++++
 src/Events/Dockerfile                 | 4 ++++
 src/EventsProcessor/Dockerfile        | 4 ++++
 src/Icons/Dockerfile                  | 4 ++++
 src/Identity/Dockerfile               | 4 ++++
 src/Notifications/Dockerfile          | 4 ++++
 10 files changed, 40 insertions(+)

diff --git a/bitwarden_license/src/Scim/Dockerfile b/bitwarden_license/src/Scim/Dockerfile
index 1c666403a1..0c97fdcf49 100644
--- a/bitwarden_license/src/Scim/Dockerfile
+++ b/bitwarden_license/src/Scim/Dockerfile
@@ -21,6 +21,8 @@ RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
 WORKDIR /source
 COPY bitwarden_license/src/Scim/*.csproj ./bitwarden_license/src/Scim/
 COPY src/Core/*.csproj ./src/Core/
+COPY src/Infrastructure.Dapper/*.csproj ./src/Infrastructure.Dapper/
+COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY Directory.Build.props .
 
@@ -32,6 +34,8 @@ RUN . /tmp/rid.txt && dotnet restore -r $RID
 WORKDIR /source
 COPY bitwarden_license/src/Scim/. ./bitwarden_license/src/Scim/
 COPY src/Core/. ./src/Core/
+COPY src/Infrastructure.Dapper/. ./src/Infrastructure.Dapper/
+COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY .git/. ./.git/
 
diff --git a/bitwarden_license/src/Sso/Dockerfile b/bitwarden_license/src/Sso/Dockerfile
index da4270b22e..439ffd4f04 100644
--- a/bitwarden_license/src/Sso/Dockerfile
+++ b/bitwarden_license/src/Sso/Dockerfile
@@ -21,6 +21,8 @@ RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
 WORKDIR /source
 COPY bitwarden_license/src/Sso/*.csproj ./bitwarden_license/src/Sso/
 COPY src/Core/*.csproj ./src/Core/
+COPY src/Infrastructure.Dapper/*.csproj ./src/Infrastructure.Dapper/
+COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY Directory.Build.props .
 
@@ -32,6 +34,8 @@ RUN . /tmp/rid.txt && dotnet restore -r $RID
 WORKDIR /source
 COPY bitwarden_license/src/Sso/. ./bitwarden_license/src/Sso/
 COPY src/Core/. ./src/Core/
+COPY src/Infrastructure.Dapper/. ./src/Infrastructure.Dapper/
+COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY .git/. ./.git/
 
diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index ec10df9c47..644f10f0ce 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -21,6 +21,8 @@ RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
 WORKDIR /source
 COPY src/Admin/*.csproj ./src/Admin/
 COPY src/Core/*.csproj ./src/Core/
+COPY src/Infrastructure.Dapper/*.csproj ./src/Infrastructure.Dapper/
+COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY util/Migrator/*.csproj ./util/Migrator/
 COPY util/MySqlMigrations/*.csproj ./util/MySqlMigrations/
@@ -38,6 +40,8 @@ RUN . /tmp/rid.txt && dotnet restore -r $RID
 WORKDIR /source
 COPY src/Admin/. ./src/Admin/
 COPY src/Core/. ./src/Core/
+COPY src/Infrastructure.Dapper/. ./src/Infrastructure.Dapper/
+COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY util/Migrator/. ./util/Migrator/
 COPY util/MySqlMigrations/. ./util/MySqlMigrations/
diff --git a/src/Api/Dockerfile b/src/Api/Dockerfile
index d7342debdd..0f6e70ff86 100644
--- a/src/Api/Dockerfile
+++ b/src/Api/Dockerfile
@@ -21,6 +21,8 @@ RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
 WORKDIR /source
 COPY src/Api/*.csproj ./src/Api/
 COPY src/Core/*.csproj ./src/Core/
+COPY src/Infrastructure.Dapper/*.csproj ./src/Infrastructure.Dapper/
+COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY bitwarden_license/src/Commercial.Core/*.csproj ./bitwarden_license/src/Commercial.Core/
 COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/*.csproj ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
@@ -34,6 +36,8 @@ RUN . /tmp/rid.txt && dotnet restore -r $RID
 WORKDIR /source
 COPY src/Api/. ./src/Api/
 COPY src/Core/. ./src/Core/
+COPY src/Infrastructure.Dapper/. ./src/Infrastructure.Dapper/
+COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY bitwarden_license/src/Commercial.Core/. ./bitwarden_license/src/Commercial.Core/
 COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/. ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
diff --git a/src/Billing/Dockerfile b/src/Billing/Dockerfile
index e2d9f9fd7c..58258f5730 100644
--- a/src/Billing/Dockerfile
+++ b/src/Billing/Dockerfile
@@ -21,6 +21,8 @@ RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
 WORKDIR /source
 COPY src/Billing/*.csproj ./src/Billing/
 COPY src/Core/*.csproj ./src/Core/
+COPY src/Infrastructure.Dapper/*.csproj ./src/Infrastructure.Dapper/
+COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY Directory.Build.props .
 
@@ -32,6 +34,8 @@ RUN . /tmp/rid.txt && dotnet restore -r $RID
 WORKDIR /source
 COPY src/Billing/. ./src/Billing/
 COPY src/Core/. ./src/Core/
+COPY src/Infrastructure.Dapper/. ./src/Infrastructure.Dapper/
+COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY .git/. ./.git/
 
diff --git a/src/Events/Dockerfile b/src/Events/Dockerfile
index 74b38a1797..0cdc099f2c 100644
--- a/src/Events/Dockerfile
+++ b/src/Events/Dockerfile
@@ -21,6 +21,8 @@ RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
 WORKDIR /source
 COPY src/Events/*.csproj ./src/Events/
 COPY src/Core/*.csproj ./src/Core/
+COPY src/Infrastructure.Dapper/*.csproj ./src/Infrastructure.Dapper/
+COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY Directory.Build.props .
 
@@ -32,6 +34,8 @@ RUN . /tmp/rid.txt && dotnet restore -r $RID
 WORKDIR /source
 COPY src/Events/. ./src/Events/
 COPY src/Core/. ./src/Core/
+COPY src/Infrastructure.Dapper/. ./src/Infrastructure.Dapper/
+COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY .git/. ./.git/
 
diff --git a/src/EventsProcessor/Dockerfile b/src/EventsProcessor/Dockerfile
index a6b7cf62bc..7b67dffb7f 100644
--- a/src/EventsProcessor/Dockerfile
+++ b/src/EventsProcessor/Dockerfile
@@ -21,6 +21,8 @@ RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
 WORKDIR /source
 COPY src/EventsProcessor/*.csproj ./src/EventsProcessor/
 COPY src/Core/*.csproj ./src/Core/
+COPY src/Infrastructure.Dapper/*.csproj ./src/Infrastructure.Dapper/
+COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY Directory.Build.props .
 
@@ -32,6 +34,8 @@ RUN . /tmp/rid.txt && dotnet restore -r $RID
 WORKDIR /source
 COPY src/EventsProcessor/. ./src/EventsProcessor/
 COPY src/Core/. ./src/Core/
+COPY src/Infrastructure.Dapper/. ./src/Infrastructure.Dapper/
+COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY .git/. ./.git/
 
diff --git a/src/Icons/Dockerfile b/src/Icons/Dockerfile
index a3f76e62f7..384f75410d 100644
--- a/src/Icons/Dockerfile
+++ b/src/Icons/Dockerfile
@@ -21,6 +21,8 @@ RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
 WORKDIR /source
 COPY src/Icons/*.csproj ./src/Icons/
 COPY src/Core/*.csproj ./src/Core/
+COPY src/Infrastructure.Dapper/*.csproj ./src/Infrastructure.Dapper/
+COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY Directory.Build.props .
 
@@ -32,6 +34,8 @@ RUN . /tmp/rid.txt && dotnet restore -r $RID
 WORKDIR /source
 COPY src/Icons/. ./src/Icons/
 COPY src/Core/. ./src/Core/
+COPY src/Infrastructure.Dapper/. ./src/Infrastructure.Dapper/
+COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY .git/. ./.git/
 
diff --git a/src/Identity/Dockerfile b/src/Identity/Dockerfile
index c0daab573a..dec0b6d0a0 100644
--- a/src/Identity/Dockerfile
+++ b/src/Identity/Dockerfile
@@ -21,6 +21,8 @@ RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
 WORKDIR /source
 COPY src/Admin/*.csproj ./src/Admin/
 COPY src/Core/*.csproj ./src/Core/
+COPY src/Infrastructure.Dapper/*.csproj ./src/Infrastructure.Dapper/
+COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY util/Migrator/*.csproj ./util/Migrator/
 COPY util/MySqlMigrations/*.csproj ./util/MySqlMigrations/
@@ -38,6 +40,8 @@ RUN . /tmp/rid.txt && dotnet restore -r $RID
 WORKDIR /source
 COPY src/Admin/. ./src/Admin/
 COPY src/Core/. ./src/Core/
+COPY src/Infrastructure.Dapper/. ./src/Infrastructure.Dapper/
+COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY util/Migrator/. ./util/Migrator/
 COPY util/MySqlMigrations/. ./util/MySqlMigrations/
diff --git a/src/Notifications/Dockerfile b/src/Notifications/Dockerfile
index 46ab2a89e1..b257fcb367 100644
--- a/src/Notifications/Dockerfile
+++ b/src/Notifications/Dockerfile
@@ -21,6 +21,8 @@ RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
 WORKDIR /source
 COPY src/Core/*.csproj ./src/Core/
 COPY src/Notifications/*.csproj ./src/Notifications/
+COPY src/Infrastructure.Dapper/*.csproj ./src/Infrastructure.Dapper/
+COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY Directory.Build.props .
 
@@ -32,6 +34,8 @@ RUN . /tmp/rid.txt && dotnet restore -r $RID
 WORKDIR /source
 COPY src/Core/. ./src/Core/
 COPY src/Notifications/. ./src/Notifications/
+COPY src/Infrastructure.Dapper/. ./src/Infrastructure.Dapper/
+COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY .git/. ./.git/
 

From 9381577f6647481a594ca36e2055b5e513f09ae8 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 16:05:05 -0500
Subject: [PATCH 045/184] Fix Dockerfiles

---
 src/Admin/Dockerfile                 |  1 +
 src/Events/Dockerfile                |  2 +-
 src/Identity/Dockerfile              |  1 +
 util/MsSql/Dockerfile                |  6 +++---
 util/MsSqlMigratorUtility/Dockerfile |  4 ++--
 util/Nginx/Dockerfile                | 14 +++++++-------
 util/Setup/Dockerfile                |  1 +
 7 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index 644f10f0ce..37e523a4fe 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -47,6 +47,7 @@ COPY util/Migrator/. ./util/Migrator/
 COPY util/MySqlMigrations/. ./util/MySqlMigrations/
 COPY util/PostgresMigrations/. ./util/PostgresMigrations/
 COPY util/SqliteMigrations/. ./util/SqliteMigrations/
+COPY util/EfShared/. ./util/EfShared/
 COPY bitwarden_license/src/Commercial.Core/. ./bitwarden_license/src/Commercial.Core/
 COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/. ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
 COPY .git/. ./.git/
diff --git a/src/Events/Dockerfile b/src/Events/Dockerfile
index 0cdc099f2c..2833c860f9 100644
--- a/src/Events/Dockerfile
+++ b/src/Events/Dockerfile
@@ -64,7 +64,7 @@ RUN apt-get update \
 
 # Copy app from the build stage
 WORKDIR /app
-COPY --from=build /app/Admin ./
+COPY --from=build /app/Events ./
 COPY src/Events/entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
diff --git a/src/Identity/Dockerfile b/src/Identity/Dockerfile
index dec0b6d0a0..3e9fb769aa 100644
--- a/src/Identity/Dockerfile
+++ b/src/Identity/Dockerfile
@@ -47,6 +47,7 @@ COPY util/Migrator/. ./util/Migrator/
 COPY util/MySqlMigrations/. ./util/MySqlMigrations/
 COPY util/PostgresMigrations/. ./util/PostgresMigrations/
 COPY util/SqliteMigrations/. ./util/SqliteMigrations/
+COPY util/EfShared/. ./util/EfShared/
 COPY bitwarden_license/src/Commercial.Core/. ./bitwarden_license/src/Commercial.Core/
 COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/. ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
 COPY .git/. ./.git/
diff --git a/util/MsSql/Dockerfile b/util/MsSql/Dockerfile
index 330f78208f..572a2b8007 100644
--- a/util/MsSql/Dockerfile
+++ b/util/MsSql/Dockerfile
@@ -10,9 +10,9 @@ RUN apt-get update \
         tzdata \
     && rm -rf /var/lib/apt/lists/*
 
-COPY backup-db.sql /
-COPY backup-db.sh /
-COPY entrypoint.sh /
+COPY util/MsSql/backup-db.sql /
+COPY util/MsSql/backup-db.sh /
+COPY util/MsSql/entrypoint.sh /
 
 RUN chmod +x /entrypoint.sh \
     && chmod +x /backup-db.sh
diff --git a/util/MsSqlMigratorUtility/Dockerfile b/util/MsSqlMigratorUtility/Dockerfile
index 133beb6fe7..815a53011d 100644
--- a/util/MsSqlMigratorUtility/Dockerfile
+++ b/util/MsSqlMigratorUtility/Dockerfile
@@ -6,7 +6,7 @@ FROM mcr.microsoft.com/dotnet/sdk:6.0 AS bitwarden-build
 
 # Copy csproj files as distinct layers
 WORKDIR /source
-COPY *.csproj ./util/MsSqlMigratorUtility/
+COPY util/MsSqlMigratorUtility/*.csproj ./util/MsSqlMigratorUtility/
 
 # Restore MsSqlMigratorUtility project dependencies and tools
 WORKDIR /source/util/MsSqlMigratorUtility
@@ -14,7 +14,7 @@ RUN dotnet restore
 
 # Copy required project files
 WORKDIR /source
-COPY . ./util/MsSqlMigratorUtility/
+COPY util/MsSqlMigratorUtility/. ./util/MsSqlMigratorUtility/
 
 # Build Setup app
 WORKDIR /source/util/MsSqlMigratorUtility
diff --git a/util/Nginx/Dockerfile b/util/Nginx/Dockerfile
index 973b616efb..7f85b77ea6 100644
--- a/util/Nginx/Dockerfile
+++ b/util/Nginx/Dockerfile
@@ -9,13 +9,13 @@ RUN apt-get update \
         curl \
     && rm -rf /var/lib/apt/lists/*
 
-COPY nginx.conf /etc/nginx
-COPY proxy.conf /etc/nginx
-COPY mime.types /etc/nginx
-COPY security-headers.conf /etc/nginx
-COPY security-headers-ssl.conf /etc/nginx
-COPY logrotate.sh /
-COPY entrypoint.sh /
+COPY util/Nginx/nginx.conf /etc/nginx
+COPY util/Nginx/proxy.conf /etc/nginx
+COPY util/Nginx/mime.types /etc/nginx
+COPY util/Nginx/security-headers.conf /etc/nginx
+COPY util/Nginx/security-headers-ssl.conf /etc/nginx
+COPY util/Nginx/logrotate.sh /
+COPY util/Nginx/entrypoint.sh /
 
 EXPOSE 8080
 EXPOSE 8443
diff --git a/util/Setup/Dockerfile b/util/Setup/Dockerfile
index 2c5a85eea0..34570ecae8 100644
--- a/util/Setup/Dockerfile
+++ b/util/Setup/Dockerfile
@@ -29,6 +29,7 @@ RUN . /tmp/rid.txt && dotnet restore -r $RID
 
 # Copy required project files
 WORKDIR /source
+COPY util/Migrator/. ./util/Migrator/
 COPY util/Setup/. ./util/Setup/
 COPY .git/. ./.git/
 

From e8e7820ef6d0f473df3d0a77fd0653ccb4f988c1 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 16:13:49 -0500
Subject: [PATCH 046/184] Fix Dockerfiles

---
 src/Identity/Dockerfile | 27 +++++++--------------------
 util/Setup/Dockerfile   |  2 ++
 2 files changed, 9 insertions(+), 20 deletions(-)

diff --git a/src/Identity/Dockerfile b/src/Identity/Dockerfile
index 3e9fb769aa..cbcc32413e 100644
--- a/src/Identity/Dockerfile
+++ b/src/Identity/Dockerfile
@@ -19,42 +19,29 @@ RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
 
 # Copy csproj files as distinct layers
 WORKDIR /source
-COPY src/Admin/*.csproj ./src/Admin/
+COPY src/Identity/*.csproj ./src/Identity/
 COPY src/Core/*.csproj ./src/Core/
 COPY src/Infrastructure.Dapper/*.csproj ./src/Infrastructure.Dapper/
 COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
-COPY util/Migrator/*.csproj ./util/Migrator/
-COPY util/MySqlMigrations/*.csproj ./util/MySqlMigrations/
-COPY util/PostgresMigrations/*.csproj ./util/PostgresMigrations/
-COPY util/SqliteMigrations/*.csproj ./util/SqliteMigrations/
-COPY bitwarden_license/src/Commercial.Core/*.csproj ./bitwarden_license/src/Commercial.Core/
-COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/*.csproj ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
 COPY Directory.Build.props .
 
-# Restore Admin project dependencies and tools
-WORKDIR /source/src/Admin
+# Restore Identity project dependencies and tools
+WORKDIR /source/src/Identity
 RUN . /tmp/rid.txt && dotnet restore -r $RID
 
 # Copy required project files
 WORKDIR /source
-COPY src/Admin/. ./src/Admin/
+COPY src/Identity/. ./src/Identity/
 COPY src/Core/. ./src/Core/
 COPY src/Infrastructure.Dapper/. ./src/Infrastructure.Dapper/
 COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
-COPY util/Migrator/. ./util/Migrator/
-COPY util/MySqlMigrations/. ./util/MySqlMigrations/
-COPY util/PostgresMigrations/. ./util/PostgresMigrations/
-COPY util/SqliteMigrations/. ./util/SqliteMigrations/
-COPY util/EfShared/. ./util/EfShared/
-COPY bitwarden_license/src/Commercial.Core/. ./bitwarden_license/src/Commercial.Core/
-COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/. ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
 COPY .git/. ./.git/
 
-# Build Admin app
-WORKDIR /source/src/Admin
-RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Admin --no-restore --no-self-contained -r $RID
+# Build Identity app
+WORKDIR /source/src/Identity
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Identity --no-restore --no-self-contained -r $RID
 
 WORKDIR /app
 
diff --git a/util/Setup/Dockerfile b/util/Setup/Dockerfile
index 34570ecae8..dce42a14bb 100644
--- a/util/Setup/Dockerfile
+++ b/util/Setup/Dockerfile
@@ -19,6 +19,7 @@ RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
 
 # Copy csproj files as distinct layers
 WORKDIR /source
+COPY src/Core/*.csproj ./src/Core/
 COPY util/Migrator/*.csproj ./util/Migrator/
 COPY util/Setup/*.csproj ./util/Setup/
 COPY Directory.Build.props .
@@ -29,6 +30,7 @@ RUN . /tmp/rid.txt && dotnet restore -r $RID
 
 # Copy required project files
 WORKDIR /source
+COPY src/Core/. ./src/Core/
 COPY util/Migrator/. ./util/Migrator/
 COPY util/Setup/. ./util/Setup/
 COPY .git/. ./.git/

From 586bac8018ee84aaea75532a8f5ccb6b0e242455 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 17:34:11 -0500
Subject: [PATCH 047/184] Fix gulp for Admin/Sso

---
 bitwarden_license/src/Sso/Dockerfile | 22 ++++++++++++++++++++++
 src/Admin/Dockerfile                 | 22 ++++++++++++++++++++++
 2 files changed, 44 insertions(+)

diff --git a/bitwarden_license/src/Sso/Dockerfile b/bitwarden_license/src/Sso/Dockerfile
index 439ffd4f04..784647dee2 100644
--- a/bitwarden_license/src/Sso/Dockerfile
+++ b/bitwarden_license/src/Sso/Dockerfile
@@ -5,6 +5,8 @@ FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0 AS build
 
 # Docker buildx supplies the value for this arg
 ARG TARGETPLATFORM
+ENV NODE_VERSION=16.20.2
+ENV NVM_DIR /usr/local/nvm
 
 # Determine proper runtime value for .NET
 # We put the value in a file to be read by later layers.
@@ -17,6 +19,24 @@ RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
     fi \
     && echo "RID=$RID" > /tmp/rid.txt
 
+# Add packages
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
+
+# Set up Node
+RUN mkdir -p $NVM_DIR
+RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash \
+    && . $NVM_DIR/nvm.sh \
+    && nvm install $NODE_VERSION \
+    && nvm alias default $NODE_VERSION \
+    && nvm use default
+ENV NODE_PATH $NVM_DIR/versions/node/v$NODE_VERSION/lib/node_modules
+ENV PATH      $NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH
+
+# Install gulp
+RUN npm install -g gulp
+
 # Copy csproj files as distinct layers
 WORKDIR /source
 COPY bitwarden_license/src/Sso/*.csproj ./bitwarden_license/src/Sso/
@@ -41,6 +61,8 @@ COPY .git/. ./.git/
 
 # Build Sso app
 WORKDIR /source/bitwarden_license/src/Sso
+RUN npm install
+RUN gulp --gulpfile "gulpfile.js" build
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Sso --no-restore --no-self-contained -r $RID
 
 WORKDIR /app
diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index 37e523a4fe..20930d774e 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -5,6 +5,8 @@ FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0 AS build
 
 # Docker buildx supplies the value for this arg
 ARG TARGETPLATFORM
+ARG NODE_VERSION=16.20.2
+ENV NVM_DIR /usr/local/nvm
 
 # Determine proper runtime value for .NET
 # We put the value in a file to be read by later layers.
@@ -17,6 +19,24 @@ RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
     fi \
     && echo "RID=$RID" > /tmp/rid.txt
 
+# Add packages
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
+
+# Set up Node
+RUN mkdir -p $NVM_DIR
+RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash \
+    && . $NVM_DIR/nvm.sh \
+    && nvm install $NODE_VERSION \
+    && nvm alias default $NODE_VERSION \
+    && nvm use default
+ENV NODE_PATH $NVM_DIR/versions/node/v$NODE_VERSION/lib/node_modules
+ENV PATH      $NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH
+
+# Install gulp
+RUN npm install -g gulp
+
 # Copy csproj files as distinct layers
 WORKDIR /source
 COPY src/Admin/*.csproj ./src/Admin/
@@ -54,6 +74,8 @@ COPY .git/. ./.git/
 
 # Build Admin app
 WORKDIR /source/src/Admin
+RUN npm install
+RUN gulp --gulpfile "gulpfile.js" build
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Admin --no-restore --no-self-contained -r $RID
 
 WORKDIR /app

From 1100ee58d70433b8e3ed83c6c1176351df571e02 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 18:08:24 -0500
Subject: [PATCH 048/184] Remove Dockerfile-k8s

---
 util/Nginx/Dockerfile-k8s | 40 ---------------------------------------
 1 file changed, 40 deletions(-)
 delete mode 100644 util/Nginx/Dockerfile-k8s

diff --git a/util/Nginx/Dockerfile-k8s b/util/Nginx/Dockerfile-k8s
deleted file mode 100644
index 9f0d89ee1d..0000000000
--- a/util/Nginx/Dockerfile-k8s
+++ /dev/null
@@ -1,40 +0,0 @@
-FROM nginx:stable
-
-LABEL com.bitwarden.product="bitwarden"
-
-ENV USERNAME="bitwarden"
-ENV GROUPNAME="bitwarden"
-
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends \
-        gosu \
-        curl && \
-    rm -rf /var/lib/apt/lists/*
-
-COPY nginx.conf /etc/nginx/nginx.conf
-COPY proxy.conf /etc/nginx/proxy.conf
-COPY mime.types /etc/nginx/mime.types
-COPY security-headers.conf /etc/nginx/security-headers.conf
-COPY security-headers-ssl.conf /etc/nginx/security-headers.conf
-
-COPY setup-bwuser.sh /
-
-EXPOSE 8000
-
-EXPOSE 8080
-EXPOSE 8443
-
-RUN chmod +x /setup-bwuser.sh
-
-RUN ./setup-bwuser.sh $USERNAME $GROUPNAME
-
-RUN mkdir -p /var/run/nginx && \
-    touch /var/run/nginx/nginx.pid
-RUN chown -R $USERNAME:$GROUPNAME /var/run/nginx && \
-    chown -R $USERNAME:$GROUPNAME /var/cache/nginx && \
-    chown -R $USERNAME:$GROUPNAME /var/log/nginx
-    
-
-HEALTHCHECK CMD curl --insecure -Lfs https://localhost:8443/alive || curl -Lfs http://localhost:8080/alive || exit 1
-
-USER bitwarden

From 18d297e4e31e7c85f05f226a93923bcacf6108d3 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 18:11:41 -0500
Subject: [PATCH 049/184] Remove extra build.Dockerfile

---
 build.Dockerfile | 193 -----------------------------------------------
 1 file changed, 193 deletions(-)
 delete mode 100644 build.Dockerfile

diff --git a/build.Dockerfile b/build.Dockerfile
deleted file mode 100644
index 849531b83c..0000000000
--- a/build.Dockerfile
+++ /dev/null
@@ -1,193 +0,0 @@
-###############################################
-#                 Build stage                 #
-###############################################
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0
-
-# Docker buildx supplies the value for this arg
-ARG TARGETPLATFORM
-ENV NODE_VERSION=16.20.2
-ENV NVM_DIR /usr/local/nvm
-
-# Determine proper runtime value for .NET
-# We put the value in a file to be read by later layers.
-RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
-      RID=linux-x64 ; \
-    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
-      RID=linux-arm64 ; \
-    elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
-      RID=linux-arm ; \
-    fi \
-    && echo "RID=$RID" > /tmp/rid.txt
-
-# Add packages
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    curl \
-    && rm -rf /var/lib/apt/lists/*
-
-# Set up Node
-RUN mkdir -p $NVM_DIR
-RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash \
-    && . $NVM_DIR/nvm.sh \
-    && nvm install $NODE_VERSION \
-    && nvm alias default $NODE_VERSION \
-    && nvm use default
-ENV NODE_PATH $NVM_DIR/versions/node/v$NODE_VERSION/lib/node_modules
-ENV PATH      $NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH
-
-# Install gulp
-RUN npm install -g gulp
-
-# Copy csproj files as distinct layers
-WORKDIR /source
-COPY src/Admin/*.csproj ./src/Admin/
-COPY src/Api/*.csproj ./src/Api/
-COPY src/Billing/*.csproj ./src/Billing/
-COPY src/Events/*.csproj ./src/Events/
-COPY src/EventsProcessor/*.csproj ./src/EventsProcessor/
-COPY src/Icons/*.csproj ./src/Icons/
-COPY src/Identity/*.csproj ./src/Identity/
-COPY src/Notifications/*.csproj ./src/Notifications/
-COPY bitwarden_license/src/Sso/*.csproj ./bitwarden_license/src/Sso/
-COPY bitwarden_license/src/Scim/*.csproj ./bitwarden_license/src/Scim/
-COPY src/Core/*.csproj ./src/Core/
-COPY src/Infrastructure.Dapper/*.csproj ./src/Infrastructure.Dapper/
-COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFramework/
-COPY src/SharedWeb/*.csproj ./src/SharedWeb/
-COPY util/Migrator/*.csproj ./util/Migrator/
-COPY util/MySqlMigrations/*.csproj ./util/MySqlMigrations/
-COPY util/PostgresMigrations/*.csproj ./util/PostgresMigrations/
-COPY util/Server/*.csproj ./util/Server/
-COPY util/Setup/*.csproj ./util/Setup/
-COPY util/SqliteMigrations/*.csproj ./util/SqliteMigrations/
-COPY bitwarden_license/src/Commercial.Core/*.csproj ./bitwarden_license/src/Commercial.Core/
-COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/*.csproj ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
-COPY Directory.Build.props .
-
-# Restore Admin project dependencies and tools
-WORKDIR /source/src/Admin
-RUN . /tmp/rid.txt && dotnet restore -r $RID
-
-# Restore Api project dependencies and tools
-WORKDIR /source/src/Api
-RUN . /tmp/rid.txt && dotnet restore -r $RID
-
-# Restore Billing project dependencies and tools
-WORKDIR /source/src/Billing
-RUN . /tmp/rid.txt && dotnet restore -r $RID
-
-# Restore Events project dependencies and tools
-WORKDIR /source/src/Events
-RUN . /tmp/rid.txt && dotnet restore -r $RID
-
-# Restore Events project dependencies and tools
-WORKDIR /source/src/EventsProcessor
-RUN . /tmp/rid.txt && dotnet restore -r $RID
-
-# Restore Icons project dependencies and tools
-WORKDIR /source/src/Icons
-RUN . /tmp/rid.txt && dotnet restore -r $RID
-
-# Restore Identity project dependencies and tools
-WORKDIR /source/src/Identity
-RUN . /tmp/rid.txt && dotnet restore -r $RID
-
-# Restore Notifications project dependencies and tools
-WORKDIR /source/src/Notifications
-RUN . /tmp/rid.txt && dotnet restore -r $RID
-
-# Restore Sso project dependencies and tools
-WORKDIR /source/bitwarden_license/src/Sso
-RUN . /tmp/rid.txt && dotnet restore -r $RID
-
-# Restore Scim project dependencies and tools
-WORKDIR /source/bitwarden_license/src/Scim
-RUN . /tmp/rid.txt && dotnet restore -r $RID
-
-# Restore Server project dependencies and tools
-WORKDIR /source/util/Server
-RUN . /tmp/rid.txt && dotnet restore -r $RID
-
-# Restore Setup project dependencies and tools
-WORKDIR /source/util/Setup
-RUN . /tmp/rid.txt && dotnet restore -r $RID
-
-# Copy required project files
-WORKDIR /source
-COPY src/Admin/. ./src/Admin/
-COPY src/Api/. ./src/Api/
-COPY src/Billing/. ./src/Billing/
-COPY src/Events/. ./src/Events/
-COPY src/EventsProcessor/. ./src/EventsProcessor/
-COPY src/Icons/. ./src/Icons/
-COPY src/Identity/. ./src/Identity/
-COPY src/Notifications/. ./src/Notifications/
-COPY bitwarden_license/src/Sso/. ./bitwarden_license/src/Sso/
-COPY bitwarden_license/src/Scim/. ./bitwarden_license/src/Scim/
-COPY src/Core/. ./src/Core/
-COPY src/Infrastructure.Dapper/. ./src/Infrastructure.Dapper/
-COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
-COPY src/SharedWeb/. ./src/SharedWeb/
-COPY util/Migrator/. ./util/Migrator/
-COPY util/MySqlMigrations/. ./util/MySqlMigrations/
-COPY util/PostgresMigrations/. ./util/PostgresMigrations/
-COPY util/Server/. ./util/Server/
-COPY util/Setup/. ./util/Setup/
-COPY util/SqliteMigrations/. ./util/SqliteMigrations/
-COPY util/EfShared/. ./util/EfShared/
-COPY bitwarden_license/src/Commercial.Core/. ./bitwarden_license/src/Commercial.Core/
-COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/. ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
-COPY .git/. ./.git/
-
-# Build Admin app
-WORKDIR /source/src/Admin
-RUN npm install
-RUN gulp --gulpfile "gulpfile.js" build
-RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Admin --no-restore --no-self-contained -r $RID
-
-# Build Api app
-WORKDIR /source/src/Api
-RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Api --no-restore --no-self-contained -r $RID
-
-# Build Billing app
-WORKDIR /source/src/Billing
-RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Billing --no-restore --no-self-contained -r $RID
-
-# Build Events app
-WORKDIR /source/src/Events
-RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Events --no-restore --no-self-contained -r $RID
-
-# Build EventsProcessor app
-WORKDIR /source/src/EventsProcessor
-RUN . /tmp/rid.txt && dotnet publish -c release -o /app/EventsProcessor --no-restore --no-self-contained -r $RID
-
-# Build Icons app
-WORKDIR /source/src/Icons
-RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Icons --no-restore --no-self-contained -r $RID
-
-# Build Identity app
-WORKDIR /source/src/Identity
-RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Identity --no-restore --no-self-contained -r $RID
-
-# Build Notifications app
-WORKDIR /source/src/Notifications
-RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Notifications --no-restore --no-self-contained -r $RID
-
-# Build Sso app
-WORKDIR /source/bitwarden_license/src/Sso
-RUN npm install
-RUN gulp --gulpfile "gulpfile.js" build
-RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Sso --no-restore --no-self-contained -r $RID
-
-# Build Scim app
-WORKDIR /source/bitwarden_license/src/Scim
-RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Scim --no-restore --no-self-contained -r $RID
-
-# Build Server app
-WORKDIR /source/util/Server
-RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Server --no-restore --no-self-contained -r $RID
-
-# Build Setup app
-WORKDIR /source/util/Setup
-RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Setup --no-restore --no-self-contained -r $RID
-
-WORKDIR /app

From dd80b2e99f185903f3d0eee89b9eeeb38f708c7f Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 23:35:43 -0500
Subject: [PATCH 050/184] Test

---
 .github/workflows/build.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index aad4b44d19..dc7227fe93 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -304,8 +304,18 @@ jobs:
             linux/arm/v7,
             linux/arm64
           push: true
+          outputs: type=tar,dest=${{ matrix.project_name }}.tar
           tags: ${{ steps.image-name.outputs.name }}
 
+      - name: TEST STEP
+        run: |
+          ls -alh
+          mkdir -p TEST
+          mv ${{ matrix.project_name }}.tar TEST/
+          cd TEST
+          tar -xvf admin.tar
+          ls -alh
+
       - name: Log out of Docker
         run: docker logout
 

From 285741784a2cda92e6db18f52cb52df15d7777e9 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 23:54:19 -0500
Subject: [PATCH 051/184] Test copying files from Docker images

---
 .github/workflows/build.yml | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index dc7227fe93..da7b3a94dc 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -304,17 +304,21 @@ jobs:
             linux/arm/v7,
             linux/arm64
           push: true
-          outputs: type=tar,dest=${{ matrix.project_name }}.tar
           tags: ${{ steps.image-name.outputs.name }}
 
       - name: TEST STEP
         run: |
-          ls -alh
-          mkdir -p TEST
-          mv ${{ matrix.project_name }}.tar TEST/
-          cd TEST
-          tar -xvf admin.tar
-          ls -alh
+          mkdir linux-amd64
+          docker run --rm -ti --platform linux/amd64 --volume $(pwd):/temp ${{ steps.image-name.outputs.name }} cp -r /app /temp/linux-amd64
+          file linux-amd64/app/${{ matrix.project_name }}.dll
+
+          mkdir linux-arm
+          docker run --rm -ti --platform linux/arm --volume $(pwd):/temp ${{ steps.image-name.outputs.name }} cp -r /app /temp/linux-arm
+          file linux-arm/app/${{ matrix.project_name }}.dll
+
+          mkdir linux-arm64
+          docker run --rm -ti --platform linux/arm64 --volume $(pwd):/temp ${{ steps.image-name.outputs.name }} cp -r /app /temp/linux-arm64
+          file linux-arm64/app/${{ matrix.project_name }}.dll
 
       - name: Log out of Docker
         run: docker logout

From f50508b0e1f202a2bf8f6f22c84935a5d908af6a Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 15 Nov 2023 23:57:02 -0500
Subject: [PATCH 052/184] Remove interactive flag

---
 .github/workflows/build.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index da7b3a94dc..1464b166f7 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -309,15 +309,15 @@ jobs:
       - name: TEST STEP
         run: |
           mkdir linux-amd64
-          docker run --rm -ti --platform linux/amd64 --volume $(pwd):/temp ${{ steps.image-name.outputs.name }} cp -r /app /temp/linux-amd64
+          docker run --rm --platform linux/amd64 --volume $(pwd):/temp ${{ steps.image-name.outputs.name }} cp -r /app /temp/linux-amd64
           file linux-amd64/app/${{ matrix.project_name }}.dll
 
           mkdir linux-arm
-          docker run --rm -ti --platform linux/arm --volume $(pwd):/temp ${{ steps.image-name.outputs.name }} cp -r /app /temp/linux-arm
+          docker run --rm --platform linux/arm --volume $(pwd):/temp ${{ steps.image-name.outputs.name }} cp -r /app /temp/linux-arm
           file linux-arm/app/${{ matrix.project_name }}.dll
 
           mkdir linux-arm64
-          docker run --rm -ti --platform linux/arm64 --volume $(pwd):/temp ${{ steps.image-name.outputs.name }} cp -r /app /temp/linux-arm64
+          docker run --rm --platform linux/arm64 --volume $(pwd):/temp ${{ steps.image-name.outputs.name }} cp -r /app /temp/linux-arm64
           file linux-arm64/app/${{ matrix.project_name }}.dll
 
       - name: Log out of Docker

From 420bcb7c434a2d00d739b7ad982607c1cd5b8c42 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 16 Nov 2023 00:06:00 -0500
Subject: [PATCH 053/184] Test

---
 .github/workflows/build.yml | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1464b166f7..ce568cbf3f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -309,16 +309,19 @@ jobs:
       - name: TEST STEP
         run: |
           mkdir linux-amd64
-          docker run --rm --platform linux/amd64 --volume $(pwd):/temp ${{ steps.image-name.outputs.name }} cp -r /app /temp/linux-amd64
-          file linux-amd64/app/${{ matrix.project_name }}.dll
+          docker run --rm --platform linux/amd64 --volume $(pwd):/temp --entrypoint bash \
+          ${{ steps.image-name.outputs.name }} -c "cp -r ./ /temp/linux-amd64"
+          file linux-amd64/${{ matrix.project_name }}.dll
 
           mkdir linux-arm
-          docker run --rm --platform linux/arm --volume $(pwd):/temp ${{ steps.image-name.outputs.name }} cp -r /app /temp/linux-arm
-          file linux-arm/app/${{ matrix.project_name }}.dll
+          docker run --rm --platform linux/arm --volume $(pwd):/temp --entrypoint bash \
+          ${{ steps.image-name.outputs.name }} -c "cp -r ./ /temp/linux-arm"
+          file linux-arm/${{ matrix.project_name }}.dll
 
           mkdir linux-arm64
-          docker run --rm --platform linux/arm64 --volume $(pwd):/temp ${{ steps.image-name.outputs.name }} cp -r /app /temp/linux-arm64
-          file linux-arm64/app/${{ matrix.project_name }}.dll
+          docker run --rm --platform linux/arm64 --volume $(pwd):/temp --entrypoint bash \
+          ${{ steps.image-name.outputs.name }} -c "cp -r ./ /temp/linux-arm64"
+          file linux-arm64/${{ matrix.project_name }}.dll
 
       - name: Log out of Docker
         run: docker logout

From aa62e6f10d09b327e77ab7ffa51d269d75a2298b Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 16 Nov 2023 00:09:27 -0500
Subject: [PATCH 054/184] Test

---
 .github/workflows/build.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ce568cbf3f..04fae1e41c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -311,6 +311,8 @@ jobs:
           mkdir linux-amd64
           docker run --rm --platform linux/amd64 --volume $(pwd):/temp --entrypoint bash \
           ${{ steps.image-name.outputs.name }} -c "cp -r ./ /temp/linux-amd64"
+          ls -alh
+          ls -alh linux-amd64
           file linux-amd64/${{ matrix.project_name }}.dll
 
           mkdir linux-arm

From 4a00dfc3ce8828ebe6bd9302385b88002a1e942e Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 16 Nov 2023 00:16:59 -0500
Subject: [PATCH 055/184] Test

---
 .github/workflows/build.yml | 32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 04fae1e41c..8109fa8d3f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -306,24 +306,28 @@ jobs:
           push: true
           tags: ${{ steps.image-name.outputs.name }}
 
-      - name: TEST STEP
+      - name: Zip project
+        working-directory: ${{ matrix.base_path }}/${{ matrix.project_name }}
         run: |
-          mkdir linux-amd64
-          docker run --rm --platform linux/amd64 --volume $(pwd):/temp --entrypoint bash \
-          ${{ steps.image-name.outputs.name }} -c "cp -r ./ /temp/linux-amd64"
+          mkdir build
+          docker run --rm --platform linux/amd64 --volume $(pwd)/build:/temp --entrypoint bash \
+          ${{ steps.image-name.outputs.name }} -c "cp -r ./ /temp"
           ls -alh
-          ls -alh linux-amd64
-          file linux-amd64/${{ matrix.project_name }}.dll
+          ls -alh build
 
-          mkdir linux-arm
-          docker run --rm --platform linux/arm --volume $(pwd):/temp --entrypoint bash \
-          ${{ steps.image-name.outputs.name }} -c "cp -r ./ /temp/linux-arm"
-          file linux-arm/${{ matrix.project_name }}.dll
+          cd build
+          zip -r ${{ matrix.project_name }}.zip .
+          mv ${{ matrix.project_name }}.zip ../../../
 
-          mkdir linux-arm64
-          docker run --rm --platform linux/arm64 --volume $(pwd):/temp --entrypoint bash \
-          ${{ steps.image-name.outputs.name }} -c "cp -r ./ /temp/linux-arm64"
-          file linux-arm64/${{ matrix.project_name }}.dll
+          pwd
+          ls -atlh ../../../
+
+      - name: Upload project artifact
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: ${{ matrix.project_name }}.zip
+          path: ${{ matrix.base_path }}/${{ matrix.project_name }}/${{ matrix.project_name }}.zip
+          if-no-files-found: error
 
       - name: Log out of Docker
         run: docker logout

From e3c08a28b2e5718f2c54fdf6b7c6a1435c28f66d Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 16 Nov 2023 00:20:05 -0500
Subject: [PATCH 056/184] Test

---
 .github/workflows/build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8109fa8d3f..5f6d6f9d02 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -317,10 +317,10 @@ jobs:
 
           cd build
           zip -r ${{ matrix.project_name }}.zip .
-          mv ${{ matrix.project_name }}.zip ../../../
+          mv ${{ matrix.project_name }}.zip ../
 
           pwd
-          ls -atlh ../../../
+          ls -atlh ../
 
       - name: Upload project artifact
         uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3

From cf6cfeb475848ab4a0db90cc390fac32c8f5c118 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 16 Nov 2023 00:28:46 -0500
Subject: [PATCH 057/184] Test

---
 .github/workflows/build.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5f6d6f9d02..7e0606ad54 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -204,36 +204,49 @@ jobs:
         include:
           - project_name: Admin
             base_path: ./src
+            upload_artifact: true
           - project_name: Api
             base_path: ./src
+            upload_artifact: true
           - project_name: Attachments
             base_path: ./util
           - project_name: Billing
             base_path: ./src
+            upload_artifact: true
           - project_name: Events
             base_path: ./src
+            upload_artifact: true
           - project_name: EventsProcessor
             base_path: ./src
+            upload_artifact: true
           - project_name: Icons
             base_path: ./src
+            upload_artifact: true
           - project_name: Identity
             base_path: ./src
+            upload_artifact: true
           - project_name: MsSql
             base_path: ./util
           - project_name: MsSqlMigratorUtility
             base_path: ./util
+            upload_artifact: true
           - project_name: Nginx
             base_path: ./util
           - project_name: Notifications
             base_path: ./src
+            upload_artifact: true
           - project_name: Scim
             base_path: ./bitwarden_license/src
+            upload_artifact: true
           - project_name: Server
             base_path: ./util
+            upload_artifact: true
           - project_name: Setup
             base_path: ./util
+            upload_artifact: true
           - project_name: Sso
             base_path: ./bitwarden_license/src
+            upload_artifact: true
     steps:
       - name: Checkout repo
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -307,6 +320,7 @@ jobs:
           tags: ${{ steps.image-name.outputs.name }}
 
       - name: Zip project
+        if: ${{ matrix.upload_artifact }}
         working-directory: ${{ matrix.base_path }}/${{ matrix.project_name }}
         run: |
           mkdir build
@@ -323,6 +337,7 @@ jobs:
           ls -atlh ../
 
       - name: Upload project artifact
+        if: ${{ matrix.upload_artifact }}
         uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: ${{ matrix.project_name }}.zip

From 96431771c25357f625f217b3be79015c91196504 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 16 Nov 2023 00:32:19 -0500
Subject: [PATCH 058/184] Update workflow

---
 .github/workflows/build.yml | 122 +++---------------------------------
 1 file changed, 10 insertions(+), 112 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7e0606ad54..601aa2bf79 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -96,108 +96,12 @@ jobs:
           reporter: dotnet-trx
           fail-on-error: true
 
-  build-artifacts:
-    if: false
-    name: Build artifacts
-    runs-on: ubuntu-22.04
-    needs:
-      - testing
-      - lint
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - project_name: Admin
-            base_path: ./src
-            node: true
-          - project_name: Api
-            base_path: ./src
-          - project_name: Billing
-            base_path: ./src
-          - project_name: Events
-            base_path: ./src
-          - project_name: EventsProcessor
-            base_path: ./src
-          - project_name: Icons
-            base_path: ./src
-          - project_name: Identity
-            base_path: ./src
-          - project_name: MsSqlMigratorUtility
-            base_path: ./util
-            dotnet: true
-          - project_name: Notifications
-            base_path: ./src
-          - project_name: Scim
-            base_path: ./bitwarden_license/src
-            dotnet: true
-          - project_name: Server
-            base_path: ./util
-          - project_name: Setup
-            base_path: ./util
-          - project_name: Sso
-            base_path: ./bitwarden_license/src
-            node: true
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-
-      - name: Set up dotnet
-        uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0
-
-      - name: Set up Node
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
-        with:
-          cache: "npm"
-          cache-dependency-path: "**/package-lock.json"
-          node-version: "16"
-
-      - name: Print environment
-        run: |
-          whoami
-          dotnet --info
-          node --version
-          npm --version
-          echo "GitHub ref: $GITHUB_REF"
-          echo "GitHub event: $GITHUB_EVENT"
-
-      - name: Restore/Clean project
-        working-directory: ${{ matrix.base_path }}/${{ matrix.project_name }}
-        run: |
-          echo "Restore"
-          dotnet restore
-          echo "Clean"
-          dotnet clean -c "Release" -o obj/build-output/publish
-
-      - name: Build node
-        if: ${{ matrix.node }}
-        working-directory: ${{ matrix.base_path }}/${{ matrix.project_name }}
-        run: |
-          npm ci
-          npm run build
-
-      - name: Publish project
-        working-directory: ${{ matrix.base_path }}/${{ matrix.project_name }}
-        run: |
-          echo "Publish"
-          dotnet publish -c "Release" -o obj/build-output/publish
-
-          cd obj/build-output/publish
-          zip -r ${{ matrix.project_name }}.zip .
-          mv ${{ matrix.project_name }}.zip ../../../
-
-          pwd
-          ls -atlh ../../../
-
-      - name: Upload project artifact
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-        with:
-          name: ${{ matrix.project_name }}.zip
-          path: ${{ matrix.base_path }}/${{ matrix.project_name }}/${{ matrix.project_name }}.zip
-          if-no-files-found: error
-
-  build-docker:
-    name: Build Docker images
+  build:
+    name: Build artifacts and images
     runs-on: ubuntu-22.04
+    # needs:
+    #   - lint
+    #   - testing
     strategy:
       fail-fast: false
       matrix:
@@ -326,8 +230,6 @@ jobs:
           mkdir build
           docker run --rm --platform linux/amd64 --volume $(pwd)/build:/temp --entrypoint bash \
           ${{ steps.image-name.outputs.name }} -c "cp -r ./ /temp"
-          ls -alh
-          ls -alh build
 
           cd build
           zip -r ${{ matrix.project_name }}.zip .
@@ -350,7 +252,7 @@ jobs:
   upload:
     name: Upload
     runs-on: ubuntu-22.04
-    needs: build-docker
+    needs: build
     steps:
       - name: Checkout repo
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -534,7 +436,7 @@ jobs:
   self-host-build:
     name: Trigger self-host build
     runs-on: ubuntu-22.04
-    needs: build-docker
+    needs: build
     steps:
       - name: Login to Azure - CI Subscription
         uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
@@ -571,8 +473,7 @@ jobs:
       - cloc
       - lint
       - testing
-      - build-artifacts
-      - build-docker
+      - build
       - upload
       - build-mssqlmigratorutility
       - self-host-build
@@ -586,8 +487,7 @@ jobs:
           CLOC_STATUS: ${{ needs.cloc.result }}
           LINT_STATUS: ${{ needs.lint.result }}
           TESTING_STATUS: ${{ needs.testing.result }}
-          BUILD_ARTIFACTS_STATUS: ${{ needs.build-artifacts.result }}
-          BUILD_DOCKER_STATUS: ${{ needs.build-docker.result }}
+          BUILD_STATUS: ${{ needs.build.result }}
           UPLOAD_STATUS: ${{ needs.upload.result }}
           BUILD_MSSQLMIGRATORUTILITY_STATUS: ${{ needs.build-mssqlmigratorutility.result }}
           TRIGGER_SELF_HOST_BUILD_STATUS: ${{ needs.self-host-build.result }}
@@ -598,9 +498,7 @@ jobs:
               exit 1
           elif [ "$TESTING_STATUS" = "failure" ]; then
               exit 1
-          elif [ "$BUILD_ARTIFACTS_STATUS" = "failure" ]; then
-              exit 1
-          elif [ "$BUILD_DOCKER_STATUS" = "failure" ]; then
+          elif [ "$BUILD_STATUS" = "failure" ]; then
               exit 1
           elif [ "$UPLOAD_STATUS" = "failure" ]; then
               exit 1

From ff72a905748baf448042f11284fc62fc0d1bae4b Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 16 Nov 2023 09:17:10 -0500
Subject: [PATCH 059/184] Add platforms

---
 .github/workflows/build.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 601aa2bf79..fd1f467eac 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -217,9 +217,12 @@ jobs:
           context: .
           file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile
           platforms: |
+            linux/386,
             linux/amd64,
+            linux/arm/v6,
             linux/arm/v7,
-            linux/arm64
+            linux/arm64,
+            linux/riscv64
           push: true
           tags: ${{ steps.image-name.outputs.name }}
 

From 4b695f158b0c094b84d537cfba75d01087856a63 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 16 Nov 2023 09:20:51 -0500
Subject: [PATCH 060/184] Remove platform

---
 .github/workflows/build.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fd1f467eac..16cd3d2d8c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -221,8 +221,7 @@ jobs:
             linux/amd64,
             linux/arm/v6,
             linux/arm/v7,
-            linux/arm64,
-            linux/riscv64
+            linux/arm64
           push: true
           tags: ${{ steps.image-name.outputs.name }}
 

From 7bed9d18f2e8b94949eecf5f628631b8a1f7e711 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 16 Nov 2023 09:24:31 -0500
Subject: [PATCH 061/184] Remove platform

---
 .github/workflows/build.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 16cd3d2d8c..b099cc002d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -217,7 +217,6 @@ jobs:
           context: .
           file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile
           platforms: |
-            linux/386,
             linux/amd64,
             linux/arm/v6,
             linux/arm/v7,

From 5aa2b214154f67f9486eca42361668c8282e5532 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 16 Nov 2023 09:30:29 -0500
Subject: [PATCH 062/184] Put platforms back to normal

---
 .github/workflows/build.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b099cc002d..601aa2bf79 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -218,7 +218,6 @@ jobs:
           file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile
           platforms: |
             linux/amd64,
-            linux/arm/v6,
             linux/arm/v7,
             linux/arm64
           push: true

From 1b2e7a3ed7a47c1c55636f371386aa82a57c8223 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 16 Nov 2023 09:40:51 -0500
Subject: [PATCH 063/184] Fix MsSqlMigratorUtility

---
 util/MsSqlMigratorUtility/Dockerfile | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/util/MsSqlMigratorUtility/Dockerfile b/util/MsSqlMigratorUtility/Dockerfile
index 815a53011d..ee4b6d2712 100644
--- a/util/MsSqlMigratorUtility/Dockerfile
+++ b/util/MsSqlMigratorUtility/Dockerfile
@@ -2,23 +2,41 @@
 #                 Build stage                 #
 ###############################################
 
-FROM mcr.microsoft.com/dotnet/sdk:6.0 AS bitwarden-build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0 AS bitwarden-build
+
+# Docker buildx supplies the value for this arg
+ARG TARGETPLATFORM
+
+# Determine proper runtime value for .NET
+# We put the value in a file to be read by later layers.
+RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
+      RID=linux-x64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
+      RID=linux-arm64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
+      RID=linux-arm ; \
+    fi \
+    && echo "RID=$RID" > /tmp/rid.txt
 
 # Copy csproj files as distinct layers
 WORKDIR /source
+COPY src/Core/*.csproj ./src/Core/
+COPY util/Migrator/*.csproj ./util/Migrator/
 COPY util/MsSqlMigratorUtility/*.csproj ./util/MsSqlMigratorUtility/
 
 # Restore MsSqlMigratorUtility project dependencies and tools
 WORKDIR /source/util/MsSqlMigratorUtility
-RUN dotnet restore
+RUN . /tmp/rid.txt && dotnet restore -r $RID
 
 # Copy required project files
 WORKDIR /source
+COPY src/Core/. ./src/Core/
+COPY util/Migrator/. ./util/Migrator/
 COPY util/MsSqlMigratorUtility/. ./util/MsSqlMigratorUtility/
 
-# Build Setup app
+# Build MsSqlMigratorUtility app
 WORKDIR /source/util/MsSqlMigratorUtility
-RUN dotnet publish -c release -o /app/MsSqlMigratorUtility --no-restore --no-self-contained
+RUN . /tmp/rid.txt && dotnet publish -c release -o /app/MsSqlMigratorUtility --no-restore --no-self-contained -r $RID
 
 WORKDIR /app
 
@@ -27,6 +45,7 @@ WORKDIR /app
 ###############################################
 FROM mcr.microsoft.com/dotnet/aspnet:6.0
 
+ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
 
 # Copy app from the build stage

From 646c5c72103e880ceb381e802feb92546e9657ee Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 16 Nov 2023 09:48:59 -0500
Subject: [PATCH 064/184] Add proper files to Dockerfile

---
 util/MsSqlMigratorUtility/Dockerfile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/util/MsSqlMigratorUtility/Dockerfile b/util/MsSqlMigratorUtility/Dockerfile
index ee4b6d2712..69342ccfd2 100644
--- a/util/MsSqlMigratorUtility/Dockerfile
+++ b/util/MsSqlMigratorUtility/Dockerfile
@@ -23,6 +23,7 @@ WORKDIR /source
 COPY src/Core/*.csproj ./src/Core/
 COPY util/Migrator/*.csproj ./util/Migrator/
 COPY util/MsSqlMigratorUtility/*.csproj ./util/MsSqlMigratorUtility/
+COPY Directory.Build.props .
 
 # Restore MsSqlMigratorUtility project dependencies and tools
 WORKDIR /source/util/MsSqlMigratorUtility
@@ -33,6 +34,7 @@ WORKDIR /source
 COPY src/Core/. ./src/Core/
 COPY util/Migrator/. ./util/Migrator/
 COPY util/MsSqlMigratorUtility/. ./util/MsSqlMigratorUtility/
+COPY .git/. ./.git/
 
 # Build MsSqlMigratorUtility app
 WORKDIR /source/util/MsSqlMigratorUtility

From 4ed7907f33604dee33111b7b75ebe0a1e875f026 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 16 Nov 2023 10:44:37 -0500
Subject: [PATCH 065/184] Re-enable jobs

---
 .github/workflows/build.yml | 29 ++++++++++++-----------------
 1 file changed, 12 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 601aa2bf79..7cbce5e6cf 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -15,12 +15,11 @@ env:
 
 jobs:
   cloc:
-    if: false
     name: CLOC
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout repo
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Install cloc
         run: |
@@ -31,12 +30,11 @@ jobs:
         run: cloc --include-lang C#,SQL,Razor,"Bourne Shell",PowerShell,HTML,CSS,Sass,JavaScript,TypeScript --vcs git
 
   lint:
-    if: false
     name: Lint
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout repo
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Set up dotnet
         uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0
@@ -45,14 +43,13 @@ jobs:
         run: dotnet format --verify-no-changes
 
   testing:
-    if: false
     name: Testing
     runs-on: ubuntu-22.04
     env:
       NUGET_PACKAGES: ${{ github.workspace }}/.nuget/packages
     steps:
       - name: Checkout repo
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Set up dotnet
         uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0
@@ -99,9 +96,9 @@ jobs:
   build:
     name: Build artifacts and images
     runs-on: ubuntu-22.04
-    # needs:
-    #   - lint
-    #   - testing
+    needs:
+      - lint
+      - testing
     strategy:
       fail-fast: false
       matrix:
@@ -212,8 +209,6 @@ jobs:
       - name: Build Docker image
         uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
         with:
-          build-args: |
-            BUILD_TAG=${{ steps.tag.outputs.image_tag }}
           context: .
           file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile
           platforms: |
@@ -249,8 +244,8 @@ jobs:
       - name: Log out of Docker
         run: docker logout
 
-  upload:
-    name: Upload
+  build-stub-swagger:
+    name: Build Docker-Stub/Swagger
     runs-on: ubuntu-22.04
     needs: build
     steps:
@@ -394,7 +389,7 @@ jobs:
           - win-x64
     steps:
       - name: Checkout repo
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Set up dotnet
         uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0
@@ -474,7 +469,7 @@ jobs:
       - lint
       - testing
       - build
-      - upload
+      - build-stub-swagger
       - build-mssqlmigratorutility
       - self-host-build
     steps:
@@ -488,7 +483,7 @@ jobs:
           LINT_STATUS: ${{ needs.lint.result }}
           TESTING_STATUS: ${{ needs.testing.result }}
           BUILD_STATUS: ${{ needs.build.result }}
-          UPLOAD_STATUS: ${{ needs.upload.result }}
+          BUILD_STUB_SWAGGER_STATUS: ${{ needs.build-stub-swagger.result }}
           BUILD_MSSQLMIGRATORUTILITY_STATUS: ${{ needs.build-mssqlmigratorutility.result }}
           TRIGGER_SELF_HOST_BUILD_STATUS: ${{ needs.self-host-build.result }}
         run: |
@@ -500,7 +495,7 @@ jobs:
               exit 1
           elif [ "$BUILD_STATUS" = "failure" ]; then
               exit 1
-          elif [ "$UPLOAD_STATUS" = "failure" ]; then
+          elif [ "$BUILD_STUB_SWAGGER_STATUS" = "failure" ]; then
               exit 1
           elif [ "$BUILD_MSSQLMIGRATORUTILITY_STATUS" = "failure" ]; then
               exit 1

From 42638c4fc04c66fa533d0e2b73bd4674122c9cad Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 16 Nov 2023 11:06:14 -0500
Subject: [PATCH 066/184] Try larger runner

---
 .github/workflows/build.yml | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7cbce5e6cf..42ff8d01ad 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -44,7 +44,7 @@ jobs:
 
   testing:
     name: Testing
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest-m
     env:
       NUGET_PACKAGES: ${{ github.workspace }}/.nuget/packages
     steps:
@@ -95,10 +95,8 @@ jobs:
 
   build:
     name: Build artifacts and images
-    runs-on: ubuntu-22.04
-    needs:
-      - lint
-      - testing
+    runs-on: ubuntu-latest-m
+    needs: testing
     strategy:
       fail-fast: false
       matrix:
@@ -247,7 +245,7 @@ jobs:
   build-stub-swagger:
     name: Build Docker-Stub/Swagger
     runs-on: ubuntu-22.04
-    needs: build
+    needs: testing
     steps:
       - name: Checkout repo
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

From 8ddc7711a1971edd578bce604701a4924fdb46d4 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 16 Nov 2023 11:08:00 -0500
Subject: [PATCH 067/184] Change back to regular runners

---
 .github/workflows/build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 42ff8d01ad..71865fa917 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -44,7 +44,7 @@ jobs:
 
   testing:
     name: Testing
-    runs-on: ubuntu-latest-m
+    runs-on: ubuntu-22.04
     env:
       NUGET_PACKAGES: ${{ github.workspace }}/.nuget/packages
     steps:
@@ -95,7 +95,7 @@ jobs:
 
   build:
     name: Build artifacts and images
-    runs-on: ubuntu-latest-m
+    runs-on: ubuntu-22.04
     needs: testing
     strategy:
       fail-fast: false

From 7fc0c6805cc16ee66a155762c4c7e901d3551969 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 16 Nov 2023 11:14:20 -0500
Subject: [PATCH 068/184] Enable locked mode for NuGet restore

---
 .github/workflows/build.yml           | 4 ++--
 bitwarden_license/src/Scim/Dockerfile | 2 +-
 src/Admin/Dockerfile                  | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 71865fa917..e477d57ce4 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -348,7 +348,7 @@ jobs:
         run: |
           cd ./src/Api
           echo "Restore"
-          dotnet restore
+          dotnet restore --locked-mode
           echo "Clean"
           dotnet clean -c "Release" -o obj/build-output/publish
           echo "Publish"
@@ -402,7 +402,7 @@ jobs:
       - name: Restore project
         run: |
           echo "Restore"
-          dotnet restore
+          dotnet restore --locked-mode
 
       - name: Publish project
         run: |
diff --git a/bitwarden_license/src/Scim/Dockerfile b/bitwarden_license/src/Scim/Dockerfile
index 0c97fdcf49..abfbd22821 100644
--- a/bitwarden_license/src/Scim/Dockerfile
+++ b/bitwarden_license/src/Scim/Dockerfile
@@ -28,7 +28,7 @@ COPY Directory.Build.props .
 
 # Restore Scim project dependencies and tools
 WORKDIR /source/bitwarden_license/src/Scim
-RUN . /tmp/rid.txt && dotnet restore -r $RID
+RUN . /tmp/rid.txt && dotnet restore --locked-mode -r $RID
 
 # Copy required project files
 WORKDIR /source
diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index 20930d774e..1d046e921e 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -54,7 +54,7 @@ COPY Directory.Build.props .
 
 # Restore Admin project dependencies and tools
 WORKDIR /source/src/Admin
-RUN . /tmp/rid.txt && dotnet restore -r $RID
+RUN . /tmp/rid.txt && dotnet restore --locked-mode -r $RID
 
 # Copy required project files
 WORKDIR /source

From 3af9fe262dbd351f058eb91be70fa3a3ca54e7f1 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 16 Nov 2023 11:40:17 -0500
Subject: [PATCH 069/184] Test Docker cache

---
 .github/workflows/build.yml           | 2 ++
 bitwarden_license/src/Scim/Dockerfile | 2 +-
 src/Admin/Dockerfile                  | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e477d57ce4..8d73e06379 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -207,6 +207,8 @@ jobs:
       - name: Build Docker image
         uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
         with:
+          cache-from: type=registry,ref=${{ steps.image-name.outputs.name }}
+          cache-to: type=inline
           context: .
           file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile
           platforms: |
diff --git a/bitwarden_license/src/Scim/Dockerfile b/bitwarden_license/src/Scim/Dockerfile
index abfbd22821..0c97fdcf49 100644
--- a/bitwarden_license/src/Scim/Dockerfile
+++ b/bitwarden_license/src/Scim/Dockerfile
@@ -28,7 +28,7 @@ COPY Directory.Build.props .
 
 # Restore Scim project dependencies and tools
 WORKDIR /source/bitwarden_license/src/Scim
-RUN . /tmp/rid.txt && dotnet restore --locked-mode -r $RID
+RUN . /tmp/rid.txt && dotnet restore -r $RID
 
 # Copy required project files
 WORKDIR /source
diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index 1d046e921e..20930d774e 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -54,7 +54,7 @@ COPY Directory.Build.props .
 
 # Restore Admin project dependencies and tools
 WORKDIR /source/src/Admin
-RUN . /tmp/rid.txt && dotnet restore --locked-mode -r $RID
+RUN . /tmp/rid.txt && dotnet restore -r $RID
 
 # Copy required project files
 WORKDIR /source

From 0366f86a56b13b85d96da31f46ddf256af85b2b5 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 16 Nov 2023 11:42:41 -0500
Subject: [PATCH 070/184] Update needs for MsSqlMigratorUtility job

---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8d73e06379..9748cf5fdc 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -375,7 +375,7 @@ jobs:
   build-mssqlmigratorutility:
     name: Build MsSqlMigratorUtility
     runs-on: ubuntu-22.04
-    needs: lint
+    needs: testing
     defaults:
       run:
         shell: bash

From 0ecadedda9b3f1769e26e8a778e3d2c49263ab16 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 16 Nov 2023 11:44:45 -0500
Subject: [PATCH 071/184] Change needs for self-host-build

---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9748cf5fdc..44360c3dfd 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -431,7 +431,7 @@ jobs:
   self-host-build:
     name: Trigger self-host build
     runs-on: ubuntu-22.04
-    needs: build
+    needs: testing
     steps:
       - name: Login to Azure - CI Subscription
         uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7

From 75b8294a5c996a45c74bff5f1bf515a2cade1f99 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 16 Nov 2023 12:11:43 -0500
Subject: [PATCH 072/184] Add buildcache

---
 .github/workflows/build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 44360c3dfd..70c88980ed 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -207,8 +207,8 @@ jobs:
       - name: Build Docker image
         uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
         with:
-          cache-from: type=registry,ref=${{ steps.image-name.outputs.name }}
-          cache-to: type=inline
+          cache-from: type=registry,ref=${{ steps.image-name.outputs.name }}-buildcache
+          cache-to: type=registry,ref=${{ steps.image-name.outputs.name }}-buildcache,mode=max
           context: .
           file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile
           platforms: |

From f5dc7f4d530b046eca87362360177583fb1a598e Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 16 Nov 2023 14:21:08 -0500
Subject: [PATCH 073/184] Modify cache

---
 .github/workflows/build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 70c88980ed..44360c3dfd 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -207,8 +207,8 @@ jobs:
       - name: Build Docker image
         uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
         with:
-          cache-from: type=registry,ref=${{ steps.image-name.outputs.name }}-buildcache
-          cache-to: type=registry,ref=${{ steps.image-name.outputs.name }}-buildcache,mode=max
+          cache-from: type=registry,ref=${{ steps.image-name.outputs.name }}
+          cache-to: type=inline
           context: .
           file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile
           platforms: |

From ecf692e9b4c59ed1177f1f3133a1a6bc072b3f2e Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 16 Nov 2023 14:58:05 -0500
Subject: [PATCH 074/184] Update workflow

---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 44360c3dfd..bd4ce8c7dc 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -224,7 +224,7 @@ jobs:
         run: |
           mkdir build
           docker run --rm --platform linux/amd64 --volume $(pwd)/build:/temp --entrypoint bash \
-          ${{ steps.image-name.outputs.name }} -c "cp -r ./ /temp"
+            ${{ steps.image-name.outputs.name }} -c "cp -r ./ /temp"
 
           cd build
           zip -r ${{ matrix.project_name }}.zip .

From 70e9124b6b63050fb3ce37ac8ff69c8fbd78c3e4 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 16 Nov 2023 15:00:47 -0500
Subject: [PATCH 075/184] Remove Server project Dockerfile

---
 .github/workflows/build.yml |  3 ---
 util/Server/.dockerignore   |  3 ---
 util/Server/Dockerfile      | 49 -------------------------------------
 3 files changed, 55 deletions(-)
 delete mode 100644 util/Server/.dockerignore
 delete mode 100644 util/Server/Dockerfile

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index bd4ce8c7dc..87655cdb58 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -137,9 +137,6 @@ jobs:
           - project_name: Scim
             base_path: ./bitwarden_license/src
             upload_artifact: true
-          - project_name: Server
-            base_path: ./util
-            upload_artifact: true
           - project_name: Setup
             base_path: ./util
             upload_artifact: true
diff --git a/util/Server/.dockerignore b/util/Server/.dockerignore
deleted file mode 100644
index 546b9afbef..0000000000
--- a/util/Server/.dockerignore
+++ /dev/null
@@ -1,3 +0,0 @@
-*
-!obj/build-output/publish/*
-!obj/Docker/empty/
diff --git a/util/Server/Dockerfile b/util/Server/Dockerfile
deleted file mode 100644
index 8b78751ca1..0000000000
--- a/util/Server/Dockerfile
+++ /dev/null
@@ -1,49 +0,0 @@
-###############################################
-#                 Build stage                 #
-###############################################
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0 AS build
-
-# Docker buildx supplies the value for this arg
-ARG TARGETPLATFORM
-
-# Determine proper runtime value for .NET
-# We put the value in a file to be read by later layers.
-RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
-      RID=linux-x64 ; \
-    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
-      RID=linux-arm64 ; \
-    elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
-      RID=linux-arm ; \
-    fi \
-    && echo "RID=$RID" > /tmp/rid.txt
-
-# Copy csproj files as distinct layers
-WORKDIR /source
-COPY util/Server/*.csproj ./util/Server/
-COPY Directory.Build.props .
-
-# Restore Server project dependencies and tools
-WORKDIR /source/util/Server
-RUN . /tmp/rid.txt && dotnet restore -r $RID
-
-# Copy required project files
-WORKDIR /source
-COPY util/Server/. ./util/Server/
-COPY .git/. ./.git/
-
-# Build Server app
-WORKDIR /source/util/Server
-RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Server --no-restore --no-self-contained -r $RID
-
-WORKDIR /app
-
-###############################################
-#                  App stage                  #
-###############################################
-FROM mcr.microsoft.com/dotnet/aspnet:6.0
-
-LABEL com.bitwarden.product="bitwarden"
-
-# Copy app from the build stage
-WORKDIR /bitwarden_server
-COPY --from=build /app/Server ./
\ No newline at end of file

From 10c8790f25f6c440fbe56405580a05debb285d36 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 16 Nov 2023 15:52:46 -0500
Subject: [PATCH 076/184] Update comments in Dockerfiles

---
 bitwarden_license/src/Scim/.dockerignore |  4 ----
 bitwarden_license/src/Scim/Dockerfile    |  4 ++--
 bitwarden_license/src/Sso/Dockerfile     | 11 ++++-------
 src/Admin/.dockerignore                  |  4 ----
 src/Admin/Dockerfile                     | 11 ++++-------
 src/Api/.dockerignore                    |  4 ----
 src/Api/Dockerfile                       |  4 ++--
 src/Billing/.dockerignore                |  4 ----
 src/Billing/Dockerfile                   |  4 ++--
 src/Events/.dockerignore                 |  4 ----
 src/Events/Dockerfile                    |  4 ++--
 src/EventsProcessor/Dockerfile           |  4 ++--
 src/Icons/.dockerignore                  |  4 ----
 src/Icons/Dockerfile                     |  4 ++--
 src/Identity/.dockerignore               |  4 ----
 src/Identity/Dockerfile                  |  4 ++--
 src/Notifications/.dockerignore          |  4 ----
 src/Notifications/Dockerfile             |  4 ++--
 util/Attachments/.dockerignore           |  2 --
 util/Attachments/Dockerfile              |  4 ++--
 util/MsSqlMigratorUtility/.dockerignore  |  3 ---
 util/MsSqlMigratorUtility/Dockerfile     |  4 ++--
 util/Setup/.dockerignore                 |  4 ----
 util/Setup/Dockerfile                    |  4 ++--
 24 files changed, 30 insertions(+), 77 deletions(-)
 delete mode 100644 bitwarden_license/src/Scim/.dockerignore
 delete mode 100644 src/Admin/.dockerignore
 delete mode 100644 src/Api/.dockerignore
 delete mode 100644 src/Billing/.dockerignore
 delete mode 100644 src/Events/.dockerignore
 delete mode 100644 src/Icons/.dockerignore
 delete mode 100644 src/Identity/.dockerignore
 delete mode 100644 src/Notifications/.dockerignore
 delete mode 100644 util/Attachments/.dockerignore
 delete mode 100644 util/MsSqlMigratorUtility/.dockerignore
 delete mode 100644 util/Setup/.dockerignore

diff --git a/bitwarden_license/src/Scim/.dockerignore b/bitwarden_license/src/Scim/.dockerignore
deleted file mode 100644
index fc12f25146..0000000000
--- a/bitwarden_license/src/Scim/.dockerignore
+++ /dev/null
@@ -1,4 +0,0 @@
-*
-!obj/build-output/publish/*
-!obj/Docker/empty/
-!entrypoint.sh
diff --git a/bitwarden_license/src/Scim/Dockerfile b/bitwarden_license/src/Scim/Dockerfile
index 0c97fdcf49..a6823a46a3 100644
--- a/bitwarden_license/src/Scim/Dockerfile
+++ b/bitwarden_license/src/Scim/Dockerfile
@@ -26,7 +26,7 @@ COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFram
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY Directory.Build.props .
 
-# Restore Scim project dependencies and tools
+# Restore project dependencies and tools
 WORKDIR /source/bitwarden_license/src/Scim
 RUN . /tmp/rid.txt && dotnet restore -r $RID
 
@@ -39,7 +39,7 @@ COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY .git/. ./.git/
 
-# Build Scim app
+# Build app
 WORKDIR /source/bitwarden_license/src/Scim
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Scim --no-restore --no-self-contained -r $RID
 
diff --git a/bitwarden_license/src/Sso/Dockerfile b/bitwarden_license/src/Sso/Dockerfile
index 784647dee2..e53fdeb1af 100644
--- a/bitwarden_license/src/Sso/Dockerfile
+++ b/bitwarden_license/src/Sso/Dockerfile
@@ -34,9 +34,6 @@ RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | b
 ENV NODE_PATH $NVM_DIR/versions/node/v$NODE_VERSION/lib/node_modules
 ENV PATH      $NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH
 
-# Install gulp
-RUN npm install -g gulp
-
 # Copy csproj files as distinct layers
 WORKDIR /source
 COPY bitwarden_license/src/Sso/*.csproj ./bitwarden_license/src/Sso/
@@ -46,7 +43,7 @@ COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFram
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY Directory.Build.props .
 
-# Restore Sso project dependencies and tools
+# Restore project dependencies and tools
 WORKDIR /source/bitwarden_license/src/Sso
 RUN . /tmp/rid.txt && dotnet restore -r $RID
 
@@ -59,10 +56,10 @@ COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY .git/. ./.git/
 
-# Build Sso app
+# Build app
 WORKDIR /source/bitwarden_license/src/Sso
-RUN npm install
-RUN gulp --gulpfile "gulpfile.js" build
+RUN npm ci
+RUN npm run build
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Sso --no-restore --no-self-contained -r $RID
 
 WORKDIR /app
diff --git a/src/Admin/.dockerignore b/src/Admin/.dockerignore
deleted file mode 100644
index fc12f25146..0000000000
--- a/src/Admin/.dockerignore
+++ /dev/null
@@ -1,4 +0,0 @@
-*
-!obj/build-output/publish/*
-!obj/Docker/empty/
-!entrypoint.sh
diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index 20930d774e..f9eeb172c9 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -34,9 +34,6 @@ RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | b
 ENV NODE_PATH $NVM_DIR/versions/node/v$NODE_VERSION/lib/node_modules
 ENV PATH      $NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH
 
-# Install gulp
-RUN npm install -g gulp
-
 # Copy csproj files as distinct layers
 WORKDIR /source
 COPY src/Admin/*.csproj ./src/Admin/
@@ -52,7 +49,7 @@ COPY bitwarden_license/src/Commercial.Core/*.csproj ./bitwarden_license/src/Comm
 COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/*.csproj ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
 COPY Directory.Build.props .
 
-# Restore Admin project dependencies and tools
+# Restore project dependencies and tools
 WORKDIR /source/src/Admin
 RUN . /tmp/rid.txt && dotnet restore -r $RID
 
@@ -72,10 +69,10 @@ COPY bitwarden_license/src/Commercial.Core/. ./bitwarden_license/src/Commercial.
 COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/. ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
 COPY .git/. ./.git/
 
-# Build Admin app
+# Build app
 WORKDIR /source/src/Admin
-RUN npm install
-RUN gulp --gulpfile "gulpfile.js" build
+RUN npm ci
+RUN npm run build
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Admin --no-restore --no-self-contained -r $RID
 
 WORKDIR /app
diff --git a/src/Api/.dockerignore b/src/Api/.dockerignore
deleted file mode 100644
index fc12f25146..0000000000
--- a/src/Api/.dockerignore
+++ /dev/null
@@ -1,4 +0,0 @@
-*
-!obj/build-output/publish/*
-!obj/Docker/empty/
-!entrypoint.sh
diff --git a/src/Api/Dockerfile b/src/Api/Dockerfile
index 0f6e70ff86..728d1accd2 100644
--- a/src/Api/Dockerfile
+++ b/src/Api/Dockerfile
@@ -28,7 +28,7 @@ COPY bitwarden_license/src/Commercial.Core/*.csproj ./bitwarden_license/src/Comm
 COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/*.csproj ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
 COPY Directory.Build.props .
 
-# Restore Api project dependencies and tools
+# Restore project dependencies and tools
 WORKDIR /source/src/Api
 RUN . /tmp/rid.txt && dotnet restore -r $RID
 
@@ -43,7 +43,7 @@ COPY bitwarden_license/src/Commercial.Core/. ./bitwarden_license/src/Commercial.
 COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/. ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
 COPY .git/. ./.git/
 
-# Build Api app
+# Build app
 WORKDIR /source/src/Api
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Api --no-restore --no-self-contained -r $RID
 
diff --git a/src/Billing/.dockerignore b/src/Billing/.dockerignore
deleted file mode 100644
index fc12f25146..0000000000
--- a/src/Billing/.dockerignore
+++ /dev/null
@@ -1,4 +0,0 @@
-*
-!obj/build-output/publish/*
-!obj/Docker/empty/
-!entrypoint.sh
diff --git a/src/Billing/Dockerfile b/src/Billing/Dockerfile
index 58258f5730..9c17890bd8 100644
--- a/src/Billing/Dockerfile
+++ b/src/Billing/Dockerfile
@@ -26,7 +26,7 @@ COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFram
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY Directory.Build.props .
 
-# Restore Billing project dependencies and tools
+# Restore project dependencies and tools
 WORKDIR /source/src/Billing
 RUN . /tmp/rid.txt && dotnet restore -r $RID
 
@@ -39,7 +39,7 @@ COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY .git/. ./.git/
 
-# Build Billing app
+# Build app
 WORKDIR /source/src/Billing
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Billing --no-restore --no-self-contained -r $RID
 
diff --git a/src/Events/.dockerignore b/src/Events/.dockerignore
deleted file mode 100644
index fc12f25146..0000000000
--- a/src/Events/.dockerignore
+++ /dev/null
@@ -1,4 +0,0 @@
-*
-!obj/build-output/publish/*
-!obj/Docker/empty/
-!entrypoint.sh
diff --git a/src/Events/Dockerfile b/src/Events/Dockerfile
index 2833c860f9..88a0b06530 100644
--- a/src/Events/Dockerfile
+++ b/src/Events/Dockerfile
@@ -26,7 +26,7 @@ COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFram
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY Directory.Build.props .
 
-# Restore Events project dependencies and tools
+# Restore project dependencies and tools
 WORKDIR /source/src/Events
 RUN . /tmp/rid.txt && dotnet restore -r $RID
 
@@ -39,7 +39,7 @@ COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY .git/. ./.git/
 
-# Build Events app
+# Build app
 WORKDIR /source/src/Events
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Events --no-restore --no-self-contained -r $RID
 
diff --git a/src/EventsProcessor/Dockerfile b/src/EventsProcessor/Dockerfile
index 7b67dffb7f..28e1d72357 100644
--- a/src/EventsProcessor/Dockerfile
+++ b/src/EventsProcessor/Dockerfile
@@ -26,7 +26,7 @@ COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFram
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY Directory.Build.props .
 
-# Restore EventsProcessor project dependencies and tools
+# Restore project dependencies and tools
 WORKDIR /source/src/EventsProcessor
 RUN . /tmp/rid.txt && dotnet restore -r $RID
 
@@ -39,7 +39,7 @@ COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY .git/. ./.git/
 
-# Build EventsProcessor app
+# Build app
 WORKDIR /source/src/EventsProcessor
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/EventsProcessor --no-restore --no-self-contained -r $RID
 
diff --git a/src/Icons/.dockerignore b/src/Icons/.dockerignore
deleted file mode 100644
index fc12f25146..0000000000
--- a/src/Icons/.dockerignore
+++ /dev/null
@@ -1,4 +0,0 @@
-*
-!obj/build-output/publish/*
-!obj/Docker/empty/
-!entrypoint.sh
diff --git a/src/Icons/Dockerfile b/src/Icons/Dockerfile
index 384f75410d..f4780fe779 100644
--- a/src/Icons/Dockerfile
+++ b/src/Icons/Dockerfile
@@ -26,7 +26,7 @@ COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFram
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY Directory.Build.props .
 
-# Restore Icons project dependencies and tools
+# Restore project dependencies and tools
 WORKDIR /source/src/Icons
 RUN . /tmp/rid.txt && dotnet restore -r $RID
 
@@ -39,7 +39,7 @@ COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY .git/. ./.git/
 
-# Build Icons app
+# Build app
 WORKDIR /source/src/Icons
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Icons --no-restore --no-self-contained -r $RID
 
diff --git a/src/Identity/.dockerignore b/src/Identity/.dockerignore
deleted file mode 100644
index fc12f25146..0000000000
--- a/src/Identity/.dockerignore
+++ /dev/null
@@ -1,4 +0,0 @@
-*
-!obj/build-output/publish/*
-!obj/Docker/empty/
-!entrypoint.sh
diff --git a/src/Identity/Dockerfile b/src/Identity/Dockerfile
index cbcc32413e..cc2bc1618f 100644
--- a/src/Identity/Dockerfile
+++ b/src/Identity/Dockerfile
@@ -26,7 +26,7 @@ COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFram
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY Directory.Build.props .
 
-# Restore Identity project dependencies and tools
+# Restore project dependencies and tools
 WORKDIR /source/src/Identity
 RUN . /tmp/rid.txt && dotnet restore -r $RID
 
@@ -39,7 +39,7 @@ COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY .git/. ./.git/
 
-# Build Identity app
+# Build app
 WORKDIR /source/src/Identity
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Identity --no-restore --no-self-contained -r $RID
 
diff --git a/src/Notifications/.dockerignore b/src/Notifications/.dockerignore
deleted file mode 100644
index fc12f25146..0000000000
--- a/src/Notifications/.dockerignore
+++ /dev/null
@@ -1,4 +0,0 @@
-*
-!obj/build-output/publish/*
-!obj/Docker/empty/
-!entrypoint.sh
diff --git a/src/Notifications/Dockerfile b/src/Notifications/Dockerfile
index b257fcb367..a13d3b4fd9 100644
--- a/src/Notifications/Dockerfile
+++ b/src/Notifications/Dockerfile
@@ -26,7 +26,7 @@ COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFram
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY Directory.Build.props .
 
-# Restore Notifications project dependencies and tools
+# Restore project dependencies and tools
 WORKDIR /source/src/Notifications
 RUN . /tmp/rid.txt && dotnet restore -r $RID
 
@@ -39,7 +39,7 @@ COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY .git/. ./.git/
 
-# Build Notifications app
+# Build app
 WORKDIR /source/src/Notifications
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Notifications --no-restore --no-self-contained -r $RID
 
diff --git a/util/Attachments/.dockerignore b/util/Attachments/.dockerignore
deleted file mode 100644
index 864179fda5..0000000000
--- a/util/Attachments/.dockerignore
+++ /dev/null
@@ -1,2 +0,0 @@
-*
-!entrypoint.sh
diff --git a/util/Attachments/Dockerfile b/util/Attachments/Dockerfile
index 4270972f71..407792b1af 100644
--- a/util/Attachments/Dockerfile
+++ b/util/Attachments/Dockerfile
@@ -22,7 +22,7 @@ WORKDIR /source
 COPY util/Server/*.csproj ./util/Server/
 COPY Directory.Build.props .
 
-# Restore Server project dependencies and tools
+# Restore project dependencies and tools
 WORKDIR /source/util/Server
 RUN . /tmp/rid.txt && dotnet restore -r $RID
 
@@ -31,7 +31,7 @@ WORKDIR /source
 COPY util/Server/. ./util/Server/
 COPY .git/. ./.git/
 
-# Build Server app
+# Build app
 WORKDIR /source/util/Server
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Server --no-restore --no-self-contained -r $RID
 
diff --git a/util/MsSqlMigratorUtility/.dockerignore b/util/MsSqlMigratorUtility/.dockerignore
deleted file mode 100644
index 546b9afbef..0000000000
--- a/util/MsSqlMigratorUtility/.dockerignore
+++ /dev/null
@@ -1,3 +0,0 @@
-*
-!obj/build-output/publish/*
-!obj/Docker/empty/
diff --git a/util/MsSqlMigratorUtility/Dockerfile b/util/MsSqlMigratorUtility/Dockerfile
index 69342ccfd2..f7c3917fc3 100644
--- a/util/MsSqlMigratorUtility/Dockerfile
+++ b/util/MsSqlMigratorUtility/Dockerfile
@@ -25,7 +25,7 @@ COPY util/Migrator/*.csproj ./util/Migrator/
 COPY util/MsSqlMigratorUtility/*.csproj ./util/MsSqlMigratorUtility/
 COPY Directory.Build.props .
 
-# Restore MsSqlMigratorUtility project dependencies and tools
+# Restore project dependencies and tools
 WORKDIR /source/util/MsSqlMigratorUtility
 RUN . /tmp/rid.txt && dotnet restore -r $RID
 
@@ -36,7 +36,7 @@ COPY util/Migrator/. ./util/Migrator/
 COPY util/MsSqlMigratorUtility/. ./util/MsSqlMigratorUtility/
 COPY .git/. ./.git/
 
-# Build MsSqlMigratorUtility app
+# Build app
 WORKDIR /source/util/MsSqlMigratorUtility
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/MsSqlMigratorUtility --no-restore --no-self-contained -r $RID
 
diff --git a/util/Setup/.dockerignore b/util/Setup/.dockerignore
deleted file mode 100644
index fc12f25146..0000000000
--- a/util/Setup/.dockerignore
+++ /dev/null
@@ -1,4 +0,0 @@
-*
-!obj/build-output/publish/*
-!obj/Docker/empty/
-!entrypoint.sh
diff --git a/util/Setup/Dockerfile b/util/Setup/Dockerfile
index dce42a14bb..0b91995f7b 100644
--- a/util/Setup/Dockerfile
+++ b/util/Setup/Dockerfile
@@ -24,7 +24,7 @@ COPY util/Migrator/*.csproj ./util/Migrator/
 COPY util/Setup/*.csproj ./util/Setup/
 COPY Directory.Build.props .
 
-# Restore Setup project dependencies and tools
+# Restore project dependencies and tools
 WORKDIR /source/util/Setup
 RUN . /tmp/rid.txt && dotnet restore -r $RID
 
@@ -35,7 +35,7 @@ COPY util/Migrator/. ./util/Migrator/
 COPY util/Setup/. ./util/Setup/
 COPY .git/. ./.git/
 
-# Build Setup app
+# Build app
 WORKDIR /source/util/Setup
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Setup --no-restore --no-self-contained -r $RID
 

From eb5830ef11d5cd470c526eabb46371ff8a4c19a4 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Mon, 20 Nov 2023 16:36:33 -0500
Subject: [PATCH 077/184] Update comments in Dockerfiles

---
 bitwarden_license/src/Scim/Dockerfile |  2 +-
 bitwarden_license/src/Sso/Dockerfile  |  2 +-
 src/Admin/Dockerfile                  | 17 +++++++++--------
 src/Api/Dockerfile                    |  2 +-
 src/Billing/Dockerfile                |  2 +-
 src/Events/Dockerfile                 |  2 +-
 src/EventsProcessor/Dockerfile        |  2 +-
 src/Icons/Dockerfile                  |  2 +-
 src/Identity/Dockerfile               |  2 +-
 src/Notifications/Dockerfile          |  2 +-
 util/Attachments/Dockerfile           |  2 +-
 util/MsSqlMigratorUtility/Dockerfile  |  2 +-
 util/Setup/Dockerfile                 |  2 +-
 13 files changed, 21 insertions(+), 20 deletions(-)

diff --git a/bitwarden_license/src/Scim/Dockerfile b/bitwarden_license/src/Scim/Dockerfile
index a6823a46a3..51ed4458e2 100644
--- a/bitwarden_license/src/Scim/Dockerfile
+++ b/bitwarden_license/src/Scim/Dockerfile
@@ -39,7 +39,7 @@ COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY .git/. ./.git/
 
-# Build app
+# Build project
 WORKDIR /source/bitwarden_license/src/Scim
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Scim --no-restore --no-self-contained -r $RID
 
diff --git a/bitwarden_license/src/Sso/Dockerfile b/bitwarden_license/src/Sso/Dockerfile
index e53fdeb1af..2541bc8878 100644
--- a/bitwarden_license/src/Sso/Dockerfile
+++ b/bitwarden_license/src/Sso/Dockerfile
@@ -56,7 +56,7 @@ COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY .git/. ./.git/
 
-# Build app
+# Build project
 WORKDIR /source/bitwarden_license/src/Sso
 RUN npm ci
 RUN npm run build
diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index f9eeb172c9..6da566ce41 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -5,8 +5,6 @@ FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0 AS build
 
 # Docker buildx supplies the value for this arg
 ARG TARGETPLATFORM
-ARG NODE_VERSION=16.20.2
-ENV NVM_DIR /usr/local/nvm
 
 # Determine proper runtime value for .NET
 # We put the value in a file to be read by later layers.
@@ -25,6 +23,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 
 # Set up Node
+ARG NODE_VERSION=16.20.2
+ENV NVM_DIR /usr/local/nvm
 RUN mkdir -p $NVM_DIR
 RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash \
     && . $NVM_DIR/nvm.sh \
@@ -51,6 +51,7 @@ COPY Directory.Build.props .
 
 # Restore project dependencies and tools
 WORKDIR /source/src/Admin
+RUN npm ci
 RUN . /tmp/rid.txt && dotnet restore -r $RID
 
 # Copy required project files
@@ -69,9 +70,8 @@ COPY bitwarden_license/src/Commercial.Core/. ./bitwarden_license/src/Commercial.
 COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/. ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
 COPY .git/. ./.git/
 
-# Build app
+# Build project
 WORKDIR /source/src/Admin
-RUN npm ci
 RUN npm run build
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Admin --no-restore --no-self-contained -r $RID
 
@@ -88,17 +88,18 @@ ENV ASPNETCORE_ENVIRONMENT=Production
 ENV ASPNETCORE_URLS http://+:5000
 EXPOSE 5000
 
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends \
+RUN apt-get update && apt-get install -y --no-install-recommends \
         gosu \
         curl \
     && rm -rf /var/lib/apt/lists/*
 
+# Copy image entrypoint
+COPY src/Admin/entrypoint.sh /
+RUN chmod +x /entrypoint.sh
+
 # Copy app from the build stage
 WORKDIR /app
 COPY --from=build /app/Admin ./
-COPY src/Admin/entrypoint.sh /
-RUN chmod +x /entrypoint.sh
 
 HEALTHCHECK CMD curl -f http://localhost:5000 || exit 1
 
diff --git a/src/Api/Dockerfile b/src/Api/Dockerfile
index 728d1accd2..f065fb4d7c 100644
--- a/src/Api/Dockerfile
+++ b/src/Api/Dockerfile
@@ -43,7 +43,7 @@ COPY bitwarden_license/src/Commercial.Core/. ./bitwarden_license/src/Commercial.
 COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/. ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
 COPY .git/. ./.git/
 
-# Build app
+# Build project
 WORKDIR /source/src/Api
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Api --no-restore --no-self-contained -r $RID
 
diff --git a/src/Billing/Dockerfile b/src/Billing/Dockerfile
index 9c17890bd8..66302ee0b0 100644
--- a/src/Billing/Dockerfile
+++ b/src/Billing/Dockerfile
@@ -39,7 +39,7 @@ COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY .git/. ./.git/
 
-# Build app
+# Build project
 WORKDIR /source/src/Billing
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Billing --no-restore --no-self-contained -r $RID
 
diff --git a/src/Events/Dockerfile b/src/Events/Dockerfile
index 88a0b06530..473111a13f 100644
--- a/src/Events/Dockerfile
+++ b/src/Events/Dockerfile
@@ -39,7 +39,7 @@ COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY .git/. ./.git/
 
-# Build app
+# Build project
 WORKDIR /source/src/Events
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Events --no-restore --no-self-contained -r $RID
 
diff --git a/src/EventsProcessor/Dockerfile b/src/EventsProcessor/Dockerfile
index 28e1d72357..16c9e8e234 100644
--- a/src/EventsProcessor/Dockerfile
+++ b/src/EventsProcessor/Dockerfile
@@ -39,7 +39,7 @@ COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY .git/. ./.git/
 
-# Build app
+# Build project
 WORKDIR /source/src/EventsProcessor
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/EventsProcessor --no-restore --no-self-contained -r $RID
 
diff --git a/src/Icons/Dockerfile b/src/Icons/Dockerfile
index f4780fe779..026abd22f1 100644
--- a/src/Icons/Dockerfile
+++ b/src/Icons/Dockerfile
@@ -39,7 +39,7 @@ COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY .git/. ./.git/
 
-# Build app
+# Build project
 WORKDIR /source/src/Icons
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Icons --no-restore --no-self-contained -r $RID
 
diff --git a/src/Identity/Dockerfile b/src/Identity/Dockerfile
index cc2bc1618f..fb04d03c5d 100644
--- a/src/Identity/Dockerfile
+++ b/src/Identity/Dockerfile
@@ -39,7 +39,7 @@ COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY .git/. ./.git/
 
-# Build app
+# Build project
 WORKDIR /source/src/Identity
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Identity --no-restore --no-self-contained -r $RID
 
diff --git a/src/Notifications/Dockerfile b/src/Notifications/Dockerfile
index a13d3b4fd9..8e2f59bc93 100644
--- a/src/Notifications/Dockerfile
+++ b/src/Notifications/Dockerfile
@@ -39,7 +39,7 @@ COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY .git/. ./.git/
 
-# Build app
+# Build project
 WORKDIR /source/src/Notifications
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Notifications --no-restore --no-self-contained -r $RID
 
diff --git a/util/Attachments/Dockerfile b/util/Attachments/Dockerfile
index 407792b1af..e7a97dc0f0 100644
--- a/util/Attachments/Dockerfile
+++ b/util/Attachments/Dockerfile
@@ -31,7 +31,7 @@ WORKDIR /source
 COPY util/Server/. ./util/Server/
 COPY .git/. ./.git/
 
-# Build app
+# Build project
 WORKDIR /source/util/Server
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Server --no-restore --no-self-contained -r $RID
 
diff --git a/util/MsSqlMigratorUtility/Dockerfile b/util/MsSqlMigratorUtility/Dockerfile
index f7c3917fc3..320e14045d 100644
--- a/util/MsSqlMigratorUtility/Dockerfile
+++ b/util/MsSqlMigratorUtility/Dockerfile
@@ -36,7 +36,7 @@ COPY util/Migrator/. ./util/Migrator/
 COPY util/MsSqlMigratorUtility/. ./util/MsSqlMigratorUtility/
 COPY .git/. ./.git/
 
-# Build app
+# Build project
 WORKDIR /source/util/MsSqlMigratorUtility
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/MsSqlMigratorUtility --no-restore --no-self-contained -r $RID
 
diff --git a/util/Setup/Dockerfile b/util/Setup/Dockerfile
index 0b91995f7b..21d6aeb46b 100644
--- a/util/Setup/Dockerfile
+++ b/util/Setup/Dockerfile
@@ -35,7 +35,7 @@ COPY util/Migrator/. ./util/Migrator/
 COPY util/Setup/. ./util/Setup/
 COPY .git/. ./.git/
 
-# Build app
+# Build project
 WORKDIR /source/util/Setup
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Setup --no-restore --no-self-contained -r $RID
 

From 7562a8e9701951327c1c94a7bd3fdcc997298911 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Tue, 21 Nov 2023 09:16:23 -0500
Subject: [PATCH 078/184] Test order of commands

---
 src/Admin/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index 6da566ce41..220abd866f 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -51,8 +51,8 @@ COPY Directory.Build.props .
 
 # Restore project dependencies and tools
 WORKDIR /source/src/Admin
-RUN npm ci
 RUN . /tmp/rid.txt && dotnet restore -r $RID
+RUN npm ci
 
 # Copy required project files
 WORKDIR /source

From 62579de436d3b15f899f9cc44246543b14173601 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Tue, 21 Nov 2023 10:33:11 -0500
Subject: [PATCH 079/184] Move commands around in Dockerfile for Admin

---
 src/Admin/Dockerfile | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index 220abd866f..44abe6c662 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -34,6 +34,11 @@ RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | b
 ENV NODE_PATH $NVM_DIR/versions/node/v$NODE_VERSION/lib/node_modules
 ENV PATH      $NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH
 
+# Copying package.json, package-lock.json, and packages.lock.json
+WORKDIR /source/src/Admin
+COPY package*.json .
+RUN npm ci
+
 # Copy csproj files as distinct layers
 WORKDIR /source
 COPY src/Admin/*.csproj ./src/Admin/
@@ -52,7 +57,6 @@ COPY Directory.Build.props .
 # Restore project dependencies and tools
 WORKDIR /source/src/Admin
 RUN . /tmp/rid.txt && dotnet restore -r $RID
-RUN npm ci
 
 # Copy required project files
 WORKDIR /source

From 4980c5041d76da23bc3662d81f1f3f5f6d6fdc76 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Tue, 21 Nov 2023 10:50:35 -0500
Subject: [PATCH 080/184] Fix path

---
 src/Admin/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index 44abe6c662..c8d5d53285 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -36,7 +36,7 @@ ENV PATH      $NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH
 
 # Copying package.json, package-lock.json, and packages.lock.json
 WORKDIR /source/src/Admin
-COPY package*.json .
+COPY src/Admin/package*.json .
 RUN npm ci
 
 # Copy csproj files as distinct layers

From d034fa10b08ec8f8b12cfe0dec01705c776074b9 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 8 May 2024 14:32:52 -0400
Subject: [PATCH 081/184] Fix errors

---
 .github/workflows/build.yml | 45 ++++++++++---------------------------
 1 file changed, 12 insertions(+), 33 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 070a367776..67e95e2092 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -30,8 +30,7 @@ jobs:
   build-artifacts:
     name: Build artifacts
     runs-on: ubuntu-22.04
-    needs:
-      - lint
+    needs: lint
     strategy:
       fail-fast: false
       matrix:
@@ -193,10 +192,10 @@ jobs:
         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
 
       ########## ACRs ##########
-      - name: Log in to Azure - production subscription
+      - name: Log in to Azure - CI subscription
         uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
         with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
       - name: Login to PROD ACR
         run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}
@@ -241,6 +240,13 @@ jobs:
           fi
           echo "tags=$TAGS" >> $GITHUB_OUTPUT
 
+      - name: Generate image full name
+        id: image-name
+        env:
+          IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
+          PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
+        run: echo "name=${_AZ_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT
+
       - name: Build Docker image
         uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
         with:
@@ -255,29 +261,6 @@ jobs:
           push: true
           tags: ${{ steps.image-name.outputs.name }}
 
-      - name: Zip project
-        if: ${{ matrix.upload_artifact }}
-        working-directory: ${{ matrix.base_path }}/${{ matrix.project_name }}
-        run: |
-          mkdir build
-          docker run --rm --platform linux/amd64 --volume $(pwd)/build:/temp --entrypoint bash \
-            ${{ steps.image-name.outputs.name }} -c "cp -r ./ /temp"
-
-          cd build
-          zip -r ${{ matrix.project_name }}.zip .
-          mv ${{ matrix.project_name }}.zip ../
-
-          pwd
-          ls -atlh ../
-
-      - name: Upload project artifact
-        if: ${{ matrix.upload_artifact }}
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-        with:
-          name: ${{ matrix.project_name }}.zip
-          path: ${{ matrix.base_path }}/${{ matrix.project_name }}/${{ matrix.project_name }}.zip
-          if-no-files-found: error
-
       - name: Scan Docker image
         id: container-scan
         uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3.6.4
@@ -291,13 +274,10 @@ jobs:
         with:
           sarif_file: ${{ steps.container-scan.outputs.sarif }}
 
-      - name: Log out of Docker
-        run: docker logout
-
   build-stub-swagger:
     name: Build Docker-Stub/Swagger
     runs-on: ubuntu-22.04
-    needs: testing
+    needs: build-docker
     steps:
       - name: Checkout repo
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -422,7 +402,7 @@ jobs:
   build-mssqlmigratorutility:
     name: Build MSSQL migrator utility
     runs-on: ubuntu-22.04
-    needs: testing
+    needs: build-docker
     defaults:
       run:
         shell: bash
@@ -548,7 +528,6 @@ jobs:
       - lint
       - build-artifacts
       - build-docker
-      - upload
       - build-mssqlmigratorutility
       - self-host-build
       - trigger-k8s-deploy

From 79328da856e03d9f79ffbda14c06d07675b0a806 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 8 May 2024 14:41:19 -0400
Subject: [PATCH 082/184] Remove buid-artifacts job

---
 .github/workflows/build.yml | 91 +------------------------------------
 1 file changed, 1 insertion(+), 90 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 67e95e2092..df394fa83e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -27,100 +27,12 @@ jobs:
       - name: Verify format
         run: dotnet format --verify-no-changes
 
-  build-artifacts:
-    name: Build artifacts
-    runs-on: ubuntu-22.04
-    needs: lint
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - project_name: Admin
-            base_path: ./src
-            upload_artifact: true
-          - project_name: Api
-            base_path: ./src
-          - project_name: Billing
-            base_path: ./src
-          - project_name: Events
-            base_path: ./src
-          - project_name: EventsProcessor
-            base_path: ./src
-          - project_name: Icons
-            base_path: ./src
-          - project_name: Identity
-            base_path: ./src
-          - project_name: MsSqlMigratorUtility
-            base_path: ./util
-            dotnet: true
-          - project_name: Notifications
-            base_path: ./src
-          - project_name: Scim
-            base_path: ./bitwarden_license/src
-            dotnet: true
-          - project_name: Server
-            base_path: ./util
-          - project_name: Setup
-            base_path: ./util
-          - project_name: Sso
-            base_path: ./bitwarden_license/src
-            node: true
-    steps:
-      - name: Check out repo
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-
-      - name: Set up .NET
-        uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0
-
-      - name: Set up Node
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
-        with:
-          cache: "npm"
-          cache-dependency-path: "**/package-lock.json"
-          node-version: "16"
-
-      - name: Print environment
-        run: |
-          whoami
-          dotnet --info
-          node --version
-          npm --version
-          echo "GitHub ref: $GITHUB_REF"
-          echo "GitHub event: $GITHUB_EVENT"
-
-      - name: Build node
-        if: ${{ matrix.node }}
-        working-directory: ${{ matrix.base_path }}/${{ matrix.project_name }}
-        run: |
-          npm ci
-          npm run build
-
-      - name: Publish project
-        working-directory: ${{ matrix.base_path }}/${{ matrix.project_name }}
-        run: |
-          echo "Publish"
-          dotnet publish -c "Release" -o obj/build-output/publish
-
-          cd obj/build-output/publish
-          zip -r ${{ matrix.project_name }}.zip .
-          mv ${{ matrix.project_name }}.zip ../../../
-
-          pwd
-          ls -atlh ../../../
-
-      - name: Upload project artifact
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-        with:
-          name: ${{ matrix.project_name }}.zip
-          path: ${{ matrix.base_path }}/${{ matrix.project_name }}/${{ matrix.project_name }}.zip
-          if-no-files-found: error
-
   build-docker:
     name: Build Docker images
     runs-on: ubuntu-22.04
     permissions:
       security-events: write
-    needs: build-artifacts
+    needs: lint
     strategy:
       fail-fast: false
       matrix:
@@ -526,7 +438,6 @@ jobs:
     runs-on: ubuntu-22.04
     needs:
       - lint
-      - build-artifacts
       - build-docker
       - build-mssqlmigratorutility
       - self-host-build

From 798e391b1beba0e26306c2fcd66af38fbbaca821 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 8 May 2024 14:46:49 -0400
Subject: [PATCH 083/184] Add secret retrieval step

---
 .github/workflows/build.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index df394fa83e..930b0e36db 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -109,6 +109,13 @@ jobs:
         with:
           creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
+      - name: Retrieve GitHub PAT secrets
+        id: retrieve-secret-pat
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: "bitwarden-ci"
+          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+
       - name: Login to PROD ACR
         run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}
 
@@ -172,6 +179,8 @@ jobs:
             linux/arm64
           push: true
           tags: ${{ steps.image-name.outputs.name }}
+          secrets: |
+            "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
 
       - name: Scan Docker image
         id: container-scan

From cea54aad3fabf3a99b79f9179816422b5b1e35d8 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 8 May 2024 14:56:37 -0400
Subject: [PATCH 084/184] Change SP

---
 .github/workflows/build.yml | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 930b0e36db..e48598c6f8 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -104,17 +104,10 @@ jobs:
         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
 
       ########## ACRs ##########
-      - name: Log in to Azure - CI subscription
+      - name: Log in to Azure - Production subscription
         uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
         with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
-
-      - name: Retrieve GitHub PAT secrets
-        id: retrieve-secret-pat
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+          creds: ${{ secrets.AZURE_KV_PROD_SERVICE_PRINCIPAL }}
 
       - name: Login to PROD ACR
         run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}

From ce7d50fe030f1e1c67eec94106dcb5f14c470d4c Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 8 May 2024 15:00:28 -0400
Subject: [PATCH 085/184] Fix SP name

---
 .github/workflows/build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e48598c6f8..897b8da424 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -104,10 +104,10 @@ jobs:
         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
 
       ########## ACRs ##########
-      - name: Log in to Azure - Production subscription
+      - name: Login to Azure - PROD Subscription
         uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
         with:
-          creds: ${{ secrets.AZURE_KV_PROD_SERVICE_PRINCIPAL }}
+          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
 
       - name: Login to PROD ACR
         run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}

From 42289f140560d4fd5353f4efa58a136650496ae2 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 8 May 2024 15:10:32 -0400
Subject: [PATCH 086/184] Update Attachments Dockerfile to .NET 8

---
 util/Attachments/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/util/Attachments/Dockerfile b/util/Attachments/Dockerfile
index e7a97dc0f0..623b5c7466 100644
--- a/util/Attachments/Dockerfile
+++ b/util/Attachments/Dockerfile
@@ -1,7 +1,7 @@
 ###############################################
 #                 Build stage                 #
 ###############################################
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0 AS build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0 AS build
 
 # Docker buildx supplies the value for this arg
 ARG TARGETPLATFORM
@@ -40,7 +40,7 @@ WORKDIR /app
 ###############################################
 #                  App stage                  #
 ###############################################
-FROM mcr.microsoft.com/dotnet/aspnet:6.0
+FROM mcr.microsoft.com/dotnet/aspnet:8.0
 
 ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"

From 144ecb452bff85098aca6d81f07cb83523fabc43 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 8 May 2024 15:26:35 -0400
Subject: [PATCH 087/184] Add dotnet tool restore step

---
 .github/workflows/build.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 897b8da424..fbdf80d1d0 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -207,6 +207,9 @@ jobs:
       - name: Login to PROD ACR
         run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}
 
+      - name: Restore
+        run: dotnet tool restore
+
       - name: Make Docker stubs
         if: github.ref == 'refs/heads/main' ||
           github.ref == 'refs/heads/rc' ||

From dd02ffbe9f4c1ac6f68bfcbda40bc0517306e57d Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 8 May 2024 15:59:57 -0400
Subject: [PATCH 088/184] Try caching

---
 .github/workflows/build.yml | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fbdf80d1d0..ad6fba7ba7 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -153,17 +153,16 @@ jobs:
           echo "tags=$TAGS" >> $GITHUB_OUTPUT
 
       - name: Generate image full name
-        id: image-name
+        id: cache-name
         env:
-          IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
           PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
-        run: echo "name=${_AZ_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT
+        run: echo "name=${_AZ_REGISTRY}/${PROJECT_NAME}:buildcache" >> $GITHUB_OUTPUT
 
       - name: Build Docker image
         uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
         with:
-          cache-from: type=registry,ref=${{ steps.image-name.outputs.name }}
-          cache-to: type=inline
+          cache-from: type=registry,ref=${{ steps.cache-name.outputs.name }}
+          cache-to: type=registry,ref=${{ steps.cache-name.outputs.name}},mode=max
           context: .
           file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile
           platforms: |
@@ -171,9 +170,7 @@ jobs:
             linux/arm/v7,
             linux/arm64
           push: true
-          tags: ${{ steps.image-name.outputs.name }}
-          secrets: |
-            "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
+          tags: ${{ steps.image-tags.outputs.tags }}
 
       - name: Scan Docker image
         id: container-scan

From b303d21c7cdc920d04db35bdfe425946d3eb2d3d Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 23 May 2024 15:18:53 -0400
Subject: [PATCH 089/184] Add justfile

---
 .github/workflows/build.yml | 59 +++++++++++++++++++++----------------
 justfile                    | 30 +++++++++++++++++++
 2 files changed, 64 insertions(+), 25 deletions(-)
 create mode 100644 justfile

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ad6fba7ba7..6251fb7c48 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -24,8 +24,8 @@ jobs:
       - name: Set up .NET
         uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0
 
-      - name: Verify format
-        run: dotnet format --verify-no-changes
+      - name: Lint
+        run: just lint
 
   build-docker:
     name: Build Docker images
@@ -33,6 +33,9 @@ jobs:
     permissions:
       security-events: write
     needs: lint
+    env:
+      PROJECT_NAME: ${{ matrix.project_name }}
+      BASE_PATH: ${{ matrix.base_path}}
     strategy:
       fail-fast: false
       matrix:
@@ -109,33 +112,39 @@ jobs:
         with:
           creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
 
-      - name: Login to PROD ACR
-        run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}
+      # - name: Login to PROD ACR
+      #   run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}
 
-      ########## Generate image tag and build Docker image ##########
-      - name: Generate Docker image tag
-        id: tag
-        run: |
-          if [[ $(grep "pull" <<< "${GITHUB_REF}") ]]; then
-            IMAGE_TAG=$(echo "${GITHUB_HEAD_REF}" | sed "s#/#-#g")
-          else
-            IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g")
-          fi
+      # ########## Generate image tag and build Docker image ##########
+      # - name: Generate Docker image tag
+      #   id: tag
+      #   run: |
+      #     if [[ $(grep "pull" <<< "${GITHUB_REF}") ]]; then
+      #       IMAGE_TAG=$(echo "${GITHUB_HEAD_REF}" | sed "s#/#-#g")
+      #     else
+      #       IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g")
+      #     fi
 
-          if [[ "$IMAGE_TAG" == "main" ]]; then
-            IMAGE_TAG=dev
-          fi
+      #     if [[ "$IMAGE_TAG" == "main" ]]; then
+      #       IMAGE_TAG=dev
+      #     fi
 
-          echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
-          echo "### :mega: Docker Image Tag: $IMAGE_TAG" >> $GITHUB_STEP_SUMMARY
+      #     echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
+      #     echo "### :mega: Docker Image Tag: $IMAGE_TAG" >> $GITHUB_STEP_SUMMARY
 
-      - name: Set up project name
-        id: setup
-        run: |
-          PROJECT_NAME=$(echo "${{ matrix.project_name }}" | awk '{print tolower($0)}')
-          echo "Matrix name: ${{ matrix.project_name }}"
-          echo "PROJECT_NAME: $PROJECT_NAME"
-          echo "project_name=$PROJECT_NAME" >> $GITHUB_OUTPUT
+      # - name: Set up project name
+      #   id: setup
+      #   run: |
+      #     PROJECT_NAME=$(echo "${{ matrix.project_name }}" | awk '{print tolower($0)}')
+      #     echo "Matrix name: ${{ matrix.project_name }}"
+      #     echo "PROJECT_NAME: $PROJECT_NAME"
+      #     echo "project_name=$PROJECT_NAME" >> $GITHUB_OUTPUT
+
+      - name: Justfile
+        run: just build
+
+      - name: TEST FAIL
+        run: exit 1
 
       - name: Generate image tags(s)
         id: image-tags
diff --git a/justfile b/justfile
new file mode 100644
index 0000000000..7306378ae6
--- /dev/null
+++ b/justfile
@@ -0,0 +1,30 @@
+default:
+  @just --list
+
+all: lint test build upload
+
+lint:
+  dotnet format --verify-no-changes
+
+test:
+  echo "Testing..."
+
+build:
+  # Login to ACR
+  az acr login -n bitwardenprod.azurecr.io
+  if [[ $(grep "pull" <<< "${GITHUB_REF}") ]]; then
+    IMAGE_TAG=$(echo "${GITHUB_HEAD_REF}" | sed "s#/#-#g")
+  else
+    IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g")
+  fi
+
+  if [[ "$IMAGE_TAG" == "main" ]]; then
+    IMAGE_TAG=dev
+  fi
+
+  echo $PROJECT_NAME
+  PROJECT_NAME=$(echo "$PROJECT_NAME" | awk '{print tolower($0)}')
+  echo $PROJECT_NAME
+
+upload:
+  echo "Uploading..."

From f4ca4afbcbde4fbfb9aa542ecbbcd7039066cb07 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 23 May 2024 15:25:19 -0400
Subject: [PATCH 090/184] Add steps to install just

---
 .github/workflows/build.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6251fb7c48..d9837c4cef 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -24,6 +24,11 @@ jobs:
       - name: Set up .NET
         uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0
 
+      - name: Install just
+        uses: taiki-e/install-action@4fedbddde88aab767a45a011661f832d68202716 # v2.33.28
+        with:
+          tool: just
+
       - name: Lint
         run: just lint
 
@@ -86,6 +91,11 @@ jobs:
       - name: Checkout repo
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
+      - name: Install just
+        uses: taiki-e/install-action@4fedbddde88aab767a45a011661f832d68202716 # v2.33.28
+        with:
+          tool: just
+
       - name: Check branch to publish
         env:
           PUBLISH_BRANCHES: "main,rc,hotfix-rc"

From 800c187f51dd22759d7464c5fc7b57e32c63a44c Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 23 May 2024 15:28:18 -0400
Subject: [PATCH 091/184] Disable check failures job

---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d9837c4cef..a047db6d24 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -455,7 +455,7 @@ jobs:
 
   check-failures:
     name: Check for failures
-    if: always()
+    if: false
     runs-on: ubuntu-22.04
     needs:
       - lint

From 8978d9c861985f993a2339bd3516ce14547056e8 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 23 May 2024 16:02:06 -0400
Subject: [PATCH 092/184] Change syntax

---
 justfile | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/justfile b/justfile
index 7306378ae6..91388d4a9d 100644
--- a/justfile
+++ b/justfile
@@ -12,19 +12,19 @@ test:
 build:
   # Login to ACR
   az acr login -n bitwardenprod.azurecr.io
-  if [[ $(grep "pull" <<< "${GITHUB_REF}") ]]; then
-    IMAGE_TAG=$(echo "${GITHUB_HEAD_REF}" | sed "s#/#-#g")
+  if `grep "pull" <<< "${GITHUB_REF}"`; then
+    IMAGE_TAG := `echo "${GITHUB_HEAD_REF}" | sed "s#/#-#g"`
   else
-    IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g")
+    IMAGE_TAG := `echo "${GITHUB_REF:11}" | sed "s#/#-#g"`
   fi
 
-  if [[ "$IMAGE_TAG" == "main" ]]; then
-    IMAGE_TAG=dev
+  if "${IMAGE_TAG}" == "main"; then
+    IMAGE_TAG := dev
   fi
 
-  echo $PROJECT_NAME
-  PROJECT_NAME=$(echo "$PROJECT_NAME" | awk '{print tolower($0)}')
-  echo $PROJECT_NAME
+  echo ${PROJECT_NAME}
+  PROJECT_NAME := `echo "$PROJECT_NAME" | awk '{print tolower($0)}'`
+  echo ${PROJECT_NAME}
 
 upload:
   echo "Uploading..."

From f3d59bd707efb378bfef8eaafcd32e8c2da34b28 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 23 May 2024 16:15:58 -0400
Subject: [PATCH 093/184] Change spacing

---
 justfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/justfile b/justfile
index 91388d4a9d..17edb02a8b 100644
--- a/justfile
+++ b/justfile
@@ -13,13 +13,13 @@ build:
   # Login to ACR
   az acr login -n bitwardenprod.azurecr.io
   if `grep "pull" <<< "${GITHUB_REF}"`; then
-    IMAGE_TAG := `echo "${GITHUB_HEAD_REF}" | sed "s#/#-#g"`
+  IMAGE_TAG := `echo "${GITHUB_HEAD_REF}" | sed "s#/#-#g"`
   else
-    IMAGE_TAG := `echo "${GITHUB_REF:11}" | sed "s#/#-#g"`
+  IMAGE_TAG := `echo "${GITHUB_REF:11}" | sed "s#/#-#g"`
   fi
 
   if "${IMAGE_TAG}" == "main"; then
-    IMAGE_TAG := dev
+  IMAGE_TAG := dev
   fi
 
   echo ${PROJECT_NAME}

From af0dc31fe376bc7dc1399d81b4a34098dfaf36dd Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 23 May 2024 16:27:03 -0400
Subject: [PATCH 094/184] Test new syntax

---
 justfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/justfile b/justfile
index 17edb02a8b..d523d41482 100644
--- a/justfile
+++ b/justfile
@@ -12,7 +12,7 @@ test:
 build:
   # Login to ACR
   az acr login -n bitwardenprod.azurecr.io
-  if `grep "pull" <<< "${GITHUB_REF}"`; then
+  if `grep "pull"` <<< "${GITHUB_REF}"; then
   IMAGE_TAG := `echo "${GITHUB_HEAD_REF}" | sed "s#/#-#g"`
   else
   IMAGE_TAG := `echo "${GITHUB_REF:11}" | sed "s#/#-#g"`

From bd1602ed989e9b975a849660887b07a8d6b25b59 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Mon, 10 Mar 2025 14:08:38 -0400
Subject: [PATCH 095/184] Fix build workflow

---
 .github/workflows/build.yml | 159 +++++++-----------------------------
 justfile                    |  30 -------
 2 files changed, 28 insertions(+), 161 deletions(-)
 delete mode 100644 justfile

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index bdfa12591d..faac75146f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -34,101 +34,10 @@ jobs:
       - name: Verify format
         run: dotnet format --verify-no-changes
 
-  build-artifacts:
-    name: Build artifacts
-    runs-on: ubuntu-22.04
-    needs: lint
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - project_name: Admin
-            base_path: ./src
-            node: true
-          - project_name: Api
-            base_path: ./src
-          - project_name: Billing
-            base_path: ./src
-          - project_name: Events
-            base_path: ./src
-          - project_name: EventsProcessor
-            base_path: ./src
-          - project_name: Icons
-            base_path: ./src
-          - project_name: Identity
-            base_path: ./src
-          - project_name: MsSqlMigratorUtility
-            base_path: ./util
-            dotnet: true
-          - project_name: Notifications
-            base_path: ./src
-          - project_name: Scim
-            base_path: ./bitwarden_license/src
-            dotnet: true
-          - project_name: Server
-            base_path: ./util
-          - project_name: Setup
-            base_path: ./util
-          - project_name: Sso
-            base_path: ./bitwarden_license/src
-            node: true
-    steps:
-      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Set up .NET
-        uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
-
-      - name: Set up Node
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
-        with:
-          cache: "npm"
-          cache-dependency-path: "**/package-lock.json"
-          node-version: "16"
-
-      - name: Print environment
-        run: |
-          whoami
-          dotnet --info
-          node --version
-          npm --version
-          echo "GitHub ref: $GITHUB_REF"
-          echo "GitHub event: $GITHUB_EVENT"
-
-      - name: Build node
-        if: ${{ matrix.node }}
-        working-directory: ${{ matrix.base_path }}/${{ matrix.project_name }}
-        run: |
-          npm ci
-          npm run build
-
-      - name: Publish project
-        working-directory: ${{ matrix.base_path }}/${{ matrix.project_name }}
-        run: |
-          echo "Publish"
-          dotnet publish -c "Release" -o obj/build-output/publish
-
-          cd obj/build-output/publish
-          zip -r ${{ matrix.project_name }}.zip .
-          mv ${{ matrix.project_name }}.zip ../../../
-
-          pwd
-          ls -atlh ../../../
-
-      - name: Upload project artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
-        with:
-          name: ${{ matrix.project_name }}.zip
-          path: ${{ matrix.base_path }}/${{ matrix.project_name }}/${{ matrix.project_name }}.zip
-          if-no-files-found: error
-
   build-docker:
     name: Build Docker images
     runs-on: ubuntu-22.04
-    needs:
-      - build-artifacts
+    needs: lint
     permissions:
       id-token: write
       security-events: write
@@ -197,6 +106,13 @@ jobs:
             echo "is_publish_branch=false" >> $GITHUB_ENV
           fi
 
+      ########## Set up Docker ##########
+      - name: Set up QEMU emulators
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
       ########## ACRs ##########
       - name: Log in to Azure - production subscription
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@@ -206,25 +122,6 @@ jobs:
       - name: Log in to ACR - production subscription
         run: az acr login -n bitwardenprod
 
-      - name: Log in to Azure - CI subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
-        with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
-
-      - name: Retrieve GitHub PAT secrets
-        id: retrieve-secret-pat
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
-
-      ########## Set up Docker ##########
-      - name: Set up QEMU emulators
-        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
-
       ########## Generate image tag and build Docker image ##########
       - name: Generate Docker image tag
         id: tag
@@ -235,6 +132,13 @@ jobs:
             IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g")
           fi
 
+          if [[ "$IMAGE_TAG" == "main" ]]; then
+            IMAGE_TAG=dev
+          fi
+
+          echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
+          echo "### :mega: Docker Image Tag: $IMAGE_TAG" >> $GITHUB_STEP_SUMMARY
+
       - name: Set up project name
         id: setup
         run: |
@@ -258,25 +162,18 @@ jobs:
           fi
           echo "tags=$TAGS" >> $GITHUB_OUTPUT
 
-      - name: Get build artifact
-        if: ${{ matrix.dotnet }}
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-        with:
-          name: ${{ matrix.project_name }}.zip
-
-      - name: Set up build artifact
-        if: ${{ matrix.dotnet }}
-        run: |
-          mkdir -p ${{ matrix.base_path}}/${{ matrix.project_name }}/obj/build-output/publish
-          unzip ${{ matrix.project_name }}.zip \
-            -d ${{ matrix.base_path }}/${{ matrix.project_name }}/obj/build-output/publish
+      - name: Generate image full name
+        id: cache-name
+        env:
+          PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
+        run: echo "name=${_AZ_REGISTRY}/${PROJECT_NAME}:buildcache" >> $GITHUB_OUTPUT
 
       - name: Build Docker image
         id: build-docker
         uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6.12.0
         with:
-        #   cache-from: type=registry,ref=${{ steps.cache-name.outputs.name }}
-        #   cache-to: type=registry,ref=${{ steps.cache-name.outputs.name}},mode=max
+          cache-from: type=registry,ref=${{ steps.cache-name.outputs.name }}
+          cache-to: type=registry,ref=${{ steps.cache-name.outputs.name}},mode=max
           context: .
           file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile
           platforms: |
@@ -560,8 +457,7 @@ jobs:
       github.event_name != 'pull_request_target'
       && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
     runs-on: ubuntu-22.04
-    needs:
-      - build-docker
+    needs: build-docker
     steps:
       - name: Log in to Azure - CI subscription
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@@ -594,8 +490,7 @@ jobs:
     name: Trigger k8s deploy
     if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main'
     runs-on: ubuntu-22.04
-    needs:
-      - build-docker
+    needs: build-docker
     steps:
       - name: Log in to Azure - CI subscription
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@@ -631,8 +526,7 @@ jobs:
       github.event_name == 'pull_request_target'
       && contains(github.event.pull_request.labels.*.name, 'ephemeral-environment')
     runs-on: ubuntu-24.04
-    needs:
-      - build-docker
+    needs: build-docker
     steps:
       - name: Log in to Azure - CI subscription
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@@ -683,9 +577,12 @@ jobs:
     needs:
       - lint
       - build-docker
+      - build-stub-swagger
       - build-mssqlmigratorutility
       - self-host-build
       - trigger-k8s-deploy
+      - trigger-ee-updates
+      - trigger-ephemeral-environment-sync
     steps:
       - name: Check if any job failed
         if: |
diff --git a/justfile b/justfile
deleted file mode 100644
index d523d41482..0000000000
--- a/justfile
+++ /dev/null
@@ -1,30 +0,0 @@
-default:
-  @just --list
-
-all: lint test build upload
-
-lint:
-  dotnet format --verify-no-changes
-
-test:
-  echo "Testing..."
-
-build:
-  # Login to ACR
-  az acr login -n bitwardenprod.azurecr.io
-  if `grep "pull"` <<< "${GITHUB_REF}"; then
-  IMAGE_TAG := `echo "${GITHUB_HEAD_REF}" | sed "s#/#-#g"`
-  else
-  IMAGE_TAG := `echo "${GITHUB_REF:11}" | sed "s#/#-#g"`
-  fi
-
-  if "${IMAGE_TAG}" == "main"; then
-  IMAGE_TAG := dev
-  fi
-
-  echo ${PROJECT_NAME}
-  PROJECT_NAME := `echo "$PROJECT_NAME" | awk '{print tolower($0)}'`
-  echo ${PROJECT_NAME}
-
-upload:
-  echo "Uploading..."

From e305e1490d4c95bf3cb325b277a9592e175f113c Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Mon, 10 Mar 2025 14:24:57 -0400
Subject: [PATCH 096/184] Fix ENV in Dockerfiles

---
 bitwarden_license/src/Scim/Dockerfile | 2 +-
 bitwarden_license/src/Sso/Dockerfile  | 8 ++++----
 src/Admin/Dockerfile                  | 8 ++++----
 src/Api/Dockerfile                    | 2 +-
 src/Billing/Dockerfile                | 2 +-
 src/Events/Dockerfile                 | 2 +-
 src/EventsProcessor/Dockerfile        | 2 +-
 src/Icons/Dockerfile                  | 2 +-
 src/Identity/Dockerfile               | 2 +-
 src/Notifications/Dockerfile          | 2 +-
 util/Attachments/Dockerfile           | 2 +-
 11 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/bitwarden_license/src/Scim/Dockerfile b/bitwarden_license/src/Scim/Dockerfile
index ce2b29e5c9..c3d97e4758 100644
--- a/bitwarden_license/src/Scim/Dockerfile
+++ b/bitwarden_license/src/Scim/Dockerfile
@@ -53,7 +53,7 @@ FROM mcr.microsoft.com/dotnet/aspnet:8.0
 ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
 ENV ASPNETCORE_ENVIRONMENT=Production
-ENV ASPNETCORE_URLS http://+:5000
+ENV ASPNETCORE_URLS=http://+:5000
 EXPOSE 5000
 
 RUN apt-get update \
diff --git a/bitwarden_license/src/Sso/Dockerfile b/bitwarden_license/src/Sso/Dockerfile
index a8343a8048..a25eba6ae9 100644
--- a/bitwarden_license/src/Sso/Dockerfile
+++ b/bitwarden_license/src/Sso/Dockerfile
@@ -6,7 +6,7 @@ FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0 AS build
 # Docker buildx supplies the value for this arg
 ARG TARGETPLATFORM
 ENV NODE_VERSION=16.20.2
-ENV NVM_DIR /usr/local/nvm
+ENV NVM_DIR=/usr/local/nvm
 
 # Determine proper runtime value for .NET
 # We put the value in a file to be read by later layers.
@@ -31,8 +31,8 @@ RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | b
     && nvm install $NODE_VERSION \
     && nvm alias default $NODE_VERSION \
     && nvm use default
-ENV NODE_PATH $NVM_DIR/versions/node/v$NODE_VERSION/lib/node_modules
-ENV PATH      $NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH
+ENV NODE_PATH=$NVM_DIR/versions/node/v$NODE_VERSION/lib/node_modules
+ENV PATH=$NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH
 
 # Copy csproj files as distinct layers
 WORKDIR /source
@@ -72,7 +72,7 @@ FROM mcr.microsoft.com/dotnet/aspnet:8.0
 ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
 ENV ASPNETCORE_ENVIRONMENT=Production
-ENV ASPNETCORE_URLS http://+:5000
+ENV ASPNETCORE_URLS=http://+:5000
 EXPOSE 5000
 
 RUN apt-get update \
diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index d73edcb3d0..c8e54b45e8 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -25,15 +25,15 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 
 # Set up Node
 ARG NODE_VERSION=16.20.2
-ENV NVM_DIR /usr/local/nvm
+ENV NVM_DIR=/usr/local/nvm
 RUN mkdir -p $NVM_DIR
 RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash \
     && . $NVM_DIR/nvm.sh \
     && nvm install $NODE_VERSION \
     && nvm alias default $NODE_VERSION \
     && nvm use default
-ENV NODE_PATH $NVM_DIR/versions/node/v$NODE_VERSION/lib/node_modules
-ENV PATH      $NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH
+ENV NODE_PATH=$NVM_DIR/versions/node/v$NODE_VERSION/lib/node_modules
+ENV PATH=$NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH
 
 # Copying package.json, package-lock.json, and packages.lock.json
 WORKDIR /source/src/Admin
@@ -90,7 +90,7 @@ FROM mcr.microsoft.com/dotnet/aspnet:8.0
 ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
 ENV ASPNETCORE_ENVIRONMENT=Production
-ENV ASPNETCORE_URLS http://+:5000
+ENV ASPNETCORE_URLS=http://+:5000
 EXPOSE 5000
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
diff --git a/src/Api/Dockerfile b/src/Api/Dockerfile
index bacfb6a312..d88e31bc22 100644
--- a/src/Api/Dockerfile
+++ b/src/Api/Dockerfile
@@ -57,7 +57,7 @@ FROM mcr.microsoft.com/dotnet/aspnet:8.0
 ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
 ENV ASPNETCORE_ENVIRONMENT=Production
-ENV ASPNETCORE_URLS http://+:5000
+ENV ASPNETCORE_URLS=http://+:5000
 EXPOSE 5000
 
 RUN apt-get update \
diff --git a/src/Billing/Dockerfile b/src/Billing/Dockerfile
index 6b58185585..1e47c2ada9 100644
--- a/src/Billing/Dockerfile
+++ b/src/Billing/Dockerfile
@@ -53,7 +53,7 @@ FROM mcr.microsoft.com/dotnet/aspnet:8.0
 ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
 ENV ASPNETCORE_ENVIRONMENT=Production
-ENV ASPNETCORE_URLS http://+:5000
+ENV ASPNETCORE_URLS=http://+:5000
 EXPOSE 5000
 
 RUN apt-get update \
diff --git a/src/Events/Dockerfile b/src/Events/Dockerfile
index fddc1367e5..6cc8ef2438 100644
--- a/src/Events/Dockerfile
+++ b/src/Events/Dockerfile
@@ -53,7 +53,7 @@ FROM mcr.microsoft.com/dotnet/aspnet:8.0
 ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
 ENV ASPNETCORE_ENVIRONMENT=Production
-ENV ASPNETCORE_URLS http://+:5000
+ENV ASPNETCORE_URLS=http://+:5000
 EXPOSE 5000
 
 RUN apt-get update \
diff --git a/src/EventsProcessor/Dockerfile b/src/EventsProcessor/Dockerfile
index fa302b7375..16a13851aa 100644
--- a/src/EventsProcessor/Dockerfile
+++ b/src/EventsProcessor/Dockerfile
@@ -53,7 +53,7 @@ FROM mcr.microsoft.com/dotnet/aspnet:8.0
 ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
 ENV ASPNETCORE_ENVIRONMENT=Production
-ENV ASPNETCORE_URLS http://+:5000
+ENV ASPNETCORE_URLS=http://+:5000
 EXPOSE 5000
 
 RUN apt-get update \
diff --git a/src/Icons/Dockerfile b/src/Icons/Dockerfile
index f8c26ccbcf..12d8700179 100644
--- a/src/Icons/Dockerfile
+++ b/src/Icons/Dockerfile
@@ -53,7 +53,7 @@ FROM mcr.microsoft.com/dotnet/aspnet:8.0
 ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
 ENV ASPNETCORE_ENVIRONMENT=Production
-ENV ASPNETCORE_URLS http://+:5000
+ENV ASPNETCORE_URLS=http://+:5000
 EXPOSE 5000
 
 RUN apt-get update \
diff --git a/src/Identity/Dockerfile b/src/Identity/Dockerfile
index 1ad1bad8cb..715f779b27 100644
--- a/src/Identity/Dockerfile
+++ b/src/Identity/Dockerfile
@@ -53,7 +53,7 @@ FROM mcr.microsoft.com/dotnet/aspnet:8.0
 ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
 ENV ASPNETCORE_ENVIRONMENT=Production
-ENV ASPNETCORE_URLS http://+:5000
+ENV ASPNETCORE_URLS=http://+:5000
 EXPOSE 5000
 
 RUN apt-get update \
diff --git a/src/Notifications/Dockerfile b/src/Notifications/Dockerfile
index 26ed86d2ce..fc42b07542 100644
--- a/src/Notifications/Dockerfile
+++ b/src/Notifications/Dockerfile
@@ -53,7 +53,7 @@ FROM mcr.microsoft.com/dotnet/aspnet:8.0
 ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
 ENV ASPNETCORE_ENVIRONMENT=Production
-ENV ASPNETCORE_URLS http://+:5000
+ENV ASPNETCORE_URLS=http://+:5000
 EXPOSE 5000
 
 RUN apt-get update \
diff --git a/util/Attachments/Dockerfile b/util/Attachments/Dockerfile
index 623b5c7466..5dc211d148 100644
--- a/util/Attachments/Dockerfile
+++ b/util/Attachments/Dockerfile
@@ -45,7 +45,7 @@ FROM mcr.microsoft.com/dotnet/aspnet:8.0
 ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
 ENV ASPNETCORE_ENVIRONMENT=Production
-ENV ASPNETCORE_URLS http://+:5000
+ENV ASPNETCORE_URLS=http://+:5000
 EXPOSE 5000
 
 RUN apt-get update \

From b89a04d7ff6b9e8f59b29803d2eeb2c7d74fee91 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Mon, 10 Mar 2025 16:01:19 -0400
Subject: [PATCH 097/184] Update

---
 src/Admin/Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index c8e54b45e8..1f9626530d 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -27,7 +27,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 ARG NODE_VERSION=16.20.2
 ENV NVM_DIR=/usr/local/nvm
 RUN mkdir -p $NVM_DIR
-RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash \
+RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh | bash \
     && . $NVM_DIR/nvm.sh \
     && nvm install $NODE_VERSION \
     && nvm alias default $NODE_VERSION \
@@ -77,6 +77,7 @@ COPY .git/. ./.git/
 
 # Build project
 WORKDIR /source/src/Admin
+RUN npm ci
 RUN npm run build
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Admin --no-restore --no-self-contained -r $RID
 

From 0f5d033b686fd365b1aa307b6c4671a6d4aa9e5a Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Tue, 11 Mar 2025 10:47:11 -0400
Subject: [PATCH 098/184] Add .editorconfig to Dockerfiles

---
 bitwarden_license/src/Scim/Dockerfile | 1 +
 bitwarden_license/src/Sso/Dockerfile  | 1 +
 src/Admin/Dockerfile                  | 1 +
 src/Api/Dockerfile                    | 1 +
 src/Billing/Dockerfile                | 1 +
 src/Events/Dockerfile                 | 1 +
 src/EventsProcessor/Dockerfile        | 1 +
 src/Icons/Dockerfile                  | 1 +
 src/Identity/Dockerfile               | 1 +
 src/Notifications/Dockerfile          | 1 +
 util/Attachments/Dockerfile           | 1 +
 util/MsSqlMigratorUtility/Dockerfile  | 1 +
 util/Setup/Dockerfile                 | 1 +
 13 files changed, 13 insertions(+)

diff --git a/bitwarden_license/src/Scim/Dockerfile b/bitwarden_license/src/Scim/Dockerfile
index c3d97e4758..9aa08e880e 100644
--- a/bitwarden_license/src/Scim/Dockerfile
+++ b/bitwarden_license/src/Scim/Dockerfile
@@ -25,6 +25,7 @@ COPY src/Infrastructure.Dapper/*.csproj ./src/Infrastructure.Dapper/
 COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY Directory.Build.props .
+COPY .editorconfig .
 
 # Restore project dependencies and tools
 WORKDIR /source/bitwarden_license/src/Scim
diff --git a/bitwarden_license/src/Sso/Dockerfile b/bitwarden_license/src/Sso/Dockerfile
index a25eba6ae9..f72823bb10 100644
--- a/bitwarden_license/src/Sso/Dockerfile
+++ b/bitwarden_license/src/Sso/Dockerfile
@@ -42,6 +42,7 @@ COPY src/Infrastructure.Dapper/*.csproj ./src/Infrastructure.Dapper/
 COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY Directory.Build.props .
+COPY .editorconfig .
 
 # Restore project dependencies and tools
 WORKDIR /source/bitwarden_license/src/Sso
diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index 1f9626530d..f419452549 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -54,6 +54,7 @@ COPY util/SqliteMigrations/*.csproj ./util/SqliteMigrations/
 COPY bitwarden_license/src/Commercial.Core/*.csproj ./bitwarden_license/src/Commercial.Core/
 COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/*.csproj ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
 COPY Directory.Build.props .
+COPY .editorconfig .
 
 # Restore project dependencies and tools
 WORKDIR /source/src/Admin
diff --git a/src/Api/Dockerfile b/src/Api/Dockerfile
index d88e31bc22..53ef5e849c 100644
--- a/src/Api/Dockerfile
+++ b/src/Api/Dockerfile
@@ -27,6 +27,7 @@ COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY bitwarden_license/src/Commercial.Core/*.csproj ./bitwarden_license/src/Commercial.Core/
 COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/*.csproj ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
 COPY Directory.Build.props .
+COPY .editorconfig .
 
 # Restore project dependencies and tools
 WORKDIR /source/src/Api
diff --git a/src/Billing/Dockerfile b/src/Billing/Dockerfile
index 1e47c2ada9..11b1539a11 100644
--- a/src/Billing/Dockerfile
+++ b/src/Billing/Dockerfile
@@ -25,6 +25,7 @@ COPY src/Infrastructure.Dapper/*.csproj ./src/Infrastructure.Dapper/
 COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY Directory.Build.props .
+COPY .editorconfig .
 
 # Restore project dependencies and tools
 WORKDIR /source/src/Billing
diff --git a/src/Events/Dockerfile b/src/Events/Dockerfile
index 6cc8ef2438..3d2c119e11 100644
--- a/src/Events/Dockerfile
+++ b/src/Events/Dockerfile
@@ -25,6 +25,7 @@ COPY src/Infrastructure.Dapper/*.csproj ./src/Infrastructure.Dapper/
 COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY Directory.Build.props .
+COPY .editorconfig .
 
 # Restore project dependencies and tools
 WORKDIR /source/src/Events
diff --git a/src/EventsProcessor/Dockerfile b/src/EventsProcessor/Dockerfile
index 16a13851aa..10de833d4e 100644
--- a/src/EventsProcessor/Dockerfile
+++ b/src/EventsProcessor/Dockerfile
@@ -25,6 +25,7 @@ COPY src/Infrastructure.Dapper/*.csproj ./src/Infrastructure.Dapper/
 COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY Directory.Build.props .
+COPY .editorconfig .
 
 # Restore project dependencies and tools
 WORKDIR /source/src/EventsProcessor
diff --git a/src/Icons/Dockerfile b/src/Icons/Dockerfile
index 12d8700179..39dcb01059 100644
--- a/src/Icons/Dockerfile
+++ b/src/Icons/Dockerfile
@@ -25,6 +25,7 @@ COPY src/Infrastructure.Dapper/*.csproj ./src/Infrastructure.Dapper/
 COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY Directory.Build.props .
+COPY .editorconfig .
 
 # Restore project dependencies and tools
 WORKDIR /source/src/Icons
diff --git a/src/Identity/Dockerfile b/src/Identity/Dockerfile
index 715f779b27..aa1d9e4a28 100644
--- a/src/Identity/Dockerfile
+++ b/src/Identity/Dockerfile
@@ -25,6 +25,7 @@ COPY src/Infrastructure.Dapper/*.csproj ./src/Infrastructure.Dapper/
 COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY Directory.Build.props .
+COPY .editorconfig .
 
 # Restore project dependencies and tools
 WORKDIR /source/src/Identity
diff --git a/src/Notifications/Dockerfile b/src/Notifications/Dockerfile
index fc42b07542..6953e8f60c 100644
--- a/src/Notifications/Dockerfile
+++ b/src/Notifications/Dockerfile
@@ -25,6 +25,7 @@ COPY src/Infrastructure.Dapper/*.csproj ./src/Infrastructure.Dapper/
 COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/*.csproj ./src/SharedWeb/
 COPY Directory.Build.props .
+COPY .editorconfig .
 
 # Restore project dependencies and tools
 WORKDIR /source/src/Notifications
diff --git a/util/Attachments/Dockerfile b/util/Attachments/Dockerfile
index 5dc211d148..0b04dc88aa 100644
--- a/util/Attachments/Dockerfile
+++ b/util/Attachments/Dockerfile
@@ -21,6 +21,7 @@ RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
 WORKDIR /source
 COPY util/Server/*.csproj ./util/Server/
 COPY Directory.Build.props .
+COPY .editorconfig .
 
 # Restore project dependencies and tools
 WORKDIR /source/util/Server
diff --git a/util/MsSqlMigratorUtility/Dockerfile b/util/MsSqlMigratorUtility/Dockerfile
index 60caa23b26..9efc0bbdf9 100644
--- a/util/MsSqlMigratorUtility/Dockerfile
+++ b/util/MsSqlMigratorUtility/Dockerfile
@@ -24,6 +24,7 @@ COPY src/Core/*.csproj ./src/Core/
 COPY util/Migrator/*.csproj ./util/Migrator/
 COPY util/MsSqlMigratorUtility/*.csproj ./util/MsSqlMigratorUtility/
 COPY Directory.Build.props .
+COPY .editorconfig .
 
 # Restore project dependencies and tools
 WORKDIR /source/util/MsSqlMigratorUtility
diff --git a/util/Setup/Dockerfile b/util/Setup/Dockerfile
index 8a7c4d1103..a4d292565f 100644
--- a/util/Setup/Dockerfile
+++ b/util/Setup/Dockerfile
@@ -23,6 +23,7 @@ COPY src/Core/*.csproj ./src/Core/
 COPY util/Migrator/*.csproj ./util/Migrator/
 COPY util/Setup/*.csproj ./util/Setup/
 COPY Directory.Build.props .
+COPY .editorconfig .
 
 # Restore project dependencies and tools
 WORKDIR /source/util/Setup

From 828076e2bcc9d1e0b78d5cf728d79a5b92d01f37 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 19 Mar 2025 11:52:01 -0400
Subject: [PATCH 099/184] Update runner images

---
 .github/workflows/build.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index faac75146f..3117fd7a47 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -20,7 +20,7 @@ jobs:
 
   lint:
     name: Lint
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: check-run
     steps:
       - name: Check out repo
@@ -36,7 +36,7 @@ jobs:
 
   build-docker:
     name: Build Docker images
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: lint
     permissions:
       id-token: write
@@ -215,7 +215,7 @@ jobs:
 
   build-stub-swagger:
     name: Build Docker-Stub/Swagger
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: build-docker
     steps:
       - name: Check out repo
@@ -396,7 +396,7 @@ jobs:
 
   build-mssqlmigratorutility:
     name: Build MSSQL migrator utility
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: lint
     defaults:
       run:
@@ -456,7 +456,7 @@ jobs:
     if: |
       github.event_name != 'pull_request_target'
       && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: build-docker
     steps:
       - name: Log in to Azure - CI subscription
@@ -489,7 +489,7 @@ jobs:
   trigger-k8s-deploy:
     name: Trigger k8s deploy
     if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: build-docker
     steps:
       - name: Log in to Azure - CI subscription
@@ -573,7 +573,7 @@ jobs:
   check-failures:
     name: Check for failures
     if: false
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs:
       - lint
       - build-docker

From 1fea15c1ffec6587b21ed38d8b508614b7cd1093 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 19 Mar 2025 12:35:59 -0400
Subject: [PATCH 100/184] Remove unused matrix input

---
 .github/workflows/build.yml | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3117fd7a47..b4553c2cec 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -55,38 +55,28 @@ jobs:
             base_path: ./util
           - project_name: Billing
             base_path: ./src
-            upload_artifact: true
           - project_name: Events
             base_path: ./src
-            upload_artifact: true
           - project_name: EventsProcessor
             base_path: ./src
-            upload_artifact: true
           - project_name: Icons
             base_path: ./src
-            upload_artifact: true
           - project_name: Identity
             base_path: ./src
-            upload_artifact: true
           - project_name: MsSql
             base_path: ./util
           - project_name: MsSqlMigratorUtility
             base_path: ./util
-            upload_artifact: true
           - project_name: Nginx
             base_path: ./util
           - project_name: Notifications
             base_path: ./src
-            upload_artifact: true
           - project_name: Scim
             base_path: ./bitwarden_license/src
-            upload_artifact: true
           - project_name: Setup
             base_path: ./util
-            upload_artifact: true
           - project_name: Sso
             base_path: ./bitwarden_license/src
-            upload_artifact: true
     steps:
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

From 48df98d2b371eeb8d0e76334fee652496814f24a Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 19 Mar 2025 12:50:13 -0400
Subject: [PATCH 101/184] Update text references

---
 .github/workflows/build.yml | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b4553c2cec..d1c64b5788 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -34,8 +34,8 @@ jobs:
       - name: Verify format
         run: dotnet format --verify-no-changes
 
-  build-docker:
-    name: Build Docker images
+  build-container:
+    name: Build container images
     runs-on: ubuntu-24.04
     needs: lint
     permissions:
@@ -112,8 +112,8 @@ jobs:
       - name: Log in to ACR - production subscription
         run: az acr login -n bitwardenprod
 
-      ########## Generate image tag and build Docker image ##########
-      - name: Generate Docker image tag
+      ########## Generate image tag and build container image ##########
+      - name: Generate container image tag
         id: tag
         run: |
           if [[ "${GITHUB_EVENT_NAME}" == "pull_request_target" ]]; then
@@ -127,7 +127,7 @@ jobs:
           fi
 
           echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
-          echo "### :mega: Docker Image Tag: $IMAGE_TAG" >> $GITHUB_STEP_SUMMARY
+          echo "### :mega: Container Image Tag: $IMAGE_TAG" >> $GITHUB_STEP_SUMMARY
 
       - name: Set up project name
         id: setup
@@ -158,8 +158,8 @@ jobs:
           PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
         run: echo "name=${_AZ_REGISTRY}/${PROJECT_NAME}:buildcache" >> $GITHUB_OUTPUT
 
-      - name: Build Docker image
-        id: build-docker
+      - name: Build Container image
+        id: build-container
         uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6.12.0
         with:
           cache-from: type=registry,ref=${{ steps.cache-name.outputs.name }}
@@ -180,7 +180,7 @@ jobs:
       - name: Sign image with Cosign
         if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main'
         env:
-          DIGEST: ${{ steps.build-docker.outputs.digest }}
+          DIGEST: ${{ steps.build-container.outputs.digest }}
           TAGS: ${{ steps.image-tags.outputs.tags }}
         run: |
           IFS="," read -a tags <<< "${TAGS}"
@@ -190,7 +190,7 @@ jobs:
           done
           cosign sign --yes ${images}
 
-      - name: Scan Docker image
+      - name: Scan container image
         id: container-scan
         uses: anchore/scan-action@abae793926ec39a78ab18002bc7fc45bbbd94342 # v6.0.0
         with:
@@ -206,7 +206,7 @@ jobs:
   build-stub-swagger:
     name: Build Docker-Stub/Swagger
     runs-on: ubuntu-24.04
-    needs: build-docker
+    needs: build-container
     steps:
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -447,7 +447,7 @@ jobs:
       github.event_name != 'pull_request_target'
       && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
     runs-on: ubuntu-24.04
-    needs: build-docker
+    needs: build-container
     steps:
       - name: Log in to Azure - CI subscription
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@@ -480,7 +480,7 @@ jobs:
     name: Trigger k8s deploy
     if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main'
     runs-on: ubuntu-24.04
-    needs: build-docker
+    needs: build-container
     steps:
       - name: Log in to Azure - CI subscription
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@@ -516,7 +516,7 @@ jobs:
       github.event_name == 'pull_request_target'
       && contains(github.event.pull_request.labels.*.name, 'ephemeral-environment')
     runs-on: ubuntu-24.04
-    needs: build-docker
+    needs: build-container
     steps:
       - name: Log in to Azure - CI subscription
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@@ -566,7 +566,7 @@ jobs:
     runs-on: ubuntu-24.04
     needs:
       - lint
-      - build-docker
+      - build-container
       - build-stub-swagger
       - build-mssqlmigratorutility
       - self-host-build

From c55672629957af864ba8d1456517d9439984d99f Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 19 Mar 2025 13:02:18 -0400
Subject: [PATCH 102/184] Enable check failures job

---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d1c64b5788..7cbeb7f0a3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -562,7 +562,7 @@ jobs:
 
   check-failures:
     name: Check for failures
-    if: false
+    if: always()
     runs-on: ubuntu-24.04
     needs:
       - lint

From 3d66acb4ace32faeebb972d42494a88b067196ea Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 19 Mar 2025 13:04:48 -0400
Subject: [PATCH 103/184] Remove extra dotnet inputs from matrix

---
 .github/workflows/build.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7cbeb7f0a3..285f1f221f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -47,10 +47,8 @@ jobs:
         include:
           - project_name: Admin
             base_path: ./src
-            dotnet: true
           - project_name: Api
             base_path: ./src
-            dotnet: true
           - project_name: Attachments
             base_path: ./util
           - project_name: Billing

From 199a1bc681fa949a416477737d2d151ac85043ef Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 19 Mar 2025 13:07:22 -0400
Subject: [PATCH 104/184] Change NVM version

---
 bitwarden_license/src/Sso/Dockerfile | 2 +-
 src/Admin/Dockerfile                 | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/bitwarden_license/src/Sso/Dockerfile b/bitwarden_license/src/Sso/Dockerfile
index f72823bb10..9de0519605 100644
--- a/bitwarden_license/src/Sso/Dockerfile
+++ b/bitwarden_license/src/Sso/Dockerfile
@@ -26,7 +26,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 
 # Set up Node
 RUN mkdir -p $NVM_DIR
-RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash \
+RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.2/install.sh | bash \
     && . $NVM_DIR/nvm.sh \
     && nvm install $NODE_VERSION \
     && nvm alias default $NODE_VERSION \
diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index f419452549..68a147b7cc 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -5,6 +5,8 @@ FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0 AS build
 
 # Docker buildx supplies the value for this arg
 ARG TARGETPLATFORM
+ENV NODE_VERSION=16.20.2
+ENV NVM_DIR=/usr/local/nvm
 
 # Determine proper runtime value for .NET
 # We put the value in a file to be read by later layers.
@@ -24,10 +26,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 
 # Set up Node
-ARG NODE_VERSION=16.20.2
-ENV NVM_DIR=/usr/local/nvm
 RUN mkdir -p $NVM_DIR
-RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh | bash \
+RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.2/install.sh | bash \
     && . $NVM_DIR/nvm.sh \
     && nvm install $NODE_VERSION \
     && nvm alias default $NODE_VERSION \

From 5faee1528ad5b3842d90b0f5b36b6bd4817dd58a Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 19 Mar 2025 13:28:47 -0400
Subject: [PATCH 105/184] Add check-run job to each other job

---
 .github/workflows/build.yml | 29 ++++++++++++++++++++++-------
 1 file changed, 22 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 285f1f221f..8185b42e7f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -37,7 +37,9 @@ jobs:
   build-container:
     name: Build container images
     runs-on: ubuntu-24.04
-    needs: lint
+    needs:
+      - check-run
+      - lint
     permissions:
       id-token: write
       security-events: write
@@ -204,7 +206,9 @@ jobs:
   build-stub-swagger:
     name: Build Docker-Stub/Swagger
     runs-on: ubuntu-24.04
-    needs: build-container
+    needs:
+      - build-container
+      - check-run
     steps:
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -385,7 +389,9 @@ jobs:
   build-mssqlmigratorutility:
     name: Build MSSQL migrator utility
     runs-on: ubuntu-24.04
-    needs: lint
+    needs:
+      - check-run
+      - lint
     defaults:
       run:
         shell: bash
@@ -445,7 +451,9 @@ jobs:
       github.event_name != 'pull_request_target'
       && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
     runs-on: ubuntu-24.04
-    needs: build-container
+    needs:
+      - build-container
+      - check-run
     steps:
       - name: Log in to Azure - CI subscription
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@@ -478,7 +486,9 @@ jobs:
     name: Trigger k8s deploy
     if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main'
     runs-on: ubuntu-24.04
-    needs: build-container
+    needs:
+      - build-container
+      - check-run
     steps:
       - name: Log in to Azure - CI subscription
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@@ -514,7 +524,9 @@ jobs:
       github.event_name == 'pull_request_target'
       && contains(github.event.pull_request.labels.*.name, 'ephemeral-environment')
     runs-on: ubuntu-24.04
-    needs: build-container
+    needs:
+      - build-container
+      - check-run
     steps:
       - name: Log in to Azure - CI subscription
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@@ -545,7 +557,9 @@ jobs:
 
   trigger-ephemeral-environment-sync:
     name: Trigger Ephemeral Environment Sync
-    needs: trigger-ee-updates
+    needs:
+      - check-run
+      - trigger-ee-updates
     if: |
       github.event_name == 'pull_request_target'
       && contains(github.event.pull_request.labels.*.name, 'ephemeral-environment')
@@ -567,6 +581,7 @@ jobs:
       - build-container
       - build-stub-swagger
       - build-mssqlmigratorutility
+      - check-run
       - self-host-build
       - trigger-k8s-deploy
       - trigger-ee-updates

From 948d8f707d7d98506b6f87f4157721e8b2838c22 Mon Sep 17 00:00:00 2001
From: Nick Krantz <125900171+nick-livefront@users.noreply.github.com>
Date: Thu, 20 Mar 2025 14:41:58 -0500
Subject: [PATCH 106/184] [PM-18858] Security Task email bugs (#5536)

* make "Review at-risk passwords" bold

* add owner and admin email address to the bottom of the security notification email

* fix plurality of text email
---
 .../SecurityTasksNotification.html.hbs        | 11 ++++-
 .../SecurityTasksNotification.text.hbs        |  9 ++++
 .../Mail/SecurityTaskNotificationViewModel.cs |  2 +
 src/Core/Services/IMailService.cs             |  2 +-
 .../Implementations/HandlebarsMailService.cs  | 42 ++++++++++++++++++-
 .../NoopImplementations/NoopMailService.cs    |  2 +-
 .../CreateManyTaskNotificationsCommand.cs     | 10 ++++-
 7 files changed, 71 insertions(+), 7 deletions(-)

diff --git a/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.html.hbs b/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.html.hbs
index 039806f44b..ca015e3e83 100644
--- a/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.html.hbs
+++ b/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.html.hbs
@@ -15,14 +15,21 @@
   </tr>
 </table>
 <table width="100%" border="0" cellpadding="0" cellspacing="0"
-  style="display: table; width:100%; padding-bottom: 35px; text-align: center;" align="center">
+  style="display: table; width:100%; padding-bottom: 24px; text-align: center;" align="center">
   <tr>
     <td display="display: table-cell">
       <a href="{{ReviewPasswordsUrl}}" clicktracking=off target="_blank"
-        style="display: inline-block; color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; border-radius: 999px; background-color: #175DDC; border-color: #175DDC; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+        style="display: inline-block; font-weight: bold; color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; border-radius: 999px; background-color: #175DDC; border-color: #175DDC; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
         Review at-risk passwords
       </a>
     </td>
   </tr>
+<table width="100%" border="0" cellpadding="0" cellspacing="0"
+  style="display: table; width:100%; padding-bottom: 24px; text-align: center;" align="center">
+  <tr>
+    <td display="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-weight: 400; font-size: 12px; line-height: 16px;">
+      {{formatAdminOwnerEmails AdminOwnerEmails}}
+    </td>
+  </tr>
 </table>
 {{/SecurityTasksHtmlLayout}}
diff --git a/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.text.hbs b/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.text.hbs
index ba8650ad10..f5493e4503 100644
--- a/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.text.hbs
+++ b/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.text.hbs
@@ -5,4 +5,13 @@ breach.
 Launch the Bitwarden extension to review your at-risk passwords.
 
 Review at-risk passwords ({{{ReviewPasswordsUrl}}})
+
+{{#if (eq (length AdminOwnerEmails) 1)}}
+This request was initiated by {{AdminOwnerEmails.[0]}}.
+{{else}}
+This request was initiated by
+{{#each AdminOwnerEmails}}
+  {{#if @last}}and {{/if}}{{this}}{{#unless @last}}, {{/unless}}
+{{/each}}.
+{{/if}}
 {{/SecurityTasksHtmlLayout}}
diff --git a/src/Core/Models/Mail/SecurityTaskNotificationViewModel.cs b/src/Core/Models/Mail/SecurityTaskNotificationViewModel.cs
index 7f93ac2439..8871a53424 100644
--- a/src/Core/Models/Mail/SecurityTaskNotificationViewModel.cs
+++ b/src/Core/Models/Mail/SecurityTaskNotificationViewModel.cs
@@ -8,5 +8,7 @@ public class SecurityTaskNotificationViewModel : BaseMailModel
 
     public bool TaskCountPlural => TaskCount != 1;
 
+    public IEnumerable<string> AdminOwnerEmails { get; set; }
+
     public string ReviewPasswordsUrl => $"{WebVaultUrl}/browser-extension-prompt";
 }
diff --git a/src/Core/Services/IMailService.cs b/src/Core/Services/IMailService.cs
index 04b302bad9..e61127c57a 100644
--- a/src/Core/Services/IMailService.cs
+++ b/src/Core/Services/IMailService.cs
@@ -99,5 +99,5 @@ public interface IMailService
         string organizationName);
     Task SendClaimedDomainUserEmailAsync(ManagedUserDomainClaimedEmails emailList);
     Task SendDeviceApprovalRequestedNotificationEmailAsync(IEnumerable<string> adminEmails, Guid organizationId, string email, string userName);
-    Task SendBulkSecurityTaskNotificationsAsync(Organization org, IEnumerable<UserSecurityTasksCount> securityTaskNotifications);
+    Task SendBulkSecurityTaskNotificationsAsync(Organization org, IEnumerable<UserSecurityTasksCount> securityTaskNotifications, IEnumerable<string> adminOwnerEmails);
 }
diff --git a/src/Core/Services/Implementations/HandlebarsMailService.cs b/src/Core/Services/Implementations/HandlebarsMailService.cs
index 588365f8c9..edb99809f7 100644
--- a/src/Core/Services/Implementations/HandlebarsMailService.cs
+++ b/src/Core/Services/Implementations/HandlebarsMailService.cs
@@ -740,6 +740,45 @@ public class HandlebarsMailService : IMailService
             var clickTrackingText = (clickTrackingOff ? "clicktracking=off" : string.Empty);
             writer.WriteSafeString($"<a href=\"{href}\" target=\"_blank\" {clickTrackingText}>{text}</a>");
         });
+
+        // Construct markup for admin and owner email addresses.
+        // Using conditionals within the handlebar syntax was including extra spaces around
+        // concatenated strings, which this helper avoids.
+        Handlebars.RegisterHelper("formatAdminOwnerEmails", (writer, context, parameters) =>
+        {
+            if (parameters.Length == 0)
+            {
+                writer.WriteSafeString(string.Empty);
+                return;
+            }
+
+            var emailList = ((IEnumerable<string>)parameters[0]).ToList();
+            if (emailList.Count == 0)
+            {
+                writer.WriteSafeString(string.Empty);
+                return;
+            }
+
+            string constructAnchorElement(string email)
+            {
+                return $"<a style=\"color: #175DDC\" href=\"mailto:{email}\">{email}</a>";
+            }
+
+            var outputMessage = "This request was initiated by ";
+
+            if (emailList.Count == 1)
+            {
+                outputMessage += $"{constructAnchorElement(emailList[0])}.";
+            }
+            else
+            {
+                outputMessage += string.Join(", ", emailList.Take(emailList.Count - 1)
+                    .Select(email => constructAnchorElement(email)));
+                outputMessage += $", and {constructAnchorElement(emailList.Last())}.";
+            }
+
+            writer.WriteSafeString($"{outputMessage}");
+        });
     }
 
     public async Task SendEmergencyAccessInviteEmailAsync(EmergencyAccess emergencyAccess, string name, string token)
@@ -1201,7 +1240,7 @@ public class HandlebarsMailService : IMailService
         await _mailDeliveryService.SendEmailAsync(message);
     }
 
-    public async Task SendBulkSecurityTaskNotificationsAsync(Organization org, IEnumerable<UserSecurityTasksCount> securityTaskNotifications)
+    public async Task SendBulkSecurityTaskNotificationsAsync(Organization org, IEnumerable<UserSecurityTasksCount> securityTaskNotifications, IEnumerable<string> adminOwnerEmails)
     {
         MailQueueMessage CreateMessage(UserSecurityTasksCount notification)
         {
@@ -1211,6 +1250,7 @@ public class HandlebarsMailService : IMailService
             {
                 OrgName = CoreHelpers.SanitizeForEmail(sanitizedOrgName, false),
                 TaskCount = notification.TaskCount,
+                AdminOwnerEmails = adminOwnerEmails,
                 WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
             };
             message.Category = "SecurityTasksNotification";
diff --git a/src/Core/Services/NoopImplementations/NoopMailService.cs b/src/Core/Services/NoopImplementations/NoopMailService.cs
index 776dd07f19..d829fbbacb 100644
--- a/src/Core/Services/NoopImplementations/NoopMailService.cs
+++ b/src/Core/Services/NoopImplementations/NoopMailService.cs
@@ -324,7 +324,7 @@ public class NoopMailService : IMailService
         return Task.FromResult(0);
     }
 
-    public Task SendBulkSecurityTaskNotificationsAsync(Organization org, IEnumerable<UserSecurityTasksCount> securityTaskNotifications)
+    public Task SendBulkSecurityTaskNotificationsAsync(Organization org, IEnumerable<UserSecurityTasksCount> securityTaskNotifications, IEnumerable<string> adminOwnerEmails)
     {
         return Task.FromResult(0);
     }
diff --git a/src/Core/Vault/Commands/CreateManyTaskNotificationsCommand.cs b/src/Core/Vault/Commands/CreateManyTaskNotificationsCommand.cs
index f939816301..a335b059a4 100644
--- a/src/Core/Vault/Commands/CreateManyTaskNotificationsCommand.cs
+++ b/src/Core/Vault/Commands/CreateManyTaskNotificationsCommand.cs
@@ -17,19 +17,22 @@ public class CreateManyTaskNotificationsCommand : ICreateManyTaskNotificationsCo
     private readonly IMailService _mailService;
     private readonly ICreateNotificationCommand _createNotificationCommand;
     private readonly IPushNotificationService _pushNotificationService;
+    private readonly IOrganizationUserRepository _organizationUserRepository;
 
     public CreateManyTaskNotificationsCommand(
         IGetSecurityTasksNotificationDetailsQuery getSecurityTasksNotificationDetailsQuery,
         IOrganizationRepository organizationRepository,
         IMailService mailService,
         ICreateNotificationCommand createNotificationCommand,
-        IPushNotificationService pushNotificationService)
+        IPushNotificationService pushNotificationService,
+        IOrganizationUserRepository organizationUserRepository)
     {
         _getSecurityTasksNotificationDetailsQuery = getSecurityTasksNotificationDetailsQuery;
         _organizationRepository = organizationRepository;
         _mailService = mailService;
         _createNotificationCommand = createNotificationCommand;
         _pushNotificationService = pushNotificationService;
+        _organizationUserRepository = organizationUserRepository;
     }
 
     public async Task CreateAsync(Guid orgId, IEnumerable<SecurityTask> securityTasks)
@@ -45,8 +48,11 @@ public class CreateManyTaskNotificationsCommand : ICreateManyTaskNotificationsCo
         }).ToList();
 
         var organization = await _organizationRepository.GetByIdAsync(orgId);
+        var orgAdminEmails = await _organizationUserRepository.GetManyDetailsByRoleAsync(orgId, OrganizationUserType.Admin);
+        var orgOwnerEmails = await _organizationUserRepository.GetManyDetailsByRoleAsync(orgId, OrganizationUserType.Owner);
+        var orgAdminAndOwnerEmails = orgAdminEmails.Concat(orgOwnerEmails).Select(x => x.Email).Distinct().ToList();
 
-        await _mailService.SendBulkSecurityTaskNotificationsAsync(organization, userTaskCount);
+        await _mailService.SendBulkSecurityTaskNotificationsAsync(organization, userTaskCount, orgAdminAndOwnerEmails);
 
         // Break securityTaskCiphers into separate lists by user Id
         var securityTaskCiphersByUser = securityTaskCiphers.GroupBy(x => x.UserId)

From 5d549402c713f179781c9680952ac95186055934 Mon Sep 17 00:00:00 2001
From: Github Actions <actions@github.com>
Date: Fri, 21 Mar 2025 10:15:22 +0000
Subject: [PATCH 107/184] Bumped version to 2025.3.3

---
 Directory.Build.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index cbe9786d65..2ede6ad8d1 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.3.2</Version>
+    <Version>2025.3.3</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>

From c7c6528faaa2fb6f20b9e3e9186404405986abe0 Mon Sep 17 00:00:00 2001
From: Brandon Treston <btreston@bitwarden.com>
Date: Fri, 21 Mar 2025 10:07:55 -0400
Subject: [PATCH 108/184] Ac/pm 18240 implement policy requirement for reset
 password policy (#5521)

* wip

* fix test

* fix test

* refactor

* fix factory method and tests

* cleanup

* refactor

* update copy

* cleanup
---
 .../OrganizationUsersController.cs            | 11 ++-
 .../Controllers/OrganizationsController.cs    | 15 ++-
 .../ResetPasswordPolicyRequirement.cs         | 46 ++++++++++
 .../PolicyServiceCollectionExtensions.cs      |  1 +
 .../Implementations/OrganizationService.cs    | 29 ++++--
 .../OrganizationUsersControllerTests.cs       | 91 +++++++++++++++++++
 .../OrganizationsControllerTests.cs           | 57 ++++++++++++
 ...etPasswordPolicyRequirementFactoryTests.cs | 37 ++++++++
 8 files changed, 277 insertions(+), 10 deletions(-)
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/ResetPasswordPolicyRequirement.cs
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/ResetPasswordPolicyRequirementFactoryTests.cs

diff --git a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
index 5a73e57204..cc7f2314fd 100644
--- a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
@@ -8,6 +8,8 @@ using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.Enums;
@@ -55,6 +57,7 @@ public class OrganizationUsersController : Controller
     private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
     private readonly IDeleteManagedOrganizationUserAccountCommand _deleteManagedOrganizationUserAccountCommand;
     private readonly IGetOrganizationUsersManagementStatusQuery _getOrganizationUsersManagementStatusQuery;
+    private readonly IPolicyRequirementQuery _policyRequirementQuery;
     private readonly IFeatureService _featureService;
     private readonly IPricingClient _pricingClient;
 
@@ -79,6 +82,7 @@ public class OrganizationUsersController : Controller
         IRemoveOrganizationUserCommand removeOrganizationUserCommand,
         IDeleteManagedOrganizationUserAccountCommand deleteManagedOrganizationUserAccountCommand,
         IGetOrganizationUsersManagementStatusQuery getOrganizationUsersManagementStatusQuery,
+        IPolicyRequirementQuery policyRequirementQuery,
         IFeatureService featureService,
         IPricingClient pricingClient)
     {
@@ -102,6 +106,7 @@ public class OrganizationUsersController : Controller
         _removeOrganizationUserCommand = removeOrganizationUserCommand;
         _deleteManagedOrganizationUserAccountCommand = deleteManagedOrganizationUserAccountCommand;
         _getOrganizationUsersManagementStatusQuery = getOrganizationUsersManagementStatusQuery;
+        _policyRequirementQuery = policyRequirementQuery;
         _featureService = featureService;
         _pricingClient = pricingClient;
     }
@@ -315,11 +320,13 @@ public class OrganizationUsersController : Controller
             throw new UnauthorizedAccessException();
         }
 
-        var useMasterPasswordPolicy = await ShouldHandleResetPasswordAsync(orgId);
+        var useMasterPasswordPolicy = _featureService.IsEnabled(FeatureFlagKeys.PolicyRequirements)
+        ? (await _policyRequirementQuery.GetAsync<ResetPasswordPolicyRequirement>(user.Id)).AutoEnrollEnabled(orgId)
+        : await ShouldHandleResetPasswordAsync(orgId);
 
         if (useMasterPasswordPolicy && string.IsNullOrWhiteSpace(model.ResetPasswordKey))
         {
-            throw new BadRequestException(string.Empty, "Master Password reset is required, but not provided.");
+            throw new BadRequestException("Master Password reset is required, but not provided.");
         }
 
         await _acceptOrgUserCommand.AcceptOrgUserByEmailTokenAsync(organizationUserId, user, model.Token, _userService);
diff --git a/src/Api/AdminConsole/Controllers/OrganizationsController.cs b/src/Api/AdminConsole/Controllers/OrganizationsController.cs
index 34da3de10c..9fa9cb6672 100644
--- a/src/Api/AdminConsole/Controllers/OrganizationsController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationsController.cs
@@ -16,6 +16,8 @@ using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationApiKeys.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Repositories;
@@ -61,6 +63,7 @@ public class OrganizationsController : Controller
     private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
     private readonly ICloudOrganizationSignUpCommand _cloudOrganizationSignUpCommand;
     private readonly IOrganizationDeleteCommand _organizationDeleteCommand;
+    private readonly IPolicyRequirementQuery _policyRequirementQuery;
     private readonly IPricingClient _pricingClient;
 
     public OrganizationsController(
@@ -84,6 +87,7 @@ public class OrganizationsController : Controller
         IRemoveOrganizationUserCommand removeOrganizationUserCommand,
         ICloudOrganizationSignUpCommand cloudOrganizationSignUpCommand,
         IOrganizationDeleteCommand organizationDeleteCommand,
+        IPolicyRequirementQuery policyRequirementQuery,
         IPricingClient pricingClient)
     {
         _organizationRepository = organizationRepository;
@@ -106,6 +110,7 @@ public class OrganizationsController : Controller
         _removeOrganizationUserCommand = removeOrganizationUserCommand;
         _cloudOrganizationSignUpCommand = cloudOrganizationSignUpCommand;
         _organizationDeleteCommand = organizationDeleteCommand;
+        _policyRequirementQuery = policyRequirementQuery;
         _pricingClient = pricingClient;
     }
 
@@ -163,8 +168,13 @@ public class OrganizationsController : Controller
             throw new NotFoundException();
         }
 
-        var resetPasswordPolicy =
-            await _policyRepository.GetByOrganizationIdTypeAsync(organization.Id, PolicyType.ResetPassword);
+        if (_featureService.IsEnabled(FeatureFlagKeys.PolicyRequirements))
+        {
+            var resetPasswordPolicyRequirement = await _policyRequirementQuery.GetAsync<ResetPasswordPolicyRequirement>(user.Id);
+            return new OrganizationAutoEnrollStatusResponseModel(organization.Id, resetPasswordPolicyRequirement.AutoEnrollEnabled(organization.Id));
+        }
+
+        var resetPasswordPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(organization.Id, PolicyType.ResetPassword);
         if (resetPasswordPolicy == null || !resetPasswordPolicy.Enabled || resetPasswordPolicy.Data == null)
         {
             return new OrganizationAutoEnrollStatusResponseModel(organization.Id, false);
@@ -172,6 +182,7 @@ public class OrganizationsController : Controller
 
         var data = JsonSerializer.Deserialize<ResetPasswordDataModel>(resetPasswordPolicy.Data, JsonHelpers.IgnoreCase);
         return new OrganizationAutoEnrollStatusResponseModel(organization.Id, data?.AutoEnrollEnabled ?? false);
+
     }
 
     [HttpPost("")]
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/ResetPasswordPolicyRequirement.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/ResetPasswordPolicyRequirement.cs
new file mode 100644
index 0000000000..4feef1b088
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/ResetPasswordPolicyRequirement.cs
@@ -0,0 +1,46 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.Enums;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+/// <summary>
+/// Policy requirements for the Account recovery administration policy.
+/// </summary>
+public class ResetPasswordPolicyRequirement : IPolicyRequirement
+{
+    /// <summary>
+    /// List of Organization Ids that require automatic enrollment in password recovery.
+    /// </summary>
+    private IEnumerable<Guid> _autoEnrollOrganizations;
+    public IEnumerable<Guid> AutoEnrollOrganizations { init => _autoEnrollOrganizations = value; }
+
+    /// <summary>
+    /// Returns true if provided organizationId requires automatic enrollment in password recovery.
+    /// </summary>
+    public bool AutoEnrollEnabled(Guid organizationId)
+    {
+        return _autoEnrollOrganizations.Contains(organizationId);
+    }
+
+
+}
+
+public class ResetPasswordPolicyRequirementFactory : BasePolicyRequirementFactory<ResetPasswordPolicyRequirement>
+{
+    public override PolicyType PolicyType => PolicyType.ResetPassword;
+
+    protected override bool ExemptProviders => false;
+
+    protected override IEnumerable<OrganizationUserType> ExemptRoles => [];
+
+    public override ResetPasswordPolicyRequirement Create(IEnumerable<PolicyDetails> policyDetails)
+    {
+        var result = policyDetails
+        .Where(p => p.GetDataModel<ResetPasswordDataModel>().AutoEnrollEnabled)
+        .Select(p => p.OrganizationId)
+        .ToHashSet();
+
+        return new ResetPasswordPolicyRequirement() { AutoEnrollOrganizations = result };
+    }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs
index 6c698f9ffc..d386006ad2 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs
@@ -33,5 +33,6 @@ public static class PolicyServiceCollectionExtensions
     {
         services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, DisableSendPolicyRequirementFactory>();
         services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, SendOptionsPolicyRequirementFactory>();
+        services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, ResetPasswordPolicyRequirementFactory>();
     }
 }
diff --git a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
index 1b44eea496..772b407951 100644
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@@ -6,6 +6,8 @@ using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Models.Business;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Auth.Enums;
@@ -76,6 +78,7 @@ public class OrganizationService : IOrganizationService
     private readonly IOrganizationBillingService _organizationBillingService;
     private readonly IHasConfirmedOwnersExceptQuery _hasConfirmedOwnersExceptQuery;
     private readonly IPricingClient _pricingClient;
+    private readonly IPolicyRequirementQuery _policyRequirementQuery;
 
     public OrganizationService(
         IOrganizationRepository organizationRepository,
@@ -111,7 +114,8 @@ public class OrganizationService : IOrganizationService
         ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
         IOrganizationBillingService organizationBillingService,
         IHasConfirmedOwnersExceptQuery hasConfirmedOwnersExceptQuery,
-        IPricingClient pricingClient)
+        IPricingClient pricingClient,
+        IPolicyRequirementQuery policyRequirementQuery)
     {
         _organizationRepository = organizationRepository;
         _organizationUserRepository = organizationUserRepository;
@@ -147,6 +151,7 @@ public class OrganizationService : IOrganizationService
         _organizationBillingService = organizationBillingService;
         _hasConfirmedOwnersExceptQuery = hasConfirmedOwnersExceptQuery;
         _pricingClient = pricingClient;
+        _policyRequirementQuery = policyRequirementQuery;
     }
 
     public async Task ReplacePaymentMethodAsync(Guid organizationId, string paymentToken,
@@ -1353,13 +1358,25 @@ public class OrganizationService : IOrganizationService
         }
 
         // Block the user from withdrawal if auto enrollment is enabled
-        if (resetPasswordKey == null && resetPasswordPolicy.Data != null)
+        if (_featureService.IsEnabled(FeatureFlagKeys.PolicyRequirements))
         {
-            var data = JsonSerializer.Deserialize<ResetPasswordDataModel>(resetPasswordPolicy.Data, JsonHelpers.IgnoreCase);
-
-            if (data?.AutoEnrollEnabled ?? false)
+            var resetPasswordPolicyRequirement = await _policyRequirementQuery.GetAsync<ResetPasswordPolicyRequirement>(userId);
+            if (resetPasswordKey == null && resetPasswordPolicyRequirement.AutoEnrollEnabled(organizationId))
             {
-                throw new BadRequestException("Due to an Enterprise Policy, you are not allowed to withdraw from Password Reset.");
+                throw new BadRequestException("Due to an Enterprise Policy, you are not allowed to withdraw from account recovery.");
+            }
+
+        }
+        else
+        {
+            if (resetPasswordKey == null && resetPasswordPolicy.Data != null)
+            {
+                var data = JsonSerializer.Deserialize<ResetPasswordDataModel>(resetPasswordPolicy.Data, JsonHelpers.IgnoreCase);
+
+                if (data?.AutoEnrollEnabled ?? false)
+                {
+                    throw new BadRequestException("Due to an Enterprise Policy, you are not allowed to withdraw from account recovery.");
+                }
             }
         }
 
diff --git a/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs b/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs
index e3071bd227..a19560ecee 100644
--- a/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs
+++ b/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs
@@ -7,6 +7,8 @@ using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Repositories;
@@ -424,4 +426,93 @@ public class OrganizationUsersControllerTests
             .GetManyDetailsByOrganizationAsync(organizationAbility.Id, Arg.Any<bool>(), Arg.Any<bool>())
             .Returns(organizationUsers);
     }
+
+    [Theory]
+    [BitAutoData]
+    public async Task Accept_WhenOrganizationUsePoliciesIsEnabledAndResetPolicyIsEnabled_WithPolicyRequirementsEnabled_ShouldHandleResetPassword(Guid orgId, Guid orgUserId,
+        OrganizationUserAcceptRequestModel model, User user, SutProvider<OrganizationUsersController> sutProvider)
+    {
+        // Arrange
+        var applicationCacheService = sutProvider.GetDependency<IApplicationCacheService>();
+        applicationCacheService.GetOrganizationAbilityAsync(orgId).Returns(new OrganizationAbility { UsePolicies = true });
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.PolicyRequirements).Returns(true);
+
+        var policy = new Policy
+        {
+            Enabled = true,
+            Data = CoreHelpers.ClassToJsonData(new ResetPasswordDataModel { AutoEnrollEnabled = true, }),
+        };
+        var userService = sutProvider.GetDependency<IUserService>();
+        userService.GetUserByPrincipalAsync(default).ReturnsForAnyArgs(user);
+
+        var policyRequirementQuery = sutProvider.GetDependency<IPolicyRequirementQuery>();
+
+        var policyRepository = sutProvider.GetDependency<IPolicyRepository>();
+
+        var policyRequirement = new ResetPasswordPolicyRequirement { AutoEnrollOrganizations = [orgId] };
+
+        policyRequirementQuery.GetAsync<ResetPasswordPolicyRequirement>(user.Id).Returns(policyRequirement);
+
+        // Act
+        await sutProvider.Sut.Accept(orgId, orgUserId, model);
+
+        // Assert
+        await sutProvider.GetDependency<IAcceptOrgUserCommand>().Received(1)
+            .AcceptOrgUserByEmailTokenAsync(orgUserId, user, model.Token, userService);
+        await sutProvider.GetDependency<IOrganizationService>().Received(1)
+            .UpdateUserResetPasswordEnrollmentAsync(orgId, user.Id, model.ResetPasswordKey, user.Id);
+
+        await userService.Received(1).GetUserByPrincipalAsync(default);
+        await applicationCacheService.Received(0).GetOrganizationAbilityAsync(orgId);
+        await policyRepository.Received(0).GetByOrganizationIdTypeAsync(orgId, PolicyType.ResetPassword);
+        await policyRequirementQuery.Received(1).GetAsync<ResetPasswordPolicyRequirement>(user.Id);
+        Assert.True(policyRequirement.AutoEnrollEnabled(orgId));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task Accept_WithInvalidModelResetPasswordKey_WithPolicyRequirementsEnabled_ThrowsBadRequestException(Guid orgId, Guid orgUserId,
+        OrganizationUserAcceptRequestModel model, User user, SutProvider<OrganizationUsersController> sutProvider)
+    {
+        // Arrange
+        model.ResetPasswordKey = " ";
+        var applicationCacheService = sutProvider.GetDependency<IApplicationCacheService>();
+        applicationCacheService.GetOrganizationAbilityAsync(orgId).Returns(new OrganizationAbility { UsePolicies = true });
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.PolicyRequirements).Returns(true);
+
+        var policy = new Policy
+        {
+            Enabled = true,
+            Data = CoreHelpers.ClassToJsonData(new ResetPasswordDataModel { AutoEnrollEnabled = true, }),
+        };
+        var userService = sutProvider.GetDependency<IUserService>();
+        userService.GetUserByPrincipalAsync(default).ReturnsForAnyArgs(user);
+
+        var policyRepository = sutProvider.GetDependency<IPolicyRepository>();
+
+        var policyRequirementQuery = sutProvider.GetDependency<IPolicyRequirementQuery>();
+
+        var policyRequirement = new ResetPasswordPolicyRequirement { AutoEnrollOrganizations = [orgId] };
+
+        policyRequirementQuery.GetAsync<ResetPasswordPolicyRequirement>(user.Id).Returns(policyRequirement);
+
+        // Act
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
+        sutProvider.Sut.Accept(orgId, orgUserId, model));
+
+        // Assert
+        await sutProvider.GetDependency<IAcceptOrgUserCommand>().Received(0)
+            .AcceptOrgUserByEmailTokenAsync(orgUserId, user, model.Token, userService);
+        await sutProvider.GetDependency<IOrganizationService>().Received(0)
+            .UpdateUserResetPasswordEnrollmentAsync(orgId, user.Id, model.ResetPasswordKey, user.Id);
+
+        await userService.Received(1).GetUserByPrincipalAsync(default);
+        await applicationCacheService.Received(0).GetOrganizationAbilityAsync(orgId);
+        await policyRepository.Received(0).GetByOrganizationIdTypeAsync(orgId, PolicyType.ResetPassword);
+        await policyRequirementQuery.Received(1).GetAsync<ResetPasswordPolicyRequirement>(user.Id);
+
+        Assert.Equal("Master Password reset is required, but not provided.", exception.Message);
+    }
 }
diff --git a/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs b/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
index b0906ddc43..8e6d2ce27b 100644
--- a/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
+++ b/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
@@ -4,12 +4,15 @@ using Bit.Api.AdminConsole.Controllers;
 using Bit.Api.Auth.Models.Request.Accounts;
 using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Models.Business.Tokenables;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationApiKeys.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Enums;
@@ -55,6 +58,7 @@ public class OrganizationsControllerTests : IDisposable
     private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
     private readonly ICloudOrganizationSignUpCommand _cloudOrganizationSignUpCommand;
     private readonly IOrganizationDeleteCommand _organizationDeleteCommand;
+    private readonly IPolicyRequirementQuery _policyRequirementQuery;
     private readonly IPricingClient _pricingClient;
     private readonly OrganizationsController _sut;
 
@@ -80,6 +84,7 @@ public class OrganizationsControllerTests : IDisposable
         _removeOrganizationUserCommand = Substitute.For<IRemoveOrganizationUserCommand>();
         _cloudOrganizationSignUpCommand = Substitute.For<ICloudOrganizationSignUpCommand>();
         _organizationDeleteCommand = Substitute.For<IOrganizationDeleteCommand>();
+        _policyRequirementQuery = Substitute.For<IPolicyRequirementQuery>();
         _pricingClient = Substitute.For<IPricingClient>();
 
         _sut = new OrganizationsController(
@@ -103,6 +108,7 @@ public class OrganizationsControllerTests : IDisposable
             _removeOrganizationUserCommand,
             _cloudOrganizationSignUpCommand,
             _organizationDeleteCommand,
+            _policyRequirementQuery,
             _pricingClient);
     }
 
@@ -236,4 +242,55 @@ public class OrganizationsControllerTests : IDisposable
 
         await _organizationDeleteCommand.Received(1).DeleteAsync(organization);
     }
+
+    [Theory, AutoData]
+    public async Task GetAutoEnrollStatus_WithPolicyRequirementsEnabled_ReturnsOrganizationAutoEnrollStatus_WithResetPasswordEnabledTrue(
+        User user,
+        Organization organization,
+        OrganizationUser organizationUser
+    )
+    {
+        var policyRequirement = new ResetPasswordPolicyRequirement() { AutoEnrollOrganizations = [organization.Id] };
+
+        _userService.GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).Returns(user);
+        _organizationRepository.GetByIdentifierAsync(organization.Id.ToString()).Returns(organization);
+        _featureService.IsEnabled(FeatureFlagKeys.PolicyRequirements).Returns(true);
+        _organizationUserRepository.GetByOrganizationAsync(organization.Id, user.Id).Returns(organizationUser);
+        _policyRequirementQuery.GetAsync<ResetPasswordPolicyRequirement>(user.Id).Returns(policyRequirement);
+
+        var result = await _sut.GetAutoEnrollStatus(organization.Id.ToString());
+
+        await _userService.Received(1).GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>());
+        await _organizationRepository.Received(1).GetByIdentifierAsync(organization.Id.ToString());
+        await _policyRequirementQuery.Received(1).GetAsync<ResetPasswordPolicyRequirement>(user.Id);
+
+        Assert.True(result.ResetPasswordEnabled);
+        Assert.Equal(result.Id, organization.Id);
+    }
+
+    [Theory, AutoData]
+    public async Task GetAutoEnrollStatus_WithPolicyRequirementsDisabled_ReturnsOrganizationAutoEnrollStatus_WithResetPasswordEnabledTrue(
+    User user,
+    Organization organization,
+    OrganizationUser organizationUser
+)
+    {
+
+        var policy = new Policy() { Type = PolicyType.ResetPassword, Enabled = true, Data = "{\"AutoEnrollEnabled\": true}", OrganizationId = organization.Id };
+
+        _userService.GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).Returns(user);
+        _organizationRepository.GetByIdentifierAsync(organization.Id.ToString()).Returns(organization);
+        _featureService.IsEnabled(FeatureFlagKeys.PolicyRequirements).Returns(false);
+        _organizationUserRepository.GetByOrganizationAsync(organization.Id, user.Id).Returns(organizationUser);
+        _policyRepository.GetByOrganizationIdTypeAsync(organization.Id, PolicyType.ResetPassword).Returns(policy);
+
+        var result = await _sut.GetAutoEnrollStatus(organization.Id.ToString());
+
+        await _userService.Received(1).GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>());
+        await _organizationRepository.Received(1).GetByIdentifierAsync(organization.Id.ToString());
+        await _policyRequirementQuery.Received(0).GetAsync<ResetPasswordPolicyRequirement>(user.Id);
+        await _policyRepository.Received(1).GetByOrganizationIdTypeAsync(organization.Id, PolicyType.ResetPassword);
+
+        Assert.True(result.ResetPasswordEnabled);
+    }
 }
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/ResetPasswordPolicyRequirementFactoryTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/ResetPasswordPolicyRequirementFactoryTests.cs
new file mode 100644
index 0000000000..181f4f170e
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/ResetPasswordPolicyRequirementFactoryTests.cs
@@ -0,0 +1,37 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.Test.AdminConsole.AutoFixture;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+[SutProviderCustomize]
+public class ResetPasswordPolicyRequirementFactoryTests
+{
+    [Theory, BitAutoData]
+    public void AutoEnroll_WithNoPolicies_IsEmpty(SutProvider<ResetPasswordPolicyRequirementFactory> sutProvider, Guid orgId)
+    {
+        var actual = sutProvider.Sut.Create([]);
+
+        Assert.False(actual.AutoEnrollEnabled(orgId));
+    }
+
+    [Theory, BitAutoData]
+    public void AutoEnrollAdministration_WithAnyResetPasswordPolices_ReturnsEnabledOrganizationIds(
+        [PolicyDetails(PolicyType.ResetPassword)] PolicyDetails[] policies,
+        SutProvider<ResetPasswordPolicyRequirementFactory> sutProvider)
+    {
+        policies[0].SetDataModel(new ResetPasswordDataModel { AutoEnrollEnabled = true });
+        policies[1].SetDataModel(new ResetPasswordDataModel { AutoEnrollEnabled = false });
+        policies[2].SetDataModel(new ResetPasswordDataModel { AutoEnrollEnabled = true });
+
+        var actual = sutProvider.Sut.Create(policies);
+
+        Assert.True(actual.AutoEnrollEnabled(policies[0].OrganizationId));
+        Assert.False(actual.AutoEnrollEnabled(policies[1].OrganizationId));
+        Assert.True(actual.AutoEnrollEnabled(policies[2].OrganizationId));
+    }
+}

From 7eb8ad8fa3a0d9975da0722874f777738d818cfe Mon Sep 17 00:00:00 2001
From: Github Actions <actions@github.com>
Date: Mon, 24 Mar 2025 10:49:33 +0000
Subject: [PATCH 109/184] Bumped version to 2025.3.4

---
 Directory.Build.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index 2ede6ad8d1..0ef5513003 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.3.3</Version>
+    <Version>2025.3.4</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>

From 1db37a14abdb20a06ebe853de1aaa569782c1d13 Mon Sep 17 00:00:00 2001
From: Github Actions <actions@github.com>
Date: Mon, 24 Mar 2025 10:56:04 +0000
Subject: [PATCH 110/184] Bumped version to 2025.3.5

---
 Directory.Build.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index 0ef5513003..0d17b69b55 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.3.4</Version>
+    <Version>2025.3.5</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>

From d345937ecca07aefd07f8cea421ae7ca2b6fcf98 Mon Sep 17 00:00:00 2001
From: Github Actions <actions@github.com>
Date: Mon, 24 Mar 2025 11:22:29 +0000
Subject: [PATCH 111/184] Bumped version to 2025.3.6

---
 Directory.Build.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index 0d17b69b55..b9b8cf557a 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.3.5</Version>
+    <Version>2025.3.6</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>

From 24b63f2dcd12e1268fa625c8e1bef3e16c2aa17f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Mon, 24 Mar 2025 17:05:46 +0000
Subject: [PATCH 112/184] [PM-12493] Extract ConfirmUser methods from
 OrganizationService into commands (#5505)

* Add ConfirmOrganizationUserCommand and IConfirmOrganizationUserCommand interface for managing organization user confirmations

* Add unit tests for ConfirmOrganizationUserCommand to validate user confirmation scenarios

* Register ConfirmOrganizationUserCommand for dependency injection

* Refactor OrganizationUsersController to utilize IConfirmOrganizationUserCommand for user confirmation processes

* Remove ConfirmUserAsync and ConfirmUsersAsync methods from IOrganizationService and OrganizationService

* Rename test methods in ConfirmOrganizationUserCommandTests for clarity and consistency

* Update test method name in ConfirmOrganizationUserCommandTests for improved clarity
---
 .../OrganizationUsersController.cs            |  11 +-
 .../ConfirmOrganizationUserCommand.cs         | 186 ++++++++++
 .../IConfirmOrganizationUserCommand.cs        |  30 ++
 .../Services/IOrganizationService.cs          |   3 -
 .../Implementations/OrganizationService.cs    | 126 -------
 ...OrganizationServiceCollectionExtensions.cs |   1 +
 .../ConfirmOrganizationUserCommandTests.cs    | 324 ++++++++++++++++++
 .../Services/OrganizationServiceTests.cs      | 301 ----------------
 8 files changed, 548 insertions(+), 434 deletions(-)
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/ConfirmOrganizationUserCommand.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IConfirmOrganizationUserCommand.cs
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/ConfirmOrganizationUserCommandTests.cs

diff --git a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
index cc7f2314fd..cfe93e87ce 100644
--- a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
@@ -60,6 +60,7 @@ public class OrganizationUsersController : Controller
     private readonly IPolicyRequirementQuery _policyRequirementQuery;
     private readonly IFeatureService _featureService;
     private readonly IPricingClient _pricingClient;
+    private readonly IConfirmOrganizationUserCommand _confirmOrganizationUserCommand;
 
     public OrganizationUsersController(
         IOrganizationRepository organizationRepository,
@@ -84,7 +85,8 @@ public class OrganizationUsersController : Controller
         IGetOrganizationUsersManagementStatusQuery getOrganizationUsersManagementStatusQuery,
         IPolicyRequirementQuery policyRequirementQuery,
         IFeatureService featureService,
-        IPricingClient pricingClient)
+        IPricingClient pricingClient,
+        IConfirmOrganizationUserCommand confirmOrganizationUserCommand)
     {
         _organizationRepository = organizationRepository;
         _organizationUserRepository = organizationUserRepository;
@@ -109,6 +111,7 @@ public class OrganizationUsersController : Controller
         _policyRequirementQuery = policyRequirementQuery;
         _featureService = featureService;
         _pricingClient = pricingClient;
+        _confirmOrganizationUserCommand = confirmOrganizationUserCommand;
     }
 
     [HttpGet("{id}")]
@@ -308,7 +311,7 @@ public class OrganizationUsersController : Controller
 
         await _organizationService.InitPendingOrganization(user.Id, orgId, organizationUserId, model.Keys.PublicKey, model.Keys.EncryptedPrivateKey, model.CollectionName);
         await _acceptOrgUserCommand.AcceptOrgUserByEmailTokenAsync(organizationUserId, user, model.Token, _userService);
-        await _organizationService.ConfirmUserAsync(orgId, organizationUserId, model.Key, user.Id);
+        await _confirmOrganizationUserCommand.ConfirmUserAsync(orgId, organizationUserId, model.Key, user.Id);
     }
 
     [HttpPost("{organizationUserId}/accept")]
@@ -364,7 +367,7 @@ public class OrganizationUsersController : Controller
         }
 
         var userId = _userService.GetProperUserId(User);
-        var result = await _organizationService.ConfirmUserAsync(orgGuidId, new Guid(id), model.Key, userId.Value);
+        var result = await _confirmOrganizationUserCommand.ConfirmUserAsync(orgGuidId, new Guid(id), model.Key, userId.Value);
     }
 
     [HttpPost("confirm")]
@@ -378,7 +381,7 @@ public class OrganizationUsersController : Controller
         }
 
         var userId = _userService.GetProperUserId(User);
-        var results = await _organizationService.ConfirmUsersAsync(orgGuidId, model.ToDictionary(), userId.Value);
+        var results = await _confirmOrganizationUserCommand.ConfirmUsersAsync(orgGuidId, model.ToDictionary(), userId.Value);
 
         return new ListResponseModel<OrganizationUserBulkResponseModel>(results.Select(r =>
             new OrganizationUserBulkResponseModel(r.Item1.Id, r.Item2)));
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/ConfirmOrganizationUserCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/ConfirmOrganizationUserCommand.cs
new file mode 100644
index 0000000000..9bfe8f791e
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/ConfirmOrganizationUserCommand.cs
@@ -0,0 +1,186 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.Services;
+using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Platform.Push;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
+
+public class ConfirmOrganizationUserCommand : IConfirmOrganizationUserCommand
+{
+    private readonly IOrganizationRepository _organizationRepository;
+    private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly IUserRepository _userRepository;
+    private readonly IEventService _eventService;
+    private readonly IMailService _mailService;
+    private readonly ITwoFactorIsEnabledQuery _twoFactorIsEnabledQuery;
+    private readonly IPushNotificationService _pushNotificationService;
+    private readonly IPushRegistrationService _pushRegistrationService;
+    private readonly IPolicyService _policyService;
+    private readonly IDeviceRepository _deviceRepository;
+
+    public ConfirmOrganizationUserCommand(
+        IOrganizationRepository organizationRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IUserRepository userRepository,
+        IEventService eventService,
+        IMailService mailService,
+        ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
+        IPushNotificationService pushNotificationService,
+        IPushRegistrationService pushRegistrationService,
+        IPolicyService policyService,
+        IDeviceRepository deviceRepository)
+    {
+        _organizationRepository = organizationRepository;
+        _organizationUserRepository = organizationUserRepository;
+        _userRepository = userRepository;
+        _eventService = eventService;
+        _mailService = mailService;
+        _twoFactorIsEnabledQuery = twoFactorIsEnabledQuery;
+        _pushNotificationService = pushNotificationService;
+        _pushRegistrationService = pushRegistrationService;
+        _policyService = policyService;
+        _deviceRepository = deviceRepository;
+    }
+
+    public async Task<OrganizationUser> ConfirmUserAsync(Guid organizationId, Guid organizationUserId, string key,
+        Guid confirmingUserId)
+    {
+        var result = await ConfirmUsersAsync(
+            organizationId,
+            new Dictionary<Guid, string>() { { organizationUserId, key } },
+            confirmingUserId);
+
+        if (!result.Any())
+        {
+            throw new BadRequestException("User not valid.");
+        }
+
+        var (orgUser, error) = result[0];
+        if (error != "")
+        {
+            throw new BadRequestException(error);
+        }
+        return orgUser;
+    }
+
+    public async Task<List<Tuple<OrganizationUser, string>>> ConfirmUsersAsync(Guid organizationId, Dictionary<Guid, string> keys,
+        Guid confirmingUserId)
+    {
+        var selectedOrganizationUsers = await _organizationUserRepository.GetManyAsync(keys.Keys);
+        var validSelectedOrganizationUsers = selectedOrganizationUsers
+            .Where(u => u.Status == OrganizationUserStatusType.Accepted && u.OrganizationId == organizationId && u.UserId != null)
+            .ToList();
+
+        if (!validSelectedOrganizationUsers.Any())
+        {
+            return new List<Tuple<OrganizationUser, string>>();
+        }
+
+        var validSelectedUserIds = validSelectedOrganizationUsers.Select(u => u.UserId.Value).ToList();
+
+        var organization = await _organizationRepository.GetByIdAsync(organizationId);
+        var allUsersOrgs = await _organizationUserRepository.GetManyByManyUsersAsync(validSelectedUserIds);
+        var users = await _userRepository.GetManyAsync(validSelectedUserIds);
+        var usersTwoFactorEnabled = await _twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(validSelectedUserIds);
+
+        var keyedFilteredUsers = validSelectedOrganizationUsers.ToDictionary(u => u.UserId.Value, u => u);
+        var keyedOrganizationUsers = allUsersOrgs.GroupBy(u => u.UserId.Value)
+            .ToDictionary(u => u.Key, u => u.ToList());
+
+        var succeededUsers = new List<OrganizationUser>();
+        var result = new List<Tuple<OrganizationUser, string>>();
+
+        foreach (var user in users)
+        {
+            if (!keyedFilteredUsers.ContainsKey(user.Id))
+            {
+                continue;
+            }
+            var orgUser = keyedFilteredUsers[user.Id];
+            var orgUsers = keyedOrganizationUsers.GetValueOrDefault(user.Id, new List<OrganizationUser>());
+            try
+            {
+                if (organization.PlanType == PlanType.Free && (orgUser.Type == OrganizationUserType.Admin
+                    || orgUser.Type == OrganizationUserType.Owner))
+                {
+                    // Since free organizations only supports a few users there is not much point in avoiding N+1 queries for this.
+                    var adminCount = await _organizationUserRepository.GetCountByFreeOrganizationAdminUserAsync(user.Id);
+                    if (adminCount > 0)
+                    {
+                        throw new BadRequestException("User can only be an admin of one free organization.");
+                    }
+                }
+
+                var twoFactorEnabled = usersTwoFactorEnabled.FirstOrDefault(tuple => tuple.userId == user.Id).twoFactorIsEnabled;
+                await CheckPoliciesAsync(organizationId, user, orgUsers, twoFactorEnabled);
+                orgUser.Status = OrganizationUserStatusType.Confirmed;
+                orgUser.Key = keys[orgUser.Id];
+                orgUser.Email = null;
+
+                await _eventService.LogOrganizationUserEventAsync(orgUser, EventType.OrganizationUser_Confirmed);
+                await _mailService.SendOrganizationConfirmedEmailAsync(organization.DisplayName(), user.Email, orgUser.AccessSecretsManager);
+                await DeleteAndPushUserRegistrationAsync(organizationId, user.Id);
+                succeededUsers.Add(orgUser);
+                result.Add(Tuple.Create(orgUser, ""));
+            }
+            catch (BadRequestException e)
+            {
+                result.Add(Tuple.Create(orgUser, e.Message));
+            }
+        }
+
+        await _organizationUserRepository.ReplaceManyAsync(succeededUsers);
+
+        return result;
+    }
+
+    private async Task CheckPoliciesAsync(Guid organizationId, User user,
+        ICollection<OrganizationUser> userOrgs, bool twoFactorEnabled)
+    {
+        // Enforce Two Factor Authentication Policy for this organization
+        var orgRequiresTwoFactor = (await _policyService.GetPoliciesApplicableToUserAsync(user.Id, PolicyType.TwoFactorAuthentication))
+            .Any(p => p.OrganizationId == organizationId);
+        if (orgRequiresTwoFactor && !twoFactorEnabled)
+        {
+            throw new BadRequestException("User does not have two-step login enabled.");
+        }
+
+        var hasOtherOrgs = userOrgs.Any(ou => ou.OrganizationId != organizationId);
+        var singleOrgPolicies = await _policyService.GetPoliciesApplicableToUserAsync(user.Id, PolicyType.SingleOrg);
+        var otherSingleOrgPolicies =
+            singleOrgPolicies.Where(p => p.OrganizationId != organizationId);
+        // Enforce Single Organization Policy for this organization
+        if (hasOtherOrgs && singleOrgPolicies.Any(p => p.OrganizationId == organizationId))
+        {
+            throw new BadRequestException("Cannot confirm this member to the organization until they leave or remove all other organizations.");
+        }
+        // Enforce Single Organization Policy of other organizations user is a member of
+        if (otherSingleOrgPolicies.Any())
+        {
+            throw new BadRequestException("Cannot confirm this member to the organization because they are in another organization which forbids it.");
+        }
+    }
+
+    private async Task DeleteAndPushUserRegistrationAsync(Guid organizationId, Guid userId)
+    {
+        var devices = await GetUserDeviceIdsAsync(userId);
+        await _pushRegistrationService.DeleteUserRegistrationOrganizationAsync(devices,
+            organizationId.ToString());
+        await _pushNotificationService.PushSyncOrgKeysAsync(userId);
+    }
+
+    private async Task<IEnumerable<string>> GetUserDeviceIdsAsync(Guid userId)
+    {
+        var devices = await _deviceRepository.GetManyByUserIdAsync(userId);
+        return devices
+            .Where(d => !string.IsNullOrWhiteSpace(d.PushToken))
+            .Select(d => d.Id.ToString());
+    }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IConfirmOrganizationUserCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IConfirmOrganizationUserCommand.cs
new file mode 100644
index 0000000000..302ee0901d
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IConfirmOrganizationUserCommand.cs
@@ -0,0 +1,30 @@
+using Bit.Core.Entities;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+
+/// <summary>
+/// Command to confirm organization users who have accepted their invitations.
+/// </summary>
+public interface IConfirmOrganizationUserCommand
+{
+    /// <summary>
+    /// Confirms a single organization user who has accepted their invitation.
+    /// </summary>
+    /// <param name="organizationId">The ID of the organization.</param>
+    /// <param name="organizationUserId">The ID of the organization user to confirm.</param>
+    /// <param name="key">The encrypted organization key for the user.</param>
+    /// <param name="confirmingUserId">The ID of the user performing the confirmation.</param>
+    /// <returns>The confirmed organization user.</returns>
+    /// <exception cref="BadRequestException">Thrown when the user is not valid or cannot be confirmed.</exception>
+    Task<OrganizationUser> ConfirmUserAsync(Guid organizationId, Guid organizationUserId, string key, Guid confirmingUserId);
+
+    /// <summary>
+    /// Confirms multiple organization users who have accepted their invitations.
+    /// </summary>
+    /// <param name="organizationId">The ID of the organization.</param>
+    /// <param name="keys">A dictionary mapping organization user IDs to their encrypted organization keys.</param>
+    /// <param name="confirmingUserId">The ID of the user performing the confirmation.</param>
+    /// <returns>A list of tuples containing the organization user and an error message (if any).</returns>
+    Task<List<Tuple<OrganizationUser, string>>> ConfirmUsersAsync(Guid organizationId, Dictionary<Guid, string> keys,
+        Guid confirmingUserId);
+}
diff --git a/src/Core/AdminConsole/Services/IOrganizationService.cs b/src/Core/AdminConsole/Services/IOrganizationService.cs
index dacb2ab162..476fccb480 100644
--- a/src/Core/AdminConsole/Services/IOrganizationService.cs
+++ b/src/Core/AdminConsole/Services/IOrganizationService.cs
@@ -38,9 +38,6 @@ public interface IOrganizationService
         IEnumerable<(OrganizationUserInvite invite, string externalId)> invites);
     Task<IEnumerable<Tuple<OrganizationUser, string>>> ResendInvitesAsync(Guid organizationId, Guid? invitingUserId, IEnumerable<Guid> organizationUsersId);
     Task ResendInviteAsync(Guid organizationId, Guid? invitingUserId, Guid organizationUserId, bool initOrganization = false);
-    Task<OrganizationUser> ConfirmUserAsync(Guid organizationId, Guid organizationUserId, string key, Guid confirmingUserId);
-    Task<List<Tuple<OrganizationUser, string>>> ConfirmUsersAsync(Guid organizationId, Dictionary<Guid, string> keys,
-        Guid confirmingUserId);
     Task UpdateUserResetPasswordEnrollmentAsync(Guid organizationId, Guid userId, string resetPasswordKey, Guid? callingUserId);
     Task ImportAsync(Guid organizationId, IEnumerable<ImportedGroup> groups,
         IEnumerable<ImportedOrganizationUser> newUsers, IEnumerable<string> removeUserExternalIds,
diff --git a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
index 772b407951..ab5703eaa1 100644
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@@ -1127,98 +1127,6 @@ public class OrganizationService : IOrganizationService
         );
     }
 
-    public async Task<OrganizationUser> ConfirmUserAsync(Guid organizationId, Guid organizationUserId, string key,
-        Guid confirmingUserId)
-    {
-        var result = await ConfirmUsersAsync(
-            organizationId,
-            new Dictionary<Guid, string>() { { organizationUserId, key } },
-            confirmingUserId);
-
-        if (!result.Any())
-        {
-            throw new BadRequestException("User not valid.");
-        }
-
-        var (orgUser, error) = result[0];
-        if (error != "")
-        {
-            throw new BadRequestException(error);
-        }
-        return orgUser;
-    }
-
-    public async Task<List<Tuple<OrganizationUser, string>>> ConfirmUsersAsync(Guid organizationId, Dictionary<Guid, string> keys,
-        Guid confirmingUserId)
-    {
-        var selectedOrganizationUsers = await _organizationUserRepository.GetManyAsync(keys.Keys);
-        var validSelectedOrganizationUsers = selectedOrganizationUsers
-            .Where(u => u.Status == OrganizationUserStatusType.Accepted && u.OrganizationId == organizationId && u.UserId != null)
-            .ToList();
-
-        if (!validSelectedOrganizationUsers.Any())
-        {
-            return new List<Tuple<OrganizationUser, string>>();
-        }
-
-        var validSelectedUserIds = validSelectedOrganizationUsers.Select(u => u.UserId.Value).ToList();
-
-        var organization = await GetOrgById(organizationId);
-        var allUsersOrgs = await _organizationUserRepository.GetManyByManyUsersAsync(validSelectedUserIds);
-        var users = await _userRepository.GetManyAsync(validSelectedUserIds);
-        var usersTwoFactorEnabled = await _twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(validSelectedUserIds);
-
-        var keyedFilteredUsers = validSelectedOrganizationUsers.ToDictionary(u => u.UserId.Value, u => u);
-        var keyedOrganizationUsers = allUsersOrgs.GroupBy(u => u.UserId.Value)
-            .ToDictionary(u => u.Key, u => u.ToList());
-
-        var succeededUsers = new List<OrganizationUser>();
-        var result = new List<Tuple<OrganizationUser, string>>();
-
-        foreach (var user in users)
-        {
-            if (!keyedFilteredUsers.ContainsKey(user.Id))
-            {
-                continue;
-            }
-            var orgUser = keyedFilteredUsers[user.Id];
-            var orgUsers = keyedOrganizationUsers.GetValueOrDefault(user.Id, new List<OrganizationUser>());
-            try
-            {
-                if (organization.PlanType == PlanType.Free && (orgUser.Type == OrganizationUserType.Admin
-                    || orgUser.Type == OrganizationUserType.Owner))
-                {
-                    // Since free organizations only supports a few users there is not much point in avoiding N+1 queries for this.
-                    var adminCount = await _organizationUserRepository.GetCountByFreeOrganizationAdminUserAsync(user.Id);
-                    if (adminCount > 0)
-                    {
-                        throw new BadRequestException("User can only be an admin of one free organization.");
-                    }
-                }
-
-                var twoFactorEnabled = usersTwoFactorEnabled.FirstOrDefault(tuple => tuple.userId == user.Id).twoFactorIsEnabled;
-                await CheckPoliciesAsync(organizationId, user, orgUsers, twoFactorEnabled);
-                orgUser.Status = OrganizationUserStatusType.Confirmed;
-                orgUser.Key = keys[orgUser.Id];
-                orgUser.Email = null;
-
-                await _eventService.LogOrganizationUserEventAsync(orgUser, EventType.OrganizationUser_Confirmed);
-                await _mailService.SendOrganizationConfirmedEmailAsync(organization.DisplayName(), user.Email, orgUser.AccessSecretsManager);
-                await DeleteAndPushUserRegistrationAsync(organizationId, user.Id);
-                succeededUsers.Add(orgUser);
-                result.Add(Tuple.Create(orgUser, ""));
-            }
-            catch (BadRequestException e)
-            {
-                result.Add(Tuple.Create(orgUser, e.Message));
-            }
-        }
-
-        await _organizationUserRepository.ReplaceManyAsync(succeededUsers);
-
-        return result;
-    }
-
     internal async Task<(bool canScale, string failureReason)> CanScaleAsync(
         Organization organization,
         int seatsToAdd)
@@ -1305,32 +1213,7 @@ public class OrganizationService : IOrganizationService
         }
     }
 
-    private async Task CheckPoliciesAsync(Guid organizationId, User user,
-        ICollection<OrganizationUser> userOrgs, bool twoFactorEnabled)
-    {
-        // Enforce Two Factor Authentication Policy for this organization
-        var orgRequiresTwoFactor = (await _policyService.GetPoliciesApplicableToUserAsync(user.Id, PolicyType.TwoFactorAuthentication))
-            .Any(p => p.OrganizationId == organizationId);
-        if (orgRequiresTwoFactor && !twoFactorEnabled)
-        {
-            throw new BadRequestException("User does not have two-step login enabled.");
-        }
 
-        var hasOtherOrgs = userOrgs.Any(ou => ou.OrganizationId != organizationId);
-        var singleOrgPolicies = await _policyService.GetPoliciesApplicableToUserAsync(user.Id, PolicyType.SingleOrg);
-        var otherSingleOrgPolicies =
-            singleOrgPolicies.Where(p => p.OrganizationId != organizationId);
-        // Enforce Single Organization Policy for this organization
-        if (hasOtherOrgs && singleOrgPolicies.Any(p => p.OrganizationId == organizationId))
-        {
-            throw new BadRequestException("Cannot confirm this member to the organization until they leave or remove all other organizations.");
-        }
-        // Enforce Single Organization Policy of other organizations user is a member of
-        if (otherSingleOrgPolicies.Any())
-        {
-            throw new BadRequestException("Cannot confirm this member to the organization because they are in another organization which forbids it.");
-        }
-    }
 
     public async Task UpdateUserResetPasswordEnrollmentAsync(Guid organizationId, Guid userId, string resetPasswordKey, Guid? callingUserId)
     {
@@ -1640,15 +1523,6 @@ public class OrganizationService : IOrganizationService
         await _groupRepository.UpdateUsersAsync(group.Id, users);
     }
 
-    private async Task DeleteAndPushUserRegistrationAsync(Guid organizationId, Guid userId)
-    {
-        var devices = await GetUserDeviceIdsAsync(userId);
-        await _pushRegistrationService.DeleteUserRegistrationOrganizationAsync(devices,
-            organizationId.ToString());
-        await _pushNotificationService.PushSyncOrgKeysAsync(userId);
-    }
-
-
     private async Task<IEnumerable<string>> GetUserDeviceIdsAsync(Guid userId)
     {
         var devices = await _deviceRepository.GetManyByUserIdAsync(userId);
diff --git a/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs b/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
index 232e04fbd0..e13a06f660 100644
--- a/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
+++ b/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
@@ -116,6 +116,7 @@ public static class OrganizationServiceCollectionExtensions
         services.AddScoped<IUpdateOrganizationUserCommand, UpdateOrganizationUserCommand>();
         services.AddScoped<IUpdateOrganizationUserGroupsCommand, UpdateOrganizationUserGroupsCommand>();
         services.AddScoped<IDeleteManagedOrganizationUserAccountCommand, DeleteManagedOrganizationUserAccountCommand>();
+        services.AddScoped<IConfirmOrganizationUserCommand, ConfirmOrganizationUserCommand>();
     }
 
     private static void AddOrganizationApiKeyCommandsQueries(this IServiceCollection services)
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/ConfirmOrganizationUserCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/ConfirmOrganizationUserCommandTests.cs
new file mode 100644
index 0000000000..06335f668d
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/ConfirmOrganizationUserCommandTests.cs
@@ -0,0 +1,324 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
+using Bit.Core.AdminConsole.Services;
+using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Test.AdminConsole.AutoFixture;
+using Bit.Core.Test.AutoFixture.OrganizationUserFixtures;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.OrganizationUsers;
+
+[SutProviderCustomize]
+public class ConfirmOrganizationUserCommandTests
+{
+    [Theory, BitAutoData]
+    public async Task ConfirmUserAsync_WithInvalidStatus_ThrowsBadRequestException(OrganizationUser confirmingUser,
+        [OrganizationUser(OrganizationUserStatusType.Invited)] OrganizationUser orgUser, string key,
+        SutProvider<ConfirmOrganizationUserCommand> sutProvider)
+    {
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+
+        organizationUserRepository.GetByIdAsync(orgUser.Id).Returns(orgUser);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.ConfirmUserAsync(orgUser.OrganizationId, orgUser.Id, key, confirmingUser.Id));
+        Assert.Contains("User not valid.", exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ConfirmUserAsync_WithWrongOrganization_ThrowsBadRequestException(OrganizationUser confirmingUser,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser, string key,
+        SutProvider<ConfirmOrganizationUserCommand> sutProvider)
+    {
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+
+        organizationUserRepository.GetByIdAsync(orgUser.Id).Returns(orgUser);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.ConfirmUserAsync(confirmingUser.OrganizationId, orgUser.Id, key, confirmingUser.Id));
+        Assert.Contains("User not valid.", exception.Message);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Admin)]
+    [BitAutoData(OrganizationUserType.Owner)]
+    public async Task ConfirmUserAsync_ToFree_WithExistingAdminOrOwner_ThrowsBadRequestException(OrganizationUserType userType, Organization org, OrganizationUser confirmingUser,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser, User user,
+        string key, SutProvider<ConfirmOrganizationUserCommand> sutProvider)
+    {
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        var userRepository = sutProvider.GetDependency<IUserRepository>();
+
+        org.PlanType = PlanType.Free;
+        orgUser.OrganizationId = confirmingUser.OrganizationId = org.Id;
+        orgUser.UserId = user.Id;
+        orgUser.Type = userType;
+        organizationUserRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { orgUser });
+        organizationUserRepository.GetCountByFreeOrganizationAdminUserAsync(orgUser.UserId.Value).Returns(1);
+        organizationRepository.GetByIdAsync(org.Id).Returns(org);
+        userRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { user });
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.ConfirmUserAsync(orgUser.OrganizationId, orgUser.Id, key, confirmingUser.Id));
+        Assert.Contains("User can only be an admin of one free organization.", exception.Message);
+    }
+
+    [Theory]
+    [BitAutoData(PlanType.Custom, OrganizationUserType.Admin)]
+    [BitAutoData(PlanType.Custom, OrganizationUserType.Owner)]
+    [BitAutoData(PlanType.EnterpriseAnnually, OrganizationUserType.Admin)]
+    [BitAutoData(PlanType.EnterpriseAnnually, OrganizationUserType.Owner)]
+    [BitAutoData(PlanType.EnterpriseAnnually2020, OrganizationUserType.Admin)]
+    [BitAutoData(PlanType.EnterpriseAnnually2020, OrganizationUserType.Owner)]
+    [BitAutoData(PlanType.EnterpriseAnnually2019, OrganizationUserType.Admin)]
+    [BitAutoData(PlanType.EnterpriseAnnually2019, OrganizationUserType.Owner)]
+    [BitAutoData(PlanType.EnterpriseMonthly, OrganizationUserType.Admin)]
+    [BitAutoData(PlanType.EnterpriseMonthly, OrganizationUserType.Owner)]
+    [BitAutoData(PlanType.EnterpriseMonthly2020, OrganizationUserType.Admin)]
+    [BitAutoData(PlanType.EnterpriseMonthly2020, OrganizationUserType.Owner)]
+    [BitAutoData(PlanType.EnterpriseMonthly2019, OrganizationUserType.Admin)]
+    [BitAutoData(PlanType.EnterpriseMonthly2019, OrganizationUserType.Owner)]
+    [BitAutoData(PlanType.FamiliesAnnually, OrganizationUserType.Admin)]
+    [BitAutoData(PlanType.FamiliesAnnually, OrganizationUserType.Owner)]
+    [BitAutoData(PlanType.FamiliesAnnually2019, OrganizationUserType.Admin)]
+    [BitAutoData(PlanType.FamiliesAnnually2019, OrganizationUserType.Owner)]
+    [BitAutoData(PlanType.TeamsAnnually, OrganizationUserType.Admin)]
+    [BitAutoData(PlanType.TeamsAnnually, OrganizationUserType.Owner)]
+    [BitAutoData(PlanType.TeamsAnnually2020, OrganizationUserType.Admin)]
+    [BitAutoData(PlanType.TeamsAnnually2020, OrganizationUserType.Owner)]
+    [BitAutoData(PlanType.TeamsAnnually2019, OrganizationUserType.Admin)]
+    [BitAutoData(PlanType.TeamsAnnually2019, OrganizationUserType.Owner)]
+    [BitAutoData(PlanType.TeamsMonthly, OrganizationUserType.Admin)]
+    [BitAutoData(PlanType.TeamsMonthly, OrganizationUserType.Owner)]
+    [BitAutoData(PlanType.TeamsMonthly2020, OrganizationUserType.Admin)]
+    [BitAutoData(PlanType.TeamsMonthly2020, OrganizationUserType.Owner)]
+    [BitAutoData(PlanType.TeamsMonthly2019, OrganizationUserType.Admin)]
+    [BitAutoData(PlanType.TeamsMonthly2019, OrganizationUserType.Owner)]
+    public async Task ConfirmUserAsync_ToNonFree_WithExistingFreeAdminOrOwner_Succeeds(PlanType planType, OrganizationUserType orgUserType, Organization org, OrganizationUser confirmingUser,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser, User user,
+        string key, SutProvider<ConfirmOrganizationUserCommand> sutProvider)
+    {
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        var userRepository = sutProvider.GetDependency<IUserRepository>();
+
+        org.PlanType = planType;
+        orgUser.OrganizationId = confirmingUser.OrganizationId = org.Id;
+        orgUser.UserId = user.Id;
+        orgUser.Type = orgUserType;
+        orgUser.AccessSecretsManager = false;
+        organizationUserRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { orgUser });
+        organizationUserRepository.GetCountByFreeOrganizationAdminUserAsync(orgUser.UserId.Value).Returns(1);
+        organizationRepository.GetByIdAsync(org.Id).Returns(org);
+        userRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { user });
+
+        await sutProvider.Sut.ConfirmUserAsync(orgUser.OrganizationId, orgUser.Id, key, confirmingUser.Id);
+
+        await sutProvider.GetDependency<IEventService>().Received(1).LogOrganizationUserEventAsync(orgUser, EventType.OrganizationUser_Confirmed);
+        await sutProvider.GetDependency<IMailService>().Received(1).SendOrganizationConfirmedEmailAsync(org.DisplayName(), user.Email);
+        await organizationUserRepository.Received(1).ReplaceManyAsync(Arg.Is<List<OrganizationUser>>(users => users.Contains(orgUser) && users.Count == 1));
+    }
+
+
+    [Theory, BitAutoData]
+    public async Task ConfirmUserAsync_AsUser_WithSingleOrgPolicyAppliedFromConfirmingOrg_ThrowsBadRequestException(Organization org, OrganizationUser confirmingUser,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser, User user,
+        OrganizationUser orgUserAnotherOrg, [OrganizationUserPolicyDetails(PolicyType.SingleOrg)] OrganizationUserPolicyDetails singleOrgPolicy,
+        string key, SutProvider<ConfirmOrganizationUserCommand> sutProvider)
+    {
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        var userRepository = sutProvider.GetDependency<IUserRepository>();
+        var policyService = sutProvider.GetDependency<IPolicyService>();
+
+        org.PlanType = PlanType.EnterpriseAnnually;
+        orgUser.Status = OrganizationUserStatusType.Accepted;
+        orgUser.OrganizationId = confirmingUser.OrganizationId = org.Id;
+        orgUser.UserId = orgUserAnotherOrg.UserId = user.Id;
+        organizationUserRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { orgUser });
+        organizationUserRepository.GetManyByManyUsersAsync(default).ReturnsForAnyArgs(new[] { orgUserAnotherOrg });
+        organizationRepository.GetByIdAsync(org.Id).Returns(org);
+        userRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { user });
+        singleOrgPolicy.OrganizationId = org.Id;
+        policyService.GetPoliciesApplicableToUserAsync(user.Id, PolicyType.SingleOrg).Returns(new[] { singleOrgPolicy });
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.ConfirmUserAsync(orgUser.OrganizationId, orgUser.Id, key, confirmingUser.Id));
+        Assert.Contains("Cannot confirm this member to the organization until they leave or remove all other organizations.", exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ConfirmUserAsync_AsUser_WithSingleOrgPolicyAppliedFromOtherOrg_ThrowsBadRequestException(Organization org, OrganizationUser confirmingUser,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser, User user,
+        OrganizationUser orgUserAnotherOrg, [OrganizationUserPolicyDetails(PolicyType.SingleOrg)] OrganizationUserPolicyDetails singleOrgPolicy,
+        string key, SutProvider<ConfirmOrganizationUserCommand> sutProvider)
+    {
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        var userRepository = sutProvider.GetDependency<IUserRepository>();
+        var policyService = sutProvider.GetDependency<IPolicyService>();
+
+        org.PlanType = PlanType.EnterpriseAnnually;
+        orgUser.Status = OrganizationUserStatusType.Accepted;
+        orgUser.OrganizationId = confirmingUser.OrganizationId = org.Id;
+        orgUser.UserId = orgUserAnotherOrg.UserId = user.Id;
+        organizationUserRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { orgUser });
+        organizationUserRepository.GetManyByManyUsersAsync(default).ReturnsForAnyArgs(new[] { orgUserAnotherOrg });
+        organizationRepository.GetByIdAsync(org.Id).Returns(org);
+        userRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { user });
+        singleOrgPolicy.OrganizationId = orgUserAnotherOrg.Id;
+        policyService.GetPoliciesApplicableToUserAsync(user.Id, PolicyType.SingleOrg).Returns(new[] { singleOrgPolicy });
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.ConfirmUserAsync(orgUser.OrganizationId, orgUser.Id, key, confirmingUser.Id));
+        Assert.Contains("Cannot confirm this member to the organization because they are in another organization which forbids it.", exception.Message);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Admin)]
+    [BitAutoData(OrganizationUserType.Owner)]
+    public async Task ConfirmUserAsync_AsOwnerOrAdmin_WithSingleOrgPolicy_ExcludedViaUserType_Success(
+        OrganizationUserType userType, Organization org, OrganizationUser confirmingUser,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser, User user,
+        OrganizationUser orgUserAnotherOrg,
+        string key, SutProvider<ConfirmOrganizationUserCommand> sutProvider)
+    {
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        var userRepository = sutProvider.GetDependency<IUserRepository>();
+
+        org.PlanType = PlanType.EnterpriseAnnually;
+        orgUser.Type = userType;
+        orgUser.Status = OrganizationUserStatusType.Accepted;
+        orgUser.OrganizationId = confirmingUser.OrganizationId = org.Id;
+        orgUser.UserId = orgUserAnotherOrg.UserId = user.Id;
+        orgUser.AccessSecretsManager = true;
+        organizationUserRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { orgUser });
+        organizationUserRepository.GetManyByManyUsersAsync(default).ReturnsForAnyArgs(new[] { orgUserAnotherOrg });
+        organizationRepository.GetByIdAsync(org.Id).Returns(org);
+        userRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { user });
+
+        await sutProvider.Sut.ConfirmUserAsync(orgUser.OrganizationId, orgUser.Id, key, confirmingUser.Id);
+
+        await sutProvider.GetDependency<IEventService>().Received(1).LogOrganizationUserEventAsync(orgUser, EventType.OrganizationUser_Confirmed);
+        await sutProvider.GetDependency<IMailService>().Received(1).SendOrganizationConfirmedEmailAsync(org.DisplayName(), user.Email, true);
+        await organizationUserRepository.Received(1).ReplaceManyAsync(Arg.Is<List<OrganizationUser>>(users => users.Contains(orgUser) && users.Count == 1));
+    }
+
+    [Theory, BitAutoData]
+    public async Task ConfirmUserAsync_WithTwoFactorPolicyAndTwoFactorDisabled_ThrowsBadRequestException(Organization org, OrganizationUser confirmingUser,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser, User user,
+        OrganizationUser orgUserAnotherOrg,
+        [OrganizationUserPolicyDetails(PolicyType.TwoFactorAuthentication)] OrganizationUserPolicyDetails twoFactorPolicy,
+        string key, SutProvider<ConfirmOrganizationUserCommand> sutProvider)
+    {
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        var userRepository = sutProvider.GetDependency<IUserRepository>();
+        var policyService = sutProvider.GetDependency<IPolicyService>();
+        var twoFactorIsEnabledQuery = sutProvider.GetDependency<ITwoFactorIsEnabledQuery>();
+
+        org.PlanType = PlanType.EnterpriseAnnually;
+        orgUser.OrganizationId = confirmingUser.OrganizationId = org.Id;
+        orgUser.UserId = orgUserAnotherOrg.UserId = user.Id;
+        organizationUserRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { orgUser });
+        organizationUserRepository.GetManyByManyUsersAsync(default).ReturnsForAnyArgs(new[] { orgUserAnotherOrg });
+        organizationRepository.GetByIdAsync(org.Id).Returns(org);
+        userRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { user });
+        twoFactorPolicy.OrganizationId = org.Id;
+        policyService.GetPoliciesApplicableToUserAsync(user.Id, PolicyType.TwoFactorAuthentication).Returns(new[] { twoFactorPolicy });
+        twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(user.Id)))
+            .Returns(new List<(Guid userId, bool twoFactorIsEnabled)>() { (user.Id, false) });
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.ConfirmUserAsync(orgUser.OrganizationId, orgUser.Id, key, confirmingUser.Id));
+        Assert.Contains("User does not have two-step login enabled.", exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ConfirmUserAsync_WithTwoFactorPolicyAndTwoFactorEnabled_Succeeds(Organization org, OrganizationUser confirmingUser,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser, User user,
+        [OrganizationUserPolicyDetails(PolicyType.TwoFactorAuthentication)] OrganizationUserPolicyDetails twoFactorPolicy,
+        string key, SutProvider<ConfirmOrganizationUserCommand> sutProvider)
+    {
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        var userRepository = sutProvider.GetDependency<IUserRepository>();
+        var policyService = sutProvider.GetDependency<IPolicyService>();
+        var twoFactorIsEnabledQuery = sutProvider.GetDependency<ITwoFactorIsEnabledQuery>();
+
+        org.PlanType = PlanType.EnterpriseAnnually;
+        orgUser.OrganizationId = confirmingUser.OrganizationId = org.Id;
+        orgUser.UserId = user.Id;
+        organizationUserRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { orgUser });
+        organizationRepository.GetByIdAsync(org.Id).Returns(org);
+        userRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { user });
+        twoFactorPolicy.OrganizationId = org.Id;
+        policyService.GetPoliciesApplicableToUserAsync(user.Id, PolicyType.TwoFactorAuthentication).Returns(new[] { twoFactorPolicy });
+        twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(user.Id)))
+            .Returns(new List<(Guid userId, bool twoFactorIsEnabled)>() { (user.Id, true) });
+
+        await sutProvider.Sut.ConfirmUserAsync(orgUser.OrganizationId, orgUser.Id, key, confirmingUser.Id);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ConfirmUsersAsync_WithMultipleUsers_ReturnsExpectedMixedResults(Organization org,
+        OrganizationUser confirmingUser,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser1,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser2,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser3,
+        OrganizationUser anotherOrgUser, User user1, User user2, User user3,
+        [OrganizationUserPolicyDetails(PolicyType.TwoFactorAuthentication)] OrganizationUserPolicyDetails twoFactorPolicy,
+        [OrganizationUserPolicyDetails(PolicyType.SingleOrg)] OrganizationUserPolicyDetails singleOrgPolicy,
+        string key, SutProvider<ConfirmOrganizationUserCommand> sutProvider)
+    {
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        var userRepository = sutProvider.GetDependency<IUserRepository>();
+        var policyService = sutProvider.GetDependency<IPolicyService>();
+        var twoFactorIsEnabledQuery = sutProvider.GetDependency<ITwoFactorIsEnabledQuery>();
+
+        org.PlanType = PlanType.EnterpriseAnnually;
+        orgUser1.OrganizationId = orgUser2.OrganizationId = orgUser3.OrganizationId = confirmingUser.OrganizationId = org.Id;
+        orgUser1.UserId = user1.Id;
+        orgUser2.UserId = user2.Id;
+        orgUser3.UserId = user3.Id;
+        anotherOrgUser.UserId = user3.Id;
+        var orgUsers = new[] { orgUser1, orgUser2, orgUser3 };
+        organizationUserRepository.GetManyAsync(default).ReturnsForAnyArgs(orgUsers);
+        organizationRepository.GetByIdAsync(org.Id).Returns(org);
+        userRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { user1, user2, user3 });
+        twoFactorPolicy.OrganizationId = org.Id;
+        policyService.GetPoliciesApplicableToUserAsync(Arg.Any<Guid>(), PolicyType.TwoFactorAuthentication).Returns(new[] { twoFactorPolicy });
+        twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(user1.Id) && ids.Contains(user2.Id) && ids.Contains(user3.Id)))
+            .Returns(new List<(Guid userId, bool twoFactorIsEnabled)>()
+            {
+                (user1.Id, true),
+                (user2.Id, false),
+                (user3.Id, true)
+            });
+        singleOrgPolicy.OrganizationId = org.Id;
+        policyService.GetPoliciesApplicableToUserAsync(user3.Id, PolicyType.SingleOrg)
+            .Returns(new[] { singleOrgPolicy });
+        organizationUserRepository.GetManyByManyUsersAsync(default)
+            .ReturnsForAnyArgs(new[] { orgUser1, orgUser2, orgUser3, anotherOrgUser });
+
+        var keys = orgUsers.ToDictionary(ou => ou.Id, _ => key);
+        var result = await sutProvider.Sut.ConfirmUsersAsync(confirmingUser.OrganizationId, keys, confirmingUser.Id);
+        Assert.Contains("", result[0].Item2);
+        Assert.Contains("User does not have two-step login enabled.", result[1].Item2);
+        Assert.Contains("Cannot confirm this member to the organization until they leave or remove all other organizations.", result[2].Item2);
+    }
+}
diff --git a/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs b/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
index 4c42fdfeb9..82dc0e2ebe 100644
--- a/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
+++ b/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
@@ -24,7 +24,6 @@ using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
-using Bit.Core.Test.AdminConsole.AutoFixture;
 using Bit.Core.Test.AutoFixture.OrganizationFixtures;
 using Bit.Core.Test.AutoFixture.OrganizationUserFixtures;
 using Bit.Core.Tokens;
@@ -978,306 +977,6 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
         sutProvider.GetDependency<ICurrentContext>().ManageUsers(organization.Id).Returns(true);
     }
 
-    [Theory, BitAutoData]
-    public async Task ConfirmUser_InvalidStatus(OrganizationUser confirmingUser,
-        [OrganizationUser(OrganizationUserStatusType.Invited)] OrganizationUser orgUser, string key,
-        SutProvider<OrganizationService> sutProvider)
-    {
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-
-        organizationUserRepository.GetByIdAsync(orgUser.Id).Returns(orgUser);
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.ConfirmUserAsync(orgUser.OrganizationId, orgUser.Id, key, confirmingUser.Id));
-        Assert.Contains("User not valid.", exception.Message);
-    }
-
-    [Theory, BitAutoData]
-    public async Task ConfirmUser_WrongOrganization(OrganizationUser confirmingUser,
-        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser, string key,
-        SutProvider<OrganizationService> sutProvider)
-    {
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-
-        organizationUserRepository.GetByIdAsync(orgUser.Id).Returns(orgUser);
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.ConfirmUserAsync(confirmingUser.OrganizationId, orgUser.Id, key, confirmingUser.Id));
-        Assert.Contains("User not valid.", exception.Message);
-    }
-
-    [Theory]
-    [BitAutoData(OrganizationUserType.Admin)]
-    [BitAutoData(OrganizationUserType.Owner)]
-    public async Task ConfirmUserToFree_AlreadyFreeAdminOrOwner_Throws(OrganizationUserType userType, Organization org, OrganizationUser confirmingUser,
-        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser, User user,
-        string key, SutProvider<OrganizationService> sutProvider)
-    {
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
-        var userRepository = sutProvider.GetDependency<IUserRepository>();
-
-        org.PlanType = PlanType.Free;
-        orgUser.OrganizationId = confirmingUser.OrganizationId = org.Id;
-        orgUser.UserId = user.Id;
-        orgUser.Type = userType;
-        organizationUserRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { orgUser });
-        organizationUserRepository.GetCountByFreeOrganizationAdminUserAsync(orgUser.UserId.Value).Returns(1);
-        organizationRepository.GetByIdAsync(org.Id).Returns(org);
-        userRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { user });
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.ConfirmUserAsync(orgUser.OrganizationId, orgUser.Id, key, confirmingUser.Id));
-        Assert.Contains("User can only be an admin of one free organization.", exception.Message);
-    }
-
-    [Theory]
-    [BitAutoData(PlanType.Custom, OrganizationUserType.Admin)]
-    [BitAutoData(PlanType.Custom, OrganizationUserType.Owner)]
-    [BitAutoData(PlanType.EnterpriseAnnually, OrganizationUserType.Admin)]
-    [BitAutoData(PlanType.EnterpriseAnnually, OrganizationUserType.Owner)]
-    [BitAutoData(PlanType.EnterpriseAnnually2020, OrganizationUserType.Admin)]
-    [BitAutoData(PlanType.EnterpriseAnnually2020, OrganizationUserType.Owner)]
-    [BitAutoData(PlanType.EnterpriseAnnually2019, OrganizationUserType.Admin)]
-    [BitAutoData(PlanType.EnterpriseAnnually2019, OrganizationUserType.Owner)]
-    [BitAutoData(PlanType.EnterpriseMonthly, OrganizationUserType.Admin)]
-    [BitAutoData(PlanType.EnterpriseMonthly, OrganizationUserType.Owner)]
-    [BitAutoData(PlanType.EnterpriseMonthly2020, OrganizationUserType.Admin)]
-    [BitAutoData(PlanType.EnterpriseMonthly2020, OrganizationUserType.Owner)]
-    [BitAutoData(PlanType.EnterpriseMonthly2019, OrganizationUserType.Admin)]
-    [BitAutoData(PlanType.EnterpriseMonthly2019, OrganizationUserType.Owner)]
-    [BitAutoData(PlanType.FamiliesAnnually, OrganizationUserType.Admin)]
-    [BitAutoData(PlanType.FamiliesAnnually, OrganizationUserType.Owner)]
-    [BitAutoData(PlanType.FamiliesAnnually2019, OrganizationUserType.Admin)]
-    [BitAutoData(PlanType.FamiliesAnnually2019, OrganizationUserType.Owner)]
-    [BitAutoData(PlanType.TeamsAnnually, OrganizationUserType.Admin)]
-    [BitAutoData(PlanType.TeamsAnnually, OrganizationUserType.Owner)]
-    [BitAutoData(PlanType.TeamsAnnually2020, OrganizationUserType.Admin)]
-    [BitAutoData(PlanType.TeamsAnnually2020, OrganizationUserType.Owner)]
-    [BitAutoData(PlanType.TeamsAnnually2019, OrganizationUserType.Admin)]
-    [BitAutoData(PlanType.TeamsAnnually2019, OrganizationUserType.Owner)]
-    [BitAutoData(PlanType.TeamsMonthly, OrganizationUserType.Admin)]
-    [BitAutoData(PlanType.TeamsMonthly, OrganizationUserType.Owner)]
-    [BitAutoData(PlanType.TeamsMonthly2020, OrganizationUserType.Admin)]
-    [BitAutoData(PlanType.TeamsMonthly2020, OrganizationUserType.Owner)]
-    [BitAutoData(PlanType.TeamsMonthly2019, OrganizationUserType.Admin)]
-    [BitAutoData(PlanType.TeamsMonthly2019, OrganizationUserType.Owner)]
-    public async Task ConfirmUserToNonFree_AlreadyFreeAdminOrOwner_DoesNotThrow(PlanType planType, OrganizationUserType orgUserType, Organization org, OrganizationUser confirmingUser,
-        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser, User user,
-        string key, SutProvider<OrganizationService> sutProvider)
-    {
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
-        var userRepository = sutProvider.GetDependency<IUserRepository>();
-
-        org.PlanType = planType;
-        orgUser.OrganizationId = confirmingUser.OrganizationId = org.Id;
-        orgUser.UserId = user.Id;
-        orgUser.Type = orgUserType;
-        orgUser.AccessSecretsManager = false;
-        organizationUserRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { orgUser });
-        organizationUserRepository.GetCountByFreeOrganizationAdminUserAsync(orgUser.UserId.Value).Returns(1);
-        organizationRepository.GetByIdAsync(org.Id).Returns(org);
-        userRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { user });
-
-        await sutProvider.Sut.ConfirmUserAsync(orgUser.OrganizationId, orgUser.Id, key, confirmingUser.Id);
-
-        await sutProvider.GetDependency<IEventService>().Received(1).LogOrganizationUserEventAsync(orgUser, EventType.OrganizationUser_Confirmed);
-        await sutProvider.GetDependency<IMailService>().Received(1).SendOrganizationConfirmedEmailAsync(org.DisplayName(), user.Email);
-        await organizationUserRepository.Received(1).ReplaceManyAsync(Arg.Is<List<OrganizationUser>>(users => users.Contains(orgUser) && users.Count == 1));
-    }
-
-
-    [Theory, BitAutoData]
-    public async Task ConfirmUser_AsUser_SingleOrgPolicy_AppliedFromConfirmingOrg_Throws(Organization org, OrganizationUser confirmingUser,
-        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser, User user,
-        OrganizationUser orgUserAnotherOrg, [OrganizationUserPolicyDetails(PolicyType.SingleOrg)] OrganizationUserPolicyDetails singleOrgPolicy,
-        string key, SutProvider<OrganizationService> sutProvider)
-    {
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
-        var userRepository = sutProvider.GetDependency<IUserRepository>();
-        var policyService = sutProvider.GetDependency<IPolicyService>();
-
-        org.PlanType = PlanType.EnterpriseAnnually;
-        orgUser.Status = OrganizationUserStatusType.Accepted;
-        orgUser.OrganizationId = confirmingUser.OrganizationId = org.Id;
-        orgUser.UserId = orgUserAnotherOrg.UserId = user.Id;
-        organizationUserRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { orgUser });
-        organizationUserRepository.GetManyByManyUsersAsync(default).ReturnsForAnyArgs(new[] { orgUserAnotherOrg });
-        organizationRepository.GetByIdAsync(org.Id).Returns(org);
-        userRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { user });
-        singleOrgPolicy.OrganizationId = org.Id;
-        policyService.GetPoliciesApplicableToUserAsync(user.Id, PolicyType.SingleOrg).Returns(new[] { singleOrgPolicy });
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.ConfirmUserAsync(orgUser.OrganizationId, orgUser.Id, key, confirmingUser.Id));
-        Assert.Contains("Cannot confirm this member to the organization until they leave or remove all other organizations.", exception.Message);
-    }
-
-    [Theory, BitAutoData]
-    public async Task ConfirmUser_AsUser_SingleOrgPolicy_AppliedFromOtherOrg_Throws(Organization org, OrganizationUser confirmingUser,
-        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser, User user,
-        OrganizationUser orgUserAnotherOrg, [OrganizationUserPolicyDetails(PolicyType.SingleOrg)] OrganizationUserPolicyDetails singleOrgPolicy,
-        string key, SutProvider<OrganizationService> sutProvider)
-    {
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
-        var userRepository = sutProvider.GetDependency<IUserRepository>();
-        var policyService = sutProvider.GetDependency<IPolicyService>();
-
-        org.PlanType = PlanType.EnterpriseAnnually;
-        orgUser.Status = OrganizationUserStatusType.Accepted;
-        orgUser.OrganizationId = confirmingUser.OrganizationId = org.Id;
-        orgUser.UserId = orgUserAnotherOrg.UserId = user.Id;
-        organizationUserRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { orgUser });
-        organizationUserRepository.GetManyByManyUsersAsync(default).ReturnsForAnyArgs(new[] { orgUserAnotherOrg });
-        organizationRepository.GetByIdAsync(org.Id).Returns(org);
-        userRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { user });
-        singleOrgPolicy.OrganizationId = orgUserAnotherOrg.Id;
-        policyService.GetPoliciesApplicableToUserAsync(user.Id, PolicyType.SingleOrg).Returns(new[] { singleOrgPolicy });
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.ConfirmUserAsync(orgUser.OrganizationId, orgUser.Id, key, confirmingUser.Id));
-        Assert.Contains("Cannot confirm this member to the organization because they are in another organization which forbids it.", exception.Message);
-    }
-
-    [Theory]
-    [BitAutoData(OrganizationUserType.Admin)]
-    [BitAutoData(OrganizationUserType.Owner)]
-    public async Task ConfirmUser_AsOwnerOrAdmin_SingleOrgPolicy_ExcludedViaUserType_Success(
-        OrganizationUserType userType, Organization org, OrganizationUser confirmingUser,
-        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser, User user,
-        OrganizationUser orgUserAnotherOrg,
-        string key, SutProvider<OrganizationService> sutProvider)
-    {
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
-        var userRepository = sutProvider.GetDependency<IUserRepository>();
-
-        org.PlanType = PlanType.EnterpriseAnnually;
-        orgUser.Type = userType;
-        orgUser.Status = OrganizationUserStatusType.Accepted;
-        orgUser.OrganizationId = confirmingUser.OrganizationId = org.Id;
-        orgUser.UserId = orgUserAnotherOrg.UserId = user.Id;
-        orgUser.AccessSecretsManager = true;
-        organizationUserRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { orgUser });
-        organizationUserRepository.GetManyByManyUsersAsync(default).ReturnsForAnyArgs(new[] { orgUserAnotherOrg });
-        organizationRepository.GetByIdAsync(org.Id).Returns(org);
-        userRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { user });
-
-        await sutProvider.Sut.ConfirmUserAsync(orgUser.OrganizationId, orgUser.Id, key, confirmingUser.Id);
-
-        await sutProvider.GetDependency<IEventService>().Received(1).LogOrganizationUserEventAsync(orgUser, EventType.OrganizationUser_Confirmed);
-        await sutProvider.GetDependency<IMailService>().Received(1).SendOrganizationConfirmedEmailAsync(org.DisplayName(), user.Email, true);
-        await organizationUserRepository.Received(1).ReplaceManyAsync(Arg.Is<List<OrganizationUser>>(users => users.Contains(orgUser) && users.Count == 1));
-    }
-
-    [Theory, BitAutoData]
-    public async Task ConfirmUser_TwoFactorPolicy_NotEnabled_Throws(Organization org, OrganizationUser confirmingUser,
-        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser, User user,
-        OrganizationUser orgUserAnotherOrg,
-        [OrganizationUserPolicyDetails(PolicyType.TwoFactorAuthentication)] OrganizationUserPolicyDetails twoFactorPolicy,
-        string key, SutProvider<OrganizationService> sutProvider)
-    {
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
-        var userRepository = sutProvider.GetDependency<IUserRepository>();
-        var policyService = sutProvider.GetDependency<IPolicyService>();
-        var twoFactorIsEnabledQuery = sutProvider.GetDependency<ITwoFactorIsEnabledQuery>();
-
-        org.PlanType = PlanType.EnterpriseAnnually;
-        orgUser.OrganizationId = confirmingUser.OrganizationId = org.Id;
-        orgUser.UserId = orgUserAnotherOrg.UserId = user.Id;
-        organizationUserRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { orgUser });
-        organizationUserRepository.GetManyByManyUsersAsync(default).ReturnsForAnyArgs(new[] { orgUserAnotherOrg });
-        organizationRepository.GetByIdAsync(org.Id).Returns(org);
-        userRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { user });
-        twoFactorPolicy.OrganizationId = org.Id;
-        policyService.GetPoliciesApplicableToUserAsync(user.Id, PolicyType.TwoFactorAuthentication).Returns(new[] { twoFactorPolicy });
-        twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(user.Id)))
-            .Returns(new List<(Guid userId, bool twoFactorIsEnabled)>() { (user.Id, false) });
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.ConfirmUserAsync(orgUser.OrganizationId, orgUser.Id, key, confirmingUser.Id));
-        Assert.Contains("User does not have two-step login enabled.", exception.Message);
-    }
-
-    [Theory, BitAutoData]
-    public async Task ConfirmUser_TwoFactorPolicy_Enabled_Success(Organization org, OrganizationUser confirmingUser,
-        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser, User user,
-        [OrganizationUserPolicyDetails(PolicyType.TwoFactorAuthentication)] OrganizationUserPolicyDetails twoFactorPolicy,
-        string key, SutProvider<OrganizationService> sutProvider)
-    {
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
-        var userRepository = sutProvider.GetDependency<IUserRepository>();
-        var policyService = sutProvider.GetDependency<IPolicyService>();
-        var twoFactorIsEnabledQuery = sutProvider.GetDependency<ITwoFactorIsEnabledQuery>();
-
-        org.PlanType = PlanType.EnterpriseAnnually;
-        orgUser.OrganizationId = confirmingUser.OrganizationId = org.Id;
-        orgUser.UserId = user.Id;
-        organizationUserRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { orgUser });
-        organizationRepository.GetByIdAsync(org.Id).Returns(org);
-        userRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { user });
-        twoFactorPolicy.OrganizationId = org.Id;
-        policyService.GetPoliciesApplicableToUserAsync(user.Id, PolicyType.TwoFactorAuthentication).Returns(new[] { twoFactorPolicy });
-        twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(user.Id)))
-            .Returns(new List<(Guid userId, bool twoFactorIsEnabled)>() { (user.Id, true) });
-
-        await sutProvider.Sut.ConfirmUserAsync(orgUser.OrganizationId, orgUser.Id, key, confirmingUser.Id);
-    }
-
-    [Theory, BitAutoData]
-    public async Task ConfirmUsers_Success(Organization org,
-        OrganizationUser confirmingUser,
-        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser1,
-        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser2,
-        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser orgUser3,
-        OrganizationUser anotherOrgUser, User user1, User user2, User user3,
-        [OrganizationUserPolicyDetails(PolicyType.TwoFactorAuthentication)] OrganizationUserPolicyDetails twoFactorPolicy,
-        [OrganizationUserPolicyDetails(PolicyType.SingleOrg)] OrganizationUserPolicyDetails singleOrgPolicy,
-        string key, SutProvider<OrganizationService> sutProvider)
-    {
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
-        var userRepository = sutProvider.GetDependency<IUserRepository>();
-        var policyService = sutProvider.GetDependency<IPolicyService>();
-        var twoFactorIsEnabledQuery = sutProvider.GetDependency<ITwoFactorIsEnabledQuery>();
-
-        org.PlanType = PlanType.EnterpriseAnnually;
-        orgUser1.OrganizationId = orgUser2.OrganizationId = orgUser3.OrganizationId = confirmingUser.OrganizationId = org.Id;
-        orgUser1.UserId = user1.Id;
-        orgUser2.UserId = user2.Id;
-        orgUser3.UserId = user3.Id;
-        anotherOrgUser.UserId = user3.Id;
-        var orgUsers = new[] { orgUser1, orgUser2, orgUser3 };
-        organizationUserRepository.GetManyAsync(default).ReturnsForAnyArgs(orgUsers);
-        organizationRepository.GetByIdAsync(org.Id).Returns(org);
-        userRepository.GetManyAsync(default).ReturnsForAnyArgs(new[] { user1, user2, user3 });
-        twoFactorPolicy.OrganizationId = org.Id;
-        policyService.GetPoliciesApplicableToUserAsync(Arg.Any<Guid>(), PolicyType.TwoFactorAuthentication).Returns(new[] { twoFactorPolicy });
-        twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(user1.Id) && ids.Contains(user2.Id) && ids.Contains(user3.Id)))
-            .Returns(new List<(Guid userId, bool twoFactorIsEnabled)>()
-            {
-                (user1.Id, true),
-                (user2.Id, false),
-                (user3.Id, true)
-            });
-        singleOrgPolicy.OrganizationId = org.Id;
-        policyService.GetPoliciesApplicableToUserAsync(user3.Id, PolicyType.SingleOrg)
-            .Returns(new[] { singleOrgPolicy });
-        organizationUserRepository.GetManyByManyUsersAsync(default)
-            .ReturnsForAnyArgs(new[] { orgUser1, orgUser2, orgUser3, anotherOrgUser });
-
-        var keys = orgUsers.ToDictionary(ou => ou.Id, _ => key);
-        var result = await sutProvider.Sut.ConfirmUsersAsync(confirmingUser.OrganizationId, keys, confirmingUser.Id);
-        Assert.Contains("", result[0].Item2);
-        Assert.Contains("User does not have two-step login enabled.", result[1].Item2);
-        Assert.Contains("Cannot confirm this member to the organization until they leave or remove all other organizations.", result[2].Item2);
-    }
-
     [Theory, BitAutoData]
     public async Task UpdateOrganizationKeysAsync_WithoutManageResetPassword_Throws(Guid orgId, string publicKey,
         string privateKey, SutProvider<OrganizationService> sutProvider)

From efd33c3301e0c526172ef8212e6a94edf4b9c887 Mon Sep 17 00:00:00 2001
From: Addison Beck <addison@bitwarden.com>
Date: Mon, 24 Mar 2025 13:33:51 -0400
Subject: [PATCH 113/184] chore: set correct version for upcoming scheduled
 release (#5550)

---
 Directory.Build.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index b9b8cf557a..2ede6ad8d1 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.3.6</Version>
+    <Version>2025.3.3</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>

From f1a9545a0082e00cf6f3745543fa7c3b6ca00678 Mon Sep 17 00:00:00 2001
From: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Date: Mon, 24 Mar 2025 13:48:20 -0400
Subject: [PATCH 114/184] Remove unneeded exclusions (#5478)

---
 src/Billing/Billing.csproj                             | 2 --
 src/Core/Core.csproj                                   | 2 +-
 src/Infrastructure.Dapper/Infrastructure.Dapper.csproj | 2 +-
 3 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/Billing/Billing.csproj b/src/Billing/Billing.csproj
index 50e372791f..f32eccfe8c 100644
--- a/src/Billing/Billing.csproj
+++ b/src/Billing/Billing.csproj
@@ -3,8 +3,6 @@
   <PropertyGroup>
     <UserSecretsId>bitwarden-Billing</UserSecretsId>
     <MvcRazorCompileOnPublish>false</MvcRazorCompileOnPublish>
-    <!-- Temp exclusions until warnings are fixed -->
-    <WarningsNotAsErrors>$(WarningsNotAsErrors);CS9113</WarningsNotAsErrors>
   </PropertyGroup>
 
   <PropertyGroup Condition=" '$(RunConfiguration)' == 'Billing' " />
diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index 2a3edcdc00..ea72f3c785 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -4,7 +4,7 @@
     <GenerateUserSecretsAttribute>false</GenerateUserSecretsAttribute>
     <DocumentationFile>bin\$(Configuration)\$(TargetFramework)\$(AssemblyName).xml</DocumentationFile>
     <!-- Temp exclusions until warnings are fixed -->
-    <WarningsNotAsErrors>$(WarningsNotAsErrors);CS1570;CS1574;CS8602;CS9113;CS1998;CS8604</WarningsNotAsErrors>
+    <WarningsNotAsErrors>$(WarningsNotAsErrors);CS1570;CS1574;CS9113;CS1998</WarningsNotAsErrors>
   </PropertyGroup>
 
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|AnyCPU'">
diff --git a/src/Infrastructure.Dapper/Infrastructure.Dapper.csproj b/src/Infrastructure.Dapper/Infrastructure.Dapper.csproj
index 19512670ce..c51af39824 100644
--- a/src/Infrastructure.Dapper/Infrastructure.Dapper.csproj
+++ b/src/Infrastructure.Dapper/Infrastructure.Dapper.csproj
@@ -2,7 +2,7 @@
 
     <PropertyGroup>
       <!-- Temp exclusions until warnings are fixed -->
-      <WarningsNotAsErrors>$(WarningsNotAsErrors);CS8618;CS4014</WarningsNotAsErrors>
+      <WarningsNotAsErrors>$(WarningsNotAsErrors);CS8618</WarningsNotAsErrors>
     </PropertyGroup>
 
     <ItemGroup>

From 229aecb55cb7ebf5450feb2d0459266384405e1a Mon Sep 17 00:00:00 2001
From: Matt Andreko <mandreko@bitwarden.com>
Date: Mon, 24 Mar 2025 14:20:42 -0400
Subject: [PATCH 115/184] Update SARIF upload to use proper branch (#5534)

---
 .github/workflows/build.yml | 2 ++
 .github/workflows/scan.yml  | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3b96eeb468..8f125b7811 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -317,6 +317,8 @@ jobs:
         uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
         with:
           sarif_file: ${{ steps.container-scan.outputs.sarif }}
+          sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
+          ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
 
   upload:
     name: Upload
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 1fa5c9587c..fe88782e35 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -49,6 +49,8 @@ jobs:
         uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
         with:
           sarif_file: cx_result.sarif
+          sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
+          ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
 
   quality:
     name: Quality scan

From 653b12a73171f6ec3663d91803cef03ba87ca3f0 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Mon, 24 Mar 2025 17:46:10 -0400
Subject: [PATCH 116/184] Fix Git hash

---
 Directory.Build.props | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index 2ede6ad8d1..1cdb29febb 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -56,16 +56,11 @@
     This section is for getting & setting the gitHash value, which can easily be accessed
     via the Core.Utilities.AssemblyHelpers class.
   -->
-  <Target Name="SetSourceRevisionId" BeforeTargets="CoreGenerateAssemblyInfo">
-    <Exec Command="git describe --long --always --dirty --exclude=* --abbrev=8" ConsoleToMSBuild="True" IgnoreExitCode="False">
-      <Output PropertyName="SourceRevisionId" TaskParameter="ConsoleOutput"/>
-    </Exec>
-  </Target>
-  <Target Name="WriteRevision" AfterTargets="SetSourceRevisionId">
+  <Target Name="WriteRevision" BeforeTargets="CoreGenerateAssemblyInfo">
     <ItemGroup>
       <AssemblyAttribute Include="System.Reflection.AssemblyMetadataAttribute">
         <_Parameter1>GitHash</_Parameter1>
-        <_Parameter2>$(SourceRevisionId)</_Parameter2>
+        <_Parameter2>HASH_HERE</_Parameter2>
       </AssemblyAttribute>
     </ItemGroup>
   </Target>

From 5797b78843d08c9cb12c784d6fc48417632bc5da Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Mon, 24 Mar 2025 17:48:25 -0400
Subject: [PATCH 117/184] Set hash

---
 .github/workflows/build.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 212f86b4fa..1e8ed9b9f9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -95,6 +95,15 @@ jobs:
           else
             echo "is_publish_branch=false" >> $GITHUB_ENV
           fi
+      
+      - name: Set SourceRevisionId
+        run: |
+          GIT_HASH=$(git describe --long --always --dirty --exclude='*' --abbrev=8)
+          echo "GitHash: ${GIT_HASH}"
+
+          sed -i 's/HASH_HERE/$GIT_HASH/' Directory.Build.props
+          cat Directory.Build.props
+          exit 1
 
       ########## Set up Docker ##########
       - name: Set up QEMU emulators

From 11ac3cde889de878114d4fd7f50c52cf6118bbbd Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Mon, 24 Mar 2025 17:58:42 -0400
Subject: [PATCH 118/184] Change single-quotes to double-quotes

---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1e8ed9b9f9..cfd426e088 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -101,7 +101,7 @@ jobs:
           GIT_HASH=$(git describe --long --always --dirty --exclude='*' --abbrev=8)
           echo "GitHash: ${GIT_HASH}"
 
-          sed -i 's/HASH_HERE/$GIT_HASH/' Directory.Build.props
+          sed -i "s/HASH_HERE/$GIT_HASH/" Directory.Build.props
           cat Directory.Build.props
           exit 1
 

From b6cfcf12f6287ec095803ab3be14d52d8d004fc8 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Mon, 24 Mar 2025 18:05:02 -0400
Subject: [PATCH 119/184] Test full build

---
 .github/workflows/build.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index cfd426e088..73d082b9d8 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -103,7 +103,6 @@ jobs:
 
           sed -i "s/HASH_HERE/$GIT_HASH/" Directory.Build.props
           cat Directory.Build.props
-          exit 1
 
       ########## Set up Docker ##########
       - name: Set up QEMU emulators

From 7ca10c4072d8229fd633d62a8189ddb58b1684ba Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Tue, 25 Mar 2025 10:00:10 -0400
Subject: [PATCH 120/184] Remove copy directive for git folder

---
 bitwarden_license/src/Scim/Dockerfile | 1 -
 bitwarden_license/src/Sso/Dockerfile  | 1 -
 src/Admin/Dockerfile                  | 1 -
 src/Api/Dockerfile                    | 1 -
 src/Billing/Dockerfile                | 1 -
 src/Events/Dockerfile                 | 1 -
 src/EventsProcessor/Dockerfile        | 1 -
 src/Icons/Dockerfile                  | 1 -
 src/Identity/Dockerfile               | 1 -
 src/Notifications/Dockerfile          | 1 -
 util/Attachments/Dockerfile           | 1 -
 util/MsSqlMigratorUtility/Dockerfile  | 1 -
 util/Setup/Dockerfile                 | 1 -
 13 files changed, 13 deletions(-)

diff --git a/bitwarden_license/src/Scim/Dockerfile b/bitwarden_license/src/Scim/Dockerfile
index 9aa08e880e..1d01ffa07c 100644
--- a/bitwarden_license/src/Scim/Dockerfile
+++ b/bitwarden_license/src/Scim/Dockerfile
@@ -38,7 +38,6 @@ COPY src/Core/. ./src/Core/
 COPY src/Infrastructure.Dapper/. ./src/Infrastructure.Dapper/
 COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
-COPY .git/. ./.git/
 
 # Build project
 WORKDIR /source/bitwarden_license/src/Scim
diff --git a/bitwarden_license/src/Sso/Dockerfile b/bitwarden_license/src/Sso/Dockerfile
index 9de0519605..fc58c334c4 100644
--- a/bitwarden_license/src/Sso/Dockerfile
+++ b/bitwarden_license/src/Sso/Dockerfile
@@ -55,7 +55,6 @@ COPY src/Core/. ./src/Core/
 COPY src/Infrastructure.Dapper/. ./src/Infrastructure.Dapper/
 COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
-COPY .git/. ./.git/
 
 # Build project
 WORKDIR /source/bitwarden_license/src/Sso
diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index 68a147b7cc..2e3b550387 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -74,7 +74,6 @@ COPY util/SqliteMigrations/. ./util/SqliteMigrations/
 COPY util/EfShared/. ./util/EfShared/
 COPY bitwarden_license/src/Commercial.Core/. ./bitwarden_license/src/Commercial.Core/
 COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/. ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
-COPY .git/. ./.git/
 
 # Build project
 WORKDIR /source/src/Admin
diff --git a/src/Api/Dockerfile b/src/Api/Dockerfile
index 53ef5e849c..63f5cdb1f8 100644
--- a/src/Api/Dockerfile
+++ b/src/Api/Dockerfile
@@ -42,7 +42,6 @@ COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
 COPY bitwarden_license/src/Commercial.Core/. ./bitwarden_license/src/Commercial.Core/
 COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/. ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
-COPY .git/. ./.git/
 
 # Build project
 WORKDIR /source/src/Api
diff --git a/src/Billing/Dockerfile b/src/Billing/Dockerfile
index 11b1539a11..cc327eaa64 100644
--- a/src/Billing/Dockerfile
+++ b/src/Billing/Dockerfile
@@ -38,7 +38,6 @@ COPY src/Core/. ./src/Core/
 COPY src/Infrastructure.Dapper/. ./src/Infrastructure.Dapper/
 COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
-COPY .git/. ./.git/
 
 # Build project
 WORKDIR /source/src/Billing
diff --git a/src/Events/Dockerfile b/src/Events/Dockerfile
index 3d2c119e11..9882c8dec0 100644
--- a/src/Events/Dockerfile
+++ b/src/Events/Dockerfile
@@ -38,7 +38,6 @@ COPY src/Core/. ./src/Core/
 COPY src/Infrastructure.Dapper/. ./src/Infrastructure.Dapper/
 COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
-COPY .git/. ./.git/
 
 # Build project
 WORKDIR /source/src/Events
diff --git a/src/EventsProcessor/Dockerfile b/src/EventsProcessor/Dockerfile
index 10de833d4e..47ef10edac 100644
--- a/src/EventsProcessor/Dockerfile
+++ b/src/EventsProcessor/Dockerfile
@@ -38,7 +38,6 @@ COPY src/Core/. ./src/Core/
 COPY src/Infrastructure.Dapper/. ./src/Infrastructure.Dapper/
 COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
-COPY .git/. ./.git/
 
 # Build project
 WORKDIR /source/src/EventsProcessor
diff --git a/src/Icons/Dockerfile b/src/Icons/Dockerfile
index 39dcb01059..7bfa526908 100644
--- a/src/Icons/Dockerfile
+++ b/src/Icons/Dockerfile
@@ -38,7 +38,6 @@ COPY src/Core/. ./src/Core/
 COPY src/Infrastructure.Dapper/. ./src/Infrastructure.Dapper/
 COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
-COPY .git/. ./.git/
 
 # Build project
 WORKDIR /source/src/Icons
diff --git a/src/Identity/Dockerfile b/src/Identity/Dockerfile
index aa1d9e4a28..9ce6dc513a 100644
--- a/src/Identity/Dockerfile
+++ b/src/Identity/Dockerfile
@@ -38,7 +38,6 @@ COPY src/Core/. ./src/Core/
 COPY src/Infrastructure.Dapper/. ./src/Infrastructure.Dapper/
 COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
-COPY .git/. ./.git/
 
 # Build project
 WORKDIR /source/src/Identity
diff --git a/src/Notifications/Dockerfile b/src/Notifications/Dockerfile
index 6953e8f60c..9d3a0da449 100644
--- a/src/Notifications/Dockerfile
+++ b/src/Notifications/Dockerfile
@@ -38,7 +38,6 @@ COPY src/Notifications/. ./src/Notifications/
 COPY src/Infrastructure.Dapper/. ./src/Infrastructure.Dapper/
 COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
 COPY src/SharedWeb/. ./src/SharedWeb/
-COPY .git/. ./.git/
 
 # Build project
 WORKDIR /source/src/Notifications
diff --git a/util/Attachments/Dockerfile b/util/Attachments/Dockerfile
index 0b04dc88aa..d1c3575616 100644
--- a/util/Attachments/Dockerfile
+++ b/util/Attachments/Dockerfile
@@ -30,7 +30,6 @@ RUN . /tmp/rid.txt && dotnet restore -r $RID
 # Copy required project files
 WORKDIR /source
 COPY util/Server/. ./util/Server/
-COPY .git/. ./.git/
 
 # Build project
 WORKDIR /source/util/Server
diff --git a/util/MsSqlMigratorUtility/Dockerfile b/util/MsSqlMigratorUtility/Dockerfile
index 9efc0bbdf9..a7afa9f95e 100644
--- a/util/MsSqlMigratorUtility/Dockerfile
+++ b/util/MsSqlMigratorUtility/Dockerfile
@@ -35,7 +35,6 @@ WORKDIR /source
 COPY src/Core/. ./src/Core/
 COPY util/Migrator/. ./util/Migrator/
 COPY util/MsSqlMigratorUtility/. ./util/MsSqlMigratorUtility/
-COPY .git/. ./.git/
 
 # Build project
 WORKDIR /source/util/MsSqlMigratorUtility
diff --git a/util/Setup/Dockerfile b/util/Setup/Dockerfile
index a4d292565f..46b6b5916f 100644
--- a/util/Setup/Dockerfile
+++ b/util/Setup/Dockerfile
@@ -34,7 +34,6 @@ WORKDIR /source
 COPY src/Core/. ./src/Core/
 COPY util/Migrator/. ./util/Migrator/
 COPY util/Setup/. ./util/Setup/
-COPY .git/. ./.git/
 
 # Build project
 WORKDIR /source/util/Setup

From 55980e8038daadca5a2831ac7d086e742c393fef Mon Sep 17 00:00:00 2001
From: Bernd Schoolmann <mail@quexten.com>
Date: Tue, 25 Mar 2025 15:23:01 +0100
Subject: [PATCH 121/184] [PM-16603] Add userkey rotation v2 (#5204)

* Implement userkey rotation v2

* Update request models

* Cleanup

* Update tests

* Improve test

* Add tests

* Fix formatting

* Fix test

* Remove whitespace

* Fix namespace

* Enable nullable on models

* Fix build

* Add tests and enable nullable on masterpasswordunlockdatamodel

* Fix test

* Remove rollback

* Add tests

* Make masterpassword hint optional

* Update user query

* Add EF test

* Improve test

* Cleanup

* Set masterpassword hint

* Remove connection close

* Add tests for invalid kdf types

* Update test/Core.Test/KeyManagement/UserKey/RotateUserAccountKeysCommandTests.cs

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

* Fix formatting

* Update src/Api/KeyManagement/Models/Requests/RotateAccountKeysAndDataRequestModel.cs

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

* Update src/Api/Auth/Models/Request/Accounts/MasterPasswordUnlockDataModel.cs

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

* Update src/Api/Auth/Models/Request/Accounts/MasterPasswordUnlockDataModel.cs

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

* Update src/Api/KeyManagement/Models/Requests/AccountKeysRequestModel.cs

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

* Fix imports

* Fix tests

* Remove null check

* Add rollback

---------

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>
---
 .../Auth/Controllers/AccountsController.cs    |   1 +
 .../Accounts/MasterPasswordUnlockDataModel.cs |  66 +++++++++
 .../AccountsKeyManagementController.cs        |  83 ++++++++++-
 .../Requests/AccountKeysRequestModel.cs       |  10 ++
 .../RotateAccountKeysAndDataRequestModel.cs   |  13 ++
 .../Models/Requests/UnlockDataRequestModel.cs |  16 +++
 .../Models/Requests/UserDataRequestModel.cs   |  12 ++
 .../UserServiceCollectionExtensions.cs        |   1 +
 src/Core/Constants.cs                         |   3 +
 .../Models/Data/MasterPasswordUnlockData.cs   |  34 +++++
 .../Models/Data/RotateUserAccountKeysData.cs  |  28 ++++
 .../UserKey/IRotateUserAccountKeysCommand.cs  |  20 +++
 .../RotateUserAccountkeysCommand.cs           | 134 ++++++++++++++++++
 src/Core/Repositories/IUserRepository.cs      |   2 +
 .../Repositories/UserRepository.cs            |  55 ++++++-
 .../Repositories/UserRepository.cs            |  47 ++++++
 .../AccountsKeyManagementControllerTests.cs   |  91 ++++++++++++
 .../AccountsKeyManagementControllerTests.cs   |  85 +++++++++++
 .../Request/MasterPasswordUnlockDataModel.cs  |  68 +++++++++
 .../RotateUserAccountKeysCommandTests.cs      | 120 ++++++++++++++++
 .../UserKey/RotateUserKeyCommandTests.cs      |   2 +-
 .../Repositories/UserRepositoryTests.cs       |  24 ++++
 22 files changed, 906 insertions(+), 9 deletions(-)
 create mode 100644 src/Api/Auth/Models/Request/Accounts/MasterPasswordUnlockDataModel.cs
 create mode 100644 src/Api/KeyManagement/Models/Requests/AccountKeysRequestModel.cs
 create mode 100644 src/Api/KeyManagement/Models/Requests/RotateAccountKeysAndDataRequestModel.cs
 create mode 100644 src/Api/KeyManagement/Models/Requests/UnlockDataRequestModel.cs
 create mode 100644 src/Api/KeyManagement/Models/Requests/UserDataRequestModel.cs
 create mode 100644 src/Core/KeyManagement/Models/Data/MasterPasswordUnlockData.cs
 create mode 100644 src/Core/KeyManagement/Models/Data/RotateUserAccountKeysData.cs
 create mode 100644 src/Core/KeyManagement/UserKey/IRotateUserAccountKeysCommand.cs
 create mode 100644 src/Core/KeyManagement/UserKey/Implementations/RotateUserAccountkeysCommand.cs
 create mode 100644 test/Api.Test/KeyManagement/Models/Request/MasterPasswordUnlockDataModel.cs
 create mode 100644 test/Core.Test/KeyManagement/UserKey/RotateUserAccountKeysCommandTests.cs

diff --git a/src/Api/Auth/Controllers/AccountsController.cs b/src/Api/Auth/Controllers/AccountsController.cs
index 6c19049c49..2555a6fe2d 100644
--- a/src/Api/Auth/Controllers/AccountsController.cs
+++ b/src/Api/Auth/Controllers/AccountsController.cs
@@ -355,6 +355,7 @@ public class AccountsController : Controller
         throw new BadRequestException(ModelState);
     }
 
+    [Obsolete("Replaced by the safer rotate-user-account-keys endpoint.")]
     [HttpPost("key")]
     public async Task PostKey([FromBody] UpdateKeyRequestModel model)
     {
diff --git a/src/Api/Auth/Models/Request/Accounts/MasterPasswordUnlockDataModel.cs b/src/Api/Auth/Models/Request/Accounts/MasterPasswordUnlockDataModel.cs
new file mode 100644
index 0000000000..ba57788cec
--- /dev/null
+++ b/src/Api/Auth/Models/Request/Accounts/MasterPasswordUnlockDataModel.cs
@@ -0,0 +1,66 @@
+#nullable enable
+
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.Enums;
+using Bit.Core.KeyManagement.Models.Data;
+using Bit.Core.Utilities;
+
+namespace Bit.Api.Auth.Models.Request.Accounts;
+
+public class MasterPasswordUnlockDataModel : IValidatableObject
+{
+    public required KdfType KdfType { get; set; }
+    public required int KdfIterations { get; set; }
+    public int? KdfMemory { get; set; }
+    public int? KdfParallelism { get; set; }
+
+    [StrictEmailAddress]
+    [StringLength(256)]
+    public required string Email { get; set; }
+    [StringLength(300)]
+    public required string MasterKeyAuthenticationHash { get; set; }
+    [EncryptedString] public required string MasterKeyEncryptedUserKey { get; set; }
+    [StringLength(50)]
+    public string? MasterPasswordHint { get; set; }
+
+    public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
+    {
+        if (KdfType == KdfType.PBKDF2_SHA256)
+        {
+            if (KdfMemory.HasValue || KdfParallelism.HasValue)
+            {
+                yield return new ValidationResult("KdfMemory and KdfParallelism must be null for PBKDF2_SHA256", new[] { nameof(KdfMemory), nameof(KdfParallelism) });
+            }
+        }
+        else if (KdfType == KdfType.Argon2id)
+        {
+            if (!KdfMemory.HasValue || !KdfParallelism.HasValue)
+            {
+                yield return new ValidationResult("KdfMemory and KdfParallelism must have values for Argon2id", new[] { nameof(KdfMemory), nameof(KdfParallelism) });
+            }
+        }
+        else
+        {
+            yield return new ValidationResult("Invalid KdfType", new[] { nameof(KdfType) });
+        }
+    }
+
+    public MasterPasswordUnlockData ToUnlockData()
+    {
+        var data = new MasterPasswordUnlockData
+        {
+            KdfType = KdfType,
+            KdfIterations = KdfIterations,
+            KdfMemory = KdfMemory,
+            KdfParallelism = KdfParallelism,
+
+            Email = Email,
+
+            MasterKeyAuthenticationHash = MasterKeyAuthenticationHash,
+            MasterKeyEncryptedUserKey = MasterKeyEncryptedUserKey,
+            MasterPasswordHint = MasterPasswordHint
+        };
+        return data;
+    }
+
+}
diff --git a/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs b/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs
index b8d5e30949..85e0981f22 100644
--- a/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs
+++ b/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs
@@ -1,10 +1,23 @@
 #nullable enable
+using Bit.Api.AdminConsole.Models.Request.Organizations;
+using Bit.Api.Auth.Models.Request;
+using Bit.Api.Auth.Models.Request.WebAuthn;
 using Bit.Api.KeyManagement.Models.Requests;
+using Bit.Api.KeyManagement.Validators;
+using Bit.Api.Tools.Models.Request;
+using Bit.Api.Vault.Models.Request;
 using Bit.Core;
+using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Entities;
 using Bit.Core.Exceptions;
 using Bit.Core.KeyManagement.Commands.Interfaces;
+using Bit.Core.KeyManagement.Models.Data;
+using Bit.Core.KeyManagement.UserKey;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
+using Bit.Core.Tools.Entities;
+using Bit.Core.Vault.Entities;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 
@@ -19,18 +32,45 @@ public class AccountsKeyManagementController : Controller
     private readonly IOrganizationUserRepository _organizationUserRepository;
     private readonly IRegenerateUserAsymmetricKeysCommand _regenerateUserAsymmetricKeysCommand;
     private readonly IUserService _userService;
+    private readonly IRotateUserAccountKeysCommand _rotateUserAccountKeysCommand;
+    private readonly IRotationValidator<IEnumerable<CipherWithIdRequestModel>, IEnumerable<Cipher>> _cipherValidator;
+    private readonly IRotationValidator<IEnumerable<FolderWithIdRequestModel>, IEnumerable<Folder>> _folderValidator;
+    private readonly IRotationValidator<IEnumerable<SendWithIdRequestModel>, IReadOnlyList<Send>> _sendValidator;
+    private readonly IRotationValidator<IEnumerable<EmergencyAccessWithIdRequestModel>, IEnumerable<EmergencyAccess>>
+        _emergencyAccessValidator;
+    private readonly IRotationValidator<IEnumerable<ResetPasswordWithOrgIdRequestModel>,
+            IReadOnlyList<OrganizationUser>>
+        _organizationUserValidator;
+    private readonly IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>>
+        _webauthnKeyValidator;
 
     public AccountsKeyManagementController(IUserService userService,
         IFeatureService featureService,
         IOrganizationUserRepository organizationUserRepository,
         IEmergencyAccessRepository emergencyAccessRepository,
-        IRegenerateUserAsymmetricKeysCommand regenerateUserAsymmetricKeysCommand)
+        IRegenerateUserAsymmetricKeysCommand regenerateUserAsymmetricKeysCommand,
+        IRotateUserAccountKeysCommand rotateUserKeyCommandV2,
+        IRotationValidator<IEnumerable<CipherWithIdRequestModel>, IEnumerable<Cipher>> cipherValidator,
+        IRotationValidator<IEnumerable<FolderWithIdRequestModel>, IEnumerable<Folder>> folderValidator,
+        IRotationValidator<IEnumerable<SendWithIdRequestModel>, IReadOnlyList<Send>> sendValidator,
+        IRotationValidator<IEnumerable<EmergencyAccessWithIdRequestModel>, IEnumerable<EmergencyAccess>>
+            emergencyAccessValidator,
+        IRotationValidator<IEnumerable<ResetPasswordWithOrgIdRequestModel>, IReadOnlyList<OrganizationUser>>
+            organizationUserValidator,
+        IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>> webAuthnKeyValidator)
     {
         _userService = userService;
         _featureService = featureService;
         _regenerateUserAsymmetricKeysCommand = regenerateUserAsymmetricKeysCommand;
         _organizationUserRepository = organizationUserRepository;
         _emergencyAccessRepository = emergencyAccessRepository;
+        _rotateUserAccountKeysCommand = rotateUserKeyCommandV2;
+        _cipherValidator = cipherValidator;
+        _folderValidator = folderValidator;
+        _sendValidator = sendValidator;
+        _emergencyAccessValidator = emergencyAccessValidator;
+        _organizationUserValidator = organizationUserValidator;
+        _webauthnKeyValidator = webAuthnKeyValidator;
     }
 
     [HttpPost("regenerate-keys")]
@@ -47,4 +87,45 @@ public class AccountsKeyManagementController : Controller
         await _regenerateUserAsymmetricKeysCommand.RegenerateKeysAsync(request.ToUserAsymmetricKeys(user.Id),
             usersOrganizationAccounts, designatedEmergencyAccess);
     }
+
+
+    [HttpPost("rotate-user-account-keys")]
+    public async Task RotateUserAccountKeysAsync([FromBody] RotateUserAccountKeysAndDataRequestModel model)
+    {
+        var user = await _userService.GetUserByPrincipalAsync(User);
+        if (user == null)
+        {
+            throw new UnauthorizedAccessException();
+        }
+
+        var dataModel = new RotateUserAccountKeysData
+        {
+            OldMasterKeyAuthenticationHash = model.OldMasterKeyAuthenticationHash,
+
+            UserKeyEncryptedAccountPrivateKey = model.AccountKeys.UserKeyEncryptedAccountPrivateKey,
+            AccountPublicKey = model.AccountKeys.AccountPublicKey,
+
+            MasterPasswordUnlockData = model.AccountUnlockData.MasterPasswordUnlockData.ToUnlockData(),
+            EmergencyAccesses = await _emergencyAccessValidator.ValidateAsync(user, model.AccountUnlockData.EmergencyAccessUnlockData),
+            OrganizationUsers = await _organizationUserValidator.ValidateAsync(user, model.AccountUnlockData.OrganizationAccountRecoveryUnlockData),
+            WebAuthnKeys = await _webauthnKeyValidator.ValidateAsync(user, model.AccountUnlockData.PasskeyUnlockData),
+
+            Ciphers = await _cipherValidator.ValidateAsync(user, model.AccountData.Ciphers),
+            Folders = await _folderValidator.ValidateAsync(user, model.AccountData.Folders),
+            Sends = await _sendValidator.ValidateAsync(user, model.AccountData.Sends),
+        };
+
+        var result = await _rotateUserAccountKeysCommand.RotateUserAccountKeysAsync(user, dataModel);
+        if (result.Succeeded)
+        {
+            return;
+        }
+
+        foreach (var error in result.Errors)
+        {
+            ModelState.AddModelError(string.Empty, error.Description);
+        }
+
+        throw new BadRequestException(ModelState);
+    }
 }
diff --git a/src/Api/KeyManagement/Models/Requests/AccountKeysRequestModel.cs b/src/Api/KeyManagement/Models/Requests/AccountKeysRequestModel.cs
new file mode 100644
index 0000000000..7c7de4d210
--- /dev/null
+++ b/src/Api/KeyManagement/Models/Requests/AccountKeysRequestModel.cs
@@ -0,0 +1,10 @@
+#nullable enable
+using Bit.Core.Utilities;
+
+namespace Bit.Api.KeyManagement.Models.Requests;
+
+public class AccountKeysRequestModel
+{
+    [EncryptedString] public required string UserKeyEncryptedAccountPrivateKey { get; set; }
+    public required string AccountPublicKey { get; set; }
+}
diff --git a/src/Api/KeyManagement/Models/Requests/RotateAccountKeysAndDataRequestModel.cs b/src/Api/KeyManagement/Models/Requests/RotateAccountKeysAndDataRequestModel.cs
new file mode 100644
index 0000000000..b0b19e2bd3
--- /dev/null
+++ b/src/Api/KeyManagement/Models/Requests/RotateAccountKeysAndDataRequestModel.cs
@@ -0,0 +1,13 @@
+#nullable enable
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Api.KeyManagement.Models.Requests;
+
+public class RotateUserAccountKeysAndDataRequestModel
+{
+    [StringLength(300)]
+    public required string OldMasterKeyAuthenticationHash { get; set; }
+    public required UnlockDataRequestModel AccountUnlockData { get; set; }
+    public required AccountKeysRequestModel AccountKeys { get; set; }
+    public required AccountDataRequestModel AccountData { get; set; }
+}
diff --git a/src/Api/KeyManagement/Models/Requests/UnlockDataRequestModel.cs b/src/Api/KeyManagement/Models/Requests/UnlockDataRequestModel.cs
new file mode 100644
index 0000000000..5156e2a655
--- /dev/null
+++ b/src/Api/KeyManagement/Models/Requests/UnlockDataRequestModel.cs
@@ -0,0 +1,16 @@
+#nullable enable
+using Bit.Api.AdminConsole.Models.Request.Organizations;
+using Bit.Api.Auth.Models.Request;
+using Bit.Api.Auth.Models.Request.Accounts;
+using Bit.Api.Auth.Models.Request.WebAuthn;
+
+namespace Bit.Api.KeyManagement.Models.Requests;
+
+public class UnlockDataRequestModel
+{
+    // All methods to get to the userkey
+    public required MasterPasswordUnlockDataModel MasterPasswordUnlockData { get; set; }
+    public required IEnumerable<EmergencyAccessWithIdRequestModel> EmergencyAccessUnlockData { get; set; }
+    public required IEnumerable<ResetPasswordWithOrgIdRequestModel> OrganizationAccountRecoveryUnlockData { get; set; }
+    public required IEnumerable<WebAuthnLoginRotateKeyRequestModel> PasskeyUnlockData { get; set; }
+}
diff --git a/src/Api/KeyManagement/Models/Requests/UserDataRequestModel.cs b/src/Api/KeyManagement/Models/Requests/UserDataRequestModel.cs
new file mode 100644
index 0000000000..f854d82bcc
--- /dev/null
+++ b/src/Api/KeyManagement/Models/Requests/UserDataRequestModel.cs
@@ -0,0 +1,12 @@
+#nullable enable
+using Bit.Api.Tools.Models.Request;
+using Bit.Api.Vault.Models.Request;
+
+namespace Bit.Api.KeyManagement.Models.Requests;
+
+public class AccountDataRequestModel
+{
+    public required IEnumerable<CipherWithIdRequestModel> Ciphers { get; set; }
+    public required IEnumerable<FolderWithIdRequestModel> Folders { get; set; }
+    public required IEnumerable<SendWithIdRequestModel> Sends { get; set; }
+}
diff --git a/src/Core/Auth/UserFeatures/UserServiceCollectionExtensions.cs b/src/Core/Auth/UserFeatures/UserServiceCollectionExtensions.cs
index df102c855f..16a0ef9805 100644
--- a/src/Core/Auth/UserFeatures/UserServiceCollectionExtensions.cs
+++ b/src/Core/Auth/UserFeatures/UserServiceCollectionExtensions.cs
@@ -32,6 +32,7 @@ public static class UserServiceCollectionExtensions
     public static void AddUserKeyCommands(this IServiceCollection services, IGlobalSettings globalSettings)
     {
         services.AddScoped<IRotateUserKeyCommand, RotateUserKeyCommand>();
+        services.AddScoped<IRotateUserAccountKeysCommand, RotateUserAccountKeysCommand>();
     }
 
     private static void AddUserPasswordCommands(this IServiceCollection services)
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 0ae9f1d8d7..e41391b173 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -168,6 +168,9 @@ public static class FeatureFlagKeys
     public const string Argon2Default = "argon2-default";
     public const string UsePricingService = "use-pricing-service";
     public const string RecordInstallationLastActivityDate = "installation-last-activity-date";
+    public const string UserkeyRotationV2 = "userkey-rotation-v2";
+    public const string EnablePasswordManagerSyncAndroid = "enable-password-manager-sync-android";
+    public const string EnablePasswordManagerSynciOS = "enable-password-manager-sync-ios";
     public const string AccountDeprovisioningBanner = "pm-17120-account-deprovisioning-admin-console-banner";
     public const string SingleTapPasskeyCreation = "single-tap-passkey-creation";
     public const string SingleTapPasskeyAuthentication = "single-tap-passkey-authentication";
diff --git a/src/Core/KeyManagement/Models/Data/MasterPasswordUnlockData.cs b/src/Core/KeyManagement/Models/Data/MasterPasswordUnlockData.cs
new file mode 100644
index 0000000000..0ddfc03190
--- /dev/null
+++ b/src/Core/KeyManagement/Models/Data/MasterPasswordUnlockData.cs
@@ -0,0 +1,34 @@
+#nullable enable
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+
+namespace Bit.Core.KeyManagement.Models.Data;
+
+public class MasterPasswordUnlockData
+{
+    public KdfType KdfType { get; set; }
+    public int KdfIterations { get; set; }
+    public int? KdfMemory { get; set; }
+    public int? KdfParallelism { get; set; }
+
+    public required string Email { get; set; }
+    public required string MasterKeyAuthenticationHash { get; set; }
+    public required string MasterKeyEncryptedUserKey { get; set; }
+    public string? MasterPasswordHint { get; set; }
+
+    public bool ValidateForUser(User user)
+    {
+        if (KdfType != user.Kdf || KdfMemory != user.KdfMemory || KdfParallelism != user.KdfParallelism || KdfIterations != user.KdfIterations)
+        {
+            return false;
+        }
+        else if (Email != user.Email)
+        {
+            return false;
+        }
+        else
+        {
+            return true;
+        }
+    }
+}
diff --git a/src/Core/KeyManagement/Models/Data/RotateUserAccountKeysData.cs b/src/Core/KeyManagement/Models/Data/RotateUserAccountKeysData.cs
new file mode 100644
index 0000000000..7cb1c273a3
--- /dev/null
+++ b/src/Core/KeyManagement/Models/Data/RotateUserAccountKeysData.cs
@@ -0,0 +1,28 @@
+using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Entities;
+using Bit.Core.Tools.Entities;
+using Bit.Core.Vault.Entities;
+
+namespace Bit.Core.KeyManagement.Models.Data;
+
+public class RotateUserAccountKeysData
+{
+    // Authentication for this requests
+    public string OldMasterKeyAuthenticationHash { get; set; }
+
+    // Other keys encrypted by the userkey
+    public string UserKeyEncryptedAccountPrivateKey { get; set; }
+    public string AccountPublicKey { get; set; }
+
+    // All methods to get to the userkey
+    public MasterPasswordUnlockData MasterPasswordUnlockData { get; set; }
+    public IEnumerable<EmergencyAccess> EmergencyAccesses { get; set; }
+    public IReadOnlyList<OrganizationUser> OrganizationUsers { get; set; }
+    public IEnumerable<WebAuthnLoginRotateKeyData> WebAuthnKeys { get; set; }
+
+    // User vault data encrypted by the userkey
+    public IEnumerable<Cipher> Ciphers { get; set; }
+    public IEnumerable<Folder> Folders { get; set; }
+    public IReadOnlyList<Send> Sends { get; set; }
+}
diff --git a/src/Core/KeyManagement/UserKey/IRotateUserAccountKeysCommand.cs b/src/Core/KeyManagement/UserKey/IRotateUserAccountKeysCommand.cs
new file mode 100644
index 0000000000..ec40e7031d
--- /dev/null
+++ b/src/Core/KeyManagement/UserKey/IRotateUserAccountKeysCommand.cs
@@ -0,0 +1,20 @@
+using Bit.Core.Entities;
+using Bit.Core.KeyManagement.Models.Data;
+using Microsoft.AspNetCore.Identity;
+
+namespace Bit.Core.KeyManagement.UserKey;
+
+/// <summary>
+/// Responsible for rotation of a user key and updating database with re-encrypted data
+/// </summary>
+public interface IRotateUserAccountKeysCommand
+{
+    /// <summary>
+    /// Sets a new user key and updates all encrypted data.
+    /// </summary>
+    /// <param name="model">All necessary information for rotation. If data is not included, this will lead to the change being rejected.</param>
+    /// <returns>An IdentityResult for verification of the master password hash</returns>
+    /// <exception cref="ArgumentNullException">User must be provided.</exception>
+    /// <exception cref="InvalidOperationException">User KDF settings and email must match the model provided settings.</exception>
+    Task<IdentityResult> RotateUserAccountKeysAsync(User user, RotateUserAccountKeysData model);
+}
diff --git a/src/Core/KeyManagement/UserKey/Implementations/RotateUserAccountkeysCommand.cs b/src/Core/KeyManagement/UserKey/Implementations/RotateUserAccountkeysCommand.cs
new file mode 100644
index 0000000000..f4dcf31d5c
--- /dev/null
+++ b/src/Core/KeyManagement/UserKey/Implementations/RotateUserAccountkeysCommand.cs
@@ -0,0 +1,134 @@
+using Bit.Core.Auth.Repositories;
+using Bit.Core.Entities;
+using Bit.Core.KeyManagement.Models.Data;
+using Bit.Core.Platform.Push;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Tools.Repositories;
+using Bit.Core.Vault.Repositories;
+using Microsoft.AspNetCore.Identity;
+
+namespace Bit.Core.KeyManagement.UserKey.Implementations;
+
+/// <inheritdoc />
+public class RotateUserAccountKeysCommand : IRotateUserAccountKeysCommand
+{
+    private readonly IUserService _userService;
+    private readonly IUserRepository _userRepository;
+    private readonly ICipherRepository _cipherRepository;
+    private readonly IFolderRepository _folderRepository;
+    private readonly ISendRepository _sendRepository;
+    private readonly IEmergencyAccessRepository _emergencyAccessRepository;
+    private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly IPushNotificationService _pushService;
+    private readonly IdentityErrorDescriber _identityErrorDescriber;
+    private readonly IWebAuthnCredentialRepository _credentialRepository;
+    private readonly IPasswordHasher<User> _passwordHasher;
+
+    /// <summary>
+    /// Instantiates a new <see cref="RotateUserAccountKeysCommand"/>
+    /// </summary>
+    /// <param name="userService">Master password hash validation</param>
+    /// <param name="userRepository">Updates user keys and re-encrypted data if needed</param>
+    /// <param name="cipherRepository">Provides a method to update re-encrypted cipher data</param>
+    /// <param name="folderRepository">Provides a method to update re-encrypted folder data</param>
+    /// <param name="sendRepository">Provides a method to update re-encrypted send data</param>
+    /// <param name="emergencyAccessRepository">Provides a method to update re-encrypted emergency access data</param>
+    /// <param name="organizationUserRepository">Provides a method to update re-encrypted organization user data</param>
+    /// <param name="passwordHasher">Hashes the new master password</param>
+    /// <param name="pushService">Logs out user from other devices after successful rotation</param>
+    /// <param name="errors">Provides a password mismatch error if master password hash validation fails</param>
+    /// <param name="credentialRepository">Provides a method to update re-encrypted WebAuthn keys</param>
+    public RotateUserAccountKeysCommand(IUserService userService, IUserRepository userRepository,
+        ICipherRepository cipherRepository, IFolderRepository folderRepository, ISendRepository sendRepository,
+        IEmergencyAccessRepository emergencyAccessRepository, IOrganizationUserRepository organizationUserRepository,
+        IPasswordHasher<User> passwordHasher,
+        IPushNotificationService pushService, IdentityErrorDescriber errors, IWebAuthnCredentialRepository credentialRepository)
+    {
+        _userService = userService;
+        _userRepository = userRepository;
+        _cipherRepository = cipherRepository;
+        _folderRepository = folderRepository;
+        _sendRepository = sendRepository;
+        _emergencyAccessRepository = emergencyAccessRepository;
+        _organizationUserRepository = organizationUserRepository;
+        _pushService = pushService;
+        _identityErrorDescriber = errors;
+        _credentialRepository = credentialRepository;
+        _passwordHasher = passwordHasher;
+    }
+
+    /// <inheritdoc />
+    public async Task<IdentityResult> RotateUserAccountKeysAsync(User user, RotateUserAccountKeysData model)
+    {
+        if (user == null)
+        {
+            throw new ArgumentNullException(nameof(user));
+        }
+
+        if (!await _userService.CheckPasswordAsync(user, model.OldMasterKeyAuthenticationHash))
+        {
+            return IdentityResult.Failed(_identityErrorDescriber.PasswordMismatch());
+        }
+
+        var now = DateTime.UtcNow;
+        user.RevisionDate = user.AccountRevisionDate = now;
+        user.LastKeyRotationDate = now;
+        user.SecurityStamp = Guid.NewGuid().ToString();
+
+        if (
+            !model.MasterPasswordUnlockData.ValidateForUser(user)
+        )
+        {
+            throw new InvalidOperationException("The provided master password unlock data is not valid for this user.");
+        }
+        if (
+            model.AccountPublicKey != user.PublicKey
+        )
+        {
+            throw new InvalidOperationException("The provided account public key does not match the user's current public key, and changing the account asymmetric keypair is currently not supported during key rotation.");
+        }
+
+        user.Key = model.MasterPasswordUnlockData.MasterKeyEncryptedUserKey;
+        user.PrivateKey = model.UserKeyEncryptedAccountPrivateKey;
+        user.MasterPassword = _passwordHasher.HashPassword(user, model.MasterPasswordUnlockData.MasterKeyAuthenticationHash);
+        user.MasterPasswordHint = model.MasterPasswordUnlockData.MasterPasswordHint;
+
+        List<UpdateEncryptedDataForKeyRotation> saveEncryptedDataActions = new();
+        if (model.Ciphers.Any())
+        {
+            saveEncryptedDataActions.Add(_cipherRepository.UpdateForKeyRotation(user.Id, model.Ciphers));
+        }
+
+        if (model.Folders.Any())
+        {
+            saveEncryptedDataActions.Add(_folderRepository.UpdateForKeyRotation(user.Id, model.Folders));
+        }
+
+        if (model.Sends.Any())
+        {
+            saveEncryptedDataActions.Add(_sendRepository.UpdateForKeyRotation(user.Id, model.Sends));
+        }
+
+        if (model.EmergencyAccesses.Any())
+        {
+            saveEncryptedDataActions.Add(
+                _emergencyAccessRepository.UpdateForKeyRotation(user.Id, model.EmergencyAccesses));
+        }
+
+        if (model.OrganizationUsers.Any())
+        {
+            saveEncryptedDataActions.Add(
+                _organizationUserRepository.UpdateForKeyRotation(user.Id, model.OrganizationUsers));
+        }
+
+        if (model.WebAuthnKeys.Any())
+        {
+            saveEncryptedDataActions.Add(_credentialRepository.UpdateKeysForRotationAsync(user.Id, model.WebAuthnKeys));
+        }
+
+        await _userRepository.UpdateUserKeyAndEncryptedDataV2Async(user, saveEncryptedDataActions);
+        await _pushService.PushLogOutAsync(user.Id);
+        return IdentityResult.Success;
+    }
+}
diff --git a/src/Core/Repositories/IUserRepository.cs b/src/Core/Repositories/IUserRepository.cs
index 040e6e1f49..0e59b9998f 100644
--- a/src/Core/Repositories/IUserRepository.cs
+++ b/src/Core/Repositories/IUserRepository.cs
@@ -32,5 +32,7 @@ public interface IUserRepository : IRepository<User, Guid>
     /// <param name="updateDataActions">Registered database calls to update re-encrypted data.</param>
     Task UpdateUserKeyAndEncryptedDataAsync(User user,
         IEnumerable<UpdateEncryptedDataForKeyRotation> updateDataActions);
+    Task UpdateUserKeyAndEncryptedDataV2Async(User user,
+        IEnumerable<UpdateEncryptedDataForKeyRotation> updateDataActions);
     Task DeleteManyAsync(IEnumerable<User> users);
 }
diff --git a/src/Infrastructure.Dapper/Repositories/UserRepository.cs b/src/Infrastructure.Dapper/Repositories/UserRepository.cs
index 227a7c03e5..28478a0c41 100644
--- a/src/Infrastructure.Dapper/Repositories/UserRepository.cs
+++ b/src/Infrastructure.Dapper/Repositories/UserRepository.cs
@@ -254,6 +254,42 @@ public class UserRepository : Repository<User, Guid>, IUserRepository
     }
 
 
+    public async Task UpdateUserKeyAndEncryptedDataV2Async(
+        User user,
+        IEnumerable<UpdateEncryptedDataForKeyRotation> updateDataActions)
+    {
+        await using var connection = new SqlConnection(ConnectionString);
+        connection.Open();
+
+        await using var transaction = connection.BeginTransaction();
+        try
+        {
+            user.AccountRevisionDate = user.RevisionDate;
+
+            ProtectData(user);
+            await connection.ExecuteAsync(
+                $"[{Schema}].[{Table}_Update]",
+                user,
+                transaction: transaction,
+                commandType: CommandType.StoredProcedure);
+
+            //  Update re-encrypted data
+            foreach (var action in updateDataActions)
+            {
+                await action(connection, transaction);
+            }
+            transaction.Commit();
+        }
+        catch
+        {
+            transaction.Rollback();
+            UnprotectData(user);
+            throw;
+        }
+        UnprotectData(user);
+    }
+
+
     public async Task<IEnumerable<User>> GetManyAsync(IEnumerable<Guid> ids)
     {
         using (var connection = new SqlConnection(ReadOnlyConnectionString))
@@ -295,6 +331,18 @@ public class UserRepository : Repository<User, Guid>, IUserRepository
         var originalKey = user.Key;
 
         // Protect values
+        ProtectData(user);
+
+        // Save
+        await saveTask();
+
+        // Restore original values
+        user.MasterPassword = originalMasterPassword;
+        user.Key = originalKey;
+    }
+
+    private void ProtectData(User user)
+    {
         if (!user.MasterPassword?.StartsWith(Constants.DatabaseFieldProtectedPrefix) ?? false)
         {
             user.MasterPassword = string.Concat(Constants.DatabaseFieldProtectedPrefix,
@@ -306,13 +354,6 @@ public class UserRepository : Repository<User, Guid>, IUserRepository
             user.Key = string.Concat(Constants.DatabaseFieldProtectedPrefix,
                 _dataProtector.Protect(user.Key!));
         }
-
-        // Save
-        await saveTask();
-
-        // Restore original values
-        user.MasterPassword = originalMasterPassword;
-        user.Key = originalKey;
     }
 
     private void UnprotectData(User? user)
diff --git a/src/Infrastructure.EntityFramework/Repositories/UserRepository.cs b/src/Infrastructure.EntityFramework/Repositories/UserRepository.cs
index cbfefb6483..127646ed59 100644
--- a/src/Infrastructure.EntityFramework/Repositories/UserRepository.cs
+++ b/src/Infrastructure.EntityFramework/Repositories/UserRepository.cs
@@ -170,6 +170,7 @@ public class UserRepository : Repository<Core.Entities.User, User, Guid>, IUserR
 
             entity.SecurityStamp = user.SecurityStamp;
             entity.Key = user.Key;
+
             entity.PrivateKey = user.PrivateKey;
             entity.LastKeyRotationDate = user.LastKeyRotationDate;
             entity.AccountRevisionDate = user.AccountRevisionDate;
@@ -194,6 +195,52 @@ public class UserRepository : Repository<Core.Entities.User, User, Guid>, IUserR
 
     }
 
+
+    public async Task UpdateUserKeyAndEncryptedDataV2Async(Core.Entities.User user,
+        IEnumerable<UpdateEncryptedDataForKeyRotation> updateDataActions)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+
+        await using var transaction = await dbContext.Database.BeginTransactionAsync();
+
+        // Update user
+        var userEntity = await dbContext.Users.FindAsync(user.Id);
+        if (userEntity == null)
+        {
+            throw new ArgumentException("User not found", nameof(user));
+        }
+
+        userEntity.SecurityStamp = user.SecurityStamp;
+        userEntity.Key = user.Key;
+        userEntity.PrivateKey = user.PrivateKey;
+
+        userEntity.Kdf = user.Kdf;
+        userEntity.KdfIterations = user.KdfIterations;
+        userEntity.KdfMemory = user.KdfMemory;
+        userEntity.KdfParallelism = user.KdfParallelism;
+
+        userEntity.Email = user.Email;
+
+        userEntity.MasterPassword = user.MasterPassword;
+        userEntity.MasterPasswordHint = user.MasterPasswordHint;
+
+        userEntity.LastKeyRotationDate = user.LastKeyRotationDate;
+        userEntity.AccountRevisionDate = user.AccountRevisionDate;
+        userEntity.RevisionDate = user.RevisionDate;
+
+        await dbContext.SaveChangesAsync();
+
+        //  Update re-encrypted data
+        foreach (var action in updateDataActions)
+        {
+            // connection and transaction aren't used in EF
+            await action();
+        }
+
+        await transaction.CommitAsync();
+    }
+
     public async Task<IEnumerable<Core.Entities.User>> GetManyAsync(IEnumerable<Guid> ids)
     {
         using (var scope = ServiceScopeFactory.CreateScope())
diff --git a/test/Api.IntegrationTest/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs b/test/Api.IntegrationTest/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs
index ec7ca37460..7c05e1d680 100644
--- a/test/Api.IntegrationTest/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs
+++ b/test/Api.IntegrationTest/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs
@@ -2,12 +2,18 @@
 using Bit.Api.IntegrationTest.Factories;
 using Bit.Api.IntegrationTest.Helpers;
 using Bit.Api.KeyManagement.Models.Requests;
+using Bit.Api.Tools.Models.Request;
+using Bit.Api.Vault.Models;
+using Bit.Api.Vault.Models.Request;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Repositories;
+using Bit.Core.Vault.Enums;
 using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.Identity;
 using Xunit;
 
 namespace Bit.Api.IntegrationTest.KeyManagement.Controllers;
@@ -23,6 +29,7 @@ public class AccountsKeyManagementControllerTests : IClassFixture<ApiApplication
     private readonly ApiApplicationFactory _factory;
     private readonly LoginHelper _loginHelper;
     private readonly IUserRepository _userRepository;
+    private readonly IPasswordHasher<User> _passwordHasher;
     private string _ownerEmail = null!;
 
     public AccountsKeyManagementControllerTests(ApiApplicationFactory factory)
@@ -35,6 +42,7 @@ public class AccountsKeyManagementControllerTests : IClassFixture<ApiApplication
         _userRepository = _factory.GetService<IUserRepository>();
         _emergencyAccessRepository = _factory.GetService<IEmergencyAccessRepository>();
         _organizationUserRepository = _factory.GetService<IOrganizationUserRepository>();
+        _passwordHasher = _factory.GetService<IPasswordHasher<User>>();
     }
 
     public async Task InitializeAsync()
@@ -161,4 +169,87 @@ public class AccountsKeyManagementControllerTests : IClassFixture<ApiApplication
         };
         await _emergencyAccessRepository.CreateAsync(emergencyAccess);
     }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RotateUserAccountKeysAsync_NotLoggedIn_Unauthorized(RotateUserAccountKeysAndDataRequestModel request)
+    {
+        var response = await _client.PostAsJsonAsync("/accounts/key-management/rotate-user-account-keys", request);
+
+        Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RotateUserAccountKeysAsync_Success(RotateUserAccountKeysAndDataRequestModel request)
+    {
+        await _loginHelper.LoginAsync(_ownerEmail);
+        var user = await _userRepository.GetByEmailAsync(_ownerEmail);
+        if (user == null)
+        {
+            throw new InvalidOperationException("User not found.");
+        }
+
+        var password = _passwordHasher.HashPassword(user, "newMasterPassword");
+        user.MasterPassword = password;
+        user.PublicKey = "publicKey";
+        await _userRepository.ReplaceAsync(user);
+
+        request.AccountUnlockData.MasterPasswordUnlockData.KdfType = user.Kdf;
+        request.AccountUnlockData.MasterPasswordUnlockData.KdfIterations = user.KdfIterations;
+        request.AccountUnlockData.MasterPasswordUnlockData.KdfMemory = user.KdfMemory;
+        request.AccountUnlockData.MasterPasswordUnlockData.KdfParallelism = user.KdfParallelism;
+        request.AccountUnlockData.MasterPasswordUnlockData.Email = user.Email;
+        request.AccountKeys.AccountPublicKey = "publicKey";
+        request.AccountKeys.UserKeyEncryptedAccountPrivateKey = _mockEncryptedString;
+
+        request.OldMasterKeyAuthenticationHash = "newMasterPassword";
+
+        request.AccountData.Ciphers =
+        [
+            new CipherWithIdRequestModel
+            {
+                Id = Guid.NewGuid(),
+                Type = CipherType.Login,
+                Name = _mockEncryptedString,
+                Login = new CipherLoginModel
+                {
+                    Username = _mockEncryptedString,
+                    Password = _mockEncryptedString,
+                },
+            },
+        ];
+        request.AccountData.Folders = [
+            new FolderWithIdRequestModel
+            {
+                Id = Guid.NewGuid(),
+                Name = _mockEncryptedString,
+            },
+        ];
+        request.AccountData.Sends = [
+            new SendWithIdRequestModel
+            {
+                Id = Guid.NewGuid(),
+                Name = _mockEncryptedString,
+                Key = _mockEncryptedString,
+                Disabled = false,
+                DeletionDate = DateTime.UtcNow.AddDays(1),
+            },
+        ];
+        request.AccountUnlockData.MasterPasswordUnlockData.MasterKeyEncryptedUserKey = _mockEncryptedString;
+        request.AccountUnlockData.PasskeyUnlockData = [];
+        request.AccountUnlockData.EmergencyAccessUnlockData = [];
+        request.AccountUnlockData.OrganizationAccountRecoveryUnlockData = [];
+
+        var response = await _client.PostAsJsonAsync("/accounts/key-management/rotate-user-account-keys", request);
+        response.EnsureSuccessStatusCode();
+
+        var userNewState = await _userRepository.GetByEmailAsync(_ownerEmail);
+        Assert.NotNull(userNewState);
+        Assert.Equal(request.AccountUnlockData.MasterPasswordUnlockData.Email, userNewState.Email);
+        Assert.Equal(request.AccountUnlockData.MasterPasswordUnlockData.KdfType, userNewState.Kdf);
+        Assert.Equal(request.AccountUnlockData.MasterPasswordUnlockData.KdfIterations, userNewState.KdfIterations);
+        Assert.Equal(request.AccountUnlockData.MasterPasswordUnlockData.KdfMemory, userNewState.KdfMemory);
+        Assert.Equal(request.AccountUnlockData.MasterPasswordUnlockData.KdfParallelism, userNewState.KdfParallelism);
+    }
 }
diff --git a/test/Api.Test/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs b/test/Api.Test/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs
index 2615697ad3..49c4f88cb4 100644
--- a/test/Api.Test/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs
+++ b/test/Api.Test/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs
@@ -1,17 +1,28 @@
 #nullable enable
 using System.Security.Claims;
+using Bit.Api.AdminConsole.Models.Request.Organizations;
+using Bit.Api.Auth.Models.Request;
+using Bit.Api.Auth.Models.Request.WebAuthn;
 using Bit.Api.KeyManagement.Controllers;
 using Bit.Api.KeyManagement.Models.Requests;
+using Bit.Api.KeyManagement.Validators;
+using Bit.Api.Tools.Models.Request;
+using Bit.Api.Vault.Models.Request;
 using Bit.Core;
+using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Entities;
 using Bit.Core.Exceptions;
 using Bit.Core.KeyManagement.Commands.Interfaces;
 using Bit.Core.KeyManagement.Models.Data;
+using Bit.Core.KeyManagement.UserKey;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
+using Bit.Core.Tools.Entities;
+using Bit.Core.Vault.Entities;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.Identity;
 using NSubstitute;
 using NSubstitute.ReturnsExtensions;
 using Xunit;
@@ -93,4 +104,78 @@ public class AccountsKeyManagementControllerTests
                 Arg.Is(orgUsers),
                 Arg.Is(accessDetails));
     }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RotateUserAccountKeysSuccess(SutProvider<AccountsKeyManagementController> sutProvider,
+        RotateUserAccountKeysAndDataRequestModel data, User user)
+    {
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).Returns(user);
+        sutProvider.GetDependency<IRotateUserAccountKeysCommand>().RotateUserAccountKeysAsync(Arg.Any<User>(), Arg.Any<RotateUserAccountKeysData>())
+            .Returns(IdentityResult.Success);
+        await sutProvider.Sut.RotateUserAccountKeysAsync(data);
+
+        await sutProvider.GetDependency<IRotationValidator<IEnumerable<EmergencyAccessWithIdRequestModel>, IEnumerable<EmergencyAccess>>>().Received(1)
+            .ValidateAsync(Arg.Any<User>(), Arg.Is(data.AccountUnlockData.EmergencyAccessUnlockData));
+        await sutProvider.GetDependency<IRotationValidator<IEnumerable<ResetPasswordWithOrgIdRequestModel>, IReadOnlyList<OrganizationUser>>>().Received(1)
+            .ValidateAsync(Arg.Any<User>(), Arg.Is(data.AccountUnlockData.OrganizationAccountRecoveryUnlockData));
+        await sutProvider.GetDependency<IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>>>().Received(1)
+            .ValidateAsync(Arg.Any<User>(), Arg.Is(data.AccountUnlockData.PasskeyUnlockData));
+
+        await sutProvider.GetDependency<IRotationValidator<IEnumerable<CipherWithIdRequestModel>, IEnumerable<Cipher>>>().Received(1)
+            .ValidateAsync(Arg.Any<User>(), Arg.Is(data.AccountData.Ciphers));
+        await sutProvider.GetDependency<IRotationValidator<IEnumerable<FolderWithIdRequestModel>, IEnumerable<Folder>>>().Received(1)
+            .ValidateAsync(Arg.Any<User>(), Arg.Is(data.AccountData.Folders));
+        await sutProvider.GetDependency<IRotationValidator<IEnumerable<SendWithIdRequestModel>, IReadOnlyList<Send>>>().Received(1)
+            .ValidateAsync(Arg.Any<User>(), Arg.Is(data.AccountData.Sends));
+
+        await sutProvider.GetDependency<IRotateUserAccountKeysCommand>().Received(1)
+            .RotateUserAccountKeysAsync(Arg.Is(user), Arg.Is<RotateUserAccountKeysData>(d =>
+                d.OldMasterKeyAuthenticationHash == data.OldMasterKeyAuthenticationHash
+
+                && d.MasterPasswordUnlockData.KdfType == data.AccountUnlockData.MasterPasswordUnlockData.KdfType
+                && d.MasterPasswordUnlockData.KdfIterations == data.AccountUnlockData.MasterPasswordUnlockData.KdfIterations
+                && d.MasterPasswordUnlockData.KdfMemory == data.AccountUnlockData.MasterPasswordUnlockData.KdfMemory
+                && d.MasterPasswordUnlockData.KdfParallelism == data.AccountUnlockData.MasterPasswordUnlockData.KdfParallelism
+                && d.MasterPasswordUnlockData.Email == data.AccountUnlockData.MasterPasswordUnlockData.Email
+
+                && d.MasterPasswordUnlockData.MasterKeyAuthenticationHash == data.AccountUnlockData.MasterPasswordUnlockData.MasterKeyAuthenticationHash
+                && d.MasterPasswordUnlockData.MasterKeyEncryptedUserKey == data.AccountUnlockData.MasterPasswordUnlockData.MasterKeyEncryptedUserKey
+
+                && d.AccountPublicKey == data.AccountKeys.AccountPublicKey
+                && d.UserKeyEncryptedAccountPrivateKey == data.AccountKeys.UserKeyEncryptedAccountPrivateKey
+            ));
+    }
+
+
+    [Theory]
+    [BitAutoData]
+    public async Task RotateUserKeyNoUser_Throws(SutProvider<AccountsKeyManagementController> sutProvider,
+        RotateUserAccountKeysAndDataRequestModel data)
+    {
+        User? user = null;
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).Returns(user);
+        sutProvider.GetDependency<IRotateUserAccountKeysCommand>().RotateUserAccountKeysAsync(Arg.Any<User>(), Arg.Any<RotateUserAccountKeysData>())
+            .Returns(IdentityResult.Success);
+        await Assert.ThrowsAsync<UnauthorizedAccessException>(() => sutProvider.Sut.RotateUserAccountKeysAsync(data));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RotateUserKeyWrongData_Throws(SutProvider<AccountsKeyManagementController> sutProvider,
+        RotateUserAccountKeysAndDataRequestModel data, User user, IdentityErrorDescriber _identityErrorDescriber)
+    {
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).Returns(user);
+        sutProvider.GetDependency<IRotateUserAccountKeysCommand>().RotateUserAccountKeysAsync(Arg.Any<User>(), Arg.Any<RotateUserAccountKeysData>())
+            .Returns(IdentityResult.Failed(_identityErrorDescriber.PasswordMismatch()));
+        try
+        {
+            await sutProvider.Sut.RotateUserAccountKeysAsync(data);
+            Assert.Fail("Should have thrown");
+        }
+        catch (BadRequestException ex)
+        {
+            Assert.NotEmpty(ex.ModelState.Values);
+        }
+    }
 }
diff --git a/test/Api.Test/KeyManagement/Models/Request/MasterPasswordUnlockDataModel.cs b/test/Api.Test/KeyManagement/Models/Request/MasterPasswordUnlockDataModel.cs
new file mode 100644
index 0000000000..4c78c7015a
--- /dev/null
+++ b/test/Api.Test/KeyManagement/Models/Request/MasterPasswordUnlockDataModel.cs
@@ -0,0 +1,68 @@
+#nullable enable
+using System.ComponentModel.DataAnnotations;
+using Bit.Api.Auth.Models.Request.Accounts;
+using Bit.Core.Enums;
+using Xunit;
+
+namespace Bit.Api.Test.KeyManagement.Models.Request;
+
+public class MasterPasswordUnlockDataModelTests
+{
+
+    readonly string _mockEncryptedString = "2.3Uk+WNBIoU5xzmVFNcoWzz==|1MsPIYuRfdOHfu/0uY6H2Q==|/98sp4wb6pHP1VTZ9JcNCYgQjEUMFPlqJgCwRk1YXKg=";
+
+    [Theory]
+    [InlineData(KdfType.PBKDF2_SHA256, 5000, null, null)]
+    [InlineData(KdfType.PBKDF2_SHA256, 100000, null, null)]
+    [InlineData(KdfType.PBKDF2_SHA256, 600000, null, null)]
+    [InlineData(KdfType.Argon2id, 3, 64, 4)]
+    public void Validate_Success(KdfType kdfType, int kdfIterations, int? kdfMemory, int? kdfParallelism)
+    {
+        var model = new MasterPasswordUnlockDataModel
+        {
+            KdfType = kdfType,
+            KdfIterations = kdfIterations,
+            KdfMemory = kdfMemory,
+            KdfParallelism = kdfParallelism,
+            Email = "example@example.com",
+            MasterKeyAuthenticationHash = "hash",
+            MasterKeyEncryptedUserKey = _mockEncryptedString,
+            MasterPasswordHint = "hint"
+        };
+        var result = Validate(model);
+        Assert.Empty(result);
+    }
+
+    [Theory]
+    [InlineData(KdfType.Argon2id, 1, null, 1)]
+    [InlineData(KdfType.Argon2id, 1, 64, null)]
+    [InlineData(KdfType.PBKDF2_SHA256, 5000, 0, null)]
+    [InlineData(KdfType.PBKDF2_SHA256, 5000, null, 0)]
+    [InlineData(KdfType.PBKDF2_SHA256, 5000, 0, 0)]
+    [InlineData((KdfType)2, 100000, null, null)]
+    [InlineData((KdfType)2, 2, 64, 4)]
+    public void Validate_Failure(KdfType kdfType, int kdfIterations, int? kdfMemory, int? kdfParallelism)
+    {
+        var model = new MasterPasswordUnlockDataModel
+        {
+            KdfType = kdfType,
+            KdfIterations = kdfIterations,
+            KdfMemory = kdfMemory,
+            KdfParallelism = kdfParallelism,
+            Email = "example@example.com",
+            MasterKeyAuthenticationHash = "hash",
+            MasterKeyEncryptedUserKey = _mockEncryptedString,
+            MasterPasswordHint = "hint"
+        };
+        var result = Validate(model);
+        Assert.Single(result);
+        Assert.NotNull(result.First().ErrorMessage);
+    }
+
+    private static List<ValidationResult> Validate(MasterPasswordUnlockDataModel model)
+    {
+        var results = new List<ValidationResult>();
+        Validator.TryValidateObject(model, new ValidationContext(model), results, true);
+        return results;
+    }
+}
diff --git a/test/Core.Test/KeyManagement/UserKey/RotateUserAccountKeysCommandTests.cs b/test/Core.Test/KeyManagement/UserKey/RotateUserAccountKeysCommandTests.cs
new file mode 100644
index 0000000000..e677814fc1
--- /dev/null
+++ b/test/Core.Test/KeyManagement/UserKey/RotateUserAccountKeysCommandTests.cs
@@ -0,0 +1,120 @@
+using Bit.Core.Entities;
+using Bit.Core.KeyManagement.Models.Data;
+using Bit.Core.KeyManagement.UserKey.Implementations;
+using Bit.Core.Services;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.Identity;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.KeyManagement.UserKey;
+
+[SutProviderCustomize]
+public class RotateUserAccountKeysCommandTests
+{
+    [Theory, BitAutoData]
+    public async Task RejectsWrongOldMasterPassword(SutProvider<RotateUserAccountKeysCommand> sutProvider, User user,
+        RotateUserAccountKeysData model)
+    {
+        user.Email = model.MasterPasswordUnlockData.Email;
+        sutProvider.GetDependency<IUserService>().CheckPasswordAsync(user, model.OldMasterKeyAuthenticationHash)
+            .Returns(false);
+
+        var result = await sutProvider.Sut.RotateUserAccountKeysAsync(user, model);
+
+        Assert.NotEqual(IdentityResult.Success, result);
+    }
+    [Theory, BitAutoData]
+    public async Task ThrowsWhenUserIsNull(SutProvider<RotateUserAccountKeysCommand> sutProvider,
+          RotateUserAccountKeysData model)
+    {
+        await Assert.ThrowsAsync<ArgumentNullException>(async () => await sutProvider.Sut.RotateUserAccountKeysAsync(null, model));
+    }
+    [Theory, BitAutoData]
+    public async Task RejectsEmailChange(SutProvider<RotateUserAccountKeysCommand> sutProvider, User user,
+        RotateUserAccountKeysData model)
+    {
+        user.Kdf = Enums.KdfType.Argon2id;
+        user.KdfIterations = 3;
+        user.KdfMemory = 64;
+        user.KdfParallelism = 4;
+
+        model.MasterPasswordUnlockData.Email = user.Email + ".different-domain";
+        model.MasterPasswordUnlockData.KdfType = Enums.KdfType.Argon2id;
+        model.MasterPasswordUnlockData.KdfIterations = 3;
+        model.MasterPasswordUnlockData.KdfMemory = 64;
+        model.MasterPasswordUnlockData.KdfParallelism = 4;
+        sutProvider.GetDependency<IUserService>().CheckPasswordAsync(user, model.OldMasterKeyAuthenticationHash)
+            .Returns(true);
+        await Assert.ThrowsAsync<InvalidOperationException>(async () => await sutProvider.Sut.RotateUserAccountKeysAsync(user, model));
+    }
+
+    [Theory, BitAutoData]
+    public async Task RejectsKdfChange(SutProvider<RotateUserAccountKeysCommand> sutProvider, User user,
+        RotateUserAccountKeysData model)
+    {
+        user.Kdf = Enums.KdfType.Argon2id;
+        user.KdfIterations = 3;
+        user.KdfMemory = 64;
+        user.KdfParallelism = 4;
+
+        model.MasterPasswordUnlockData.Email = user.Email;
+        model.MasterPasswordUnlockData.KdfType = Enums.KdfType.PBKDF2_SHA256;
+        model.MasterPasswordUnlockData.KdfIterations = 600000;
+        model.MasterPasswordUnlockData.KdfMemory = null;
+        model.MasterPasswordUnlockData.KdfParallelism = null;
+        sutProvider.GetDependency<IUserService>().CheckPasswordAsync(user, model.OldMasterKeyAuthenticationHash)
+            .Returns(true);
+        await Assert.ThrowsAsync<InvalidOperationException>(async () => await sutProvider.Sut.RotateUserAccountKeysAsync(user, model));
+    }
+
+
+    [Theory, BitAutoData]
+    public async Task RejectsPublicKeyChange(SutProvider<RotateUserAccountKeysCommand> sutProvider, User user,
+        RotateUserAccountKeysData model)
+    {
+        user.PublicKey = "old-public";
+        user.Kdf = Enums.KdfType.Argon2id;
+        user.KdfIterations = 3;
+        user.KdfMemory = 64;
+        user.KdfParallelism = 4;
+
+        model.AccountPublicKey = "new-public";
+        model.MasterPasswordUnlockData.Email = user.Email;
+        model.MasterPasswordUnlockData.KdfType = Enums.KdfType.Argon2id;
+        model.MasterPasswordUnlockData.KdfIterations = 3;
+        model.MasterPasswordUnlockData.KdfMemory = 64;
+        model.MasterPasswordUnlockData.KdfParallelism = 4;
+
+        sutProvider.GetDependency<IUserService>().CheckPasswordAsync(user, model.OldMasterKeyAuthenticationHash)
+            .Returns(true);
+
+        await Assert.ThrowsAsync<InvalidOperationException>(async () => await sutProvider.Sut.RotateUserAccountKeysAsync(user, model));
+    }
+
+    [Theory, BitAutoData]
+    public async Task RotatesCorrectly(SutProvider<RotateUserAccountKeysCommand> sutProvider, User user,
+        RotateUserAccountKeysData model)
+    {
+        user.Kdf = Enums.KdfType.Argon2id;
+        user.KdfIterations = 3;
+        user.KdfMemory = 64;
+        user.KdfParallelism = 4;
+
+        model.MasterPasswordUnlockData.Email = user.Email;
+        model.MasterPasswordUnlockData.KdfType = Enums.KdfType.Argon2id;
+        model.MasterPasswordUnlockData.KdfIterations = 3;
+        model.MasterPasswordUnlockData.KdfMemory = 64;
+        model.MasterPasswordUnlockData.KdfParallelism = 4;
+
+        model.AccountPublicKey = user.PublicKey;
+
+        sutProvider.GetDependency<IUserService>().CheckPasswordAsync(user, model.OldMasterKeyAuthenticationHash)
+            .Returns(true);
+
+        var result = await sutProvider.Sut.RotateUserAccountKeysAsync(user, model);
+
+        Assert.Equal(IdentityResult.Success, result);
+    }
+}
diff --git a/test/Core.Test/KeyManagement/UserKey/RotateUserKeyCommandTests.cs b/test/Core.Test/KeyManagement/UserKey/RotateUserKeyCommandTests.cs
index 53263d8805..000fa7e90c 100644
--- a/test/Core.Test/KeyManagement/UserKey/RotateUserKeyCommandTests.cs
+++ b/test/Core.Test/KeyManagement/UserKey/RotateUserKeyCommandTests.cs
@@ -11,7 +11,7 @@ using Microsoft.AspNetCore.Identity;
 using NSubstitute;
 using Xunit;
 
-namespace Bit.Core.Test.KeyManagement.UserFeatures.UserKey;
+namespace Bit.Core.Test.KeyManagement.UserKey;
 
 [SutProviderCustomize]
 public class RotateUserKeyCommandTests
diff --git a/test/Infrastructure.EFIntegration.Test/Repositories/UserRepositoryTests.cs b/test/Infrastructure.EFIntegration.Test/Repositories/UserRepositoryTests.cs
index 066a550fa8..151bd47c44 100644
--- a/test/Infrastructure.EFIntegration.Test/Repositories/UserRepositoryTests.cs
+++ b/test/Infrastructure.EFIntegration.Test/Repositories/UserRepositoryTests.cs
@@ -1,6 +1,7 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Entities;
+using Bit.Core.Enums;
 using Bit.Core.Models.Data;
 using Bit.Core.Test.AutoFixture.Attributes;
 using Bit.Infrastructure.EFIntegration.Test.AutoFixture;
@@ -289,4 +290,27 @@ public class UserRepositoryTests
         var distinctItems = returnedList.Distinct(equalityComparer);
         Assert.True(!distinctItems.Skip(1).Any());
     }
+
+    [CiSkippedTheory, EfUserAutoData]
+    public async Task UpdateUserKeyAndEncryptedDataAsync_Works_DataMatches(User user, SqlRepo.UserRepository sqlUserRepo)
+    {
+        var sqlUser = await sqlUserRepo.CreateAsync(user);
+        sqlUser.Kdf = KdfType.PBKDF2_SHA256;
+        sqlUser.KdfIterations = 6_000_000;
+        sqlUser.KdfMemory = 7_000_000;
+        sqlUser.KdfParallelism = 8_000_000;
+        sqlUser.MasterPassword = "masterPasswordHash";
+        sqlUser.MasterPasswordHint = "masterPasswordHint";
+        sqlUser.Email = "example@example.com";
+
+        await sqlUserRepo.UpdateUserKeyAndEncryptedDataV2Async(sqlUser, []);
+        var updatedUser = await sqlUserRepo.GetByIdAsync(sqlUser.Id);
+        Assert.Equal(sqlUser.Kdf, updatedUser.Kdf);
+        Assert.Equal(sqlUser.KdfIterations, updatedUser.KdfIterations);
+        Assert.Equal(sqlUser.KdfMemory, updatedUser.KdfMemory);
+        Assert.Equal(sqlUser.KdfParallelism, updatedUser.KdfParallelism);
+        Assert.Equal(sqlUser.MasterPassword, updatedUser.MasterPassword);
+        Assert.Equal(sqlUser.MasterPasswordHint, updatedUser.MasterPasswordHint);
+        Assert.Equal(sqlUser.Email, updatedUser.Email);
+    }
 }

From e811cd4bfedfbbff645b077058db32b1db2adffc Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Tue, 25 Mar 2025 10:54:49 -0400
Subject: [PATCH 122/184] Remove needs for lint before other jobs

---
 .github/workflows/build.yml | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 73d082b9d8..a990e56366 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -37,9 +37,7 @@ jobs:
   build-container:
     name: Build container images
     runs-on: ubuntu-24.04
-    needs:
-      - check-run
-      - lint
+    needs: check-run
     permissions:
       id-token: write
       security-events: write
@@ -399,9 +397,7 @@ jobs:
   build-mssqlmigratorutility:
     name: Build MSSQL migrator utility
     runs-on: ubuntu-24.04
-    needs:
-      - check-run
-      - lint
+    needs: check-run
     defaults:
       run:
         shell: bash

From d563f3f78ab14a04aded397245d0c02a24531da6 Mon Sep 17 00:00:00 2001
From: Nick Krantz <125900171+nick-livefront@users.noreply.github.com>
Date: Tue, 25 Mar 2025 10:16:06 -0500
Subject: [PATCH 123/184] Fix logic in text handlebars template (#5542)

---
 .../SecurityTasksNotification.text.hbs           | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.text.hbs b/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.text.hbs
index f5493e4503..f6c0921165 100644
--- a/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.text.hbs
+++ b/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.text.hbs
@@ -6,12 +6,14 @@ Launch the Bitwarden extension to review your at-risk passwords.
 
 Review at-risk passwords ({{{ReviewPasswordsUrl}}})
 
-{{#if (eq (length AdminOwnerEmails) 1)}}
-This request was initiated by {{AdminOwnerEmails.[0]}}.
-{{else}}
-This request was initiated by
-{{#each AdminOwnerEmails}}
-  {{#if @last}}and {{/if}}{{this}}{{#unless @last}}, {{/unless}}
-{{/each}}.
+{{#if AdminOwnerEmails.[0]}}
+  {{#if AdminOwnerEmails.[1]}}
+    This request was initiated by
+    {{#each AdminOwnerEmails}}
+      {{#if @last}}and {{/if}}{{this}}{{#unless @last}}, {{/unless}}
+    {{/each}}.
+  {{else}}
+    This request was initiated by {{AdminOwnerEmails.[0]}}.
+  {{/if}}
 {{/if}}
 {{/SecurityTasksHtmlLayout}}

From f04a3d638b05958957db4e5823d7fb8a511992fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Wed, 26 Mar 2025 09:40:13 +0000
Subject: [PATCH 124/184] [PM-18235] Add PersonalOwnershipPolicyRequirement
 (#5439)

* Add PersonalOwnershipPolicyRequirement for managing personal ownership policy

* Add tests for PersonalOwnershipPolicyRequirement

* Register PersonalOwnershipPolicyRequirement in policy requirement factory

* Update ImportCiphersCommand to check PersonalOwnershipPolicyRequirement if the PolicyRequirements flag is enabled

Update unit tests

* Update CipherService to support PersonalOwnershipPolicyRequirement with feature flag

- Add support for checking personal ownership policy using PolicyRequirementQuery when feature flag is enabled
- Update CipherService constructor to inject new dependencies
- Add tests for personal vault restrictions with and without feature flag

* Clean up redundant "Arrange", "Act", and "Assert" comments in test methods

* Refactor PersonalOwnershipPolicyRequirementTests method names for clarity

- Improve test method names to better describe their purpose and behavior
- Rename methods to follow a more descriptive naming convention
- No functional changes to the test logic

* Remove commented code explaining policy check

* Refactor PersonalOwnership Policy Requirement implementation

- Add PersonalOwnershipPolicyRequirementFactory to replace static Create method
- Simplify policy requirement creation logic
- Update PolicyServiceCollectionExtensions to register new factory
- Update ImportCiphersCommand to use correct user ID parameter
- Remove redundant PersonalOwnershipPolicyRequirementTests

* Remove redundant PersonalOwnershipPolicyRequirementTests

* Remove unnecessary tests from PersonalOwnershipPolicyRequirementFactoryTests
---
 .../PersonalOwnershipPolicyRequirement.cs     | 26 +++++
 .../PolicyServiceCollectionExtensions.cs      |  1 +
 .../ImportFeatures/ImportCiphersCommand.cs    | 20 +++-
 .../Services/Implementations/CipherService.cs | 18 +++-
 ...lOwnershipPolicyRequirementFactoryTests.cs | 31 ++++++
 .../ImportCiphersAsyncCommandTests.cs         | 58 ++++++++++-
 .../Vault/Services/CipherServiceTests.cs      | 96 +++++++++++++++++++
 7 files changed, 240 insertions(+), 10 deletions(-)
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/PersonalOwnershipPolicyRequirement.cs
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/PersonalOwnershipPolicyRequirementFactoryTests.cs

diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/PersonalOwnershipPolicyRequirement.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/PersonalOwnershipPolicyRequirement.cs
new file mode 100644
index 0000000000..6f3f017bb9
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/PersonalOwnershipPolicyRequirement.cs
@@ -0,0 +1,26 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+/// <summary>
+/// Policy requirements for the Disable Personal Ownership policy.
+/// </summary>
+public class PersonalOwnershipPolicyRequirement : IPolicyRequirement
+{
+    /// <summary>
+    /// Indicates whether Personal Ownership is disabled for the user. If true, members are required to save items to an organization.
+    /// </summary>
+    public bool DisablePersonalOwnership { get; init; }
+}
+
+public class PersonalOwnershipPolicyRequirementFactory : BasePolicyRequirementFactory<PersonalOwnershipPolicyRequirement>
+{
+    public override PolicyType PolicyType => PolicyType.PersonalOwnership;
+
+    public override PersonalOwnershipPolicyRequirement Create(IEnumerable<PolicyDetails> policyDetails)
+    {
+        var result = new PersonalOwnershipPolicyRequirement { DisablePersonalOwnership = policyDetails.Any() };
+        return result;
+    }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs
index d386006ad2..d330c57291 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs
@@ -34,5 +34,6 @@ public static class PolicyServiceCollectionExtensions
         services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, DisableSendPolicyRequirementFactory>();
         services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, SendOptionsPolicyRequirementFactory>();
         services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, ResetPasswordPolicyRequirementFactory>();
+        services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, PersonalOwnershipPolicyRequirementFactory>();
     }
 }
diff --git a/src/Core/Tools/ImportFeatures/ImportCiphersCommand.cs b/src/Core/Tools/ImportFeatures/ImportCiphersCommand.cs
index 59d3e5be34..3c58dca183 100644
--- a/src/Core/Tools/ImportFeatures/ImportCiphersCommand.cs
+++ b/src/Core/Tools/ImportFeatures/ImportCiphersCommand.cs
@@ -1,10 +1,13 @@
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Exceptions;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
+using Bit.Core.Services;
 using Bit.Core.Tools.Enums;
 using Bit.Core.Tools.ImportFeatures.Interfaces;
 using Bit.Core.Tools.Models.Business;
@@ -26,7 +29,8 @@ public class ImportCiphersCommand : IImportCiphersCommand
     private readonly ICollectionRepository _collectionRepository;
     private readonly IReferenceEventService _referenceEventService;
     private readonly ICurrentContext _currentContext;
-
+    private readonly IPolicyRequirementQuery _policyRequirementQuery;
+    private readonly IFeatureService _featureService;
 
     public ImportCiphersCommand(
         ICipherRepository cipherRepository,
@@ -37,7 +41,9 @@ public class ImportCiphersCommand : IImportCiphersCommand
         IPushNotificationService pushService,
         IPolicyService policyService,
         IReferenceEventService referenceEventService,
-        ICurrentContext currentContext)
+        ICurrentContext currentContext,
+        IPolicyRequirementQuery policyRequirementQuery,
+        IFeatureService featureService)
     {
         _cipherRepository = cipherRepository;
         _folderRepository = folderRepository;
@@ -48,9 +54,10 @@ public class ImportCiphersCommand : IImportCiphersCommand
         _policyService = policyService;
         _referenceEventService = referenceEventService;
         _currentContext = currentContext;
+        _policyRequirementQuery = policyRequirementQuery;
+        _featureService = featureService;
     }
 
-
     public async Task ImportIntoIndividualVaultAsync(
         List<Folder> folders,
         List<CipherDetails> ciphers,
@@ -58,8 +65,11 @@ public class ImportCiphersCommand : IImportCiphersCommand
         Guid importingUserId)
     {
         // Make sure the user can save new ciphers to their personal vault
-        var anyPersonalOwnershipPolicies = await _policyService.AnyPoliciesApplicableToUserAsync(importingUserId, PolicyType.PersonalOwnership);
-        if (anyPersonalOwnershipPolicies)
+        var isPersonalVaultRestricted = _featureService.IsEnabled(FeatureFlagKeys.PolicyRequirements)
+            ? (await _policyRequirementQuery.GetAsync<PersonalOwnershipPolicyRequirement>(importingUserId)).DisablePersonalOwnership
+            : await _policyService.AnyPoliciesApplicableToUserAsync(importingUserId, PolicyType.PersonalOwnership);
+
+        if (isPersonalVaultRestricted)
         {
             throw new BadRequestException("You cannot import items into your personal vault because you are " +
                 "a member of an organization which forbids it.");
diff --git a/src/Core/Vault/Services/Implementations/CipherService.cs b/src/Core/Vault/Services/Implementations/CipherService.cs
index a315528e59..b9daafe599 100644
--- a/src/Core/Vault/Services/Implementations/CipherService.cs
+++ b/src/Core/Vault/Services/Implementations/CipherService.cs
@@ -1,5 +1,7 @@
 using System.Text.Json;
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Context;
 using Bit.Core.Enums;
@@ -41,6 +43,8 @@ public class CipherService : ICipherService
     private readonly IReferenceEventService _referenceEventService;
     private readonly ICurrentContext _currentContext;
     private readonly IGetCipherPermissionsForUserQuery _getCipherPermissionsForUserQuery;
+    private readonly IPolicyRequirementQuery _policyRequirementQuery;
+    private readonly IFeatureService _featureService;
 
     public CipherService(
         ICipherRepository cipherRepository,
@@ -58,7 +62,9 @@ public class CipherService : ICipherService
         GlobalSettings globalSettings,
         IReferenceEventService referenceEventService,
         ICurrentContext currentContext,
-        IGetCipherPermissionsForUserQuery getCipherPermissionsForUserQuery)
+        IGetCipherPermissionsForUserQuery getCipherPermissionsForUserQuery,
+        IPolicyRequirementQuery policyRequirementQuery,
+        IFeatureService featureService)
     {
         _cipherRepository = cipherRepository;
         _folderRepository = folderRepository;
@@ -76,6 +82,8 @@ public class CipherService : ICipherService
         _referenceEventService = referenceEventService;
         _currentContext = currentContext;
         _getCipherPermissionsForUserQuery = getCipherPermissionsForUserQuery;
+        _policyRequirementQuery = policyRequirementQuery;
+        _featureService = featureService;
     }
 
     public async Task SaveAsync(Cipher cipher, Guid savingUserId, DateTime? lastKnownRevisionDate,
@@ -143,9 +151,11 @@ public class CipherService : ICipherService
             }
             else
             {
-                // Make sure the user can save new ciphers to their personal vault
-                var anyPersonalOwnershipPolicies = await _policyService.AnyPoliciesApplicableToUserAsync(savingUserId, PolicyType.PersonalOwnership);
-                if (anyPersonalOwnershipPolicies)
+                var isPersonalVaultRestricted = _featureService.IsEnabled(FeatureFlagKeys.PolicyRequirements)
+                    ? (await _policyRequirementQuery.GetAsync<PersonalOwnershipPolicyRequirement>(savingUserId)).DisablePersonalOwnership
+                    : await _policyService.AnyPoliciesApplicableToUserAsync(savingUserId, PolicyType.PersonalOwnership);
+
+                if (isPersonalVaultRestricted)
                 {
                     throw new BadRequestException("Due to an Enterprise Policy, you are restricted from saving items to your personal vault.");
                 }
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/PersonalOwnershipPolicyRequirementFactoryTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/PersonalOwnershipPolicyRequirementFactoryTests.cs
new file mode 100644
index 0000000000..2ce75ca61e
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/PersonalOwnershipPolicyRequirementFactoryTests.cs
@@ -0,0 +1,31 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.Test.AdminConsole.AutoFixture;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+[SutProviderCustomize]
+public class PersonalOwnershipPolicyRequirementFactoryTests
+{
+    [Theory, BitAutoData]
+    public void DisablePersonalOwnership_WithNoPolicies_ReturnsFalse(SutProvider<PersonalOwnershipPolicyRequirementFactory> sutProvider)
+    {
+        var actual = sutProvider.Sut.Create([]);
+
+        Assert.False(actual.DisablePersonalOwnership);
+    }
+
+    [Theory, BitAutoData]
+    public void DisablePersonalOwnership_WithPersonalOwnershipPolicies_ReturnsTrue(
+        [PolicyDetails(PolicyType.PersonalOwnership)] PolicyDetails[] policies,
+        SutProvider<PersonalOwnershipPolicyRequirementFactory> sutProvider)
+    {
+        var actual = sutProvider.Sut.Create(policies);
+
+        Assert.True(actual.DisablePersonalOwnership);
+    }
+}
diff --git a/test/Core.Test/Tools/ImportFeatures/ImportCiphersAsyncCommandTests.cs b/test/Core.Test/Tools/ImportFeatures/ImportCiphersAsyncCommandTests.cs
index 5e7a30d814..89e6d152cc 100644
--- a/test/Core.Test/Tools/ImportFeatures/ImportCiphersAsyncCommandTests.cs
+++ b/test/Core.Test/Tools/ImportFeatures/ImportCiphersAsyncCommandTests.cs
@@ -1,10 +1,13 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Entities;
 using Bit.Core.Exceptions;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
+using Bit.Core.Services;
 using Bit.Core.Test.AutoFixture.CipherFixtures;
 using Bit.Core.Tools.Enums;
 using Bit.Core.Tools.ImportFeatures;
@@ -18,7 +21,6 @@ using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
 using Xunit;
 
-
 namespace Bit.Core.Test.Tools.ImportFeatures;
 
 [UserCipherCustomize]
@@ -51,6 +53,34 @@ public class ImportCiphersAsyncCommandTests
         await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncVaultAsync(importingUserId);
     }
 
+    [Theory, BitAutoData]
+    public async Task ImportIntoIndividualVaultAsync_WithPolicyRequirementsEnabled_WithDisablePersonalOwnershipPolicyDisabled_Success(
+        Guid importingUserId,
+        List<CipherDetails> ciphers,
+        SutProvider<ImportCiphersCommand> sutProvider)
+    {
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.PolicyRequirements)
+            .Returns(true);
+
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<PersonalOwnershipPolicyRequirement>(importingUserId)
+            .Returns(new PersonalOwnershipPolicyRequirement { DisablePersonalOwnership = false });
+
+        sutProvider.GetDependency<IFolderRepository>()
+            .GetManyByUserIdAsync(importingUserId)
+            .Returns(new List<Folder>());
+
+        var folders = new List<Folder> { new Folder { UserId = importingUserId } };
+
+        var folderRelationships = new List<KeyValuePair<int, int>>();
+
+        await sutProvider.Sut.ImportIntoIndividualVaultAsync(folders, ciphers, folderRelationships, importingUserId);
+
+        await sutProvider.GetDependency<ICipherRepository>().Received(1).CreateAsync(ciphers, Arg.Any<List<Folder>>());
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncVaultAsync(importingUserId);
+    }
+
     [Theory, BitAutoData]
     public async Task ImportIntoIndividualVaultAsync_ThrowsBadRequestException(
         List<Folder> folders,
@@ -73,6 +103,32 @@ public class ImportCiphersAsyncCommandTests
         Assert.Equal("You cannot import items into your personal vault because you are a member of an organization which forbids it.", exception.Message);
     }
 
+    [Theory, BitAutoData]
+    public async Task ImportIntoIndividualVaultAsync_WithPolicyRequirementsEnabled_WithDisablePersonalOwnershipPolicyEnabled_ThrowsBadRequestException(
+        List<Folder> folders,
+        List<CipherDetails> ciphers,
+        SutProvider<ImportCiphersCommand> sutProvider)
+    {
+        var userId = Guid.NewGuid();
+        folders.ForEach(f => f.UserId = userId);
+        ciphers.ForEach(c => c.UserId = userId);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.PolicyRequirements)
+            .Returns(true);
+
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<PersonalOwnershipPolicyRequirement>(userId)
+            .Returns(new PersonalOwnershipPolicyRequirement { DisablePersonalOwnership = true });
+
+        var folderRelationships = new List<KeyValuePair<int, int>>();
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
+            sutProvider.Sut.ImportIntoIndividualVaultAsync(folders, ciphers, folderRelationships, userId));
+
+        Assert.Equal("You cannot import items into your personal vault because you are a member of an organization which forbids it.", exception.Message);
+    }
+
     [Theory, BitAutoData]
     public async Task ImportIntoOrganizationalVaultAsync_Success(
         Organization organization,
diff --git a/test/Core.Test/Vault/Services/CipherServiceTests.cs b/test/Core.Test/Vault/Services/CipherServiceTests.cs
index 3ef29146c2..a7dcbddcea 100644
--- a/test/Core.Test/Vault/Services/CipherServiceTests.cs
+++ b/test/Core.Test/Vault/Services/CipherServiceTests.cs
@@ -1,5 +1,9 @@
 using System.Text.Json;
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.AdminConsole.Services;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@@ -107,6 +111,98 @@ public class CipherServiceTests
         await sutProvider.GetDependency<ICipherRepository>().Received(1).ReplaceAsync(cipherDetails);
     }
 
+    [Theory]
+    [BitAutoData]
+    public async Task SaveDetailsAsync_PersonalVault_WithDisablePersonalOwnershipPolicyEnabled_Throws(
+        SutProvider<CipherService> sutProvider,
+        CipherDetails cipher,
+        Guid savingUserId)
+    {
+        cipher.Id = default;
+        cipher.UserId = savingUserId;
+        cipher.OrganizationId = null;
+
+        sutProvider.GetDependency<IPolicyService>()
+            .AnyPoliciesApplicableToUserAsync(savingUserId, PolicyType.PersonalOwnership)
+            .Returns(true);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.SaveDetailsAsync(cipher, savingUserId, null));
+        Assert.Contains("restricted from saving items to your personal vault", exception.Message);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task SaveDetailsAsync_PersonalVault_WithDisablePersonalOwnershipPolicyDisabled_Succeeds(
+        SutProvider<CipherService> sutProvider,
+        CipherDetails cipher,
+        Guid savingUserId)
+    {
+        cipher.Id = default;
+        cipher.UserId = savingUserId;
+        cipher.OrganizationId = null;
+
+        sutProvider.GetDependency<IPolicyService>()
+            .AnyPoliciesApplicableToUserAsync(savingUserId, PolicyType.PersonalOwnership)
+            .Returns(false);
+
+        await sutProvider.Sut.SaveDetailsAsync(cipher, savingUserId, null);
+
+        await sutProvider.GetDependency<ICipherRepository>()
+            .Received(1)
+            .CreateAsync(cipher);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task SaveDetailsAsync_PersonalVault_WithPolicyRequirementsEnabled_WithDisablePersonalOwnershipPolicyEnabled_Throws(
+        SutProvider<CipherService> sutProvider,
+        CipherDetails cipher,
+        Guid savingUserId)
+    {
+        cipher.Id = default;
+        cipher.UserId = savingUserId;
+        cipher.OrganizationId = null;
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.PolicyRequirements)
+            .Returns(true);
+
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<PersonalOwnershipPolicyRequirement>(savingUserId)
+            .Returns(new PersonalOwnershipPolicyRequirement { DisablePersonalOwnership = true });
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.SaveDetailsAsync(cipher, savingUserId, null));
+        Assert.Contains("restricted from saving items to your personal vault", exception.Message);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task SaveDetailsAsync_PersonalVault_WithPolicyRequirementsEnabled_WithDisablePersonalOwnershipPolicyDisabled_Succeeds(
+        SutProvider<CipherService> sutProvider,
+        CipherDetails cipher,
+        Guid savingUserId)
+    {
+        cipher.Id = default;
+        cipher.UserId = savingUserId;
+        cipher.OrganizationId = null;
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.PolicyRequirements)
+            .Returns(true);
+
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<PersonalOwnershipPolicyRequirement>(savingUserId)
+            .Returns(new PersonalOwnershipPolicyRequirement { DisablePersonalOwnership = false });
+
+        await sutProvider.Sut.SaveDetailsAsync(cipher, savingUserId, null);
+
+        await sutProvider.GetDependency<ICipherRepository>()
+            .Received(1)
+            .CreateAsync(cipher);
+    }
+
     [Theory]
     [BitAutoData("")]
     [BitAutoData("Correct Time")]

From 6f227c31e2be364d0c147b454dd87c21e4179030 Mon Sep 17 00:00:00 2001
From: Bernd Schoolmann <mail@quexten.com>
Date: Wed, 26 Mar 2025 15:10:35 +0100
Subject: [PATCH 125/184] Sort km feature flags (#5557)

---
 src/Core/Constants.cs | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index e41391b173..c629881458 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -129,19 +129,25 @@ public static class FeatureFlagKeys
     /* Auth Team */
     public const string PM9112DeviceApprovalPersistence = "pm-9112-device-approval-persistence";
 
+    /* Key Management Team */
+    public const string SSHKeyItemVaultItem = "ssh-key-vault-item";
+    public const string SSHAgent = "ssh-agent";
+    public const string SSHVersionCheckQAOverride = "ssh-version-check-qa-override";
+    public const string Argon2Default = "argon2-default";
+    public const string PM4154BulkEncryptionService = "PM-4154-bulk-encryption-service";
+    public const string PrivateKeyRegeneration = "pm-12241-private-key-regeneration";
+    public const string UserkeyRotationV2 = "userkey-rotation-v2";
+
+    /* Unsorted */
     public const string ReturnErrorOnExistingKeypair = "return-error-on-existing-keypair";
     public const string UseTreeWalkerApiForPageDetailsCollection = "use-tree-walker-api-for-page-details-collection";
     public const string DuoRedirect = "duo-redirect";
     public const string AC2101UpdateTrialInitiationEmail = "AC-2101-update-trial-initiation-email";
     public const string EmailVerification = "email-verification";
     public const string EmailVerificationDisableTimingDelays = "email-verification-disable-timing-delays";
-    public const string PM4154BulkEncryptionService = "PM-4154-bulk-encryption-service";
     public const string InlineMenuFieldQualification = "inline-menu-field-qualification";
     public const string InlineMenuPositioningImprovements = "inline-menu-positioning-improvements";
     public const string DeviceTrustLogging = "pm-8285-device-trust-logging";
-    public const string SSHKeyItemVaultItem = "ssh-key-vault-item";
-    public const string SSHAgent = "ssh-agent";
-    public const string SSHVersionCheckQAOverride = "ssh-version-check-qa-override";
     public const string AuthenticatorTwoFactorToken = "authenticator-2fa-token";
     public const string IdpAutoSubmitLogin = "idp-auto-submit-login";
     public const string UnauthenticatedExtensionUIRefresh = "unauth-ui-refresh";
@@ -162,13 +168,10 @@ public static class FeatureFlagKeys
     public const string NewDeviceVerification = "new-device-verification";
     public const string MacOsNativeCredentialSync = "macos-native-credential-sync";
     public const string InlineMenuTotp = "inline-menu-totp";
-    public const string PrivateKeyRegeneration = "pm-12241-private-key-regeneration";
     public const string AppReviewPrompt = "app-review-prompt";
     public const string ResellerManagedOrgAlert = "PM-15814-alert-owners-of-reseller-managed-orgs";
-    public const string Argon2Default = "argon2-default";
     public const string UsePricingService = "use-pricing-service";
     public const string RecordInstallationLastActivityDate = "installation-last-activity-date";
-    public const string UserkeyRotationV2 = "userkey-rotation-v2";
     public const string EnablePasswordManagerSyncAndroid = "enable-password-manager-sync-android";
     public const string EnablePasswordManagerSynciOS = "enable-password-manager-sync-ios";
     public const string AccountDeprovisioningBanner = "pm-17120-account-deprovisioning-admin-console-banner";

From d4b00583728f1e85de3ba8e0b62ee16767842855 Mon Sep 17 00:00:00 2001
From: Matt Bishop <mbishop@bitwarden.com>
Date: Wed, 26 Mar 2025 11:44:05 -0400
Subject: [PATCH 126/184] Organization integrations and configuration database
 schemas (#5553)

* Organization integrations and configuration database schemas

* Format EF files
---
 .../Entities/OrganizationIntegration.cs       |   18 +
 .../OrganizationIntegrationConfiguration.cs   |   19 +
 .../AdminConsole/Enums/IntegrationType.cs     |    7 +
 ...ionConfigurationEntityTypeConfiguration.cs |   17 +
 ...ationIntegrationEntityTypeConfiguration.cs |   26 +
 .../Models/OrganizationIntegration.cs         |   16 +
 .../OrganizationIntegrationConfiguration.cs   |   16 +
 ...EventTypeOrganizationIdIntegrationType.sql |   22 +
 .../dbo/Tables/OrganizationIntegration.sql    |   20 +
 .../OrganizationIntegrationConfiguration.sql  |   13 +
 ...ganizationIntegrationConfigurationView.sql |    6 +
 .../dbo/Views/OrganizationIntegrationView.sql |    6 +
 ...2025-03-24_00_OrganizationIntegrations.sql |  101 +
 ...31708_OrganizationIntegrations.Designer.cs | 3101 ++++++++++++++++
 ...20250325231708_OrganizationIntegrations.cs |   89 +
 .../DatabaseContextModelSnapshot.cs           |   92 +-
 ...31701_OrganizationIntegrations.Designer.cs | 3107 +++++++++++++++++
 ...20250325231701_OrganizationIntegrations.cs |   84 +
 .../DatabaseContextModelSnapshot.cs           |   92 +-
 ...31714_OrganizationIntegrations.Designer.cs | 3090 ++++++++++++++++
 ...20250325231714_OrganizationIntegrations.cs |   84 +
 .../DatabaseContextModelSnapshot.cs           |   92 +-
 22 files changed, 10106 insertions(+), 12 deletions(-)
 create mode 100644 src/Core/AdminConsole/Entities/OrganizationIntegration.cs
 create mode 100644 src/Core/AdminConsole/Entities/OrganizationIntegrationConfiguration.cs
 create mode 100644 src/Core/AdminConsole/Enums/IntegrationType.cs
 create mode 100644 src/Infrastructure.EntityFramework/AdminConsole/Configurations/OrganizationIntegrationConfigurationEntityTypeConfiguration.cs
 create mode 100644 src/Infrastructure.EntityFramework/AdminConsole/Configurations/OrganizationIntegrationEntityTypeConfiguration.cs
 create mode 100644 src/Infrastructure.EntityFramework/AdminConsole/Models/OrganizationIntegration.cs
 create mode 100644 src/Infrastructure.EntityFramework/AdminConsole/Models/OrganizationIntegrationConfiguration.cs
 create mode 100644 src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfiguration_ReadManyByEventTypeOrganizationIdIntegrationType.sql
 create mode 100644 src/Sql/dbo/Tables/OrganizationIntegration.sql
 create mode 100644 src/Sql/dbo/Tables/OrganizationIntegrationConfiguration.sql
 create mode 100644 src/Sql/dbo/Views/OrganizationIntegrationConfigurationView.sql
 create mode 100644 src/Sql/dbo/Views/OrganizationIntegrationView.sql
 create mode 100644 util/Migrator/DbScripts/2025-03-24_00_OrganizationIntegrations.sql
 create mode 100644 util/MySqlMigrations/Migrations/20250325231708_OrganizationIntegrations.Designer.cs
 create mode 100644 util/MySqlMigrations/Migrations/20250325231708_OrganizationIntegrations.cs
 create mode 100644 util/PostgresMigrations/Migrations/20250325231701_OrganizationIntegrations.Designer.cs
 create mode 100644 util/PostgresMigrations/Migrations/20250325231701_OrganizationIntegrations.cs
 create mode 100644 util/SqliteMigrations/Migrations/20250325231714_OrganizationIntegrations.Designer.cs
 create mode 100644 util/SqliteMigrations/Migrations/20250325231714_OrganizationIntegrations.cs

diff --git a/src/Core/AdminConsole/Entities/OrganizationIntegration.cs b/src/Core/AdminConsole/Entities/OrganizationIntegration.cs
new file mode 100644
index 0000000000..18f8be8667
--- /dev/null
+++ b/src/Core/AdminConsole/Entities/OrganizationIntegration.cs
@@ -0,0 +1,18 @@
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Utilities;
+
+#nullable enable
+
+namespace Bit.Core.AdminConsole.Entities;
+
+public class OrganizationIntegration : ITableObject<Guid>
+{
+    public Guid Id { get; set; }
+    public Guid OrganizationId { get; set; }
+    public IntegrationType Type { get; set; }
+    public string? Configuration { get; set; }
+    public DateTime CreationDate { get; set; } = DateTime.UtcNow;
+    public DateTime RevisionDate { get; set; } = DateTime.UtcNow;
+    public void SetNewId() => Id = CoreHelpers.GenerateComb();
+}
diff --git a/src/Core/AdminConsole/Entities/OrganizationIntegrationConfiguration.cs b/src/Core/AdminConsole/Entities/OrganizationIntegrationConfiguration.cs
new file mode 100644
index 0000000000..7592d0c763
--- /dev/null
+++ b/src/Core/AdminConsole/Entities/OrganizationIntegrationConfiguration.cs
@@ -0,0 +1,19 @@
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Utilities;
+
+#nullable enable
+
+namespace Bit.Core.AdminConsole.Entities;
+
+public class OrganizationIntegrationConfiguration : ITableObject<Guid>
+{
+    public Guid Id { get; set; }
+    public Guid OrganizationIntegrationId { get; set; }
+    public EventType EventType { get; set; }
+    public string? Configuration { get; set; }
+    public string? Template { get; set; }
+    public DateTime CreationDate { get; set; } = DateTime.UtcNow;
+    public DateTime RevisionDate { get; set; } = DateTime.UtcNow;
+    public void SetNewId() => Id = CoreHelpers.GenerateComb();
+}
diff --git a/src/Core/AdminConsole/Enums/IntegrationType.cs b/src/Core/AdminConsole/Enums/IntegrationType.cs
new file mode 100644
index 0000000000..16c7818dee
--- /dev/null
+++ b/src/Core/AdminConsole/Enums/IntegrationType.cs
@@ -0,0 +1,7 @@
+namespace Bit.Core.Enums;
+
+public enum IntegrationType : int
+{
+    Slack = 1,
+    Webhook = 2,
+}
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Configurations/OrganizationIntegrationConfigurationEntityTypeConfiguration.cs b/src/Infrastructure.EntityFramework/AdminConsole/Configurations/OrganizationIntegrationConfigurationEntityTypeConfiguration.cs
new file mode 100644
index 0000000000..29712f5e38
--- /dev/null
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Configurations/OrganizationIntegrationConfigurationEntityTypeConfiguration.cs
@@ -0,0 +1,17 @@
+using Bit.Infrastructure.EntityFramework.AdminConsole.Models;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Metadata.Builders;
+
+namespace Bit.Infrastructure.EntityFramework.AdminConsole.Configurations;
+
+public class OrganizationIntegrationConfigurationEntityTypeConfiguration : IEntityTypeConfiguration<OrganizationIntegrationConfiguration>
+{
+    public void Configure(EntityTypeBuilder<OrganizationIntegrationConfiguration> builder)
+    {
+        builder
+            .Property(p => p.Id)
+            .ValueGeneratedNever();
+
+        builder.ToTable(nameof(OrganizationIntegrationConfiguration));
+    }
+}
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Configurations/OrganizationIntegrationEntityTypeConfiguration.cs b/src/Infrastructure.EntityFramework/AdminConsole/Configurations/OrganizationIntegrationEntityTypeConfiguration.cs
new file mode 100644
index 0000000000..c2134c1b7d
--- /dev/null
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Configurations/OrganizationIntegrationEntityTypeConfiguration.cs
@@ -0,0 +1,26 @@
+using Bit.Infrastructure.EntityFramework.AdminConsole.Models;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Metadata.Builders;
+
+namespace Bit.Infrastructure.EntityFramework.AdminConsole.Configurations;
+
+public class OrganizationIntegrationEntityTypeConfiguration : IEntityTypeConfiguration<OrganizationIntegration>
+{
+    public void Configure(EntityTypeBuilder<OrganizationIntegration> builder)
+    {
+        builder
+            .Property(p => p.Id)
+            .ValueGeneratedNever();
+
+        builder
+            .HasIndex(p => p.OrganizationId)
+            .IsClustered(false);
+
+        builder
+            .HasIndex(p => new { p.OrganizationId, p.Type })
+            .IsUnique()
+            .IsClustered(false);
+
+        builder.ToTable(nameof(OrganizationIntegration));
+    }
+}
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Models/OrganizationIntegration.cs b/src/Infrastructure.EntityFramework/AdminConsole/Models/OrganizationIntegration.cs
new file mode 100644
index 0000000000..db81b81166
--- /dev/null
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Models/OrganizationIntegration.cs
@@ -0,0 +1,16 @@
+using AutoMapper;
+
+namespace Bit.Infrastructure.EntityFramework.AdminConsole.Models;
+
+public class OrganizationIntegration : Core.AdminConsole.Entities.OrganizationIntegration
+{
+    public virtual Organization Organization { get; set; }
+}
+
+public class OrganizationIntegrationMapperProfile : Profile
+{
+    public OrganizationIntegrationMapperProfile()
+    {
+        CreateMap<Core.AdminConsole.Entities.OrganizationIntegration, OrganizationIntegration>().ReverseMap();
+    }
+}
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Models/OrganizationIntegrationConfiguration.cs b/src/Infrastructure.EntityFramework/AdminConsole/Models/OrganizationIntegrationConfiguration.cs
new file mode 100644
index 0000000000..465a49dc02
--- /dev/null
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Models/OrganizationIntegrationConfiguration.cs
@@ -0,0 +1,16 @@
+using AutoMapper;
+
+namespace Bit.Infrastructure.EntityFramework.AdminConsole.Models;
+
+public class OrganizationIntegrationConfiguration : Core.AdminConsole.Entities.OrganizationIntegrationConfiguration
+{
+    public virtual OrganizationIntegration OrganizationIntegration { get; set; }
+}
+
+public class OrganizationIntegrationConfigurationMapperProfile : Profile
+{
+    public OrganizationIntegrationConfigurationMapperProfile()
+    {
+        CreateMap<Core.AdminConsole.Entities.OrganizationIntegrationConfiguration, OrganizationIntegrationConfiguration>().ReverseMap();
+    }
+}
diff --git a/src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfiguration_ReadManyByEventTypeOrganizationIdIntegrationType.sql b/src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfiguration_ReadManyByEventTypeOrganizationIdIntegrationType.sql
new file mode 100644
index 0000000000..113aa2e529
--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfiguration_ReadManyByEventTypeOrganizationIdIntegrationType.sql	
@@ -0,0 +1,22 @@
+CREATE PROCEDURE [dbo].[OrganizationIntegrationConfiguration_ReadManyByEventTypeOrganizationIdIntegrationType]
+    @EventType SMALLINT,
+    @OrganizationId UNIQUEIDENTIFIER,
+    @IntegrationType SMALLINT
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        oic.*
+    FROM
+        [dbo].[OrganizationIntegrationConfigurationView] oic
+        INNER JOIN
+        [dbo].[OrganizationIntegration] oi ON oi.[Id] = oic.[OrganizationIntegrationId]
+    WHERE
+        oic.[EventType] = @EventType
+        AND
+        oi.[OrganizationId] = @OrganizationId
+        AND
+        oi.[Type] = @IntegrationType
+END
+GO
diff --git a/src/Sql/dbo/Tables/OrganizationIntegration.sql b/src/Sql/dbo/Tables/OrganizationIntegration.sql
new file mode 100644
index 0000000000..8ac289c303
--- /dev/null
+++ b/src/Sql/dbo/Tables/OrganizationIntegration.sql
@@ -0,0 +1,20 @@
+CREATE TABLE [dbo].[OrganizationIntegration]
+(
+    [Id] UNIQUEIDENTIFIER NOT NULL,
+    [OrganizationId] UNIQUEIDENTIFIER NOT NULL,
+    [Type] SMALLINT NOT NULL,
+    [Configuration] VARCHAR (MAX) NULL,
+    [CreationDate] DATETIME2 (7) NOT NULL,
+    [RevisionDate] DATETIME2 (7) NOT NULL,
+    CONSTRAINT [PK_OrganizationIntegration] PRIMARY KEY CLUSTERED ([Id] ASC),
+    CONSTRAINT [FK_OrganizationIntegration_Organization] FOREIGN KEY ([OrganizationId]) REFERENCES [dbo].[Organization] ([Id])
+);
+GO
+
+CREATE NONCLUSTERED INDEX [IX_OrganizationIntegration_OrganizationId]
+    ON [dbo].[OrganizationIntegration]([OrganizationId] ASC);
+GO
+
+CREATE UNIQUE INDEX [IX_OrganizationIntegration_Organization_Type]
+    ON [dbo].[OrganizationIntegration]([OrganizationId], [Type]);
+GO
diff --git a/src/Sql/dbo/Tables/OrganizationIntegrationConfiguration.sql b/src/Sql/dbo/Tables/OrganizationIntegrationConfiguration.sql
new file mode 100644
index 0000000000..9dbb2341a7
--- /dev/null
+++ b/src/Sql/dbo/Tables/OrganizationIntegrationConfiguration.sql
@@ -0,0 +1,13 @@
+CREATE TABLE [dbo].[OrganizationIntegrationConfiguration]
+(
+    [Id] UNIQUEIDENTIFIER NOT NULL,
+    [OrganizationIntegrationId] UNIQUEIDENTIFIER NOT NULL,
+    [EventType] SMALLINT NOT NULL,
+    [Configuration] VARCHAR (MAX) NULL,
+    [Template] VARCHAR (MAX) NULL,
+    [CreationDate] DATETIME2 (7) NOT NULL,
+    [RevisionDate] DATETIME2 (7) NOT NULL,
+    CONSTRAINT [PK_OrganizationIntegrationConfiguration] PRIMARY KEY CLUSTERED ([Id] ASC),
+    CONSTRAINT [FK_OrganizationIntegrationConfiguration_OrganizationIntegration] FOREIGN KEY ([OrganizationIntegrationId]) REFERENCES [dbo].[OrganizationIntegration] ([Id])
+);
+GO
diff --git a/src/Sql/dbo/Views/OrganizationIntegrationConfigurationView.sql b/src/Sql/dbo/Views/OrganizationIntegrationConfigurationView.sql
new file mode 100644
index 0000000000..4f39fbc8f3
--- /dev/null
+++ b/src/Sql/dbo/Views/OrganizationIntegrationConfigurationView.sql
@@ -0,0 +1,6 @@
+CREATE VIEW [dbo].[OrganizationIntegrationConfigurationView]
+AS
+    SELECT
+        *
+    FROM
+        [dbo].[OrganizationIntegrationConfiguration]
diff --git a/src/Sql/dbo/Views/OrganizationIntegrationView.sql b/src/Sql/dbo/Views/OrganizationIntegrationView.sql
new file mode 100644
index 0000000000..31e005d5d2
--- /dev/null
+++ b/src/Sql/dbo/Views/OrganizationIntegrationView.sql
@@ -0,0 +1,6 @@
+CREATE VIEW [dbo].[OrganizationIntegrationView]
+AS
+    SELECT
+        *
+    FROM
+        [dbo].[OrganizationIntegration]
diff --git a/util/Migrator/DbScripts/2025-03-24_00_OrganizationIntegrations.sql b/util/Migrator/DbScripts/2025-03-24_00_OrganizationIntegrations.sql
new file mode 100644
index 0000000000..56d4d465d2
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-03-24_00_OrganizationIntegrations.sql
@@ -0,0 +1,101 @@
+-- OrganizationIntegration
+
+-- Table
+IF OBJECT_ID('[dbo].[OrganizationIntegration]') IS NULL
+BEGIN
+    CREATE TABLE [dbo].[OrganizationIntegration]
+    (
+        [Id] UNIQUEIDENTIFIER NOT NULL,
+        [OrganizationId] UNIQUEIDENTIFIER NOT NULL,
+        [Type] SMALLINT NOT NULL,
+        [Configuration] VARCHAR (MAX) NULL,
+        [CreationDate] DATETIME2 (7) NOT NULL,
+        [RevisionDate] DATETIME2 (7) NOT NULL,
+        CONSTRAINT [PK_OrganizationIntegration] PRIMARY KEY CLUSTERED ([Id] ASC),
+        CONSTRAINT [FK_OrganizationIntegration_Organization] FOREIGN KEY ([OrganizationId]) REFERENCES [dbo].[Organization] ([Id])
+    );
+
+    CREATE NONCLUSTERED INDEX [IX_OrganizationIntegration_OrganizationId]
+    ON [dbo].[OrganizationIntegration]([OrganizationId] ASC);
+
+    CREATE UNIQUE INDEX [IX_OrganizationIntegration_Organization_Type]
+    ON [dbo].[OrganizationIntegration]([OrganizationId], [Type]);
+END
+GO
+
+-- View
+IF EXISTS(SELECT *
+FROM sys.views
+WHERE [Name] = 'OrganizationIntegrationView')
+BEGIN
+    DROP VIEW [dbo].[OrganizationIntegrationView];
+END
+GO
+
+CREATE VIEW [dbo].[OrganizationIntegrationView]
+AS
+    SELECT
+        *
+    FROM
+        [dbo].[OrganizationIntegration]
+GO
+
+-- OrganizationIntegrationConfiguration
+
+-- Table
+IF OBJECT_ID('[dbo].[OrganizationIntegrationConfiguration]') IS NULL
+BEGIN
+    CREATE TABLE [dbo].[OrganizationIntegrationConfiguration]
+    (
+        [Id] UNIQUEIDENTIFIER NOT NULL,
+        [OrganizationIntegrationId] UNIQUEIDENTIFIER NOT NULL,
+        [EventType] SMALLINT NOT NULL,
+        [Configuration] VARCHAR (MAX) NULL,
+        [Template] VARCHAR (MAX) NULL,
+        [CreationDate] DATETIME2 (7) NOT NULL,
+        [RevisionDate] DATETIME2 (7) NOT NULL,
+        CONSTRAINT [PK_OrganizationIntegrationConfiguration] PRIMARY KEY CLUSTERED ([Id] ASC),
+        CONSTRAINT [FK_OrganizationIntegrationConfiguration_OrganizationIntegration] FOREIGN KEY ([OrganizationIntegrationId]) REFERENCES [dbo].[OrganizationIntegration] ([Id])
+    );
+END
+GO
+
+-- View
+IF EXISTS(SELECT *
+FROM sys.views
+WHERE [Name] = 'OrganizationIntegrationConfigurationView')
+BEGIN
+    DROP VIEW [dbo].[OrganizationIntegrationConfigurationView];
+END
+GO
+
+CREATE VIEW [dbo].[OrganizationIntegrationConfigurationView]
+AS
+    SELECT
+        *
+    FROM
+        [dbo].[OrganizationIntegrationConfiguration]
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[OrganizationIntegrationConfiguration_ReadManyByEventTypeOrganizationIdIntegrationType]
+    @EventType SMALLINT,
+    @OrganizationId UNIQUEIDENTIFIER,
+    @IntegrationType SMALLINT
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        oic.*
+    FROM
+        [dbo].[OrganizationIntegrationConfigurationView] oic
+        INNER JOIN
+        [dbo].[OrganizationIntegration] oi ON oi.[Id] = oic.[OrganizationIntegrationId]
+    WHERE
+        oic.[EventType] = @EventType
+        AND
+        oi.[OrganizationId] = @OrganizationId
+        AND
+        oi.[Type] = @IntegrationType
+END
+GO
diff --git a/util/MySqlMigrations/Migrations/20250325231708_OrganizationIntegrations.Designer.cs b/util/MySqlMigrations/Migrations/20250325231708_OrganizationIntegrations.Designer.cs
new file mode 100644
index 0000000000..0968a87104
--- /dev/null
+++ b/util/MySqlMigrations/Migrations/20250325231708_OrganizationIntegrations.Designer.cs
@@ -0,0 +1,3101 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Metadata;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20250325231708_OrganizationIntegrations")]
+    partial class OrganizationIntegrations
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "8.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 64);
+
+            MySqlModelBuilderExtensions.AutoIncrementColumns(modelBuilder);
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("tinyint(1)")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("varchar(2)");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("LimitItemDeletion")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("int");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("smallint");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("int");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegration", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Configuration")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationIntegration", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegrationConfiguration", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Configuration")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<int>("EventType")
+                        .HasColumnType("int");
+
+                    b.Property<Guid>("OrganizationIntegrationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Template")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationIntegrationId");
+
+                    b.ToTable("OrganizationIntegrationConfiguration", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("DiscountId")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("varchar(25)");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("RequestCountryName")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("int");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UserId" })
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("int");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("varchar(2000)");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("varchar(20)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("int");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("varchar(449)");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("bigint");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("longblob");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("tinyint(1)")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("varchar(255)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("longtext");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("varchar(255)");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("int");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("int");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("varchar(40)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("varchar(10)");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("varchar(2)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("decimal(65,30)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("varchar(30)");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("varchar(7)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("varchar(10)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("longtext");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("int");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("int");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("int");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("varchar(100)");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("varchar(300)");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("varchar(50)");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("varchar(32)");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Body")
+                        .HasMaxLength(3000)
+                        .HasColumnType("varchar(3000)");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid?>("TaskId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("TaskId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Platform.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("varchar(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("varchar(150)");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("varchar(34)");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("tinyint(1)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("tinyint(1)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("varchar(128)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("varchar(4000)");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("varchar(4000)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("tinyint unsigned");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("char(36)");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegration", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegrationConfiguration", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegration", "OrganizationIntegration")
+                        .WithMany()
+                        .HasForeignKey("OrganizationIntegrationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("OrganizationIntegration");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Platform.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", "Task")
+                        .WithMany()
+                        .HasForeignKey("TaskId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Task");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/MySqlMigrations/Migrations/20250325231708_OrganizationIntegrations.cs b/util/MySqlMigrations/Migrations/20250325231708_OrganizationIntegrations.cs
new file mode 100644
index 0000000000..d488f3fc4a
--- /dev/null
+++ b/util/MySqlMigrations/Migrations/20250325231708_OrganizationIntegrations.cs
@@ -0,0 +1,89 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class OrganizationIntegrations : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.CreateTable(
+            name: "OrganizationIntegration",
+            columns: table => new
+            {
+                Id = table.Column<Guid>(type: "char(36)", nullable: false, collation: "ascii_general_ci"),
+                OrganizationId = table.Column<Guid>(type: "char(36)", nullable: false, collation: "ascii_general_ci"),
+                Type = table.Column<int>(type: "int", nullable: false),
+                Configuration = table.Column<string>(type: "longtext", nullable: true)
+                    .Annotation("MySql:CharSet", "utf8mb4"),
+                CreationDate = table.Column<DateTime>(type: "datetime(6)", nullable: false),
+                RevisionDate = table.Column<DateTime>(type: "datetime(6)", nullable: false)
+            },
+            constraints: table =>
+            {
+                table.PrimaryKey("PK_OrganizationIntegration", x => x.Id);
+                table.ForeignKey(
+                    name: "FK_OrganizationIntegration_Organization_OrganizationId",
+                    column: x => x.OrganizationId,
+                    principalTable: "Organization",
+                    principalColumn: "Id",
+                    onDelete: ReferentialAction.Cascade);
+            })
+            .Annotation("MySql:CharSet", "utf8mb4");
+
+        migrationBuilder.CreateTable(
+            name: "OrganizationIntegrationConfiguration",
+            columns: table => new
+            {
+                Id = table.Column<Guid>(type: "char(36)", nullable: false, collation: "ascii_general_ci"),
+                OrganizationIntegrationId = table.Column<Guid>(type: "char(36)", nullable: false, collation: "ascii_general_ci"),
+                EventType = table.Column<int>(type: "int", nullable: false),
+                Configuration = table.Column<string>(type: "longtext", nullable: true)
+                    .Annotation("MySql:CharSet", "utf8mb4"),
+                Template = table.Column<string>(type: "longtext", nullable: true)
+                    .Annotation("MySql:CharSet", "utf8mb4"),
+                CreationDate = table.Column<DateTime>(type: "datetime(6)", nullable: false),
+                RevisionDate = table.Column<DateTime>(type: "datetime(6)", nullable: false)
+            },
+            constraints: table =>
+            {
+                table.PrimaryKey("PK_OrganizationIntegrationConfiguration", x => x.Id);
+                table.ForeignKey(
+                    name: "FK_OrganizationIntegrationConfiguration_OrganizationIntegration~",
+                    column: x => x.OrganizationIntegrationId,
+                    principalTable: "OrganizationIntegration",
+                    principalColumn: "Id",
+                    onDelete: ReferentialAction.Cascade);
+            })
+            .Annotation("MySql:CharSet", "utf8mb4");
+
+        migrationBuilder.CreateIndex(
+            name: "IX_OrganizationIntegration_OrganizationId",
+            table: "OrganizationIntegration",
+            column: "OrganizationId");
+
+        migrationBuilder.CreateIndex(
+            name: "IX_OrganizationIntegration_OrganizationId_Type",
+            table: "OrganizationIntegration",
+            columns: new[] { "OrganizationId", "Type" },
+            unique: true);
+
+        migrationBuilder.CreateIndex(
+            name: "IX_OrganizationIntegrationConfiguration_OrganizationIntegration~",
+            table: "OrganizationIntegrationConfiguration",
+            column: "OrganizationIntegrationId");
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropTable(
+            name: "OrganizationIntegrationConfiguration");
+
+        migrationBuilder.DropTable(
+            name: "OrganizationIntegration");
+    }
+}
diff --git a/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
index dfd5d4a983..4b3f8934f3 100644
--- a/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -217,6 +217,68 @@ namespace Bit.MySqlMigrations.Migrations
                     b.ToTable("Organization", (string)null);
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegration", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Configuration")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationIntegration", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegrationConfiguration", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("char(36)");
+
+                    b.Property<string>("Configuration")
+                        .HasColumnType("longtext");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<int>("EventType")
+                        .HasColumnType("int");
+
+                    b.Property<Guid>("OrganizationIntegrationId")
+                        .HasColumnType("char(36)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Template")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationIntegrationId");
+
+                    b.ToTable("OrganizationIntegrationConfiguration", (string)null);
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
                 {
                     b.Property<Guid>("Id")
@@ -407,10 +469,6 @@ namespace Bit.MySqlMigrations.Migrations
                     b.Property<DateTime?>("AuthenticationDate")
                         .HasColumnType("datetime(6)");
 
-                    b.Property<string>("RequestCountryName")
-                        .HasMaxLength(200)
-                        .HasColumnType("varchar(200)");
-
                     b.Property<DateTime>("CreationDate")
                         .HasColumnType("datetime(6)");
 
@@ -426,6 +484,10 @@ namespace Bit.MySqlMigrations.Migrations
                     b.Property<string>("PublicKey")
                         .HasColumnType("longtext");
 
+                    b.Property<string>("RequestCountryName")
+                        .HasMaxLength(200)
+                        .HasColumnType("varchar(200)");
+
                     b.Property<string>("RequestDeviceIdentifier")
                         .HasMaxLength(50)
                         .HasColumnType("varchar(50)");
@@ -2259,6 +2321,28 @@ namespace Bit.MySqlMigrations.Migrations
                     b.HasDiscriminator().HasValue("user_service_account");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegration", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegrationConfiguration", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegration", "OrganizationIntegration")
+                        .WithMany()
+                        .HasForeignKey("OrganizationIntegrationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("OrganizationIntegration");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
                 {
                     b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
diff --git a/util/PostgresMigrations/Migrations/20250325231701_OrganizationIntegrations.Designer.cs b/util/PostgresMigrations/Migrations/20250325231701_OrganizationIntegrations.Designer.cs
new file mode 100644
index 0000000000..3639a6449e
--- /dev/null
+++ b/util/PostgresMigrations/Migrations/20250325231701_OrganizationIntegrations.Designer.cs
@@ -0,0 +1,3107 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20250325231701_OrganizationIntegrations")]
+    partial class OrganizationIntegrations
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("Npgsql:CollationDefinition:postgresIndetermanisticCollation", "en-u-ks-primary,en-u-ks-primary,icu,False")
+                .HasAnnotation("ProductVersion", "8.0.8")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("character varying(2)");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("LimitItemDeletion")
+                        .HasColumnType("boolean");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("integer");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("smallint");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("integer");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("boolean");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled");
+
+                    NpgsqlIndexBuilderExtensions.IncludeProperties(b.HasIndex("Id", "Enabled"), new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegration", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Configuration")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationIntegration", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegrationConfiguration", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Configuration")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int>("EventType")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid>("OrganizationIntegrationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Template")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationIntegrationId");
+
+                    b.ToTable("OrganizationIntegrationConfiguration", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("DiscountId")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("character varying(25)");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("RequestCountryName")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("bigint");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<long>("Id"));
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    NpgsqlIndexBuilderExtensions.IncludeProperties(b.HasIndex("OrganizationId", "ExternalId"), new[] { "UserId" });
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("character varying(20)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("numeric");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("character varying(449)");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("bigint");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("character varying(255)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("character varying(255)");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("character varying(40)");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("character varying(10)");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("numeric");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("character varying(2)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("numeric");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("boolean");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("numeric");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("character varying(30)");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("character varying(7)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("character varying(10)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)")
+                        .UseCollation("postgresIndetermanisticCollation");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("text");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("integer");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("boolean");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("smallint");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("integer");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("character varying(100)");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("character varying(300)");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("smallint");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("character varying(50)");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("bigint");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("text");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Body")
+                        .HasMaxLength(3000)
+                        .HasColumnType("character varying(3000)");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("TaskId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("TaskId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Platform.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("character varying(150)");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("character varying(34)");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("character varying(4000)");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("character varying(4000)");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("smallint");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("smallint");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("smallint");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegration", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegrationConfiguration", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegration", "OrganizationIntegration")
+                        .WithMany()
+                        .HasForeignKey("OrganizationIntegrationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("OrganizationIntegration");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Platform.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", "Task")
+                        .WithMany()
+                        .HasForeignKey("TaskId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Task");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/PostgresMigrations/Migrations/20250325231701_OrganizationIntegrations.cs b/util/PostgresMigrations/Migrations/20250325231701_OrganizationIntegrations.cs
new file mode 100644
index 0000000000..72b8572abf
--- /dev/null
+++ b/util/PostgresMigrations/Migrations/20250325231701_OrganizationIntegrations.cs
@@ -0,0 +1,84 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class OrganizationIntegrations : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.CreateTable(
+            name: "OrganizationIntegration",
+            columns: table => new
+            {
+                Id = table.Column<Guid>(type: "uuid", nullable: false),
+                OrganizationId = table.Column<Guid>(type: "uuid", nullable: false),
+                Type = table.Column<int>(type: "integer", nullable: false),
+                Configuration = table.Column<string>(type: "text", nullable: true),
+                CreationDate = table.Column<DateTime>(type: "timestamp with time zone", nullable: false),
+                RevisionDate = table.Column<DateTime>(type: "timestamp with time zone", nullable: false)
+            },
+            constraints: table =>
+            {
+                table.PrimaryKey("PK_OrganizationIntegration", x => x.Id);
+                table.ForeignKey(
+                    name: "FK_OrganizationIntegration_Organization_OrganizationId",
+                    column: x => x.OrganizationId,
+                    principalTable: "Organization",
+                    principalColumn: "Id",
+                    onDelete: ReferentialAction.Cascade);
+            });
+
+        migrationBuilder.CreateTable(
+            name: "OrganizationIntegrationConfiguration",
+            columns: table => new
+            {
+                Id = table.Column<Guid>(type: "uuid", nullable: false),
+                OrganizationIntegrationId = table.Column<Guid>(type: "uuid", nullable: false),
+                EventType = table.Column<int>(type: "integer", nullable: false),
+                Configuration = table.Column<string>(type: "text", nullable: true),
+                Template = table.Column<string>(type: "text", nullable: true),
+                CreationDate = table.Column<DateTime>(type: "timestamp with time zone", nullable: false),
+                RevisionDate = table.Column<DateTime>(type: "timestamp with time zone", nullable: false)
+            },
+            constraints: table =>
+            {
+                table.PrimaryKey("PK_OrganizationIntegrationConfiguration", x => x.Id);
+                table.ForeignKey(
+                    name: "FK_OrganizationIntegrationConfiguration_OrganizationIntegratio~",
+                    column: x => x.OrganizationIntegrationId,
+                    principalTable: "OrganizationIntegration",
+                    principalColumn: "Id",
+                    onDelete: ReferentialAction.Cascade);
+            });
+
+        migrationBuilder.CreateIndex(
+            name: "IX_OrganizationIntegration_OrganizationId",
+            table: "OrganizationIntegration",
+            column: "OrganizationId");
+
+        migrationBuilder.CreateIndex(
+            name: "IX_OrganizationIntegration_OrganizationId_Type",
+            table: "OrganizationIntegration",
+            columns: new[] { "OrganizationId", "Type" },
+            unique: true);
+
+        migrationBuilder.CreateIndex(
+            name: "IX_OrganizationIntegrationConfiguration_OrganizationIntegratio~",
+            table: "OrganizationIntegrationConfiguration",
+            column: "OrganizationIntegrationId");
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropTable(
+            name: "OrganizationIntegrationConfiguration");
+
+        migrationBuilder.DropTable(
+            name: "OrganizationIntegration");
+    }
+}
diff --git a/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
index a54bc6bddf..ebb8fa470f 100644
--- a/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -220,6 +220,68 @@ namespace Bit.PostgresMigrations.Migrations
                     b.ToTable("Organization", (string)null);
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegration", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Configuration")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationIntegration", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegrationConfiguration", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Configuration")
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int>("EventType")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid>("OrganizationIntegrationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Template")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationIntegrationId");
+
+                    b.ToTable("OrganizationIntegrationConfiguration", (string)null);
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
                 {
                     b.Property<Guid>("Id")
@@ -410,10 +472,6 @@ namespace Bit.PostgresMigrations.Migrations
                     b.Property<DateTime?>("AuthenticationDate")
                         .HasColumnType("timestamp with time zone");
 
-                    b.Property<string>("RequestCountryName")
-                        .HasMaxLength(200)
-                        .HasColumnType("character varying(200)");
-
                     b.Property<DateTime>("CreationDate")
                         .HasColumnType("timestamp with time zone");
 
@@ -429,6 +487,10 @@ namespace Bit.PostgresMigrations.Migrations
                     b.Property<string>("PublicKey")
                         .HasColumnType("text");
 
+                    b.Property<string>("RequestCountryName")
+                        .HasMaxLength(200)
+                        .HasColumnType("character varying(200)");
+
                     b.Property<string>("RequestDeviceIdentifier")
                         .HasMaxLength(50)
                         .HasColumnType("character varying(50)");
@@ -2265,6 +2327,28 @@ namespace Bit.PostgresMigrations.Migrations
                     b.HasDiscriminator().HasValue("user_service_account");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegration", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegrationConfiguration", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegration", "OrganizationIntegration")
+                        .WithMany()
+                        .HasForeignKey("OrganizationIntegrationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("OrganizationIntegration");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
                 {
                     b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
diff --git a/util/SqliteMigrations/Migrations/20250325231714_OrganizationIntegrations.Designer.cs b/util/SqliteMigrations/Migrations/20250325231714_OrganizationIntegrations.Designer.cs
new file mode 100644
index 0000000000..279dd87331
--- /dev/null
+++ b/util/SqliteMigrations/Migrations/20250325231714_OrganizationIntegrations.Designer.cs
@@ -0,0 +1,3090 @@
+// <auto-generated />
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations
+{
+    [DbContext(typeof(DatabaseContext))]
+    [Migration("20250325231714_OrganizationIntegrations")]
+    partial class OrganizationIntegrations
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder.HasAnnotation("ProductVersion", "8.0.8");
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("AllowAdminAccessToAllCollectionItems")
+                        .HasColumnType("INTEGER")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BillingEmail")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasMaxLength(2)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessName")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Identifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("LimitCollectionCreation")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("LimitCollectionDeletion")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("LimitItemDeletion")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSmSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("MaxAutoscaleSmServiceAccounts")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxCollections")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("OwnersNotifiedOfAutoscaling")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Plan")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("Seats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("SelfHost")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SmSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SmServiceAccounts")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Use2fa")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseApi")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseCustomPermissions")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseDirectory")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseGroups")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseKeyConnector")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsePasswordManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsePolicies")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseResetPassword")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseRiskInsights")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseScim")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseSecretsManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseSso")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseTotp")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UsersGetPremium")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id", "Enabled")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UseTotp" });
+
+                    b.ToTable("Organization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegration", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Configuration")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationIntegration", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegrationConfiguration", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Configuration")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("EventType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationIntegrationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Template")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationIntegrationId");
+
+                    b.ToTable("OrganizationIntegrationConfiguration", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Policy", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BillingEmail")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BillingPhone")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress1")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress2")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessAddress3")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessCountry")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessName")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("BusinessTaxNumber")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("DiscountId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("UseEvents")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Provider", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Settings")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderOrganization", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("ProviderUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("AccessCode")
+                        .HasMaxLength(25)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("Approved")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("AuthenticationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPasswordHash")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("RequestCountryName")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("RequestDeviceIdentifier")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("RequestDeviceType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("RequestIpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ResponseDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ResponseDeviceId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ResponseDeviceId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("AuthRequest", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("GranteeId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("GrantorId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("KeyEncrypted")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastNotificationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RecoveryInitiatedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("WaitTimeDays")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("GranteeId");
+
+                    b.HasIndex("GrantorId");
+
+                    b.ToTable("EmergencyAccess", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ConsumedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SessionId")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SubjectId")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasName("PK_Grant")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpirationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("Grant", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("SsoConfig", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.Property<long>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("OrganizationId", "ExternalId")
+                        .IsUnique()
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UserId" })
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "UserId")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SsoUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("AaGuid")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("Counter")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("CredentialId")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasMaxLength(2000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("SupportsPrf")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Type")
+                        .HasMaxLength(20)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("WebAuthnCredential", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("MaxAutoscaleSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("Seats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId", "OrganizationId")
+                        .IsUnique();
+
+                    b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("InstallationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("InstallationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationInstallation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("AssignedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("ClientId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ClientName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("InvoiceId")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("InvoiceNumber")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PlanName")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Total")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("UsedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.ToTable("ProviderInvoiceItem", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("AllocatedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("PlanType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("PurchasedSeats")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("SeatMinimum")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("Id", "PlanType")
+                        .IsUnique();
+
+                    b.ToTable("ProviderPlan", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Cache", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(449)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("AbsoluteExpiration")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("ExpiresAtTime")
+                        .HasColumnType("TEXT");
+
+                    b.Property<long?>("SlidingExpirationInSeconds")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte[]>("Value")
+                        .IsRequired()
+                        .HasColumnType("BLOB");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ExpiresAtTime")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Cache", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Collection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("CollectionId", "CipherId");
+
+                    b.HasIndex("CipherId");
+
+                    b.ToTable("CollectionCipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("CollectionId", "GroupId");
+
+                    b.HasIndex("GroupId");
+
+                    b.ToTable("CollectionGroups");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.Property<Guid>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("HidePasswords")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("Manage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ReadOnly")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("CollectionId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("INTEGER")
+                        .HasDefaultValue(true);
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedUserKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Identifier")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PushToken")
+                        .HasMaxLength(255)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Device", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Event", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ActingUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CollectionId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("Date")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("DeviceType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("DomainName")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("InstallationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("IpAddress")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("PolicyId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ProviderUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("SecretId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("SystemUser")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Event", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("Group", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.Property<Guid>("GroupId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("GroupId", "OrganizationUserId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.ToTable("GroupUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Config")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationConnection", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("DomainName")
+                        .IsRequired()
+                        .HasMaxLength(255)
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("JobRunCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("LastCheckedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("NextRunDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Txt")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("VerifiedDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.ToTable("OrganizationDomain", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("FriendlyName")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastSyncDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("OfferedToEmail")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("PlanSponsorshipType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("SponsoredOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("SponsoringOrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("SponsoringOrganizationUserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("ToDelete")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ValidUntil")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SponsoredOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationId");
+
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationSponsorship", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("AccessSecretsManager")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExternalId")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Permissions")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ResetPasswordKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<short>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationUser", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("AccessCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("DeletionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Disabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("ExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("HideEmail")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int?>("MaxAccessCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Password")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Send", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.TaxRate", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(40)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Active")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Country")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PostalCode")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Rate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("State")
+                        .HasMaxLength(2)
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("TaxRate", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<decimal>("Amount")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Details")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("PaymentMethodType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("ProviderId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool?>("Refunded")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<decimal?>("RefundedAmount")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("ProviderId");
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Transaction", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("AccountRevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ApiKey")
+                        .IsRequired()
+                        .HasMaxLength(30)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("AvatarColor")
+                        .HasMaxLength(7)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Culture")
+                        .IsRequired()
+                        .HasMaxLength(10)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("EmailVerified")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("EquivalentDomains")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ExcludedGlobalEquivalentDomains")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("FailedLoginCount")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("ForcePasswordReset")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte?>("Gateway")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("GatewayCustomerId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("GatewaySubscriptionId")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Kdf")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int>("KdfIterations")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("KdfMemory")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<int?>("KdfParallelism")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastEmailChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastFailedLoginDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastKdfChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastKeyRotationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastPasswordChangeDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("LicenseKey")
+                        .HasMaxLength(100)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPassword")
+                        .HasMaxLength(300)
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("MasterPasswordHint")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<short?>("MaxStorageGb")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Name")
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Premium")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime?>("PremiumExpirationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PrivateKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("PublicKey")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ReferenceData")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("RenewalReminderDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("SecurityStamp")
+                        .IsRequired()
+                        .HasMaxLength(50)
+                        .HasColumnType("TEXT");
+
+                    b.Property<long?>("Storage")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("TwoFactorProviders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("TwoFactorRecoveryCode")
+                        .HasMaxLength(32)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("UsesKeyConnector")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<bool>("VerifyDevices")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("User", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Body")
+                        .HasMaxLength(3000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("ClientType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Global")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Priority")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("TaskId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Title")
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("TaskId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("ClientType", "Global", "UserId", "OrganizationId", "Priority", "CreationDate")
+                        .IsDescending(false, false, false, false, true, true)
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Notification", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("NotificationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ReadDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("UserId", "NotificationId")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("NotificationId");
+
+                    b.ToTable("NotificationStatus", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Platform.Installation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(150)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("LastActivityDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Installation", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Discriminator")
+                        .IsRequired()
+                        .HasMaxLength(34)
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Read")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<bool>("Write")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.ToTable("AccessPolicy", (string)null);
+
+                    b.HasDiscriminator().HasValue("AccessPolicy");
+
+                    b.UseTphMappingStrategy();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("ClientSecretHash")
+                        .HasMaxLength(128)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("EncryptedPayload")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("ExpireAt")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(4000)
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("ServiceAccountId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ApiKey", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Project", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Note")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Value")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("DeletedDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("Secret", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("ServiceAccount", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Uri")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("PasswordHealthReportApplication", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Attachments")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Data")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime?>("DeletedDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Favorites")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Folders")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte?>("Reprompt")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Cipher", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Name")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Folder", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid?>("CipherId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<byte>("Status")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<byte>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id")
+                        .HasAnnotation("SqlServer:Clustered", true);
+
+                    b.HasIndex("CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("SecurityTask", (string)null);
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.Property<Guid>("ProjectsId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("SecretsId")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("ProjectsId", "SecretsId");
+
+                    b.HasIndex("SecretsId");
+
+                    b.ToTable("ProjectSecret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedProjectId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedProjectId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedProjectId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_project");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedServiceAccountId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedServiceAccountId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_service_account");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegration", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegrationConfiguration", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegration", "OrganizationIntegration")
+                        .WithMany()
+                        .HasForeignKey("OrganizationIntegrationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("OrganizationIntegration");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Policies")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
+                        .WithMany()
+                        .HasForeignKey("ResponseDeviceId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("ResponseDevice");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantee")
+                        .WithMany()
+                        .HasForeignKey("GranteeId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "Grantor")
+                        .WithMany()
+                        .HasForeignKey("GrantorId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Grantee");
+
+                    b.Navigation("Grantor");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoConfigs")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("SsoUsers")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Platform.Installation", "Installation")
+                        .WithMany()
+                        .HasForeignKey("InstallationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Installation");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Provider");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Collections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionCipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CipherId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionCiphers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Collection");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionGroup", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionGroups")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.CollectionUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Collection", "Collection")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("CollectionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("CollectionUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Collection");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Device", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Groups")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.GroupUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany("GroupUsers")
+                        .HasForeignKey("OrganizationUserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Group");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationConnection", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Connections")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationDomain", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Domains")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationSponsorship", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoredOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoredOrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "SponsoringOrganization")
+                        .WithMany()
+                        .HasForeignKey("SponsoringOrganizationId");
+
+                    b.Navigation("SponsoredOrganization");
+
+                    b.Navigation("SponsoringOrganization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("OrganizationUsers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Send", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Transaction", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Transactions")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", "Provider")
+                        .WithMany()
+                        .HasForeignKey("ProviderId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Transactions")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Provider");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", "Task")
+                        .WithMany()
+                        .HasForeignKey("TaskId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("Task");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.NotificationStatus", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.NotificationCenter.Models.Notification", "Notification")
+                        .WithMany()
+                        .HasForeignKey("NotificationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Notification");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ApiKey", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ApiKeys")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Tools.Models.PasswordHealthReportApplication", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("OrganizationId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Ciphers")
+                        .HasForeignKey("UserId");
+
+                    b.Navigation("Organization");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Folder", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.User", "User")
+                        .WithMany("Folders")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.SecurityTask", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", "Cipher")
+                        .WithMany()
+                        .HasForeignKey("CipherId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Cipher");
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("ProjectSecret", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", null)
+                        .WithMany()
+                        .HasForeignKey("ProjectsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", null)
+                        .WithMany()
+                        .HasForeignKey("SecretsId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("Group");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany("ProjectAccessPolicies")
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedProjectId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedProject");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedServiceAccountId");
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedServiceAccount");
+
+                    b.Navigation("OrganizationUser");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Collections");
+
+                    b.Navigation("Connections");
+
+                    b.Navigation("Domains");
+
+                    b.Navigation("Groups");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("Policies");
+
+                    b.Navigation("SsoConfigs");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Collection", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+
+                    b.Navigation("CollectionGroups");
+
+                    b.Navigation("CollectionUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.Group", b =>
+                {
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", b =>
+                {
+                    b.Navigation("CollectionUsers");
+
+                    b.Navigation("GroupUsers");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Models.User", b =>
+                {
+                    b.Navigation("Ciphers");
+
+                    b.Navigation("Folders");
+
+                    b.Navigation("OrganizationUsers");
+
+                    b.Navigation("SsoUsers");
+
+                    b.Navigation("Transactions");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
+                {
+                    b.Navigation("ApiKeys");
+
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ProjectAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Vault.Models.Cipher", b =>
+                {
+                    b.Navigation("CollectionCiphers");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/util/SqliteMigrations/Migrations/20250325231714_OrganizationIntegrations.cs b/util/SqliteMigrations/Migrations/20250325231714_OrganizationIntegrations.cs
new file mode 100644
index 0000000000..53550ea3e2
--- /dev/null
+++ b/util/SqliteMigrations/Migrations/20250325231714_OrganizationIntegrations.cs
@@ -0,0 +1,84 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class OrganizationIntegrations : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.CreateTable(
+            name: "OrganizationIntegration",
+            columns: table => new
+            {
+                Id = table.Column<Guid>(type: "TEXT", nullable: false),
+                OrganizationId = table.Column<Guid>(type: "TEXT", nullable: false),
+                Type = table.Column<int>(type: "INTEGER", nullable: false),
+                Configuration = table.Column<string>(type: "TEXT", nullable: true),
+                CreationDate = table.Column<DateTime>(type: "TEXT", nullable: false),
+                RevisionDate = table.Column<DateTime>(type: "TEXT", nullable: false)
+            },
+            constraints: table =>
+            {
+                table.PrimaryKey("PK_OrganizationIntegration", x => x.Id);
+                table.ForeignKey(
+                    name: "FK_OrganizationIntegration_Organization_OrganizationId",
+                    column: x => x.OrganizationId,
+                    principalTable: "Organization",
+                    principalColumn: "Id",
+                    onDelete: ReferentialAction.Cascade);
+            });
+
+        migrationBuilder.CreateTable(
+            name: "OrganizationIntegrationConfiguration",
+            columns: table => new
+            {
+                Id = table.Column<Guid>(type: "TEXT", nullable: false),
+                OrganizationIntegrationId = table.Column<Guid>(type: "TEXT", nullable: false),
+                EventType = table.Column<int>(type: "INTEGER", nullable: false),
+                Configuration = table.Column<string>(type: "TEXT", nullable: true),
+                Template = table.Column<string>(type: "TEXT", nullable: true),
+                CreationDate = table.Column<DateTime>(type: "TEXT", nullable: false),
+                RevisionDate = table.Column<DateTime>(type: "TEXT", nullable: false)
+            },
+            constraints: table =>
+            {
+                table.PrimaryKey("PK_OrganizationIntegrationConfiguration", x => x.Id);
+                table.ForeignKey(
+                    name: "FK_OrganizationIntegrationConfiguration_OrganizationIntegration_OrganizationIntegrationId",
+                    column: x => x.OrganizationIntegrationId,
+                    principalTable: "OrganizationIntegration",
+                    principalColumn: "Id",
+                    onDelete: ReferentialAction.Cascade);
+            });
+
+        migrationBuilder.CreateIndex(
+            name: "IX_OrganizationIntegration_OrganizationId",
+            table: "OrganizationIntegration",
+            column: "OrganizationId");
+
+        migrationBuilder.CreateIndex(
+            name: "IX_OrganizationIntegration_OrganizationId_Type",
+            table: "OrganizationIntegration",
+            columns: new[] { "OrganizationId", "Type" },
+            unique: true);
+
+        migrationBuilder.CreateIndex(
+            name: "IX_OrganizationIntegrationConfiguration_OrganizationIntegrationId",
+            table: "OrganizationIntegrationConfiguration",
+            column: "OrganizationIntegrationId");
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropTable(
+            name: "OrganizationIntegrationConfiguration");
+
+        migrationBuilder.DropTable(
+            name: "OrganizationIntegration");
+    }
+}
diff --git a/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs b/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
index 824f2ffec5..753c049651 100644
--- a/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
@@ -212,6 +212,68 @@ namespace Bit.SqliteMigrations.Migrations
                     b.ToTable("Organization", (string)null);
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegration", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Configuration")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<Guid>("OrganizationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("Type")
+                        .HasColumnType("INTEGER");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.ToTable("OrganizationIntegration", (string)null);
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegrationConfiguration", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Configuration")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("CreationDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<int>("EventType")
+                        .HasColumnType("INTEGER");
+
+                    b.Property<Guid>("OrganizationIntegrationId")
+                        .HasColumnType("TEXT");
+
+                    b.Property<DateTime>("RevisionDate")
+                        .HasColumnType("TEXT");
+
+                    b.Property<string>("Template")
+                        .HasColumnType("TEXT");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OrganizationIntegrationId");
+
+                    b.ToTable("OrganizationIntegrationConfiguration", (string)null);
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
                 {
                     b.Property<Guid>("Id")
@@ -402,10 +464,6 @@ namespace Bit.SqliteMigrations.Migrations
                     b.Property<DateTime?>("AuthenticationDate")
                         .HasColumnType("TEXT");
 
-                    b.Property<string>("RequestCountryName")
-                        .HasMaxLength(200)
-                        .HasColumnType("TEXT");
-
                     b.Property<DateTime>("CreationDate")
                         .HasColumnType("TEXT");
 
@@ -421,6 +479,10 @@ namespace Bit.SqliteMigrations.Migrations
                     b.Property<string>("PublicKey")
                         .HasColumnType("TEXT");
 
+                    b.Property<string>("RequestCountryName")
+                        .HasMaxLength(200)
+                        .HasColumnType("TEXT");
+
                     b.Property<string>("RequestDeviceIdentifier")
                         .HasMaxLength(50)
                         .HasColumnType("TEXT");
@@ -2248,6 +2310,28 @@ namespace Bit.SqliteMigrations.Migrations
                     b.HasDiscriminator().HasValue("user_service_account");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegration", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Organization");
+                });
+
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegrationConfiguration", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.OrganizationIntegration", "OrganizationIntegration")
+                        .WithMany()
+                        .HasForeignKey("OrganizationIntegrationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("OrganizationIntegration");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
                 {
                     b.HasOne("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", "Organization")

From 6178bb2db183614edfd300acb0da0c5f8171e40e Mon Sep 17 00:00:00 2001
From: Nick Krantz <125900171+nick-livefront@users.noreply.github.com>
Date: Wed, 26 Mar 2025 13:08:19 -0500
Subject: [PATCH 127/184] only create security tasks when a task doesn't exist
 for the submitted cipher (#5558)

---
 .../Controllers/SecurityTaskController.cs     | 24 ++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/src/Api/Vault/Controllers/SecurityTaskController.cs b/src/Api/Vault/Controllers/SecurityTaskController.cs
index 2693d60825..2fe1025ba7 100644
--- a/src/Api/Vault/Controllers/SecurityTaskController.cs
+++ b/src/Api/Vault/Controllers/SecurityTaskController.cs
@@ -5,6 +5,7 @@ using Bit.Core;
 using Bit.Core.Services;
 using Bit.Core.Utilities;
 using Bit.Core.Vault.Commands.Interfaces;
+using Bit.Core.Vault.Entities;
 using Bit.Core.Vault.Enums;
 using Bit.Core.Vault.Queries;
 using Microsoft.AspNetCore.Authorization;
@@ -89,11 +90,28 @@ public class SecurityTaskController : Controller
     public async Task<ListResponseModel<SecurityTasksResponseModel>> BulkCreateTasks(Guid orgId,
         [FromBody] BulkCreateSecurityTasksRequestModel model)
     {
-        var securityTasks = await _createManyTasksCommand.CreateAsync(orgId, model.Tasks);
+        // Retrieve existing pending security tasks for the organization
+        var pendingSecurityTasks = await _getTasksForOrganizationQuery.GetTasksAsync(orgId, SecurityTaskStatus.Pending);
 
-        await _createManyTaskNotificationsCommand.CreateAsync(orgId, securityTasks);
+        // Get the security tasks that are already associated with a cipher within the submitted model
+        var existingTasks = pendingSecurityTasks.Where(x => model.Tasks.Any(y => y.CipherId == x.CipherId)).ToList();
 
-        var response = securityTasks.Select(x => new SecurityTasksResponseModel(x)).ToList();
+        // Get tasks that need to be created
+        var tasksToCreateFromModel = model.Tasks.Where(x => !existingTasks.Any(y => y.CipherId == x.CipherId)).ToList();
+
+        ICollection<SecurityTask> newSecurityTasks = new List<SecurityTask>();
+
+        if (tasksToCreateFromModel.Count != 0)
+        {
+            newSecurityTasks = await _createManyTasksCommand.CreateAsync(orgId, tasksToCreateFromModel);
+        }
+
+        // Combine existing tasks and newly created tasks
+        var allTasks = existingTasks.Concat(newSecurityTasks);
+
+        await _createManyTaskNotificationsCommand.CreateAsync(orgId, allTasks);
+
+        var response = allTasks.Select(x => new SecurityTasksResponseModel(x)).ToList();
         return new ListResponseModel<SecurityTasksResponseModel>(response);
     }
 }

From 54f4ba945ef9194e9131bdf2667de78e544d14b7 Mon Sep 17 00:00:00 2001
From: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
Date: Fri, 28 Mar 2025 00:13:56 +1000
Subject: [PATCH 128/184] [PM-17558] Remove ShortcutDuplicatePatchRequests
 feature flag (#5551)

* Delete old command and feature flag switch

* Rename vNext command

* Remove feature flag
---
 .../Scim/Controllers/v2/GroupsController.cs   |  28 +-
 .../Groups/Interfaces/IPatchGroupCommand.cs   |   2 +-
 .../Interfaces/IPatchGroupCommandvNext.cs     |   9 -
 .../src/Scim/Groups/PatchGroupCommand.cs      | 177 ++++----
 .../src/Scim/Groups/PatchGroupCommandvNext.cs | 170 --------
 .../ScimServiceCollectionExtensions.cs        |   1 -
 .../v2/GroupsControllerPatchTests.cs          |   1 +
 .../v2/GroupsControllerPatchTestsvNext.cs     | 251 ------------
 .../Groups/PatchGroupCommandTests.cs          | 356 +++++++++++-----
 .../Groups/PatchGroupCommandvNextTests.cs     | 381 ------------------
 src/Core/Constants.cs                         |   1 -
 11 files changed, 368 insertions(+), 1009 deletions(-)
 delete mode 100644 bitwarden_license/src/Scim/Groups/Interfaces/IPatchGroupCommandvNext.cs
 delete mode 100644 bitwarden_license/src/Scim/Groups/PatchGroupCommandvNext.cs
 delete mode 100644 bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerPatchTestsvNext.cs
 delete mode 100644 bitwarden_license/test/Scim.Test/Groups/PatchGroupCommandvNextTests.cs

diff --git a/bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs b/bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs
index 8c21793a9d..6da4001753 100644
--- a/bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs
+++ b/bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs
@@ -1,10 +1,8 @@
-using Bit.Core;
-using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using Bit.Scim.Groups.Interfaces;
 using Bit.Scim.Models;
 using Bit.Scim.Utilities;
@@ -24,10 +22,8 @@ public class GroupsController : Controller
     private readonly IGetGroupsListQuery _getGroupsListQuery;
     private readonly IDeleteGroupCommand _deleteGroupCommand;
     private readonly IPatchGroupCommand _patchGroupCommand;
-    private readonly IPatchGroupCommandvNext _patchGroupCommandvNext;
     private readonly IPostGroupCommand _postGroupCommand;
     private readonly IPutGroupCommand _putGroupCommand;
-    private readonly IFeatureService _featureService;
 
     public GroupsController(
         IGroupRepository groupRepository,
@@ -35,10 +31,8 @@ public class GroupsController : Controller
         IGetGroupsListQuery getGroupsListQuery,
         IDeleteGroupCommand deleteGroupCommand,
         IPatchGroupCommand patchGroupCommand,
-        IPatchGroupCommandvNext patchGroupCommandvNext,
         IPostGroupCommand postGroupCommand,
-        IPutGroupCommand putGroupCommand,
-        IFeatureService featureService
+        IPutGroupCommand putGroupCommand
         )
     {
         _groupRepository = groupRepository;
@@ -46,10 +40,8 @@ public class GroupsController : Controller
         _getGroupsListQuery = getGroupsListQuery;
         _deleteGroupCommand = deleteGroupCommand;
         _patchGroupCommand = patchGroupCommand;
-        _patchGroupCommandvNext = patchGroupCommandvNext;
         _postGroupCommand = postGroupCommand;
         _putGroupCommand = putGroupCommand;
-        _featureService = featureService;
     }
 
     [HttpGet("{id}")]
@@ -103,21 +95,13 @@ public class GroupsController : Controller
     [HttpPatch("{id}")]
     public async Task<IActionResult> Patch(Guid organizationId, Guid id, [FromBody] ScimPatchModel model)
     {
-        if (_featureService.IsEnabled(FeatureFlagKeys.ShortcutDuplicatePatchRequests))
+        var group = await _groupRepository.GetByIdAsync(id);
+        if (group == null || group.OrganizationId != organizationId)
         {
-            var group = await _groupRepository.GetByIdAsync(id);
-            if (group == null || group.OrganizationId != organizationId)
-            {
-                throw new NotFoundException("Group not found.");
-            }
-
-            await _patchGroupCommandvNext.PatchGroupAsync(group, model);
-            return new NoContentResult();
+            throw new NotFoundException("Group not found.");
         }
 
-        var organization = await _organizationRepository.GetByIdAsync(organizationId);
-        await _patchGroupCommand.PatchGroupAsync(organization, id, model);
-
+        await _patchGroupCommand.PatchGroupAsync(group, model);
         return new NoContentResult();
     }
 
diff --git a/bitwarden_license/src/Scim/Groups/Interfaces/IPatchGroupCommand.cs b/bitwarden_license/src/Scim/Groups/Interfaces/IPatchGroupCommand.cs
index b9516cf706..2856eaa860 100644
--- a/bitwarden_license/src/Scim/Groups/Interfaces/IPatchGroupCommand.cs
+++ b/bitwarden_license/src/Scim/Groups/Interfaces/IPatchGroupCommand.cs
@@ -5,5 +5,5 @@ namespace Bit.Scim.Groups.Interfaces;
 
 public interface IPatchGroupCommand
 {
-    Task PatchGroupAsync(Organization organization, Guid id, ScimPatchModel model);
+    Task PatchGroupAsync(Group group, ScimPatchModel model);
 }
diff --git a/bitwarden_license/src/Scim/Groups/Interfaces/IPatchGroupCommandvNext.cs b/bitwarden_license/src/Scim/Groups/Interfaces/IPatchGroupCommandvNext.cs
deleted file mode 100644
index f51cc54079..0000000000
--- a/bitwarden_license/src/Scim/Groups/Interfaces/IPatchGroupCommandvNext.cs
+++ /dev/null
@@ -1,9 +0,0 @@
-using Bit.Core.AdminConsole.Entities;
-using Bit.Scim.Models;
-
-namespace Bit.Scim.Groups.Interfaces;
-
-public interface IPatchGroupCommandvNext
-{
-    Task PatchGroupAsync(Group group, ScimPatchModel model);
-}
diff --git a/bitwarden_license/src/Scim/Groups/PatchGroupCommand.cs b/bitwarden_license/src/Scim/Groups/PatchGroupCommand.cs
index 94d9b7a4c2..ab082fc2a6 100644
--- a/bitwarden_license/src/Scim/Groups/PatchGroupCommand.cs
+++ b/bitwarden_license/src/Scim/Groups/PatchGroupCommand.cs
@@ -5,8 +5,10 @@ using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
 using Bit.Scim.Groups.Interfaces;
 using Bit.Scim.Models;
+using Bit.Scim.Utilities;
 
 namespace Bit.Scim.Groups;
 
@@ -16,118 +18,137 @@ public class PatchGroupCommand : IPatchGroupCommand
     private readonly IGroupService _groupService;
     private readonly IUpdateGroupCommand _updateGroupCommand;
     private readonly ILogger<PatchGroupCommand> _logger;
+    private readonly IOrganizationRepository _organizationRepository;
 
     public PatchGroupCommand(
         IGroupRepository groupRepository,
         IGroupService groupService,
         IUpdateGroupCommand updateGroupCommand,
-        ILogger<PatchGroupCommand> logger)
+        ILogger<PatchGroupCommand> logger,
+        IOrganizationRepository organizationRepository)
     {
         _groupRepository = groupRepository;
         _groupService = groupService;
         _updateGroupCommand = updateGroupCommand;
         _logger = logger;
+        _organizationRepository = organizationRepository;
     }
 
-    public async Task PatchGroupAsync(Organization organization, Guid id, ScimPatchModel model)
+    public async Task PatchGroupAsync(Group group, ScimPatchModel model)
     {
-        var group = await _groupRepository.GetByIdAsync(id);
-        if (group == null || group.OrganizationId != organization.Id)
-        {
-            throw new NotFoundException("Group not found.");
-        }
-
-        var operationHandled = false;
         foreach (var operation in model.Operations)
         {
-            // Replace operations
-            if (operation.Op?.ToLowerInvariant() == "replace")
-            {
-                // Replace a list of members
-                if (operation.Path?.ToLowerInvariant() == "members")
+            await HandleOperationAsync(group, operation);
+        }
+    }
+
+    private async Task HandleOperationAsync(Group group, ScimPatchModel.OperationModel operation)
+    {
+        switch (operation.Op?.ToLowerInvariant())
+        {
+            // Replace a list of members
+            case PatchOps.Replace when operation.Path?.ToLowerInvariant() == PatchPaths.Members:
                 {
                     var ids = GetOperationValueIds(operation.Value);
                     await _groupRepository.UpdateUsersAsync(group.Id, ids);
-                    operationHandled = true;
+                    break;
                 }
-                // Replace group name from path
-                else if (operation.Path?.ToLowerInvariant() == "displayname")
+
+            // Replace group name from path
+            case PatchOps.Replace when operation.Path?.ToLowerInvariant() == PatchPaths.DisplayName:
                 {
                     group.Name = operation.Value.GetString();
+                    var organization = await _organizationRepository.GetByIdAsync(group.OrganizationId);
+                    if (organization == null)
+                    {
+                        throw new NotFoundException();
+                    }
                     await _updateGroupCommand.UpdateGroupAsync(group, organization, EventSystemUser.SCIM);
-                    operationHandled = true;
+                    break;
                 }
-                // Replace group name from value object
-                else if (string.IsNullOrWhiteSpace(operation.Path) &&
-                    operation.Value.TryGetProperty("displayName", out var displayNameProperty))
+
+            // Replace group name from value object
+            case PatchOps.Replace when
+                string.IsNullOrWhiteSpace(operation.Path) &&
+                operation.Value.TryGetProperty("displayName", out var displayNameProperty):
                 {
                     group.Name = displayNameProperty.GetString();
+                    var organization = await _organizationRepository.GetByIdAsync(group.OrganizationId);
+                    if (organization == null)
+                    {
+                        throw new NotFoundException();
+                    }
                     await _updateGroupCommand.UpdateGroupAsync(group, organization, EventSystemUser.SCIM);
-                    operationHandled = true;
+                    break;
                 }
-            }
+
             // Add a single member
-            else if (operation.Op?.ToLowerInvariant() == "add" &&
+            case PatchOps.Add when
                 !string.IsNullOrWhiteSpace(operation.Path) &&
-                operation.Path.ToLowerInvariant().StartsWith("members[value eq "))
-            {
-                var addId = GetOperationPathId(operation.Path);
-                if (addId.HasValue)
+                operation.Path.StartsWith("members[value eq ", StringComparison.OrdinalIgnoreCase) &&
+                TryGetOperationPathId(operation.Path, out var addId):
+                {
+                    await AddMembersAsync(group, [addId]);
+                    break;
+                }
+
+            // Add a list of members
+            case PatchOps.Add when
+                operation.Path?.ToLowerInvariant() == PatchPaths.Members:
+                {
+                    await AddMembersAsync(group, GetOperationValueIds(operation.Value));
+                    break;
+                }
+
+            // Remove a single member
+            case PatchOps.Remove when
+                !string.IsNullOrWhiteSpace(operation.Path) &&
+                operation.Path.StartsWith("members[value eq ", StringComparison.OrdinalIgnoreCase) &&
+                TryGetOperationPathId(operation.Path, out var removeId):
+                {
+                    await _groupService.DeleteUserAsync(group, removeId, EventSystemUser.SCIM);
+                    break;
+                }
+
+            // Remove a list of members
+            case PatchOps.Remove when
+                operation.Path?.ToLowerInvariant() == PatchPaths.Members:
                 {
                     var orgUserIds = (await _groupRepository.GetManyUserIdsByIdAsync(group.Id)).ToHashSet();
-                    orgUserIds.Add(addId.Value);
+                    foreach (var v in GetOperationValueIds(operation.Value))
+                    {
+                        orgUserIds.Remove(v);
+                    }
                     await _groupRepository.UpdateUsersAsync(group.Id, orgUserIds);
-                    operationHandled = true;
+                    break;
                 }
-            }
-            // Add a list of members
-            else if (operation.Op?.ToLowerInvariant() == "add" &&
-                operation.Path?.ToLowerInvariant() == "members")
-            {
-                var orgUserIds = (await _groupRepository.GetManyUserIdsByIdAsync(group.Id)).ToHashSet();
-                foreach (var v in GetOperationValueIds(operation.Value))
-                {
-                    orgUserIds.Add(v);
-                }
-                await _groupRepository.UpdateUsersAsync(group.Id, orgUserIds);
-                operationHandled = true;
-            }
-            // Remove a single member
-            else if (operation.Op?.ToLowerInvariant() == "remove" &&
-                !string.IsNullOrWhiteSpace(operation.Path) &&
-                operation.Path.ToLowerInvariant().StartsWith("members[value eq "))
-            {
-                var removeId = GetOperationPathId(operation.Path);
-                if (removeId.HasValue)
-                {
-                    await _groupService.DeleteUserAsync(group, removeId.Value, EventSystemUser.SCIM);
-                    operationHandled = true;
-                }
-            }
-            // Remove a list of members
-            else if (operation.Op?.ToLowerInvariant() == "remove" &&
-                operation.Path?.ToLowerInvariant() == "members")
-            {
-                var orgUserIds = (await _groupRepository.GetManyUserIdsByIdAsync(group.Id)).ToHashSet();
-                foreach (var v in GetOperationValueIds(operation.Value))
-                {
-                    orgUserIds.Remove(v);
-                }
-                await _groupRepository.UpdateUsersAsync(group.Id, orgUserIds);
-                operationHandled = true;
-            }
-        }
 
-        if (!operationHandled)
-        {
-            _logger.LogWarning("Group patch operation not handled: {0} : ",
-                string.Join(", ", model.Operations.Select(o => $"{o.Op}:{o.Path}")));
+            default:
+                {
+                    _logger.LogWarning("Group patch operation not handled: {OperationOp}:{OperationPath}", operation.Op, operation.Path);
+                    break;
+                }
         }
     }
 
-    private List<Guid> GetOperationValueIds(JsonElement objArray)
+    private async Task AddMembersAsync(Group group, HashSet<Guid> usersToAdd)
     {
-        var ids = new List<Guid>();
+        // Azure Entra ID is known to send redundant "add" requests for each existing member every time any member
+        // is removed. To avoid excessive load on the database, we check against the high availability replica and
+        // return early if they already exist.
+        var groupMembers = await _groupRepository.GetManyUserIdsByIdAsync(group.Id, useReadOnlyReplica: true);
+        if (usersToAdd.IsSubsetOf(groupMembers))
+        {
+            _logger.LogDebug("Ignoring duplicate SCIM request to add members {Members} to group {Group}", usersToAdd, group.Id);
+            return;
+        }
+
+        await _groupRepository.AddGroupUsersByIdAsync(group.Id, usersToAdd);
+    }
+
+    private static HashSet<Guid> GetOperationValueIds(JsonElement objArray)
+    {
+        var ids = new HashSet<Guid>();
         foreach (var obj in objArray.EnumerateArray())
         {
             if (obj.TryGetProperty("value", out var valueProperty))
@@ -141,13 +162,9 @@ public class PatchGroupCommand : IPatchGroupCommand
         return ids;
     }
 
-    private Guid? GetOperationPathId(string path)
+    private static bool TryGetOperationPathId(string path, out Guid pathId)
     {
         // Parse Guid from string like: members[value eq "{GUID}"}]
-        if (Guid.TryParse(path.Substring(18).Replace("\"]", string.Empty), out var id))
-        {
-            return id;
-        }
-        return null;
+        return Guid.TryParse(path.Substring(18).Replace("\"]", string.Empty), out pathId);
     }
 }
diff --git a/bitwarden_license/src/Scim/Groups/PatchGroupCommandvNext.cs b/bitwarden_license/src/Scim/Groups/PatchGroupCommandvNext.cs
deleted file mode 100644
index 359df4bc94..0000000000
--- a/bitwarden_license/src/Scim/Groups/PatchGroupCommandvNext.cs
+++ /dev/null
@@ -1,170 +0,0 @@
-using System.Text.Json;
-using Bit.Core.AdminConsole.Entities;
-using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
-using Bit.Core.AdminConsole.Repositories;
-using Bit.Core.AdminConsole.Services;
-using Bit.Core.Enums;
-using Bit.Core.Exceptions;
-using Bit.Core.Repositories;
-using Bit.Scim.Groups.Interfaces;
-using Bit.Scim.Models;
-using Bit.Scim.Utilities;
-
-namespace Bit.Scim.Groups;
-
-public class PatchGroupCommandvNext : IPatchGroupCommandvNext
-{
-    private readonly IGroupRepository _groupRepository;
-    private readonly IGroupService _groupService;
-    private readonly IUpdateGroupCommand _updateGroupCommand;
-    private readonly ILogger<PatchGroupCommandvNext> _logger;
-    private readonly IOrganizationRepository _organizationRepository;
-
-    public PatchGroupCommandvNext(
-        IGroupRepository groupRepository,
-        IGroupService groupService,
-        IUpdateGroupCommand updateGroupCommand,
-        ILogger<PatchGroupCommandvNext> logger,
-        IOrganizationRepository organizationRepository)
-    {
-        _groupRepository = groupRepository;
-        _groupService = groupService;
-        _updateGroupCommand = updateGroupCommand;
-        _logger = logger;
-        _organizationRepository = organizationRepository;
-    }
-
-    public async Task PatchGroupAsync(Group group, ScimPatchModel model)
-    {
-        foreach (var operation in model.Operations)
-        {
-            await HandleOperationAsync(group, operation);
-        }
-    }
-
-    private async Task HandleOperationAsync(Group group, ScimPatchModel.OperationModel operation)
-    {
-        switch (operation.Op?.ToLowerInvariant())
-        {
-            // Replace a list of members
-            case PatchOps.Replace when operation.Path?.ToLowerInvariant() == PatchPaths.Members:
-                {
-                    var ids = GetOperationValueIds(operation.Value);
-                    await _groupRepository.UpdateUsersAsync(group.Id, ids);
-                    break;
-                }
-
-            // Replace group name from path
-            case PatchOps.Replace when operation.Path?.ToLowerInvariant() == PatchPaths.DisplayName:
-                {
-                    group.Name = operation.Value.GetString();
-                    var organization = await _organizationRepository.GetByIdAsync(group.OrganizationId);
-                    if (organization == null)
-                    {
-                        throw new NotFoundException();
-                    }
-                    await _updateGroupCommand.UpdateGroupAsync(group, organization, EventSystemUser.SCIM);
-                    break;
-                }
-
-            // Replace group name from value object
-            case PatchOps.Replace when
-                string.IsNullOrWhiteSpace(operation.Path) &&
-                operation.Value.TryGetProperty("displayName", out var displayNameProperty):
-                {
-                    group.Name = displayNameProperty.GetString();
-                    var organization = await _organizationRepository.GetByIdAsync(group.OrganizationId);
-                    if (organization == null)
-                    {
-                        throw new NotFoundException();
-                    }
-                    await _updateGroupCommand.UpdateGroupAsync(group, organization, EventSystemUser.SCIM);
-                    break;
-                }
-
-            // Add a single member
-            case PatchOps.Add when
-                !string.IsNullOrWhiteSpace(operation.Path) &&
-                operation.Path.StartsWith("members[value eq ", StringComparison.OrdinalIgnoreCase) &&
-                TryGetOperationPathId(operation.Path, out var addId):
-                {
-                    await AddMembersAsync(group, [addId]);
-                    break;
-                }
-
-            // Add a list of members
-            case PatchOps.Add when
-                operation.Path?.ToLowerInvariant() == PatchPaths.Members:
-                {
-                    await AddMembersAsync(group, GetOperationValueIds(operation.Value));
-                    break;
-                }
-
-            // Remove a single member
-            case PatchOps.Remove when
-                !string.IsNullOrWhiteSpace(operation.Path) &&
-                operation.Path.StartsWith("members[value eq ", StringComparison.OrdinalIgnoreCase) &&
-                TryGetOperationPathId(operation.Path, out var removeId):
-                {
-                    await _groupService.DeleteUserAsync(group, removeId, EventSystemUser.SCIM);
-                    break;
-                }
-
-            // Remove a list of members
-            case PatchOps.Remove when
-                operation.Path?.ToLowerInvariant() == PatchPaths.Members:
-                {
-                    var orgUserIds = (await _groupRepository.GetManyUserIdsByIdAsync(group.Id)).ToHashSet();
-                    foreach (var v in GetOperationValueIds(operation.Value))
-                    {
-                        orgUserIds.Remove(v);
-                    }
-                    await _groupRepository.UpdateUsersAsync(group.Id, orgUserIds);
-                    break;
-                }
-
-            default:
-                {
-                    _logger.LogWarning("Group patch operation not handled: {OperationOp}:{OperationPath}", operation.Op, operation.Path);
-                    break;
-                }
-        }
-    }
-
-    private async Task AddMembersAsync(Group group, HashSet<Guid> usersToAdd)
-    {
-        // Azure Entra ID is known to send redundant "add" requests for each existing member every time any member
-        // is removed. To avoid excessive load on the database, we check against the high availability replica and
-        // return early if they already exist.
-        var groupMembers = await _groupRepository.GetManyUserIdsByIdAsync(group.Id, useReadOnlyReplica: true);
-        if (usersToAdd.IsSubsetOf(groupMembers))
-        {
-            _logger.LogDebug("Ignoring duplicate SCIM request to add members {Members} to group {Group}", usersToAdd, group.Id);
-            return;
-        }
-
-        await _groupRepository.AddGroupUsersByIdAsync(group.Id, usersToAdd);
-    }
-
-    private static HashSet<Guid> GetOperationValueIds(JsonElement objArray)
-    {
-        var ids = new HashSet<Guid>();
-        foreach (var obj in objArray.EnumerateArray())
-        {
-            if (obj.TryGetProperty("value", out var valueProperty))
-            {
-                if (valueProperty.TryGetGuid(out var guid))
-                {
-                    ids.Add(guid);
-                }
-            }
-        }
-        return ids;
-    }
-
-    private static bool TryGetOperationPathId(string path, out Guid pathId)
-    {
-        // Parse Guid from string like: members[value eq "{GUID}"}]
-        return Guid.TryParse(path.Substring(18).Replace("\"]", string.Empty), out pathId);
-    }
-}
diff --git a/bitwarden_license/src/Scim/Utilities/ScimServiceCollectionExtensions.cs b/bitwarden_license/src/Scim/Utilities/ScimServiceCollectionExtensions.cs
index b5d866524a..75b60a71fc 100644
--- a/bitwarden_license/src/Scim/Utilities/ScimServiceCollectionExtensions.cs
+++ b/bitwarden_license/src/Scim/Utilities/ScimServiceCollectionExtensions.cs
@@ -10,7 +10,6 @@ public static class ScimServiceCollectionExtensions
     public static void AddScimGroupCommands(this IServiceCollection services)
     {
         services.AddScoped<IPatchGroupCommand, PatchGroupCommand>();
-        services.AddScoped<IPatchGroupCommandvNext, PatchGroupCommandvNext>();
         services.AddScoped<IPostGroupCommand, PostGroupCommand>();
         services.AddScoped<IPutGroupCommand, PutGroupCommand>();
     }
diff --git a/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerPatchTests.cs b/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerPatchTests.cs
index eaa5b3dcd7..66ce386d07 100644
--- a/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerPatchTests.cs
+++ b/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerPatchTests.cs
@@ -20,6 +20,7 @@ public class GroupsControllerPatchTests : IClassFixture<ScimApplicationFactory>,
     {
         var databaseContext = _factory.GetDatabaseContext();
         _factory.ReinitializeDbForTests(databaseContext);
+
         return Task.CompletedTask;
     }
 
diff --git a/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerPatchTestsvNext.cs b/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerPatchTestsvNext.cs
deleted file mode 100644
index f66184a8a2..0000000000
--- a/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerPatchTestsvNext.cs
+++ /dev/null
@@ -1,251 +0,0 @@
-using System.Text.Json;
-using Bit.Core;
-using Bit.Core.AdminConsole.Entities;
-using Bit.Core.Services;
-using Bit.Scim.Groups.Interfaces;
-using Bit.Scim.IntegrationTest.Factories;
-using Bit.Scim.Models;
-using Bit.Scim.Utilities;
-using Bit.Test.Common.Helpers;
-using NSubstitute;
-using NSubstitute.ExceptionExtensions;
-using Xunit;
-
-namespace Bit.Scim.IntegrationTest.Controllers.v2;
-
-public class GroupsControllerPatchTestsvNext : IClassFixture<ScimApplicationFactory>, IAsyncLifetime
-{
-    private readonly ScimApplicationFactory _factory;
-
-    public GroupsControllerPatchTestsvNext(ScimApplicationFactory factory)
-    {
-        _factory = factory;
-
-        // Enable the feature flag for new PatchGroupsCommand and stub out the old command to be safe
-        _factory.SubstituteService((IFeatureService featureService)
-            => featureService.IsEnabled(FeatureFlagKeys.ShortcutDuplicatePatchRequests).Returns(true));
-        _factory.SubstituteService((IPatchGroupCommand patchGroupCommand)
-            => patchGroupCommand.PatchGroupAsync(Arg.Any<Organization>(), Arg.Any<Guid>(), Arg.Any<ScimPatchModel>())
-                .ThrowsAsync(new Exception("This test suite should be testing the vNext command, but the existing command was called.")));
-    }
-
-    public Task InitializeAsync()
-    {
-        var databaseContext = _factory.GetDatabaseContext();
-        _factory.ReinitializeDbForTests(databaseContext);
-
-        return Task.CompletedTask;
-    }
-
-    Task IAsyncLifetime.DisposeAsync() => Task.CompletedTask;
-
-    [Fact]
-    public async Task Patch_ReplaceDisplayName_Success()
-    {
-        var organizationId = ScimApplicationFactory.TestOrganizationId1;
-        var groupId = ScimApplicationFactory.TestGroupId1;
-        var newDisplayName = "Patch Display Name";
-        var inputModel = new ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>()
-            {
-                new ScimPatchModel.OperationModel
-                {
-                    Op = "replace",
-                    Value = JsonDocument.Parse($"{{\"displayName\":\"{newDisplayName}\"}}").RootElement
-                }
-            },
-            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
-        };
-
-        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
-
-        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
-
-        var databaseContext = _factory.GetDatabaseContext();
-        var group = databaseContext.Groups.FirstOrDefault(g => g.Id == groupId);
-        Assert.Equal(newDisplayName, group.Name);
-
-        Assert.Equal(ScimApplicationFactory.InitialGroupUsersCount, databaseContext.GroupUsers.Count());
-        Assert.True(databaseContext.GroupUsers.Any(gu => gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId1));
-        Assert.True(databaseContext.GroupUsers.Any(gu => gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId4));
-    }
-
-    [Fact]
-    public async Task Patch_ReplaceMembers_Success()
-    {
-        var organizationId = ScimApplicationFactory.TestOrganizationId1;
-        var groupId = ScimApplicationFactory.TestGroupId1;
-        var inputModel = new ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>()
-            {
-                new ScimPatchModel.OperationModel
-                {
-                    Op = "replace",
-                    Path = "members",
-                    Value = JsonDocument.Parse($"[{{\"value\":\"{ScimApplicationFactory.TestOrganizationUserId2}\"}}]").RootElement
-                }
-            },
-            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
-        };
-
-        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
-
-        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
-
-        var databaseContext = _factory.GetDatabaseContext();
-        Assert.Single(databaseContext.GroupUsers);
-
-        Assert.Equal(ScimApplicationFactory.InitialGroupUsersCount - 1, databaseContext.GroupUsers.Count());
-        var groupUser = databaseContext.GroupUsers.FirstOrDefault();
-        Assert.Equal(ScimApplicationFactory.TestOrganizationUserId2, groupUser.OrganizationUserId);
-    }
-
-    [Fact]
-    public async Task Patch_AddSingleMember_Success()
-    {
-        var organizationId = ScimApplicationFactory.TestOrganizationId1;
-        var groupId = ScimApplicationFactory.TestGroupId1;
-        var inputModel = new ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>()
-            {
-                new ScimPatchModel.OperationModel
-                {
-                    Op = "add",
-                    Path = $"members[value eq \"{ScimApplicationFactory.TestOrganizationUserId2}\"]",
-                    Value = JsonDocument.Parse("{}").RootElement
-                }
-            },
-            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
-        };
-
-        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
-
-        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
-
-        var databaseContext = _factory.GetDatabaseContext();
-        Assert.Equal(ScimApplicationFactory.InitialGroupUsersCount + 1, databaseContext.GroupUsers.Count());
-        Assert.True(databaseContext.GroupUsers.Any(gu => gu.GroupId == groupId && gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId1));
-        Assert.True(databaseContext.GroupUsers.Any(gu => gu.GroupId == groupId && gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId2));
-        Assert.True(databaseContext.GroupUsers.Any(gu => gu.GroupId == groupId && gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId4));
-    }
-
-    [Fact]
-    public async Task Patch_AddListMembers_Success()
-    {
-        var organizationId = ScimApplicationFactory.TestOrganizationId1;
-        var groupId = ScimApplicationFactory.TestGroupId2;
-        var inputModel = new ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>()
-            {
-                new ScimPatchModel.OperationModel
-                {
-                    Op = "add",
-                    Path = "members",
-                    Value = JsonDocument.Parse($"[{{\"value\":\"{ScimApplicationFactory.TestOrganizationUserId2}\"}},{{\"value\":\"{ScimApplicationFactory.TestOrganizationUserId3}\"}}]").RootElement
-                }
-            },
-            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
-        };
-
-        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
-
-        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
-
-        var databaseContext = _factory.GetDatabaseContext();
-        Assert.True(databaseContext.GroupUsers.Any(gu => gu.GroupId == groupId && gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId2));
-        Assert.True(databaseContext.GroupUsers.Any(gu => gu.GroupId == groupId && gu.OrganizationUserId == ScimApplicationFactory.TestOrganizationUserId3));
-    }
-
-    [Fact]
-    public async Task Patch_RemoveSingleMember_ReplaceDisplayName_Success()
-    {
-        var organizationId = ScimApplicationFactory.TestOrganizationId1;
-        var groupId = ScimApplicationFactory.TestGroupId1;
-        var newDisplayName = "Patch Display Name";
-        var inputModel = new ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>()
-            {
-                new ScimPatchModel.OperationModel
-                {
-                    Op = "remove",
-                    Path = $"members[value eq \"{ScimApplicationFactory.TestOrganizationUserId1}\"]",
-                    Value = JsonDocument.Parse("{}").RootElement
-                },
-                new ScimPatchModel.OperationModel
-                {
-                    Op = "replace",
-                    Value = JsonDocument.Parse($"{{\"displayName\":\"{newDisplayName}\"}}").RootElement
-                }
-            },
-            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
-        };
-
-        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
-
-        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
-
-        var databaseContext = _factory.GetDatabaseContext();
-        Assert.Equal(ScimApplicationFactory.InitialGroupUsersCount - 1, databaseContext.GroupUsers.Count());
-        Assert.Equal(ScimApplicationFactory.InitialGroupCount, databaseContext.Groups.Count());
-
-        var group = databaseContext.Groups.FirstOrDefault(g => g.Id == groupId);
-        Assert.Equal(newDisplayName, group.Name);
-    }
-
-    [Fact]
-    public async Task Patch_RemoveListMembers_Success()
-    {
-        var organizationId = ScimApplicationFactory.TestOrganizationId1;
-        var groupId = ScimApplicationFactory.TestGroupId1;
-        var inputModel = new ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>()
-            {
-                new ScimPatchModel.OperationModel
-                {
-                    Op = "remove",
-                    Path = "members",
-                    Value = JsonDocument.Parse($"[{{\"value\":\"{ScimApplicationFactory.TestOrganizationUserId1}\"}}, {{\"value\":\"{ScimApplicationFactory.TestOrganizationUserId4}\"}}]").RootElement
-                }
-            },
-            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
-        };
-
-        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
-
-        Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
-
-        var databaseContext = _factory.GetDatabaseContext();
-        Assert.Empty(databaseContext.GroupUsers);
-    }
-
-    [Fact]
-    public async Task Patch_NotFound()
-    {
-        var organizationId = ScimApplicationFactory.TestOrganizationId1;
-        var groupId = Guid.NewGuid();
-        var inputModel = new Models.ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>(),
-            Schemas = new List<string>() { ScimConstants.Scim2SchemaGroup }
-        };
-        var expectedResponse = new ScimErrorResponseModel
-        {
-            Status = StatusCodes.Status404NotFound,
-            Detail = "Group not found.",
-            Schemas = new List<string> { ScimConstants.Scim2SchemaError }
-        };
-
-        var context = await _factory.GroupsPatchAsync(organizationId, groupId, inputModel);
-
-        Assert.Equal(StatusCodes.Status404NotFound, context.Response.StatusCode);
-
-        var responseModel = JsonSerializer.Deserialize<ScimErrorResponseModel>(context.Response.Body, new JsonSerializerOptions { PropertyNamingPolicy = JsonNamingPolicy.CamelCase });
-        AssertHelper.AssertPropertyEqual(expectedResponse, responseModel);
-    }
-}
diff --git a/bitwarden_license/test/Scim.Test/Groups/PatchGroupCommandTests.cs b/bitwarden_license/test/Scim.Test/Groups/PatchGroupCommandTests.cs
index ff8cb3b546..1b02e62970 100644
--- a/bitwarden_license/test/Scim.Test/Groups/PatchGroupCommandTests.cs
+++ b/bitwarden_license/test/Scim.Test/Groups/PatchGroupCommandTests.cs
@@ -1,15 +1,18 @@
 using System.Text.Json;
+using AutoFixture;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
 using Bit.Scim.Groups;
 using Bit.Scim.Models;
 using Bit.Scim.Utilities;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.Extensions.Logging;
 using NSubstitute;
 using Xunit;
 
@@ -20,19 +23,16 @@ public class PatchGroupCommandTests
 {
     [Theory]
     [BitAutoData]
-    public async Task PatchGroup_ReplaceListMembers_Success(SutProvider<PatchGroupCommand> sutProvider, Organization organization, Group group, IEnumerable<Guid> userIds)
+    public async Task PatchGroup_ReplaceListMembers_Success(SutProvider<PatchGroupCommand> sutProvider,
+        Organization organization, Group group, IEnumerable<Guid> userIds)
     {
         group.OrganizationId = organization.Id;
 
-        sutProvider.GetDependency<IGroupRepository>()
-            .GetByIdAsync(group.Id)
-            .Returns(group);
-
-        var scimPatchModel = new Models.ScimPatchModel
+        var scimPatchModel = new ScimPatchModel
         {
             Operations = new List<ScimPatchModel.OperationModel>
             {
-                new ScimPatchModel.OperationModel
+                new()
                 {
                     Op = "replace",
                     Path = "members",
@@ -42,26 +42,31 @@ public class PatchGroupCommandTests
             Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
         };
 
-        await sutProvider.Sut.PatchGroupAsync(organization, group.Id, scimPatchModel);
+        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
 
-        await sutProvider.GetDependency<IGroupRepository>().Received(1).UpdateUsersAsync(group.Id, Arg.Is<IEnumerable<Guid>>(arg => arg.All(id => userIds.Contains(id))));
+        await sutProvider.GetDependency<IGroupRepository>().Received(1).UpdateUsersAsync(
+            group.Id,
+            Arg.Is<IEnumerable<Guid>>(arg =>
+                arg.Count() == userIds.Count() &&
+                arg.ToHashSet().SetEquals(userIds)));
     }
 
     [Theory]
     [BitAutoData]
-    public async Task PatchGroup_ReplaceDisplayNameFromPath_Success(SutProvider<PatchGroupCommand> sutProvider, Organization organization, Group group, string displayName)
+    public async Task PatchGroup_ReplaceDisplayNameFromPath_Success(
+        SutProvider<PatchGroupCommand> sutProvider, Organization organization, Group group, string displayName)
     {
         group.OrganizationId = organization.Id;
 
-        sutProvider.GetDependency<IGroupRepository>()
-            .GetByIdAsync(group.Id)
-            .Returns(group);
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
 
-        var scimPatchModel = new Models.ScimPatchModel
+        var scimPatchModel = new ScimPatchModel
         {
             Operations = new List<ScimPatchModel.OperationModel>
             {
-                new ScimPatchModel.OperationModel
+                new()
                 {
                     Op = "replace",
                     Path = "displayname",
@@ -71,27 +76,55 @@ public class PatchGroupCommandTests
             Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
         };
 
-        await sutProvider.Sut.PatchGroupAsync(organization, group.Id, scimPatchModel);
+        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
 
         await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(group, organization, EventSystemUser.SCIM);
         Assert.Equal(displayName, group.Name);
     }
 
+    [Theory]
+    [BitAutoData]
+    public async Task PatchGroup_ReplaceDisplayNameFromPath_MissingOrganization_Throws(
+        SutProvider<PatchGroupCommand> sutProvider, Organization organization, Group group, string displayName)
+    {
+        group.OrganizationId = organization.Id;
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns((Organization)null);
+
+        var scimPatchModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>
+            {
+                new()
+                {
+                    Op = "replace",
+                    Path = "displayname",
+                    Value = JsonDocument.Parse($"\"{displayName}\"").RootElement
+                }
+            },
+            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
+        };
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PatchGroupAsync(group, scimPatchModel));
+    }
+
     [Theory]
     [BitAutoData]
     public async Task PatchGroup_ReplaceDisplayNameFromValueObject_Success(SutProvider<PatchGroupCommand> sutProvider, Organization organization, Group group, string displayName)
     {
         group.OrganizationId = organization.Id;
 
-        sutProvider.GetDependency<IGroupRepository>()
-            .GetByIdAsync(group.Id)
-            .Returns(group);
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
 
-        var scimPatchModel = new Models.ScimPatchModel
+        var scimPatchModel = new ScimPatchModel
         {
             Operations = new List<ScimPatchModel.OperationModel>
             {
-                new ScimPatchModel.OperationModel
+                new()
                 {
                     Op = "replace",
                     Value = JsonDocument.Parse($"{{\"displayName\":\"{displayName}\"}}").RootElement
@@ -100,12 +133,39 @@ public class PatchGroupCommandTests
             Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
         };
 
-        await sutProvider.Sut.PatchGroupAsync(organization, group.Id, scimPatchModel);
+        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
 
         await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(group, organization, EventSystemUser.SCIM);
         Assert.Equal(displayName, group.Name);
     }
 
+    [Theory]
+    [BitAutoData]
+    public async Task PatchGroup_ReplaceDisplayNameFromValueObject_MissingOrganization_Throws(
+        SutProvider<PatchGroupCommand> sutProvider, Organization organization, Group group, string displayName)
+    {
+        group.OrganizationId = organization.Id;
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns((Organization)null);
+
+        var scimPatchModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>
+            {
+                new()
+                {
+                    Op = "replace",
+                    Value = JsonDocument.Parse($"{{\"displayName\":\"{displayName}\"}}").RootElement
+                }
+            },
+            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
+        };
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PatchGroupAsync(group, scimPatchModel));
+    }
+
     [Theory]
     [BitAutoData]
     public async Task PatchGroup_AddSingleMember_Success(SutProvider<PatchGroupCommand> sutProvider, Organization organization, Group group, ICollection<Guid> existingMembers, Guid userId)
@@ -113,18 +173,14 @@ public class PatchGroupCommandTests
         group.OrganizationId = organization.Id;
 
         sutProvider.GetDependency<IGroupRepository>()
-            .GetByIdAsync(group.Id)
-            .Returns(group);
-
-        sutProvider.GetDependency<IGroupRepository>()
-            .GetManyUserIdsByIdAsync(group.Id)
+            .GetManyUserIdsByIdAsync(group.Id, true)
             .Returns(existingMembers);
 
-        var scimPatchModel = new Models.ScimPatchModel
+        var scimPatchModel = new ScimPatchModel
         {
             Operations = new List<ScimPatchModel.OperationModel>
             {
-                new ScimPatchModel.OperationModel
+                new()
                 {
                     Op = "add",
                     Path = $"members[value eq \"{userId}\"]",
@@ -133,9 +189,47 @@ public class PatchGroupCommandTests
             Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
         };
 
-        await sutProvider.Sut.PatchGroupAsync(organization, group.Id, scimPatchModel);
+        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
 
-        await sutProvider.GetDependency<IGroupRepository>().Received(1).UpdateUsersAsync(group.Id, Arg.Is<IEnumerable<Guid>>(arg => arg.All(id => existingMembers.Append(userId).Contains(id))));
+        await sutProvider.GetDependency<IGroupRepository>().Received(1).AddGroupUsersByIdAsync(
+            group.Id,
+            Arg.Is<IEnumerable<Guid>>(arg => arg.Single() == userId));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PatchGroup_AddSingleMember_ReturnsEarlyIfAlreadyInGroup(
+        SutProvider<PatchGroupCommand> sutProvider,
+        Organization organization,
+        Group group,
+        ICollection<Guid> existingMembers)
+    {
+        // User being added is already in group
+        var userId = existingMembers.First();
+        group.OrganizationId = organization.Id;
+
+        sutProvider.GetDependency<IGroupRepository>()
+            .GetManyUserIdsByIdAsync(group.Id, true)
+            .Returns(existingMembers);
+
+        var scimPatchModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>
+            {
+                new()
+                {
+                    Op = "add",
+                    Path = $"members[value eq \"{userId}\"]",
+                }
+            },
+            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
+        };
+
+        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
+
+        await sutProvider.GetDependency<IGroupRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .AddGroupUsersByIdAsync(default, default);
     }
 
     [Theory]
@@ -145,18 +239,14 @@ public class PatchGroupCommandTests
         group.OrganizationId = organization.Id;
 
         sutProvider.GetDependency<IGroupRepository>()
-            .GetByIdAsync(group.Id)
-            .Returns(group);
-
-        sutProvider.GetDependency<IGroupRepository>()
-            .GetManyUserIdsByIdAsync(group.Id)
+            .GetManyUserIdsByIdAsync(group.Id, true)
             .Returns(existingMembers);
 
-        var scimPatchModel = new Models.ScimPatchModel
+        var scimPatchModel = new ScimPatchModel
         {
             Operations = new List<ScimPatchModel.OperationModel>
             {
-                new ScimPatchModel.OperationModel
+                new()
                 {
                     Op = "add",
                     Path = $"members",
@@ -166,9 +256,101 @@ public class PatchGroupCommandTests
             Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
         };
 
-        await sutProvider.Sut.PatchGroupAsync(organization, group.Id, scimPatchModel);
+        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
 
-        await sutProvider.GetDependency<IGroupRepository>().Received(1).UpdateUsersAsync(group.Id, Arg.Is<IEnumerable<Guid>>(arg => arg.All(id => existingMembers.Concat(userIds).Contains(id))));
+        await sutProvider.GetDependency<IGroupRepository>().Received(1).AddGroupUsersByIdAsync(
+            group.Id,
+            Arg.Is<IEnumerable<Guid>>(arg =>
+                arg.Count() == userIds.Count &&
+                arg.ToHashSet().SetEquals(userIds)));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PatchGroup_AddListMembers_IgnoresDuplicatesInRequest(
+        SutProvider<PatchGroupCommand> sutProvider, Organization organization, Group group,
+        ICollection<Guid> existingMembers)
+    {
+        // Create 3 userIds
+        var fixture = new Fixture { RepeatCount = 3 };
+        var userIds = fixture.CreateMany<Guid>().ToList();
+
+        // Copy the list and add a duplicate
+        var userIdsWithDuplicate = userIds.Append(userIds.First()).ToList();
+        Assert.Equal(4, userIdsWithDuplicate.Count);
+
+        group.OrganizationId = organization.Id;
+
+        sutProvider.GetDependency<IGroupRepository>()
+            .GetManyUserIdsByIdAsync(group.Id, true)
+            .Returns(existingMembers);
+
+        var scimPatchModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>
+            {
+                new()
+                {
+                    Op = "add",
+                    Path = $"members",
+                    Value = JsonDocument.Parse(JsonSerializer
+                        .Serialize(userIdsWithDuplicate
+                            .Select(uid => new { value = uid })
+                            .ToArray())).RootElement
+                }
+            },
+            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
+        };
+
+        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
+
+        await sutProvider.GetDependency<IGroupRepository>().Received(1).AddGroupUsersByIdAsync(
+            group.Id,
+            Arg.Is<IEnumerable<Guid>>(arg =>
+                arg.Count() == 3 &&
+                arg.ToHashSet().SetEquals(userIds)));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PatchGroup_AddListMembers_SuccessIfOnlySomeUsersAreInGroup(
+        SutProvider<PatchGroupCommand> sutProvider,
+        Organization organization, Group group,
+        ICollection<Guid> existingMembers,
+        ICollection<Guid> userIds)
+    {
+        // A user is already in the group, but some still need to be added
+        userIds.Add(existingMembers.First());
+
+        group.OrganizationId = organization.Id;
+
+        sutProvider.GetDependency<IGroupRepository>()
+            .GetManyUserIdsByIdAsync(group.Id, true)
+            .Returns(existingMembers);
+
+        var scimPatchModel = new ScimPatchModel
+        {
+            Operations = new List<ScimPatchModel.OperationModel>
+            {
+                new()
+                {
+                    Op = "add",
+                    Path = $"members",
+                    Value = JsonDocument.Parse(JsonSerializer.Serialize(userIds.Select(uid => new { value = uid }).ToArray())).RootElement
+                }
+            },
+            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
+        };
+
+        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
+
+        await sutProvider.GetDependency<IGroupRepository>()
+            .Received(1)
+            .AddGroupUsersByIdAsync(
+                group.Id,
+                Arg.Is<IEnumerable<Guid>>(arg =>
+                    arg.Count() == userIds.Count &&
+                    arg.ToHashSet().SetEquals(userIds)));
     }
 
     [Theory]
@@ -177,10 +359,6 @@ public class PatchGroupCommandTests
     {
         group.OrganizationId = organization.Id;
 
-        sutProvider.GetDependency<IGroupRepository>()
-            .GetByIdAsync(group.Id)
-            .Returns(group);
-
         var scimPatchModel = new Models.ScimPatchModel
         {
             Operations = new List<ScimPatchModel.OperationModel>
@@ -194,21 +372,19 @@ public class PatchGroupCommandTests
             Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
         };
 
-        await sutProvider.Sut.PatchGroupAsync(organization, group.Id, scimPatchModel);
+        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
 
         await sutProvider.GetDependency<IGroupService>().Received(1).DeleteUserAsync(group, userId, EventSystemUser.SCIM);
     }
 
     [Theory]
     [BitAutoData]
-    public async Task PatchGroup_RemoveListMembers_Success(SutProvider<PatchGroupCommand> sutProvider, Organization organization, Group group, ICollection<Guid> existingMembers)
+    public async Task PatchGroup_RemoveListMembers_Success(SutProvider<PatchGroupCommand> sutProvider,
+        Organization organization, Group group, ICollection<Guid> existingMembers)
     {
+        List<Guid> usersToRemove = [existingMembers.First(), existingMembers.Skip(1).First()];
         group.OrganizationId = organization.Id;
 
-        sutProvider.GetDependency<IGroupRepository>()
-            .GetByIdAsync(group.Id)
-            .Returns(group);
-
         sutProvider.GetDependency<IGroupRepository>()
             .GetManyUserIdsByIdAsync(group.Id)
             .Returns(existingMembers);
@@ -217,30 +393,58 @@ public class PatchGroupCommandTests
         {
             Operations = new List<ScimPatchModel.OperationModel>
             {
-                new ScimPatchModel.OperationModel
+                new()
                 {
                     Op = "remove",
                     Path = $"members",
-                    Value = JsonDocument.Parse(JsonSerializer.Serialize(existingMembers.Select(uid => new { value = uid }).ToArray())).RootElement
+                    Value = JsonDocument.Parse(JsonSerializer.Serialize(usersToRemove.Select(uid => new { value = uid }).ToArray())).RootElement
                 }
             },
             Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
         };
 
-        await sutProvider.Sut.PatchGroupAsync(organization, group.Id, scimPatchModel);
+        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
 
-        await sutProvider.GetDependency<IGroupRepository>().Received(1).UpdateUsersAsync(group.Id, Arg.Is<IEnumerable<Guid>>(arg => arg.All(id => existingMembers.Contains(id))));
+        var expectedRemainingUsers = existingMembers.Skip(2).ToList();
+        await sutProvider.GetDependency<IGroupRepository>()
+            .Received(1)
+            .UpdateUsersAsync(
+                group.Id,
+                Arg.Is<IEnumerable<Guid>>(arg =>
+                    arg.Count() == expectedRemainingUsers.Count &&
+                    arg.ToHashSet().SetEquals(expectedRemainingUsers)));
     }
 
     [Theory]
     [BitAutoData]
-    public async Task PatchGroup_NoAction_Success(SutProvider<PatchGroupCommand> sutProvider, Organization organization, Group group)
+    public async Task PatchGroup_InvalidOperation_Success(SutProvider<PatchGroupCommand> sutProvider, Organization organization, Group group)
     {
         group.OrganizationId = organization.Id;
 
-        sutProvider.GetDependency<IGroupRepository>()
-            .GetByIdAsync(group.Id)
-            .Returns(group);
+        var scimPatchModel = new Models.ScimPatchModel
+        {
+            Operations = [new ScimPatchModel.OperationModel { Op = "invalid operation" }],
+            Schemas = [ScimConstants.Scim2SchemaUser]
+        };
+
+        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
+
+        // Assert: no operation performed
+        await sutProvider.GetDependency<IGroupRepository>().DidNotReceiveWithAnyArgs().UpdateUsersAsync(default, default);
+        await sutProvider.GetDependency<IGroupRepository>().DidNotReceiveWithAnyArgs().GetManyUserIdsByIdAsync(default);
+        await sutProvider.GetDependency<IUpdateGroupCommand>().DidNotReceiveWithAnyArgs().UpdateGroupAsync(default, default);
+        await sutProvider.GetDependency<IGroupService>().DidNotReceiveWithAnyArgs().DeleteUserAsync(default, default);
+
+        // Assert: logging
+        sutProvider.GetDependency<ILogger<PatchGroupCommand>>().ReceivedWithAnyArgs().LogWarning(default);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PatchGroup_NoOperation_Success(
+        SutProvider<PatchGroupCommand> sutProvider, Organization organization, Group group)
+    {
+        group.OrganizationId = organization.Id;
 
         var scimPatchModel = new Models.ScimPatchModel
         {
@@ -248,45 +452,11 @@ public class PatchGroupCommandTests
             Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
         };
 
-        await sutProvider.Sut.PatchGroupAsync(organization, group.Id, scimPatchModel);
+        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
 
         await sutProvider.GetDependency<IGroupRepository>().DidNotReceiveWithAnyArgs().UpdateUsersAsync(default, default);
         await sutProvider.GetDependency<IGroupRepository>().DidNotReceiveWithAnyArgs().GetManyUserIdsByIdAsync(default);
         await sutProvider.GetDependency<IUpdateGroupCommand>().DidNotReceiveWithAnyArgs().UpdateGroupAsync(default, default);
         await sutProvider.GetDependency<IGroupService>().DidNotReceiveWithAnyArgs().DeleteUserAsync(default, default);
     }
-
-    [Theory]
-    [BitAutoData]
-    public async Task PatchGroup_NotFound_Throws(SutProvider<PatchGroupCommand> sutProvider, Organization organization, Guid groupId)
-    {
-        var scimPatchModel = new Models.ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>(),
-            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
-        };
-
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.PatchGroupAsync(organization, groupId, scimPatchModel));
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task PatchGroup_MismatchingOrganizationId_Throws(SutProvider<PatchGroupCommand> sutProvider, Organization organization, Guid groupId)
-    {
-        var scimPatchModel = new Models.ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>(),
-            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
-        };
-
-        sutProvider.GetDependency<IGroupRepository>()
-            .GetByIdAsync(groupId)
-            .Returns(new Group
-            {
-                Id = groupId,
-                OrganizationId = Guid.NewGuid()
-            });
-
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.PatchGroupAsync(organization, groupId, scimPatchModel));
-    }
 }
diff --git a/bitwarden_license/test/Scim.Test/Groups/PatchGroupCommandvNextTests.cs b/bitwarden_license/test/Scim.Test/Groups/PatchGroupCommandvNextTests.cs
deleted file mode 100644
index b9877f0b71..0000000000
--- a/bitwarden_license/test/Scim.Test/Groups/PatchGroupCommandvNextTests.cs
+++ /dev/null
@@ -1,381 +0,0 @@
-using System.Text.Json;
-using AutoFixture;
-using Bit.Core.AdminConsole.Entities;
-using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
-using Bit.Core.AdminConsole.Repositories;
-using Bit.Core.AdminConsole.Services;
-using Bit.Core.Enums;
-using Bit.Core.Repositories;
-using Bit.Scim.Groups;
-using Bit.Scim.Models;
-using Bit.Scim.Utilities;
-using Bit.Test.Common.AutoFixture;
-using Bit.Test.Common.AutoFixture.Attributes;
-using NSubstitute;
-using Xunit;
-
-namespace Bit.Scim.Test.Groups;
-
-[SutProviderCustomize]
-public class PatchGroupCommandvNextTests
-{
-    [Theory]
-    [BitAutoData]
-    public async Task PatchGroup_ReplaceListMembers_Success(SutProvider<PatchGroupCommandvNext> sutProvider,
-        Organization organization, Group group, IEnumerable<Guid> userIds)
-    {
-        group.OrganizationId = organization.Id;
-
-        var scimPatchModel = new ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>
-            {
-                new()
-                {
-                    Op = "replace",
-                    Path = "members",
-                    Value = JsonDocument.Parse(JsonSerializer.Serialize(userIds.Select(uid => new { value = uid }).ToArray())).RootElement
-                }
-            },
-            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
-        };
-
-        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
-
-        await sutProvider.GetDependency<IGroupRepository>().Received(1).UpdateUsersAsync(
-            group.Id,
-            Arg.Is<IEnumerable<Guid>>(arg =>
-                arg.Count() == userIds.Count() &&
-                arg.ToHashSet().SetEquals(userIds)));
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task PatchGroup_ReplaceDisplayNameFromPath_Success(
-        SutProvider<PatchGroupCommandvNext> sutProvider, Organization organization, Group group, string displayName)
-    {
-        group.OrganizationId = organization.Id;
-
-        sutProvider.GetDependency<IOrganizationRepository>()
-            .GetByIdAsync(organization.Id)
-            .Returns(organization);
-
-        var scimPatchModel = new ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>
-            {
-                new()
-                {
-                    Op = "replace",
-                    Path = "displayname",
-                    Value = JsonDocument.Parse($"\"{displayName}\"").RootElement
-                }
-            },
-            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
-        };
-
-        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
-
-        await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(group, organization, EventSystemUser.SCIM);
-        Assert.Equal(displayName, group.Name);
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task PatchGroup_ReplaceDisplayNameFromValueObject_Success(SutProvider<PatchGroupCommandvNext> sutProvider, Organization organization, Group group, string displayName)
-    {
-        group.OrganizationId = organization.Id;
-
-        sutProvider.GetDependency<IOrganizationRepository>()
-            .GetByIdAsync(organization.Id)
-            .Returns(organization);
-
-        var scimPatchModel = new ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>
-            {
-                new()
-                {
-                    Op = "replace",
-                    Value = JsonDocument.Parse($"{{\"displayName\":\"{displayName}\"}}").RootElement
-                }
-            },
-            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
-        };
-
-        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
-
-        await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(group, organization, EventSystemUser.SCIM);
-        Assert.Equal(displayName, group.Name);
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task PatchGroup_AddSingleMember_Success(SutProvider<PatchGroupCommandvNext> sutProvider, Organization organization, Group group, ICollection<Guid> existingMembers, Guid userId)
-    {
-        group.OrganizationId = organization.Id;
-
-        sutProvider.GetDependency<IGroupRepository>()
-            .GetManyUserIdsByIdAsync(group.Id, true)
-            .Returns(existingMembers);
-
-        var scimPatchModel = new ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>
-            {
-                new()
-                {
-                    Op = "add",
-                    Path = $"members[value eq \"{userId}\"]",
-                }
-            },
-            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
-        };
-
-        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
-
-        await sutProvider.GetDependency<IGroupRepository>().Received(1).AddGroupUsersByIdAsync(
-            group.Id,
-            Arg.Is<IEnumerable<Guid>>(arg => arg.Single() == userId));
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task PatchGroup_AddSingleMember_ReturnsEarlyIfAlreadyInGroup(
-        SutProvider<PatchGroupCommandvNext> sutProvider,
-        Organization organization,
-        Group group,
-        ICollection<Guid> existingMembers)
-    {
-        // User being added is already in group
-        var userId = existingMembers.First();
-        group.OrganizationId = organization.Id;
-
-        sutProvider.GetDependency<IGroupRepository>()
-            .GetManyUserIdsByIdAsync(group.Id, true)
-            .Returns(existingMembers);
-
-        var scimPatchModel = new ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>
-            {
-                new()
-                {
-                    Op = "add",
-                    Path = $"members[value eq \"{userId}\"]",
-                }
-            },
-            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
-        };
-
-        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
-
-        await sutProvider.GetDependency<IGroupRepository>()
-            .DidNotReceiveWithAnyArgs()
-            .AddGroupUsersByIdAsync(default, default);
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task PatchGroup_AddListMembers_Success(SutProvider<PatchGroupCommandvNext> sutProvider, Organization organization, Group group, ICollection<Guid> existingMembers, ICollection<Guid> userIds)
-    {
-        group.OrganizationId = organization.Id;
-
-        sutProvider.GetDependency<IGroupRepository>()
-            .GetManyUserIdsByIdAsync(group.Id, true)
-            .Returns(existingMembers);
-
-        var scimPatchModel = new ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>
-            {
-                new()
-                {
-                    Op = "add",
-                    Path = $"members",
-                    Value = JsonDocument.Parse(JsonSerializer.Serialize(userIds.Select(uid => new { value = uid }).ToArray())).RootElement
-                }
-            },
-            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
-        };
-
-        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
-
-        await sutProvider.GetDependency<IGroupRepository>().Received(1).AddGroupUsersByIdAsync(
-            group.Id,
-            Arg.Is<IEnumerable<Guid>>(arg =>
-                arg.Count() == userIds.Count &&
-                arg.ToHashSet().SetEquals(userIds)));
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task PatchGroup_AddListMembers_IgnoresDuplicatesInRequest(
-        SutProvider<PatchGroupCommandvNext> sutProvider, Organization organization, Group group,
-        ICollection<Guid> existingMembers)
-    {
-        // Create 3 userIds
-        var fixture = new Fixture { RepeatCount = 3 };
-        var userIds = fixture.CreateMany<Guid>().ToList();
-
-        // Copy the list and add a duplicate
-        var userIdsWithDuplicate = userIds.Append(userIds.First()).ToList();
-        Assert.Equal(4, userIdsWithDuplicate.Count);
-
-        group.OrganizationId = organization.Id;
-
-        sutProvider.GetDependency<IGroupRepository>()
-            .GetManyUserIdsByIdAsync(group.Id, true)
-            .Returns(existingMembers);
-
-        var scimPatchModel = new ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>
-            {
-                new()
-                {
-                    Op = "add",
-                    Path = $"members",
-                    Value = JsonDocument.Parse(JsonSerializer
-                        .Serialize(userIdsWithDuplicate
-                            .Select(uid => new { value = uid })
-                            .ToArray())).RootElement
-                }
-            },
-            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
-        };
-
-        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
-
-        await sutProvider.GetDependency<IGroupRepository>().Received(1).AddGroupUsersByIdAsync(
-            group.Id,
-            Arg.Is<IEnumerable<Guid>>(arg =>
-                arg.Count() == 3 &&
-                arg.ToHashSet().SetEquals(userIds)));
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task PatchGroup_AddListMembers_SuccessIfOnlySomeUsersAreInGroup(
-        SutProvider<PatchGroupCommandvNext> sutProvider,
-        Organization organization, Group group,
-        ICollection<Guid> existingMembers,
-        ICollection<Guid> userIds)
-    {
-        // A user is already in the group, but some still need to be added
-        userIds.Add(existingMembers.First());
-
-        group.OrganizationId = organization.Id;
-
-        sutProvider.GetDependency<IGroupRepository>()
-            .GetManyUserIdsByIdAsync(group.Id, true)
-            .Returns(existingMembers);
-
-        var scimPatchModel = new ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>
-            {
-                new()
-                {
-                    Op = "add",
-                    Path = $"members",
-                    Value = JsonDocument.Parse(JsonSerializer.Serialize(userIds.Select(uid => new { value = uid }).ToArray())).RootElement
-                }
-            },
-            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
-        };
-
-        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
-
-        await sutProvider.GetDependency<IGroupRepository>()
-            .Received(1)
-            .AddGroupUsersByIdAsync(
-                group.Id,
-                Arg.Is<IEnumerable<Guid>>(arg =>
-                    arg.Count() == userIds.Count &&
-                    arg.ToHashSet().SetEquals(userIds)));
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task PatchGroup_RemoveSingleMember_Success(SutProvider<PatchGroupCommandvNext> sutProvider, Organization organization, Group group, Guid userId)
-    {
-        group.OrganizationId = organization.Id;
-
-        var scimPatchModel = new Models.ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>
-            {
-                new ScimPatchModel.OperationModel
-                {
-                    Op = "remove",
-                    Path = $"members[value eq \"{userId}\"]",
-                }
-            },
-            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
-        };
-
-        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
-
-        await sutProvider.GetDependency<IGroupService>().Received(1).DeleteUserAsync(group, userId, EventSystemUser.SCIM);
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task PatchGroup_RemoveListMembers_Success(SutProvider<PatchGroupCommandvNext> sutProvider,
-        Organization organization, Group group, ICollection<Guid> existingMembers)
-    {
-        List<Guid> usersToRemove = [existingMembers.First(), existingMembers.Skip(1).First()];
-        group.OrganizationId = organization.Id;
-
-        sutProvider.GetDependency<IGroupRepository>()
-            .GetManyUserIdsByIdAsync(group.Id)
-            .Returns(existingMembers);
-
-        var scimPatchModel = new Models.ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>
-            {
-                new()
-                {
-                    Op = "remove",
-                    Path = $"members",
-                    Value = JsonDocument.Parse(JsonSerializer.Serialize(usersToRemove.Select(uid => new { value = uid }).ToArray())).RootElement
-                }
-            },
-            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
-        };
-
-        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
-
-        var expectedRemainingUsers = existingMembers.Skip(2).ToList();
-        await sutProvider.GetDependency<IGroupRepository>()
-            .Received(1)
-            .UpdateUsersAsync(
-                group.Id,
-                Arg.Is<IEnumerable<Guid>>(arg =>
-                    arg.Count() == expectedRemainingUsers.Count &&
-                    arg.ToHashSet().SetEquals(expectedRemainingUsers)));
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task PatchGroup_NoAction_Success(
-        SutProvider<PatchGroupCommandvNext> sutProvider, Organization organization, Group group)
-    {
-        group.OrganizationId = organization.Id;
-
-        var scimPatchModel = new Models.ScimPatchModel
-        {
-            Operations = new List<ScimPatchModel.OperationModel>(),
-            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
-        };
-
-        await sutProvider.Sut.PatchGroupAsync(group, scimPatchModel);
-
-        await sutProvider.GetDependency<IGroupRepository>().DidNotReceiveWithAnyArgs().UpdateUsersAsync(default, default);
-        await sutProvider.GetDependency<IGroupRepository>().DidNotReceiveWithAnyArgs().GetManyUserIdsByIdAsync(default);
-        await sutProvider.GetDependency<IUpdateGroupCommand>().DidNotReceiveWithAnyArgs().UpdateGroupAsync(default, default);
-        await sutProvider.GetDependency<IGroupService>().DidNotReceiveWithAnyArgs().DeleteUserAsync(default, default);
-    }
-}
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index c629881458..379915c37d 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -106,7 +106,6 @@ public static class FeatureFlagKeys
     public const string VerifiedSsoDomainEndpoint = "pm-12337-refactor-sso-details-endpoint";
     public const string DeviceApprovalRequestAdminNotifications = "pm-15637-device-approval-request-admin-notifications";
     public const string LimitItemDeletion = "pm-15493-restrict-item-deletion-to-can-manage-permission";
-    public const string ShortcutDuplicatePatchRequests = "pm-16812-shortcut-duplicate-patch-requests";
     public const string PushSyncOrgKeysOnRevokeRestore = "pm-17168-push-sync-org-keys-on-revoke-restore";
     public const string PolicyRequirements = "pm-14439-policy-requirements";
 

From fb0567b45ec2cbdc1c4bf43b0a2bbf3ad93cdf31 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Thu, 27 Mar 2025 14:49:38 +0000
Subject: [PATCH 129/184] [PM-18523] Add SSO external ID visibility feature
 flag (#5559)

---
 src/Core/Constants.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 379915c37d..3a4d3b2e13 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -108,6 +108,7 @@ public static class FeatureFlagKeys
     public const string LimitItemDeletion = "pm-15493-restrict-item-deletion-to-can-manage-permission";
     public const string PushSyncOrgKeysOnRevokeRestore = "pm-17168-push-sync-org-keys-on-revoke-restore";
     public const string PolicyRequirements = "pm-14439-policy-requirements";
+    public const string SsoExternalIdVisibility = "pm-18630-sso-external-id-visibility";
 
     /* Tools Team */
     public const string ItemShare = "item-share";

From 6e81cee22160ec17ba79cdd13e0380c2f0b897ad Mon Sep 17 00:00:00 2001
From: Matt Bishop <mbishop@bitwarden.com>
Date: Fri, 28 Mar 2025 09:20:35 -0700
Subject: [PATCH 130/184] Introduce organization integration configuration
 details (#5568)

---
 ...EventTypeOrganizationIdIntegrationType.sql | 20 ++++++++
 ...EventTypeOrganizationIdIntegrationType.sql | 22 ---------
 ...ionIntegrationConfigurationDetailsView.sql | 13 +++++
 ...izationIntegrationConfigurationDetails.sql | 49 +++++++++++++++++++
 4 files changed, 82 insertions(+), 22 deletions(-)
 create mode 100644 src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfigurationDetails_ReadManyByEventTypeOrganizationIdIntegrationType.sql
 delete mode 100644 src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfiguration_ReadManyByEventTypeOrganizationIdIntegrationType.sql
 create mode 100644 src/Sql/dbo/Views/OrganizationIntegrationConfigurationDetailsView.sql
 create mode 100644 util/Migrator/DbScripts/2025-03-27_00_OrganizationIntegrationConfigurationDetails.sql

diff --git a/src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfigurationDetails_ReadManyByEventTypeOrganizationIdIntegrationType.sql b/src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfigurationDetails_ReadManyByEventTypeOrganizationIdIntegrationType.sql
new file mode 100644
index 0000000000..3240402916
--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfigurationDetails_ReadManyByEventTypeOrganizationIdIntegrationType.sql	
@@ -0,0 +1,20 @@
+CREATE PROCEDURE [dbo].[OrganizationIntegrationConfigurationDetails_ReadManyByEventTypeOrganizationIdIntegrationType]
+    @EventType SMALLINT,
+    @OrganizationId UNIQUEIDENTIFIER,
+    @IntegrationType SMALLINT
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        oic.*
+    FROM
+        [dbo].[OrganizationIntegrationConfigurationDetailsView] oic
+    WHERE
+        oic.[EventType] = @EventType
+        AND
+        oic.[OrganizationId] = @OrganizationId
+        AND
+        oic.[IntegrationType] = @IntegrationType
+END
+GO
diff --git a/src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfiguration_ReadManyByEventTypeOrganizationIdIntegrationType.sql b/src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfiguration_ReadManyByEventTypeOrganizationIdIntegrationType.sql
deleted file mode 100644
index 113aa2e529..0000000000
--- a/src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfiguration_ReadManyByEventTypeOrganizationIdIntegrationType.sql	
+++ /dev/null
@@ -1,22 +0,0 @@
-CREATE PROCEDURE [dbo].[OrganizationIntegrationConfiguration_ReadManyByEventTypeOrganizationIdIntegrationType]
-    @EventType SMALLINT,
-    @OrganizationId UNIQUEIDENTIFIER,
-    @IntegrationType SMALLINT
-AS
-BEGIN
-    SET NOCOUNT ON
-
-    SELECT
-        oic.*
-    FROM
-        [dbo].[OrganizationIntegrationConfigurationView] oic
-        INNER JOIN
-        [dbo].[OrganizationIntegration] oi ON oi.[Id] = oic.[OrganizationIntegrationId]
-    WHERE
-        oic.[EventType] = @EventType
-        AND
-        oi.[OrganizationId] = @OrganizationId
-        AND
-        oi.[Type] = @IntegrationType
-END
-GO
diff --git a/src/Sql/dbo/Views/OrganizationIntegrationConfigurationDetailsView.sql b/src/Sql/dbo/Views/OrganizationIntegrationConfigurationDetailsView.sql
new file mode 100644
index 0000000000..45609da551
--- /dev/null
+++ b/src/Sql/dbo/Views/OrganizationIntegrationConfigurationDetailsView.sql
@@ -0,0 +1,13 @@
+CREATE VIEW [dbo].[OrganizationIntegrationConfigurationDetailsView]
+AS
+    SELECT
+        oi.[OrganizationId],
+        oi.[Type] AS [IntegrationType],
+        oic.[EventType],
+        oic.[Configuration],
+        oi.[Configuration] AS [IntegrationConfiguration],
+        oic.[Template]
+    FROM
+        [dbo].[OrganizationIntegrationConfiguration] oic
+        INNER JOIN
+        [dbo].[OrganizationIntegration] oi ON oi.[Id] = oic.[OrganizationIntegrationId]
diff --git a/util/Migrator/DbScripts/2025-03-27_00_OrganizationIntegrationConfigurationDetails.sql b/util/Migrator/DbScripts/2025-03-27_00_OrganizationIntegrationConfigurationDetails.sql
new file mode 100644
index 0000000000..233afa7e3e
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-03-27_00_OrganizationIntegrationConfigurationDetails.sql
@@ -0,0 +1,49 @@
+IF EXISTS(SELECT *
+FROM sys.views
+WHERE [Name] = 'OrganizationIntegrationConfigurationDetailsView')
+BEGIN
+    DROP VIEW [dbo].[OrganizationIntegrationConfigurationDetailsView];
+END
+GO
+
+CREATE VIEW [dbo].[OrganizationIntegrationConfigurationDetailsView]
+AS
+    SELECT
+        oi.[OrganizationId],
+        oi.[Type] AS [IntegrationType],
+        oic.[EventType],
+        oic.[Configuration],
+        oi.[Configuration] AS [IntegrationConfiguration],
+        oic.[Template]
+    FROM
+        [dbo].[OrganizationIntegrationConfiguration] oic
+        INNER JOIN
+        [dbo].[OrganizationIntegration] oi ON oi.[Id] = oic.[OrganizationIntegrationId]
+GO
+
+IF OBJECT_ID('[dbo].[OrganizationIntegrationConfiguration_ReadManyByEventTypeOrganizationIdIntegrationType]') IS NOT NULL
+    BEGIN
+    DROP PROCEDURE [dbo].[OrganizationIntegrationConfiguration_ReadManyByEventTypeOrganizationIdIntegrationType]
+END
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[OrganizationIntegrationConfigurationDetails_ReadManyByEventTypeOrganizationIdIntegrationType]
+    @EventType SMALLINT,
+    @OrganizationId UNIQUEIDENTIFIER,
+    @IntegrationType SMALLINT
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        oic.*
+    FROM
+        [dbo].[OrganizationIntegrationConfigurationDetailsView] oic
+    WHERE
+        oic.[EventType] = @EventType
+        AND
+        oic.[OrganizationId] = @OrganizationId
+        AND
+        oic.[IntegrationType] = @IntegrationType
+END
+GO

From c154b6ad9b2db705834affcaf5c4c2ad3c4f125f Mon Sep 17 00:00:00 2001
From: Todd Martin <106564991+trmartin4@users.noreply.github.com>
Date: Sun, 30 Mar 2025 12:57:05 -0400
Subject: [PATCH 131/184] Clean up remove-server-version-header	feature flag
 (#5573)

* Removed feature flag.

* Linting.
---
 src/Core/Constants.cs                               |  1 -
 src/SharedWeb/Utilities/RequestLoggingMiddleware.cs | 10 ----------
 2 files changed, 11 deletions(-)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 3a4d3b2e13..7e39a586f4 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -163,7 +163,6 @@ public static class FeatureFlagKeys
     public const string EnableNewCardCombinedExpiryAutofill = "enable-new-card-combined-expiry-autofill";
     public const string StorageReseedRefactor = "storage-reseed-refactor";
     public const string TrialPayment = "PM-8163-trial-payment";
-    public const string RemoveServerVersionHeader = "remove-server-version-header";
     public const string GeneratorToolsModernization = "generator-tools-modernization";
     public const string NewDeviceVerification = "new-device-verification";
     public const string MacOsNativeCredentialSync = "macos-native-credential-sync";
diff --git a/src/SharedWeb/Utilities/RequestLoggingMiddleware.cs b/src/SharedWeb/Utilities/RequestLoggingMiddleware.cs
index 77efdbfcf0..7f2db27eec 100644
--- a/src/SharedWeb/Utilities/RequestLoggingMiddleware.cs
+++ b/src/SharedWeb/Utilities/RequestLoggingMiddleware.cs
@@ -1,5 +1,4 @@
 using System.Collections;
-using Bit.Core;
 using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
@@ -25,15 +24,6 @@ public sealed class RequestLoggingMiddleware
 
     public Task Invoke(HttpContext context, IFeatureService featureService)
     {
-        if (!featureService.IsEnabled(FeatureFlagKeys.RemoveServerVersionHeader))
-        {
-            context.Response.OnStarting(() =>
-            {
-                context.Response.Headers.Append("Server-Version", AssemblyHelpers.GetVersion());
-                return Task.CompletedTask;
-            });
-        }
-
         using (_logger.BeginScope(
           new RequestLogScope(context.GetIpAddress(_globalSettings),
             GetHeaderValue(context, "user-agent"),

From ad05e3f9e157786c201e068971f79ca7dc6079df Mon Sep 17 00:00:00 2001
From: Todd Martin <106564991+trmartin4@users.noreply.github.com>
Date: Sun, 30 Mar 2025 16:03:09 -0400
Subject: [PATCH 132/184] Complete feature flag grouping by team (#5574)

* Completed grouping of feature flags by team.

* Completed grouping feature flags by team.

* Linting

* Moved flag.

* Moved ssh-key-vault-item to KM.
---
 src/Core/Constants.cs | 129 ++++++++++++++++++++++--------------------
 1 file changed, 67 insertions(+), 62 deletions(-)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 7e39a586f4..ea360eb744 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -110,12 +110,79 @@ public static class FeatureFlagKeys
     public const string PolicyRequirements = "pm-14439-policy-requirements";
     public const string SsoExternalIdVisibility = "pm-18630-sso-external-id-visibility";
 
+    /* Auth Team */
+    public const string PM9112DeviceApprovalPersistence = "pm-9112-device-approval-persistence";
+    public const string DuoRedirect = "duo-redirect";
+    public const string EmailVerification = "email-verification";
+    public const string EmailVerificationDisableTimingDelays = "email-verification-disable-timing-delays";
+    public const string DeviceTrustLogging = "pm-8285-device-trust-logging";
+    public const string AuthenticatorTwoFactorToken = "authenticator-2fa-token";
+    public const string UnauthenticatedExtensionUIRefresh = "unauth-ui-refresh";
+    public const string NewDeviceVerification = "new-device-verification";
+    public const string SetInitialPasswordRefactor = "pm-16117-set-initial-password-refactor";
+    public const string ChangeExistingPasswordRefactor = "pm-16117-change-existing-password-refactor";
+    public const string RecoveryCodeLogin = "pm-17128-recovery-code-login";
+
+    /* Autofill Team */
+    public const string IdpAutoSubmitLogin = "idp-auto-submit-login";
+    public const string UseTreeWalkerApiForPageDetailsCollection = "use-tree-walker-api-for-page-details-collection";
+    public const string InlineMenuFieldQualification = "inline-menu-field-qualification";
+    public const string InlineMenuPositioningImprovements = "inline-menu-positioning-improvements";
+    public const string SSHAgent = "ssh-agent";
+    public const string SSHVersionCheckQAOverride = "ssh-version-check-qa-override";
+    public const string GenerateIdentityFillScriptRefactor = "generate-identity-fill-script-refactor";
+    public const string DelayFido2PageScriptInitWithinMv2 = "delay-fido2-page-script-init-within-mv2";
+    public const string NotificationBarAddLoginImprovements = "notification-bar-add-login-improvements";
+    public const string BlockBrowserInjectionsByDomain = "block-browser-injections-by-domain";
+    public const string NotificationRefresh = "notification-refresh";
+    public const string EnableNewCardCombinedExpiryAutofill = "enable-new-card-combined-expiry-autofill";
+    public const string MacOsNativeCredentialSync = "macos-native-credential-sync";
+    public const string InlineMenuTotp = "inline-menu-totp";
+
+    /* Billing Team */
+    public const string AC2101UpdateTrialInitiationEmail = "AC-2101-update-trial-initiation-email";
+    public const string TrialPayment = "PM-8163-trial-payment";
+    public const string ResellerManagedOrgAlert = "PM-15814-alert-owners-of-reseller-managed-orgs";
+    public const string UsePricingService = "use-pricing-service";
+    public const string P15179_AddExistingOrgsFromProviderPortal = "pm-15179-add-existing-orgs-from-provider-portal";
+    public const string PM12276Breadcrumbing = "pm-12276-breadcrumbing-for-business-features";
+    public const string PM18794_ProviderPaymentMethod = "pm-18794-provider-payment-method";
+
+    /* Key Management Team */
+    public const string ReturnErrorOnExistingKeypair = "return-error-on-existing-keypair";
+    public const string PM4154BulkEncryptionService = "PM-4154-bulk-encryption-service";
+    public const string PrivateKeyRegeneration = "pm-12241-private-key-regeneration";
+    public const string Argon2Default = "argon2-default";
+    public const string UserkeyRotationV2 = "userkey-rotation-v2";
+    public const string SSHKeyItemVaultItem = "ssh-key-vault-item";
+
+    /* Mobile Team */
+    public const string NativeCarouselFlow = "native-carousel-flow";
+    public const string NativeCreateAccountFlow = "native-create-account-flow";
+    public const string AndroidImportLoginsFlow = "import-logins-flow";
+    public const string AppReviewPrompt = "app-review-prompt";
+    public const string EnablePasswordManagerSyncAndroid = "enable-password-manager-sync-android";
+    public const string EnablePasswordManagerSynciOS = "enable-password-manager-sync-ios";
+    public const string AndroidMutualTls = "mutual-tls";
+    public const string SingleTapPasskeyCreation = "single-tap-passkey-creation";
+    public const string SingleTapPasskeyAuthentication = "single-tap-passkey-authentication";
+    public const string EnablePMAuthenticatorSync = "enable-pm-bwa-sync";
+    public const string PM3503_MobileAnonAddySelfHostAlias = "anon-addy-self-host-alias";
+    public const string PM3553_MobileSimpleLoginSelfHostAlias = "simple-login-self-host-alias";
+
+    /* Platform Team */
+    public const string PersistPopupView = "persist-popup-view";
+    public const string StorageReseedRefactor = "storage-reseed-refactor";
+    public const string WebPush = "web-push";
+    public const string RecordInstallationLastActivityDate = "installation-last-activity-date";
+
     /* Tools Team */
     public const string ItemShare = "item-share";
     public const string RiskInsightsCriticalApplication = "pm-14466-risk-insights-critical-application";
     public const string EnableRiskInsightsNotifications = "enable-risk-insights-notifications";
     public const string DesktopSendUIRefresh = "desktop-send-ui-refresh";
     public const string ExportAttachments = "export-attachments";
+    public const string GeneratorToolsModernization = "generator-tools-modernization";
 
     /* Vault Team */
     public const string PM8851_BrowserOnboardingNudge = "pm-8851-browser-onboarding-nudge";
@@ -125,69 +192,7 @@ public static class FeatureFlagKeys
     public const string VaultBulkManagementAction = "vault-bulk-management-action";
     public const string RestrictProviderAccess = "restrict-provider-access";
     public const string SecurityTasks = "security-tasks";
-
-    /* Auth Team */
-    public const string PM9112DeviceApprovalPersistence = "pm-9112-device-approval-persistence";
-
-    /* Key Management Team */
-    public const string SSHKeyItemVaultItem = "ssh-key-vault-item";
-    public const string SSHAgent = "ssh-agent";
-    public const string SSHVersionCheckQAOverride = "ssh-version-check-qa-override";
-    public const string Argon2Default = "argon2-default";
-    public const string PM4154BulkEncryptionService = "PM-4154-bulk-encryption-service";
-    public const string PrivateKeyRegeneration = "pm-12241-private-key-regeneration";
-    public const string UserkeyRotationV2 = "userkey-rotation-v2";
-
-    /* Unsorted */
-    public const string ReturnErrorOnExistingKeypair = "return-error-on-existing-keypair";
-    public const string UseTreeWalkerApiForPageDetailsCollection = "use-tree-walker-api-for-page-details-collection";
-    public const string DuoRedirect = "duo-redirect";
-    public const string AC2101UpdateTrialInitiationEmail = "AC-2101-update-trial-initiation-email";
-    public const string EmailVerification = "email-verification";
-    public const string EmailVerificationDisableTimingDelays = "email-verification-disable-timing-delays";
-    public const string InlineMenuFieldQualification = "inline-menu-field-qualification";
-    public const string InlineMenuPositioningImprovements = "inline-menu-positioning-improvements";
-    public const string DeviceTrustLogging = "pm-8285-device-trust-logging";
-    public const string AuthenticatorTwoFactorToken = "authenticator-2fa-token";
-    public const string IdpAutoSubmitLogin = "idp-auto-submit-login";
-    public const string UnauthenticatedExtensionUIRefresh = "unauth-ui-refresh";
-    public const string GenerateIdentityFillScriptRefactor = "generate-identity-fill-script-refactor";
-    public const string DelayFido2PageScriptInitWithinMv2 = "delay-fido2-page-script-init-within-mv2";
-    public const string NativeCarouselFlow = "native-carousel-flow";
-    public const string NativeCreateAccountFlow = "native-create-account-flow";
-    public const string NotificationBarAddLoginImprovements = "notification-bar-add-login-improvements";
-    public const string BlockBrowserInjectionsByDomain = "block-browser-injections-by-domain";
-    public const string NotificationRefresh = "notification-refresh";
-    public const string PersistPopupView = "persist-popup-view";
     public const string CipherKeyEncryption = "cipher-key-encryption";
-    public const string EnableNewCardCombinedExpiryAutofill = "enable-new-card-combined-expiry-autofill";
-    public const string StorageReseedRefactor = "storage-reseed-refactor";
-    public const string TrialPayment = "PM-8163-trial-payment";
-    public const string GeneratorToolsModernization = "generator-tools-modernization";
-    public const string NewDeviceVerification = "new-device-verification";
-    public const string MacOsNativeCredentialSync = "macos-native-credential-sync";
-    public const string InlineMenuTotp = "inline-menu-totp";
-    public const string AppReviewPrompt = "app-review-prompt";
-    public const string ResellerManagedOrgAlert = "PM-15814-alert-owners-of-reseller-managed-orgs";
-    public const string UsePricingService = "use-pricing-service";
-    public const string RecordInstallationLastActivityDate = "installation-last-activity-date";
-    public const string EnablePasswordManagerSyncAndroid = "enable-password-manager-sync-android";
-    public const string EnablePasswordManagerSynciOS = "enable-password-manager-sync-ios";
-    public const string AccountDeprovisioningBanner = "pm-17120-account-deprovisioning-admin-console-banner";
-    public const string SingleTapPasskeyCreation = "single-tap-passkey-creation";
-    public const string SingleTapPasskeyAuthentication = "single-tap-passkey-authentication";
-    public const string EnablePMAuthenticatorSync = "enable-pm-bwa-sync";
-    public const string P15179_AddExistingOrgsFromProviderPortal = "pm-15179-add-existing-orgs-from-provider-portal";
-    public const string AndroidMutualTls = "mutual-tls";
-    public const string RecoveryCodeLogin = "pm-17128-recovery-code-login";
-    public const string PM3503_MobileAnonAddySelfHostAlias = "anon-addy-self-host-alias";
-    public const string WebPush = "web-push";
-    public const string AndroidImportLoginsFlow = "import-logins-flow";
-    public const string PM12276Breadcrumbing = "pm-12276-breadcrumbing-for-business-features";
-    public const string PM18794_ProviderPaymentMethod = "pm-18794-provider-payment-method";
-    public const string PM3553_MobileSimpleLoginSelfHostAlias = "simple-login-self-host-alias";
-    public const string SetInitialPasswordRefactor = "pm-16117-set-initial-password-refactor";
-    public const string ChangeExistingPasswordRefactor = "pm-16117-change-existing-password-refactor";
 
     public static List<string> GetAllKeys()
     {

From f60db791cc8d7b1efdd830362b85e9a137290de0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Mon, 31 Mar 2025 12:25:36 +0100
Subject: [PATCH 133/184] [PM-19590] Add k6 load testing script for
 SyncController's /sync endpoint (#5508)

* Add k6 load testing script for sync endpoint

* Refactor sync response validation to use lowercase keys

* Remove access token validation from sync.js

* Update http_req_duration threshold in sync.js from 400ms to 1200ms
---
 perf/load/sync.js | 90 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 90 insertions(+)
 create mode 100644 perf/load/sync.js

diff --git a/perf/load/sync.js b/perf/load/sync.js
new file mode 100644
index 0000000000..5624803e84
--- /dev/null
+++ b/perf/load/sync.js
@@ -0,0 +1,90 @@
+import http from "k6/http";
+import { check, fail } from "k6";
+import { authenticate } from "./helpers/auth.js";
+
+const IDENTITY_URL = __ENV.IDENTITY_URL;
+const API_URL = __ENV.API_URL;
+const CLIENT_ID = __ENV.CLIENT_ID;
+const AUTH_USERNAME = __ENV.AUTH_USER_EMAIL;
+const AUTH_PASSWORD = __ENV.AUTH_USER_PASSWORD_HASH;
+
+export const options = {
+  ext: {
+    loadimpact: {
+      projectID: 3639465,
+      name: "Sync",
+    },
+  },
+  scenarios: {
+    constant_load: {
+      executor: "constant-arrival-rate",
+      rate: 30,
+      timeUnit: "1m", // 0.5 requests / second
+      duration: "10m",
+      preAllocatedVUs: 5,
+    },
+    ramping_load: {
+      executor: "ramping-arrival-rate",
+      startRate: 30,
+      timeUnit: "1m", // 0.5 requests / second to start
+      stages: [
+        { duration: "30s", target: 30 },
+        { duration: "2m", target: 75 },
+        { duration: "1m", target: 60 },
+        { duration: "2m", target: 100 },
+        { duration: "2m", target: 90 },
+        { duration: "1m", target: 120 },
+        { duration: "30s", target: 150 },
+        { duration: "30s", target: 60 },
+        { duration: "30s", target: 0 },
+      ],
+      preAllocatedVUs: 20,
+    },
+  },
+  thresholds: {
+    http_req_failed: ["rate<0.01"],
+    http_req_duration: ["p(95)<1200"],
+  },
+};
+
+export function setup() {
+  return authenticate(IDENTITY_URL, CLIENT_ID, AUTH_USERNAME, AUTH_PASSWORD);
+}
+
+export default function (data) {
+  const params = {
+    headers: {
+      Accept: "application/json",
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${data.access_token}`,
+      "X-ClientId": CLIENT_ID,
+    },
+    tags: { name: "Sync" },
+  };
+
+  const excludeDomains = Math.random() > 0.5;
+  
+  const syncRes = http.get(`${API_URL}/sync?excludeDomains=${excludeDomains}`, params);
+  if (
+    !check(syncRes, {
+      "sync status is 200": (r) => r.status === 200,
+    })
+  ) {
+    console.error(`Sync failed with status ${syncRes.status}: ${syncRes.body}`);
+    fail("sync status code was *not* 200");
+  }
+
+  if (syncRes.status === 200) {
+    const syncJson = syncRes.json();
+
+    check(syncJson, {
+      "sync response has profile": (j) => j.profile !== undefined,
+      "sync response has folders": (j) => Array.isArray(j.folders),
+      "sync response has collections": (j) => Array.isArray(j.collections),
+      "sync response has ciphers": (j) => Array.isArray(j.ciphers),
+      "sync response has policies": (j) => Array.isArray(j.policies),
+      "sync response has sends": (j) => Array.isArray(j.sends),
+      "sync response has correct object type": (j) => j.object === "sync"
+    });
+  }
+}

From 887332b4366263abac08f72fe54f47270f8f1dc0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Garc=C3=ADa?=
 <dani-garcia@users.noreply.github.com>
Date: Mon, 31 Mar 2025 15:19:55 +0200
Subject: [PATCH 134/184] [PM-15127] Remove secrets requirement from build
 workflow (#5546)

* [PM-15127] Remove secrets requirement from build workflow

* Remove unneeded check, fix target workflow

* Remove IF
---
 .github/CODEOWNERS                 |  1 +
 .github/workflows/build.yml        | 52 +++++++++++++++++-------------
 .github/workflows/build_target.yml | 21 ++++++++++++
 3 files changed, 52 insertions(+), 22 deletions(-)
 create mode 100644 .github/workflows/build_target.yml

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 11e79590f2..aa868cd1b5 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -66,6 +66,7 @@ src/Admin/Views/Tools @bitwarden/team-billing-dev
 
 # Platform team
 .github/workflows/build.yml @bitwarden/team-platform-dev
+.github/workflows/build_target.yml @bitwarden/team-platform-dev
 .github/workflows/cleanup-after-pr.yml @bitwarden/team-platform-dev
 .github/workflows/cleanup-rc-branch.yml @bitwarden/team-platform-dev
 .github/workflows/repository-management.yml @bitwarden/team-platform-dev
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8f125b7811..f0df238b34 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -7,22 +7,18 @@ on:
       - "main"
       - "rc"
       - "hotfix-rc"
-  pull_request_target:
+  pull_request:
     types: [opened, synchronize]
+  workflow_call:
+    inputs: {}
 
 env:
   _AZ_REGISTRY: "bitwardenprod.azurecr.io"
 
 jobs:
-  check-run:
-    name: Check PR run
-    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
-
   lint:
     name: Lint
     runs-on: ubuntu-22.04
-    needs:
-      - check-run
     steps:
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -40,6 +36,8 @@ jobs:
     runs-on: ubuntu-22.04
     needs:
       - lint
+    outputs:
+      has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
     strategy:
       fail-fast: false
       matrix:
@@ -75,6 +73,14 @@ jobs:
             base_path: ./bitwarden_license/src
             node: true
     steps:
+      - name: Check secrets
+        id: check-secrets
+        env:
+          AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+        run: |
+          has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
+          echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
+
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -134,6 +140,7 @@ jobs:
       id-token: write
     needs:
       - build-artifacts
+    if: ${{ needs.build-artifacts.outputs.has_secrets == 'true' }}
     strategy:
       fail-fast: false
       matrix:
@@ -227,7 +234,7 @@ jobs:
       - name: Generate Docker image tag
         id: tag
         run: |
-          if [[ "${GITHUB_EVENT_NAME}" == "pull_request_target" ]]; then
+          if [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then
             IMAGE_TAG=$(echo "${GITHUB_HEAD_REF}" | sed "s#/#-#g")
           else
             IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g")
@@ -289,11 +296,11 @@ jobs:
             "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
 
       - name: Install Cosign
-        if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main'
+        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
         uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 
       - name: Sign image with Cosign
-        if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main'
+        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
         env:
           DIGEST: ${{ steps.build-docker.outputs.digest }}
           TAGS: ${{ steps.image-tags.outputs.tags }}
@@ -343,7 +350,7 @@ jobs:
 
       - name: Make Docker stubs
         if: |
-          github.event_name != 'pull_request_target'
+          github.event_name != 'pull_request'
           && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
         run: |
           # Set proper setup image based on branch
@@ -385,7 +392,7 @@ jobs:
 
       - name: Make Docker stub checksums
         if: |
-          github.event_name != 'pull_request_target'
+          github.event_name != 'pull_request'
           && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
         run: |
           sha256sum docker-stub-US.zip > docker-stub-US-sha256.txt
@@ -393,7 +400,7 @@ jobs:
 
       - name: Upload Docker stub US artifact
         if: |
-          github.event_name != 'pull_request_target'
+          github.event_name != 'pull_request'
           && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
         uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
@@ -403,7 +410,7 @@ jobs:
 
       - name: Upload Docker stub EU artifact
         if: |
-          github.event_name != 'pull_request_target'
+          github.event_name != 'pull_request'
           && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
         uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
@@ -413,7 +420,7 @@ jobs:
 
       - name: Upload Docker stub US checksum artifact
         if: |
-          github.event_name != 'pull_request_target'
+          github.event_name != 'pull_request'
           && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
         uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
@@ -423,7 +430,7 @@ jobs:
 
       - name: Upload Docker stub EU checksum artifact
         if: |
-          github.event_name != 'pull_request_target'
+          github.event_name != 'pull_request'
           && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
         uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
@@ -552,7 +559,7 @@ jobs:
   self-host-build:
     name: Trigger self-host build
     if: |
-      github.event_name != 'pull_request_target'
+      github.event_name != 'pull_request'
       && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
     runs-on: ubuntu-22.04
     needs:
@@ -587,7 +594,7 @@ jobs:
 
   trigger-k8s-deploy:
     name: Trigger k8s deploy
-    if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main'
+    if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
     runs-on: ubuntu-22.04
     needs:
       - build-docker
@@ -623,7 +630,8 @@ jobs:
   trigger-ee-updates:
     name: Trigger Ephemeral Environment updates
     if: |
-      github.event_name == 'pull_request_target'
+      needs.build-artifacts.outputs.has_secrets == 'true'
+      && github.event_name == 'pull_request'
       && contains(github.event.pull_request.labels.*.name, 'ephemeral-environment')
     runs-on: ubuntu-24.04
     needs:
@@ -660,7 +668,8 @@ jobs:
     name: Trigger Ephemeral Environment Sync
     needs: trigger-ee-updates
     if: |
-      github.event_name == 'pull_request_target'
+      needs.build-artifacts.outputs.has_secrets == 'true'
+      && github.event_name == 'pull_request'
       && contains(github.event.pull_request.labels.*.name, 'ephemeral-environment')
     uses: bitwarden/gh-actions/.github/workflows/_ephemeral_environment_manager.yml@main
     with:
@@ -670,7 +679,6 @@ jobs:
       pull_request_number: ${{ github.event.number }}
     secrets: inherit
 
-
   check-failures:
     name: Check for failures
     if: always()
@@ -686,7 +694,7 @@ jobs:
     steps:
       - name: Check if any job failed
         if: |
-          github.event_name != 'pull_request_target'
+          github.event_name != 'pull_request'
           && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
           && contains(needs.*.result, 'failure')
         run: exit 1
diff --git a/.github/workflows/build_target.yml b/.github/workflows/build_target.yml
new file mode 100644
index 0000000000..313446c949
--- /dev/null
+++ b/.github/workflows/build_target.yml
@@ -0,0 +1,21 @@
+name: Build on PR Target
+
+on:
+  pull_request_target:
+    types: [opened, synchronize]
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  check-run:
+    name: Check PR run
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+
+  run-workflow:
+    name: Run Build on PR Target
+    needs: check-run
+    if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
+    uses: ./.github/workflows/build.yml
+    secrets: inherit

From 786b0edcebd19c08992194e46886d5c37b8a85f9 Mon Sep 17 00:00:00 2001
From: Jared McCannon <jmccannon@bitwarden.com>
Date: Mon, 31 Mar 2025 08:33:57 -0500
Subject: [PATCH 135/184] [PM-18527] - Fix allowing restored user to own
 multiple free orgs (#5444)

* Moved RestoreUserAsync and RestoreUsersAsync to Command.

* Fixing the bug.

* Added test for bulk method.

* Fixing sonar cube warning.

* SonarQube warning fix.

* Excluding org users we already have.

* Fixed misspelling. Added integration test for method.

* test had the misspelling as well :facepalm:

* Split out interface. Added admin and confirmed constraints.

* fixed queries and added xml comments and tests.
---
 .../Scim/Controllers/v2/UsersController.cs    |   9 +-
 .../src/Scim/Users/PatchUserCommand.cs        |   8 +-
 .../Scim.Test/Users/PatchUserCommandTests.cs  |   7 +-
 .../OrganizationUsersController.cs            |  10 +-
 .../v1/IRestoreOrganizationUserCommand.cs     |  54 ++
 .../v1/RestoreOrganizationUserCommand.cs      | 295 ++++++++
 .../Repositories/IOrganizationRepository.cs   |   1 +
 .../Services/IOrganizationService.cs          |   4 -
 .../Implementations/OrganizationService.cs    | 144 +---
 ...OrganizationServiceCollectionExtensions.cs |   3 +
 .../Repositories/OrganizationRepository.cs    |  11 +
 .../Repositories/OrganizationRepository.cs    |  13 +
 .../Organization_ReadManyByIds.sql            |  67 ++
 .../RestoreOrganizationUserCommandTests.cs    | 693 ++++++++++++++++++
 .../Services/OrganizationServiceTests.cs      | 551 --------------
 .../OrganizationRepositoryTests.cs            |  39 +
 .../OrganizationRepositoryTests.cs            |  33 +
 .../2025-03-21_00_Org_ReadManyByManyId.sql    |  66 ++
 18 files changed, 1298 insertions(+), 710 deletions(-)
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/IRestoreOrganizationUserCommand.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/RestoreOrganizationUserCommand.cs
 create mode 100644 src/Sql/dbo/Stored Procedures/Organization_ReadManyByIds.sql
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/RestoreOrganizationUserCommandTests.cs
 create mode 100644 util/Migrator/DbScripts/2025-03-21_00_Org_ReadManyByManyId.sql

diff --git a/bitwarden_license/src/Scim/Controllers/v2/UsersController.cs b/bitwarden_license/src/Scim/Controllers/v2/UsersController.cs
index 1323205b96..77bc62e952 100644
--- a/bitwarden_license/src/Scim/Controllers/v2/UsersController.cs
+++ b/bitwarden_license/src/Scim/Controllers/v2/UsersController.cs
@@ -1,4 +1,5 @@
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
@@ -23,7 +24,7 @@ public class UsersController : Controller
     private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
     private readonly IPatchUserCommand _patchUserCommand;
     private readonly IPostUserCommand _postUserCommand;
-    private readonly ILogger<UsersController> _logger;
+    private readonly IRestoreOrganizationUserCommand _restoreOrganizationUserCommand;
 
     public UsersController(
         IOrganizationUserRepository organizationUserRepository,
@@ -32,7 +33,7 @@ public class UsersController : Controller
         IRemoveOrganizationUserCommand removeOrganizationUserCommand,
         IPatchUserCommand patchUserCommand,
         IPostUserCommand postUserCommand,
-        ILogger<UsersController> logger)
+        IRestoreOrganizationUserCommand restoreOrganizationUserCommand)
     {
         _organizationUserRepository = organizationUserRepository;
         _organizationService = organizationService;
@@ -40,7 +41,7 @@ public class UsersController : Controller
         _removeOrganizationUserCommand = removeOrganizationUserCommand;
         _patchUserCommand = patchUserCommand;
         _postUserCommand = postUserCommand;
-        _logger = logger;
+        _restoreOrganizationUserCommand = restoreOrganizationUserCommand;
     }
 
     [HttpGet("{id}")]
@@ -93,7 +94,7 @@ public class UsersController : Controller
 
         if (model.Active && orgUser.Status == OrganizationUserStatusType.Revoked)
         {
-            await _organizationService.RestoreUserAsync(orgUser, EventSystemUser.SCIM);
+            await _restoreOrganizationUserCommand.RestoreUserAsync(orgUser, EventSystemUser.SCIM);
         }
         else if (!model.Active && orgUser.Status != OrganizationUserStatusType.Revoked)
         {
diff --git a/bitwarden_license/src/Scim/Users/PatchUserCommand.cs b/bitwarden_license/src/Scim/Users/PatchUserCommand.cs
index f4445354ce..3d7082aacc 100644
--- a/bitwarden_license/src/Scim/Users/PatchUserCommand.cs
+++ b/bitwarden_license/src/Scim/Users/PatchUserCommand.cs
@@ -1,4 +1,5 @@
-using Bit.Core.Enums;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
+using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -11,15 +12,18 @@ public class PatchUserCommand : IPatchUserCommand
 {
     private readonly IOrganizationUserRepository _organizationUserRepository;
     private readonly IOrganizationService _organizationService;
+    private readonly IRestoreOrganizationUserCommand _restoreOrganizationUserCommand;
     private readonly ILogger<PatchUserCommand> _logger;
 
     public PatchUserCommand(
         IOrganizationUserRepository organizationUserRepository,
         IOrganizationService organizationService,
+        IRestoreOrganizationUserCommand restoreOrganizationUserCommand,
         ILogger<PatchUserCommand> logger)
     {
         _organizationUserRepository = organizationUserRepository;
         _organizationService = organizationService;
+        _restoreOrganizationUserCommand = restoreOrganizationUserCommand;
         _logger = logger;
     }
 
@@ -71,7 +75,7 @@ public class PatchUserCommand : IPatchUserCommand
     {
         if (active && orgUser.Status == OrganizationUserStatusType.Revoked)
         {
-            await _organizationService.RestoreUserAsync(orgUser, EventSystemUser.SCIM);
+            await _restoreOrganizationUserCommand.RestoreUserAsync(orgUser, EventSystemUser.SCIM);
             return true;
         }
         else if (!active && orgUser.Status != OrganizationUserStatusType.Revoked)
diff --git a/bitwarden_license/test/Scim.Test/Users/PatchUserCommandTests.cs b/bitwarden_license/test/Scim.Test/Users/PatchUserCommandTests.cs
index 6e9c985b88..44a43d16b7 100644
--- a/bitwarden_license/test/Scim.Test/Users/PatchUserCommandTests.cs
+++ b/bitwarden_license/test/Scim.Test/Users/PatchUserCommandTests.cs
@@ -1,4 +1,5 @@
 using System.Text.Json;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -43,7 +44,7 @@ public class PatchUserCommandTests
 
         await sutProvider.Sut.PatchUserAsync(organizationUser.OrganizationId, organizationUser.Id, scimPatchModel);
 
-        await sutProvider.GetDependency<IOrganizationService>().Received(1).RestoreUserAsync(organizationUser, EventSystemUser.SCIM);
+        await sutProvider.GetDependency<IRestoreOrganizationUserCommand>().Received(1).RestoreUserAsync(organizationUser, EventSystemUser.SCIM);
     }
 
     [Theory]
@@ -71,7 +72,7 @@ public class PatchUserCommandTests
 
         await sutProvider.Sut.PatchUserAsync(organizationUser.OrganizationId, organizationUser.Id, scimPatchModel);
 
-        await sutProvider.GetDependency<IOrganizationService>().Received(1).RestoreUserAsync(organizationUser, EventSystemUser.SCIM);
+        await sutProvider.GetDependency<IRestoreOrganizationUserCommand>().Received(1).RestoreUserAsync(organizationUser, EventSystemUser.SCIM);
     }
 
     [Theory]
@@ -147,7 +148,7 @@ public class PatchUserCommandTests
 
         await sutProvider.Sut.PatchUserAsync(organizationUser.OrganizationId, organizationUser.Id, scimPatchModel);
 
-        await sutProvider.GetDependency<IOrganizationService>().DidNotReceiveWithAnyArgs().RestoreUserAsync(default, EventSystemUser.SCIM);
+        await sutProvider.GetDependency<IRestoreOrganizationUserCommand>().DidNotReceiveWithAnyArgs().RestoreUserAsync(default, EventSystemUser.SCIM);
         await sutProvider.GetDependency<IOrganizationService>().DidNotReceiveWithAnyArgs().RevokeUserAsync(default, EventSystemUser.SCIM);
     }
 
diff --git a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
index cfe93e87ce..5fd9109077 100644
--- a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
@@ -8,6 +8,7 @@ using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
@@ -61,6 +62,7 @@ public class OrganizationUsersController : Controller
     private readonly IFeatureService _featureService;
     private readonly IPricingClient _pricingClient;
     private readonly IConfirmOrganizationUserCommand _confirmOrganizationUserCommand;
+    private readonly IRestoreOrganizationUserCommand _restoreOrganizationUserCommand;
 
     public OrganizationUsersController(
         IOrganizationRepository organizationRepository,
@@ -86,7 +88,8 @@ public class OrganizationUsersController : Controller
         IPolicyRequirementQuery policyRequirementQuery,
         IFeatureService featureService,
         IPricingClient pricingClient,
-        IConfirmOrganizationUserCommand confirmOrganizationUserCommand)
+        IConfirmOrganizationUserCommand confirmOrganizationUserCommand,
+        IRestoreOrganizationUserCommand restoreOrganizationUserCommand)
     {
         _organizationRepository = organizationRepository;
         _organizationUserRepository = organizationUserRepository;
@@ -112,6 +115,7 @@ public class OrganizationUsersController : Controller
         _featureService = featureService;
         _pricingClient = pricingClient;
         _confirmOrganizationUserCommand = confirmOrganizationUserCommand;
+        _restoreOrganizationUserCommand = restoreOrganizationUserCommand;
     }
 
     [HttpGet("{id}")]
@@ -630,14 +634,14 @@ public class OrganizationUsersController : Controller
     [HttpPut("{id}/restore")]
     public async Task RestoreAsync(Guid orgId, Guid id)
     {
-        await RestoreOrRevokeUserAsync(orgId, id, (orgUser, userId) => _organizationService.RestoreUserAsync(orgUser, userId));
+        await RestoreOrRevokeUserAsync(orgId, id, (orgUser, userId) => _restoreOrganizationUserCommand.RestoreUserAsync(orgUser, userId));
     }
 
     [HttpPatch("restore")]
     [HttpPut("restore")]
     public async Task<ListResponseModel<OrganizationUserBulkResponseModel>> BulkRestoreAsync(Guid orgId, [FromBody] OrganizationUserBulkRequestModel model)
     {
-        return await RestoreOrRevokeUsersAsync(orgId, model, (orgId, orgUserIds, restoringUserId) => _organizationService.RestoreUsersAsync(orgId, orgUserIds, restoringUserId, _userService));
+        return await RestoreOrRevokeUsersAsync(orgId, model, (orgId, orgUserIds, restoringUserId) => _restoreOrganizationUserCommand.RestoreUsersAsync(orgId, orgUserIds, restoringUserId, _userService));
     }
 
     [HttpPatch("enable-secrets-manager")]
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/IRestoreOrganizationUserCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/IRestoreOrganizationUserCommand.cs
new file mode 100644
index 0000000000..e5e5bfb482
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/IRestoreOrganizationUserCommand.cs
@@ -0,0 +1,54 @@
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Services;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
+
+/// <summary>
+/// Restores a user back to their previous status.
+/// </summary>
+public interface IRestoreOrganizationUserCommand
+{
+    /// <summary>
+    /// Validates that the requesting user can perform the action. There is also a check done to ensure the organization
+    /// can re-add this user based on their current occupied seats.
+    ///
+    /// Checks are performed to make sure the user is conforming to all policies enforced by the organization as well as
+    /// other organizations the user may belong to.
+    ///
+    /// Reference Events and Push Notifications are fired off for this as well.
+    /// </summary>
+    /// <param name="organizationUser">Revoked user to be restored.</param>
+    /// <param name="restoringUserId">UserId of the user performing the action.</param>
+    Task RestoreUserAsync(OrganizationUser organizationUser, Guid? restoringUserId);
+
+    /// <summary>
+    /// Validates that the requesting user can perform the action. There is also a check done to ensure the organization
+    /// can re-add this user based on their current occupied seats.
+    ///
+    /// Checks are performed to make sure the user is conforming to all policies enforced by the organization as well as
+    /// other organizations the user may belong to.
+    ///
+    /// Reference Events and Push Notifications are fired off for this as well.
+    /// </summary>
+    /// <param name="organizationUser">Revoked user to be restored.</param>
+    /// <param name="systemUser">System that is performing the action on behalf of the organization (Public API, SCIM, etc.)</param>
+    Task RestoreUserAsync(OrganizationUser organizationUser, EventSystemUser systemUser);
+
+    /// <summary>
+    /// Validates that the requesting user can perform the action. There is also a check done to ensure the organization
+    /// can re-add this user based on their current occupied seats.
+    ///
+    /// Checks are performed to make sure the user is conforming to all policies enforced by the organization as well as
+    /// other organizations the user may belong to.
+    ///
+    /// Reference Events and Push Notifications are fired off for this as well.
+    /// </summary>
+    /// <param name="organizationId">Organization the users should be restored to.</param>
+    /// <param name="organizationUserIds">List of organization user ids to restore to previous status.</param>
+    /// <param name="restoringUserId">UserId of the user performing the action.</param>
+    /// <param name="userService">Passed in from caller to avoid circular dependency</param>
+    /// <returns>List of organization user Ids and strings. A successful restoration will have an empty string.
+    /// If an error occurs, the error message will be provided.</returns>
+    Task<List<Tuple<OrganizationUser, string>>> RestoreUsersAsync(Guid organizationId, IEnumerable<Guid> organizationUserIds, Guid? restoringUserId, IUserService userService);
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/RestoreOrganizationUserCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/RestoreOrganizationUserCommand.cs
new file mode 100644
index 0000000000..3d4b0fba5c
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/RestoreOrganizationUserCommand.cs
@@ -0,0 +1,295 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Services;
+using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Context;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Platform.Push;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
+
+public class RestoreOrganizationUserCommand(
+    ICurrentContext currentContext,
+    IEventService eventService,
+    IFeatureService featureService,
+    IPushNotificationService pushNotificationService,
+    IOrganizationUserRepository organizationUserRepository,
+    IOrganizationRepository organizationRepository,
+    ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
+    IPolicyService policyService,
+    IUserRepository userRepository,
+    IOrganizationService organizationService) : IRestoreOrganizationUserCommand
+{
+    public async Task RestoreUserAsync(OrganizationUser organizationUser, Guid? restoringUserId)
+    {
+        if (restoringUserId.HasValue && organizationUser.UserId == restoringUserId.Value)
+        {
+            throw new BadRequestException("You cannot restore yourself.");
+        }
+
+        if (organizationUser.Type == OrganizationUserType.Owner && restoringUserId.HasValue &&
+            !await currentContext.OrganizationOwner(organizationUser.OrganizationId))
+        {
+            throw new BadRequestException("Only owners can restore other owners.");
+        }
+
+        await RepositoryRestoreUserAsync(organizationUser);
+        await eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
+
+        if (featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) &&
+            organizationUser.UserId.HasValue)
+        {
+            await pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
+        }
+    }
+
+    public async Task RestoreUserAsync(OrganizationUser organizationUser, EventSystemUser systemUser)
+    {
+        await RepositoryRestoreUserAsync(organizationUser);
+        await eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored,
+            systemUser);
+
+        if (featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) &&
+            organizationUser.UserId.HasValue)
+        {
+            await pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
+        }
+    }
+
+    private async Task RepositoryRestoreUserAsync(OrganizationUser organizationUser)
+    {
+        if (organizationUser.Status != OrganizationUserStatusType.Revoked)
+        {
+            throw new BadRequestException("Already active.");
+        }
+
+        var organization = await organizationRepository.GetByIdAsync(organizationUser.OrganizationId);
+        var occupiedSeats = await organizationUserRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
+        var availableSeats = organization.Seats.GetValueOrDefault(0) - occupiedSeats;
+
+        if (availableSeats < 1)
+        {
+            await organizationService.AutoAddSeatsAsync(organization, 1); // Hooray
+        }
+
+        var userTwoFactorIsEnabled = false;
+        // Only check 2FA status if the user is linked to a user account
+        if (organizationUser.UserId.HasValue)
+        {
+            userTwoFactorIsEnabled =
+                (await twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync([organizationUser.UserId.Value]))
+                .FirstOrDefault()
+                .twoFactorIsEnabled;
+        }
+
+        await CheckUserForOtherFreeOrganizationOwnershipAsync(organizationUser);
+
+        await CheckPoliciesBeforeRestoreAsync(organizationUser, userTwoFactorIsEnabled);
+
+        var status = OrganizationService.GetPriorActiveOrganizationUserStatusType(organizationUser);
+
+        await organizationUserRepository.RestoreAsync(organizationUser.Id, status);
+
+        organizationUser.Status = status;
+    }
+
+    private async Task CheckUserForOtherFreeOrganizationOwnershipAsync(OrganizationUser organizationUser)
+    {
+        var relatedOrgUsersFromOtherOrgs = await organizationUserRepository.GetManyByUserAsync(organizationUser.UserId.Value);
+        var otherOrgs = await organizationRepository.GetManyByUserIdAsync(organizationUser.UserId.Value);
+
+        var orgOrgUserDict = relatedOrgUsersFromOtherOrgs
+            .Where(x => x.Id != organizationUser.Id)
+            .ToDictionary(x => x, x => otherOrgs.FirstOrDefault(y => y.Id == x.OrganizationId));
+
+        CheckForOtherFreeOrganizationOwnership(organizationUser, orgOrgUserDict);
+    }
+
+    private async Task<Dictionary<OrganizationUser, Organization>> GetRelatedOrganizationUsersAndOrganizations(
+        IEnumerable<OrganizationUser> organizationUsers)
+    {
+        var allUserIds = organizationUsers.Select(x => x.UserId.Value);
+
+        var otherOrganizationUsers = (await organizationUserRepository.GetManyByManyUsersAsync(allUserIds))
+            .Where(x => organizationUsers.Any(y => y.Id == x.Id) == false);
+
+        var otherOrgs = await organizationRepository.GetManyByIdsAsync(otherOrganizationUsers
+                .Select(x => x.OrganizationId)
+                .Distinct());
+
+        return otherOrganizationUsers
+            .ToDictionary(x => x, x => otherOrgs.FirstOrDefault(y => y.Id == x.OrganizationId));
+    }
+
+    private static void CheckForOtherFreeOrganizationOwnership(OrganizationUser organizationUser,
+        Dictionary<OrganizationUser, Organization> otherOrgUsersAndOrgs)
+    {
+        var ownerOrAdminList = new[] { OrganizationUserType.Owner, OrganizationUserType.Admin };
+        if (otherOrgUsersAndOrgs.Any(x =>
+                x.Key.UserId == organizationUser.UserId &&
+                ownerOrAdminList.Any(userType => userType == x.Key.Type) &&
+                x.Key.Status == OrganizationUserStatusType.Confirmed &&
+                x.Value.PlanType == PlanType.Free))
+        {
+            throw new BadRequestException(
+                "User is an owner/admin of another free organization. Please have them upgrade to a paid plan to restore their account.");
+        }
+    }
+
+    public async Task<List<Tuple<OrganizationUser, string>>> RestoreUsersAsync(Guid organizationId,
+        IEnumerable<Guid> organizationUserIds, Guid? restoringUserId, IUserService userService)
+    {
+        var orgUsers = await organizationUserRepository.GetManyAsync(organizationUserIds);
+        var filteredUsers = orgUsers.Where(u => u.OrganizationId == organizationId)
+            .ToList();
+
+        if (filteredUsers.Count == 0)
+        {
+            throw new BadRequestException("Users invalid.");
+        }
+
+        var organization = await organizationRepository.GetByIdAsync(organizationId);
+        var occupiedSeats = await organizationUserRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
+        var availableSeats = organization.Seats.GetValueOrDefault(0) - occupiedSeats;
+        var newSeatsRequired = organizationUserIds.Count() - availableSeats;
+        await organizationService.AutoAddSeatsAsync(organization, newSeatsRequired);
+
+        var deletingUserIsOwner = false;
+        if (restoringUserId.HasValue)
+        {
+            deletingUserIsOwner = await currentContext.OrganizationOwner(organizationId);
+        }
+
+        // Query Two Factor Authentication status for all users in the organization
+        // This is an optimization to avoid querying the Two Factor Authentication status for each user individually
+        var organizationUsersTwoFactorEnabled = await twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(
+            filteredUsers.Where(ou => ou.UserId.HasValue).Select(ou => ou.UserId.Value));
+
+        var orgUsersAndOrgs = await GetRelatedOrganizationUsersAndOrganizations(filteredUsers);
+
+        var result = new List<Tuple<OrganizationUser, string>>();
+
+        foreach (var organizationUser in filteredUsers)
+        {
+            try
+            {
+                if (organizationUser.Status != OrganizationUserStatusType.Revoked)
+                {
+                    throw new BadRequestException("Already active.");
+                }
+
+                if (restoringUserId.HasValue && organizationUser.UserId == restoringUserId)
+                {
+                    throw new BadRequestException("You cannot restore yourself.");
+                }
+
+                if (organizationUser.Type == OrganizationUserType.Owner && restoringUserId.HasValue &&
+                    !deletingUserIsOwner)
+                {
+                    throw new BadRequestException("Only owners can restore other owners.");
+                }
+
+                var twoFactorIsEnabled = organizationUser.UserId.HasValue
+                                         && organizationUsersTwoFactorEnabled
+                                             .FirstOrDefault(ou => ou.userId == organizationUser.UserId.Value)
+                                             .twoFactorIsEnabled;
+
+                await CheckPoliciesBeforeRestoreAsync(organizationUser, twoFactorIsEnabled);
+
+                CheckForOtherFreeOrganizationOwnership(organizationUser, orgUsersAndOrgs);
+
+                var status = OrganizationService.GetPriorActiveOrganizationUserStatusType(organizationUser);
+
+                await organizationUserRepository.RestoreAsync(organizationUser.Id, status);
+                organizationUser.Status = status;
+                await eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
+                if (featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) &&
+                    organizationUser.UserId.HasValue)
+                {
+                    await pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
+                }
+
+                result.Add(Tuple.Create(organizationUser, ""));
+            }
+            catch (BadRequestException e)
+            {
+                result.Add(Tuple.Create(organizationUser, e.Message));
+            }
+        }
+
+        return result;
+    }
+
+    private async Task CheckPoliciesBeforeRestoreAsync(OrganizationUser orgUser, bool userHasTwoFactorEnabled)
+    {
+        // An invited OrganizationUser isn't linked with a user account yet, so these checks are irrelevant
+        // The user will be subject to the same checks when they try to accept the invite
+        if (OrganizationService.GetPriorActiveOrganizationUserStatusType(orgUser) == OrganizationUserStatusType.Invited)
+        {
+            return;
+        }
+
+        var userId = orgUser.UserId.Value;
+
+        // Enforce Single Organization Policy of organization user is being restored to
+        var allOrgUsers = await organizationUserRepository.GetManyByUserAsync(userId);
+        var hasOtherOrgs = allOrgUsers.Any(ou => ou.OrganizationId != orgUser.OrganizationId);
+        var singleOrgPoliciesApplyingToRevokedUsers = await policyService.GetPoliciesApplicableToUserAsync(userId,
+            PolicyType.SingleOrg, OrganizationUserStatusType.Revoked);
+        var singleOrgPolicyApplies =
+            singleOrgPoliciesApplyingToRevokedUsers.Any(p => p.OrganizationId == orgUser.OrganizationId);
+
+        var singleOrgCompliant = true;
+        var belongsToOtherOrgCompliant = true;
+        var twoFactorCompliant = true;
+
+        if (hasOtherOrgs && singleOrgPolicyApplies)
+        {
+            singleOrgCompliant = false;
+        }
+
+        // Enforce Single Organization Policy of other organizations user is a member of
+        var anySingleOrgPolicies = await policyService.AnyPoliciesApplicableToUserAsync(userId, PolicyType.SingleOrg);
+        if (anySingleOrgPolicies)
+        {
+            belongsToOtherOrgCompliant = false;
+        }
+
+        // Enforce 2FA Policy of organization user is trying to join
+        if (!userHasTwoFactorEnabled)
+        {
+            var invitedTwoFactorPolicies = await policyService.GetPoliciesApplicableToUserAsync(userId,
+                PolicyType.TwoFactorAuthentication, OrganizationUserStatusType.Revoked);
+            if (invitedTwoFactorPolicies.Any(p => p.OrganizationId == orgUser.OrganizationId))
+            {
+                twoFactorCompliant = false;
+            }
+        }
+
+        var user = await userRepository.GetByIdAsync(userId);
+
+        if (!singleOrgCompliant && !twoFactorCompliant)
+        {
+            throw new BadRequestException(user.Email +
+                                          " is not compliant with the single organization and two-step login policy");
+        }
+        else if (!singleOrgCompliant)
+        {
+            throw new BadRequestException(user.Email + " is not compliant with the single organization policy");
+        }
+        else if (!belongsToOtherOrgCompliant)
+        {
+            throw new BadRequestException(user.Email +
+                                          " belongs to an organization that doesn't allow them to join multiple organizations");
+        }
+        else if (!twoFactorCompliant)
+        {
+            throw new BadRequestException(user.Email + " is not compliant with the two-step login policy");
+        }
+    }
+}
diff --git a/src/Core/AdminConsole/Repositories/IOrganizationRepository.cs b/src/Core/AdminConsole/Repositories/IOrganizationRepository.cs
index 584d95ffe2..7e315ed58b 100644
--- a/src/Core/AdminConsole/Repositories/IOrganizationRepository.cs
+++ b/src/Core/AdminConsole/Repositories/IOrganizationRepository.cs
@@ -24,4 +24,5 @@ public interface IOrganizationRepository : IRepository<Organization, Guid>
     /// </summary>
     Task<ICollection<Organization>> GetByVerifiedUserEmailDomainAsync(Guid userId);
     Task<ICollection<Organization>> GetAddableToProviderByUserIdAsync(Guid userId, ProviderType providerType);
+    Task<ICollection<Organization>> GetManyByIdsAsync(IEnumerable<Guid> ids);
 }
diff --git a/src/Core/AdminConsole/Services/IOrganizationService.cs b/src/Core/AdminConsole/Services/IOrganizationService.cs
index 476fccb480..e0088f1f74 100644
--- a/src/Core/AdminConsole/Services/IOrganizationService.cs
+++ b/src/Core/AdminConsole/Services/IOrganizationService.cs
@@ -48,10 +48,6 @@ public interface IOrganizationService
     Task RevokeUserAsync(OrganizationUser organizationUser, EventSystemUser systemUser);
     Task<List<Tuple<OrganizationUser, string>>> RevokeUsersAsync(Guid organizationId,
         IEnumerable<Guid> organizationUserIds, Guid? revokingUserId);
-    Task RestoreUserAsync(OrganizationUser organizationUser, Guid? restoringUserId);
-    Task RestoreUserAsync(OrganizationUser organizationUser, EventSystemUser systemUser);
-    Task<List<Tuple<OrganizationUser, string>>> RestoreUsersAsync(Guid organizationId,
-        IEnumerable<Guid> organizationUserIds, Guid? restoringUserId, IUserService userService);
     Task CreatePendingOrganization(Organization organization, string ownerEmail, ClaimsPrincipal user, IUserService userService, bool salesAssistedTrialStarted);
     /// <summary>
     /// Update an Organization entry by setting the public/private keys, set it as 'Enabled' and move the Status from 'Pending' to 'Created'.
diff --git a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
index ab5703eaa1..64bd434327 100644
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@@ -19,7 +19,6 @@ using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Extensions;
 using Bit.Core.Billing.Pricing;
-using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@@ -75,7 +74,6 @@ public class OrganizationService : IOrganizationService
     private readonly IDataProtectorTokenFactory<OrgUserInviteTokenable> _orgUserInviteTokenDataFactory;
     private readonly IFeatureService _featureService;
     private readonly ITwoFactorIsEnabledQuery _twoFactorIsEnabledQuery;
-    private readonly IOrganizationBillingService _organizationBillingService;
     private readonly IHasConfirmedOwnersExceptQuery _hasConfirmedOwnersExceptQuery;
     private readonly IPricingClient _pricingClient;
     private readonly IPolicyRequirementQuery _policyRequirementQuery;
@@ -112,7 +110,6 @@ public class OrganizationService : IOrganizationService
         IProviderRepository providerRepository,
         IFeatureService featureService,
         ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
-        IOrganizationBillingService organizationBillingService,
         IHasConfirmedOwnersExceptQuery hasConfirmedOwnersExceptQuery,
         IPricingClient pricingClient,
         IPolicyRequirementQuery policyRequirementQuery)
@@ -148,7 +145,6 @@ public class OrganizationService : IOrganizationService
         _orgUserInviteTokenDataFactory = orgUserInviteTokenDataFactory;
         _featureService = featureService;
         _twoFactorIsEnabledQuery = twoFactorIsEnabledQuery;
-        _organizationBillingService = organizationBillingService;
         _hasConfirmedOwnersExceptQuery = hasConfirmedOwnersExceptQuery;
         _pricingClient = pricingClient;
         _policyRequirementQuery = policyRequirementQuery;
@@ -1891,144 +1887,6 @@ public class OrganizationService : IOrganizationService
         return result;
     }
 
-    public async Task RestoreUserAsync(OrganizationUser organizationUser, Guid? restoringUserId)
-    {
-        if (restoringUserId.HasValue && organizationUser.UserId == restoringUserId.Value)
-        {
-            throw new BadRequestException("You cannot restore yourself.");
-        }
-
-        if (organizationUser.Type == OrganizationUserType.Owner && restoringUserId.HasValue &&
-            !await _currentContext.OrganizationOwner(organizationUser.OrganizationId))
-        {
-            throw new BadRequestException("Only owners can restore other owners.");
-        }
-
-        await RepositoryRestoreUserAsync(organizationUser);
-        await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
-
-        if (_featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) && organizationUser.UserId.HasValue)
-        {
-            await _pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
-        }
-    }
-
-    public async Task RestoreUserAsync(OrganizationUser organizationUser, EventSystemUser systemUser)
-    {
-        await RepositoryRestoreUserAsync(organizationUser);
-        await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored, systemUser);
-
-        if (_featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) && organizationUser.UserId.HasValue)
-        {
-            await _pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
-        }
-    }
-
-    private async Task RepositoryRestoreUserAsync(OrganizationUser organizationUser)
-    {
-        if (organizationUser.Status != OrganizationUserStatusType.Revoked)
-        {
-            throw new BadRequestException("Already active.");
-        }
-
-        var organization = await _organizationRepository.GetByIdAsync(organizationUser.OrganizationId);
-        var occupiedSeats = await _organizationUserRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
-        var availableSeats = organization.Seats.GetValueOrDefault(0) - occupiedSeats;
-        if (availableSeats < 1)
-        {
-            await AutoAddSeatsAsync(organization, 1);
-        }
-
-        var userTwoFactorIsEnabled = false;
-        // Only check Two Factor Authentication status if the user is linked to a user account
-        if (organizationUser.UserId.HasValue)
-        {
-            userTwoFactorIsEnabled = (await _twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(new[] { organizationUser.UserId.Value })).FirstOrDefault().twoFactorIsEnabled;
-        }
-
-        await CheckPoliciesBeforeRestoreAsync(organizationUser, userTwoFactorIsEnabled);
-
-        var status = GetPriorActiveOrganizationUserStatusType(organizationUser);
-
-        await _organizationUserRepository.RestoreAsync(organizationUser.Id, status);
-        organizationUser.Status = status;
-    }
-
-    public async Task<List<Tuple<OrganizationUser, string>>> RestoreUsersAsync(Guid organizationId,
-        IEnumerable<Guid> organizationUserIds, Guid? restoringUserId, IUserService userService)
-    {
-        var orgUsers = await _organizationUserRepository.GetManyAsync(organizationUserIds);
-        var filteredUsers = orgUsers.Where(u => u.OrganizationId == organizationId)
-            .ToList();
-
-        if (!filteredUsers.Any())
-        {
-            throw new BadRequestException("Users invalid.");
-        }
-
-        var organization = await _organizationRepository.GetByIdAsync(organizationId);
-        var occupiedSeats = await _organizationUserRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
-        var availableSeats = organization.Seats.GetValueOrDefault(0) - occupiedSeats;
-        var newSeatsRequired = organizationUserIds.Count() - availableSeats;
-        await AutoAddSeatsAsync(organization, newSeatsRequired);
-
-        var deletingUserIsOwner = false;
-        if (restoringUserId.HasValue)
-        {
-            deletingUserIsOwner = await _currentContext.OrganizationOwner(organizationId);
-        }
-
-        // Query Two Factor Authentication status for all users in the organization
-        // This is an optimization to avoid querying the Two Factor Authentication status for each user individually
-        var organizationUsersTwoFactorEnabled = await _twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(
-            filteredUsers.Where(ou => ou.UserId.HasValue).Select(ou => ou.UserId.Value));
-
-        var result = new List<Tuple<OrganizationUser, string>>();
-
-        foreach (var organizationUser in filteredUsers)
-        {
-            try
-            {
-                if (organizationUser.Status != OrganizationUserStatusType.Revoked)
-                {
-                    throw new BadRequestException("Already active.");
-                }
-
-                if (restoringUserId.HasValue && organizationUser.UserId == restoringUserId)
-                {
-                    throw new BadRequestException("You cannot restore yourself.");
-                }
-
-                if (organizationUser.Type == OrganizationUserType.Owner && restoringUserId.HasValue && !deletingUserIsOwner)
-                {
-                    throw new BadRequestException("Only owners can restore other owners.");
-                }
-
-                var twoFactorIsEnabled = organizationUser.UserId.HasValue
-                    && organizationUsersTwoFactorEnabled.FirstOrDefault(ou => ou.userId == organizationUser.UserId.Value).twoFactorIsEnabled;
-                await CheckPoliciesBeforeRestoreAsync(organizationUser, twoFactorIsEnabled);
-
-                var status = GetPriorActiveOrganizationUserStatusType(organizationUser);
-
-                await _organizationUserRepository.RestoreAsync(organizationUser.Id, status);
-                organizationUser.Status = status;
-                await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
-                if (_featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) && organizationUser.UserId.HasValue)
-                {
-                    await _pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
-                }
-
-                result.Add(Tuple.Create(organizationUser, ""));
-            }
-            catch (BadRequestException e)
-            {
-                result.Add(Tuple.Create(organizationUser, e.Message));
-            }
-        }
-
-        return result;
-    }
-
     private async Task CheckPoliciesBeforeRestoreAsync(OrganizationUser orgUser, bool userHasTwoFactorEnabled)
     {
         // An invited OrganizationUser isn't linked with a user account yet, so these checks are irrelevant
@@ -2095,7 +1953,7 @@ public class OrganizationService : IOrganizationService
         }
     }
 
-    static OrganizationUserStatusType GetPriorActiveOrganizationUserStatusType(OrganizationUser organizationUser)
+    public static OrganizationUserStatusType GetPriorActiveOrganizationUserStatusType(OrganizationUser organizationUser)
     {
         // Determine status to revert back to
         var status = OrganizationUserStatusType.Invited;
diff --git a/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs b/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
index e13a06f660..59cfdace65 100644
--- a/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
+++ b/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
@@ -13,6 +13,7 @@ using Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
 using Bit.Core.Models.Business.Tokenables;
 using Bit.Core.OrganizationFeatures.OrganizationCollections;
 using Bit.Core.OrganizationFeatures.OrganizationCollections.Interfaces;
@@ -168,6 +169,8 @@ public static class OrganizationServiceCollectionExtensions
         services.AddScoped<IOrganizationUserUserDetailsQuery, OrganizationUserUserDetailsQuery>();
         services.AddScoped<IGetOrganizationUsersManagementStatusQuery, GetOrganizationUsersManagementStatusQuery>();
 
+        services.AddScoped<IRestoreOrganizationUserCommand, RestoreOrganizationUserCommand>();
+
         services.AddScoped<IAuthorizationHandler, OrganizationUserUserMiniDetailsAuthorizationHandler>();
         services.AddScoped<IAuthorizationHandler, OrganizationUserUserDetailsAuthorizationHandler>();
         services.AddScoped<IHasConfirmedOwnersExceptQuery, HasConfirmedOwnersExceptQuery>();
diff --git a/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationRepository.cs b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationRepository.cs
index f624f7da28..3da8ad1a6c 100644
--- a/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationRepository.cs
+++ b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationRepository.cs
@@ -196,4 +196,15 @@ public class OrganizationRepository : Repository<Organization, Guid>, IOrganizat
             return result.ToList();
         }
     }
+
+    public async Task<ICollection<Organization>> GetManyByIdsAsync(IEnumerable<Guid> ids)
+    {
+        await using var connection = new SqlConnection(ConnectionString);
+
+        return (await connection.QueryAsync<Organization>(
+            $"[{Schema}].[{Table}_ReadManyByIds]",
+            new { OrganizationIds = ids.ToGuidIdArrayTVP() },
+            commandType: CommandType.StoredProcedure))
+            .ToList();
+    }
 }
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
index 6fc42b699d..c095b07030 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
@@ -354,6 +354,19 @@ public class OrganizationRepository : Repository<Core.AdminConsole.Entities.Orga
         }
     }
 
+    public async Task<ICollection<Core.AdminConsole.Entities.Organization>> GetManyByIdsAsync(IEnumerable<Guid> ids)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+
+        var dbContext = GetDatabaseContext(scope);
+
+        var query = from organization in dbContext.Organizations
+                    where ids.Contains(organization.Id)
+                    select organization;
+
+        return await query.ToArrayAsync();
+    }
+
     public Task EnableCollectionEnhancements(Guid organizationId)
     {
         throw new NotImplementedException("Collection enhancements migration is not yet supported for Entity Framework.");
diff --git a/src/Sql/dbo/Stored Procedures/Organization_ReadManyByIds.sql b/src/Sql/dbo/Stored Procedures/Organization_ReadManyByIds.sql
new file mode 100644
index 0000000000..23f1f578d0
--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/Organization_ReadManyByIds.sql	
@@ -0,0 +1,67 @@
+CREATE PROCEDURE [dbo].[Organization_ReadManyByIds] @OrganizationIds AS [dbo].[GuidIdArray] READONLY
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT o.[Id],
+           o.[Identifier],
+           o.[Name],
+           o.[BusinessName],
+           o.[BusinessAddress1],
+           o.[BusinessAddress2],
+           o.[BusinessAddress3],
+           o.[BusinessCountry],
+           o.[BusinessTaxNumber],
+           o.[BillingEmail],
+           o.[Plan],
+           o.[PlanType],
+           o.[Seats],
+           o.[MaxCollections],
+           o.[UsePolicies],
+           o.[UseSso],
+           o.[UseGroups],
+           o.[UseDirectory],
+           o.[UseEvents],
+           o.[UseTotp],
+           o.[Use2fa],
+           o.[UseApi],
+           o.[UseResetPassword],
+           o.[SelfHost],
+           o.[UsersGetPremium],
+           o.[Storage],
+           o.[MaxStorageGb],
+           o.[Gateway],
+           o.[GatewayCustomerId],
+           o.[GatewaySubscriptionId],
+           o.[ReferenceData],
+           o.[Enabled],
+           o.[LicenseKey],
+           o.[PublicKey],
+           o.[PrivateKey],
+           o.[TwoFactorProviders],
+           o.[ExpirationDate],
+           o.[CreationDate],
+           o.[RevisionDate],
+           o.[OwnersNotifiedOfAutoscaling],
+           o.[MaxAutoscaleSeats],
+           o.[UseKeyConnector],
+           o.[UseScim],
+           o.[UseCustomPermissions],
+           o.[UseSecretsManager],
+           o.[Status],
+           o.[UsePasswordManager],
+           o.[SmSeats],
+           o.[SmServiceAccounts],
+           o.[MaxAutoscaleSmSeats],
+           o.[MaxAutoscaleSmServiceAccounts],
+           o.[SecretsManagerBeta],
+           o.[LimitCollectionCreation],
+           o.[LimitCollectionDeletion],
+           o.[LimitItemDeletion],
+           o.[AllowAdminAccessToAllCollectionItems],
+           o.[UseRiskInsights]
+    FROM [dbo].[OrganizationView] o
+    INNER JOIN @OrganizationIds ids ON o.[Id] = ids.[Id]
+
+END
+
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/RestoreOrganizationUserCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/RestoreOrganizationUserCommandTests.cs
new file mode 100644
index 0000000000..726664849d
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/RestoreOrganizationUserCommandTests.cs
@@ -0,0 +1,693 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
+using Bit.Core.AdminConsole.Services;
+using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Context;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
+using Bit.Core.Platform.Push;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Test.AutoFixture.OrganizationUserFixtures;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser;
+
+[SutProviderCustomize]
+public class RestoreOrganizationUserCommandTests
+{
+    [Theory, BitAutoData]
+    public async Task RestoreUser_Success(Organization organization, [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser, SutProvider<RestoreOrganizationUserCommand> sutProvider)
+    {
+        RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
+
+        await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id);
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RestoreUser_WithPushSyncOrgKeysOnRevokeRestoreEnabled_Success(Organization organization, [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser, SutProvider<RestoreOrganizationUserCommand> sutProvider)
+    {
+        RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore)
+            .Returns(true);
+
+        await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id);
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncOrgKeysAsync(organizationUser.UserId!.Value);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RestoreUser_WithEventSystemUser_Success(Organization organization, [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser, EventSystemUser eventSystemUser, SutProvider<RestoreOrganizationUserCommand> sutProvider)
+    {
+        RestoreUser_Setup(organization, null, organizationUser, sutProvider);
+
+        await sutProvider.Sut.RestoreUserAsync(organizationUser, eventSystemUser);
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored, eventSystemUser);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RestoreUser_WithEventSystemUser_WithPushSyncOrgKeysOnRevokeRestoreEnabled_Success(Organization organization, [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser, EventSystemUser eventSystemUser, SutProvider<RestoreOrganizationUserCommand> sutProvider)
+    {
+        RestoreUser_Setup(organization, null, organizationUser, sutProvider);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore)
+            .Returns(true);
+
+        await sutProvider.Sut.RestoreUserAsync(organizationUser, eventSystemUser);
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored, eventSystemUser);
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncOrgKeysAsync(organizationUser.UserId!.Value);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RestoreUser_RestoreThemselves_Fails(Organization organization, [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser, SutProvider<RestoreOrganizationUserCommand> sutProvider)
+    {
+        organizationUser.UserId = owner.Id;
+        RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
+
+        Assert.Contains("you cannot restore yourself", exception.Message.ToLowerInvariant());
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .DidNotReceiveWithAnyArgs()
+            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Admin)]
+    [BitAutoData(OrganizationUserType.Custom)]
+    public async Task RestoreUser_AdminRestoreOwner_Fails(OrganizationUserType restoringUserType,
+        Organization organization, [OrganizationUser(OrganizationUserStatusType.Confirmed)] OrganizationUser restoringUser,
+        [OrganizationUser(OrganizationUserStatusType.Revoked, OrganizationUserType.Owner)] OrganizationUser organizationUser, SutProvider<RestoreOrganizationUserCommand> sutProvider)
+    {
+        restoringUser.Type = restoringUserType;
+        RestoreUser_Setup(organization, restoringUser, organizationUser, sutProvider);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.RestoreUserAsync(organizationUser, restoringUser.Id));
+
+        Assert.Contains("only owners can restore other owners", exception.Message.ToLowerInvariant());
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .DidNotReceiveWithAnyArgs()
+            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserStatusType.Invited)]
+    [BitAutoData(OrganizationUserStatusType.Accepted)]
+    [BitAutoData(OrganizationUserStatusType.Confirmed)]
+    public async Task RestoreUser_WithStatusOtherThanRevoked_Fails(OrganizationUserStatusType userStatus, Organization organization, [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
+        [OrganizationUser] OrganizationUser organizationUser, SutProvider<RestoreOrganizationUserCommand> sutProvider)
+    {
+        organizationUser.Status = userStatus;
+        RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
+
+        Assert.Contains("already active", exception.Message.ToLowerInvariant());
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .DidNotReceiveWithAnyArgs()
+            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task RestoreUser_WithOtherOrganizationSingleOrgPolicyEnabled_Fails(
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
+        SutProvider<RestoreOrganizationUserCommand> sutProvider)
+    {
+        organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
+        RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
+
+        sutProvider.GetDependency<IPolicyService>()
+            .AnyPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.SingleOrg, Arg.Any<OrganizationUserStatusType>())
+            .Returns(true);
+
+        var user = new User();
+        user.Email = "test@bitwarden.com";
+        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
+
+        Assert.Contains("test@bitwarden.com belongs to an organization that doesn't allow them to join multiple organizations", exception.Message.ToLowerInvariant());
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .DidNotReceiveWithAnyArgs()
+            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task RestoreUser_With2FAPolicyEnabled_WithoutUser2FAConfigured_Fails(
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
+        SutProvider<RestoreOrganizationUserCommand> sutProvider)
+    {
+        organizationUser.Email = null;
+
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
+            .TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.UserId.Value)))
+            .Returns(new List<(Guid userId, bool twoFactorIsEnabled)>() { (organizationUser.UserId.Value, false) });
+
+        RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
+
+        sutProvider.GetDependency<IPolicyService>()
+            .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
+            .Returns(new[] { new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.TwoFactorAuthentication } });
+
+        var user = new User();
+        user.Email = "test@bitwarden.com";
+        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
+
+        Assert.Contains("test@bitwarden.com is not compliant with the two-step login policy", exception.Message.ToLowerInvariant());
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .DidNotReceiveWithAnyArgs()
+            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task RestoreUser_With2FAPolicyEnabled_WithUser2FAConfigured_Success(
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
+        SutProvider<RestoreOrganizationUserCommand> sutProvider)
+    {
+        organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
+        RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
+
+        sutProvider.GetDependency<IPolicyService>()
+            .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
+            .Returns(new[] { new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.TwoFactorAuthentication } });
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
+            .TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.UserId.Value)))
+            .Returns(new List<(Guid userId, bool twoFactorIsEnabled)>() { (organizationUser.UserId.Value, true) });
+
+        await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id);
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Confirmed);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RestoreUser_WithSingleOrgPolicyEnabled_Fails(
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser secondOrganizationUser,
+        SutProvider<RestoreOrganizationUserCommand> sutProvider)
+    {
+        organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
+        secondOrganizationUser.UserId = organizationUser.UserId;
+        RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(organizationUser.UserId.Value)
+            .Returns(new[] { organizationUser, secondOrganizationUser });
+        sutProvider.GetDependency<IPolicyService>()
+            .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.SingleOrg, Arg.Any<OrganizationUserStatusType>())
+            .Returns(new[]
+            {
+                new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.SingleOrg, OrganizationUserStatus = OrganizationUserStatusType.Revoked }
+            });
+
+        var user = new User();
+        user.Email = "test@bitwarden.com";
+        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
+
+        Assert.Contains("test@bitwarden.com is not compliant with the single organization policy", exception.Message.ToLowerInvariant());
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .DidNotReceiveWithAnyArgs()
+            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task RestoreUser_vNext_WithOtherOrganizationSingleOrgPolicyEnabled_Fails(
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser secondOrganizationUser,
+        SutProvider<RestoreOrganizationUserCommand> sutProvider)
+    {
+        organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
+        secondOrganizationUser.UserId = organizationUser.UserId;
+        RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
+
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
+            .TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.UserId.Value)))
+            .Returns(new List<(Guid userId, bool twoFactorIsEnabled)> { (organizationUser.UserId.Value, true) });
+
+        sutProvider.GetDependency<IPolicyService>()
+            .AnyPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.SingleOrg, Arg.Any<OrganizationUserStatusType>())
+            .Returns(true);
+
+        var user = new User { Email = "test@bitwarden.com" };
+        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
+
+        Assert.Contains("test@bitwarden.com belongs to an organization that doesn't allow them to join multiple organizations", exception.Message.ToLowerInvariant());
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .DidNotReceiveWithAnyArgs()
+            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task RestoreUser_WithSingleOrgPolicyEnabled_And_2FA_Policy_Fails(
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser secondOrganizationUser,
+        SutProvider<RestoreOrganizationUserCommand> sutProvider)
+    {
+        organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
+        secondOrganizationUser.UserId = organizationUser.UserId;
+        RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(organizationUser.UserId.Value)
+            .Returns(new[] { organizationUser, secondOrganizationUser });
+        sutProvider.GetDependency<IPolicyService>()
+            .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.SingleOrg, Arg.Any<OrganizationUserStatusType>())
+            .Returns(new[]
+            {
+                new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.SingleOrg, OrganizationUserStatus = OrganizationUserStatusType.Revoked }
+            });
+
+        sutProvider.GetDependency<IPolicyService>()
+            .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
+            .Returns([
+                new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.TwoFactorAuthentication, OrganizationUserStatus = OrganizationUserStatusType.Revoked }
+            ]);
+
+        var user = new User { Email = "test@bitwarden.com" };
+        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
+
+        Assert.Contains("test@bitwarden.com is not compliant with the single organization and two-step login policy", exception.Message.ToLowerInvariant());
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .DidNotReceiveWithAnyArgs()
+            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task RestoreUser_vNext_With2FAPolicyEnabled_WithoutUser2FAConfigured_Fails(
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
+        SutProvider<RestoreOrganizationUserCommand> sutProvider)
+    {
+        organizationUser.Email = null;
+
+        RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
+
+        sutProvider.GetDependency<IPolicyService>()
+            .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
+            .Returns([new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.TwoFactorAuthentication }
+            ]);
+
+        var user = new User { Email = "test@bitwarden.com" };
+        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
+
+        Assert.Contains("test@bitwarden.com is not compliant with the two-step login policy", exception.Message.ToLowerInvariant());
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .DidNotReceiveWithAnyArgs()
+            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task RestoreUser_vNext_With2FAPolicyEnabled_WithUser2FAConfigured_Success(
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
+        SutProvider<RestoreOrganizationUserCommand> sutProvider)
+    {
+        organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
+        RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
+
+        sutProvider.GetDependency<IPolicyService>()
+            .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
+            .Returns([new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.TwoFactorAuthentication }
+            ]);
+
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
+            .TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.UserId.Value)))
+            .Returns(new List<(Guid userId, bool twoFactorIsEnabled)> { (organizationUser.UserId.Value, true) });
+
+        await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id);
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Confirmed);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RestoreUser_WhenUserOwningAnotherFreeOrganization_ThenRestoreUserFails(
+        Organization organization,
+        Organization otherOrganization,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser orgUserOwnerFromDifferentOrg,
+        SutProvider<RestoreOrganizationUserCommand> sutProvider)
+    {
+        organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
+
+        orgUserOwnerFromDifferentOrg.UserId = organizationUser.UserId;
+        otherOrganization.Id = orgUserOwnerFromDifferentOrg.OrganizationId;
+        otherOrganization.PlanType = PlanType.Free;
+
+        RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(organizationUser.UserId.Value)
+            .Returns([orgUserOwnerFromDifferentOrg]);
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetManyByUserIdAsync(organizationUser.UserId.Value)
+            .Returns([otherOrganization]);
+
+        sutProvider.GetDependency<IPolicyService>()
+            .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
+            .Returns([new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.TwoFactorAuthentication }
+            ]);
+
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
+            .TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.UserId.Value)))
+            .Returns(new List<(Guid userId, bool twoFactorIsEnabled)> { (organizationUser.UserId.Value, true) });
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
+
+        Assert.Equal("User is an owner/admin of another free organization. Please have them upgrade to a paid plan to restore their account.", exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RestoreUsers_Success(Organization organization,
+    [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
+    [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser1,
+    [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser2,
+    SutProvider<RestoreOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        RestoreUser_Setup(organization, owner, orgUser1, sutProvider);
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+        var eventService = sutProvider.GetDependency<IEventService>();
+        var twoFactorIsEnabledQuery = sutProvider.GetDependency<ITwoFactorIsEnabledQuery>();
+        var userService = Substitute.For<IUserService>();
+
+        orgUser1.Email = orgUser2.Email = null; // Mock that users were previously confirmed
+        orgUser1.OrganizationId = orgUser2.OrganizationId = organization.Id;
+        organizationUserRepository
+            .GetManyAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUser1.Id) && ids.Contains(orgUser2.Id)))
+            .Returns([orgUser1, orgUser2]);
+
+        twoFactorIsEnabledQuery
+            .TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUser1.UserId!.Value) && ids.Contains(orgUser2.UserId!.Value)))
+            .Returns(new List<(Guid userId, bool twoFactorIsEnabled)>
+            {
+                (orgUser1.UserId!.Value, true),
+                (orgUser2.UserId!.Value, false)
+            });
+
+        // Act
+        var result = await sutProvider.Sut.RestoreUsersAsync(organization.Id, new[] { orgUser1.Id, orgUser2.Id }, owner.Id, userService);
+
+        // Assert
+        Assert.Equal(2, result.Count);
+        Assert.All(result, r => Assert.Empty(r.Item2)); // No error messages
+        await organizationUserRepository
+            .Received(1)
+            .RestoreAsync(orgUser1.Id, OrganizationUserStatusType.Confirmed);
+        await organizationUserRepository
+            .Received(1)
+            .RestoreAsync(orgUser2.Id, OrganizationUserStatusType.Confirmed);
+        await eventService.Received(1)
+            .LogOrganizationUserEventAsync(orgUser1, EventType.OrganizationUser_Restored);
+        await eventService.Received(1)
+            .LogOrganizationUserEventAsync(orgUser2, EventType.OrganizationUser_Restored);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RestoreUsers_With2FAPolicy_BlocksNonCompliantUser(Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser1,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser2,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser3,
+        SutProvider<RestoreOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        RestoreUser_Setup(organization, owner, orgUser1, sutProvider);
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+        var userRepository = sutProvider.GetDependency<IUserRepository>();
+        var policyService = sutProvider.GetDependency<IPolicyService>();
+        var userService = Substitute.For<IUserService>();
+
+        orgUser1.Email = orgUser2.Email = null;
+        orgUser3.UserId = null;
+        orgUser3.Key = null;
+        orgUser1.OrganizationId = orgUser2.OrganizationId = orgUser3.OrganizationId = organization.Id;
+        organizationUserRepository
+            .GetManyAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUser1.Id) && ids.Contains(orgUser2.Id) && ids.Contains(orgUser3.Id)))
+            .Returns(new[] { orgUser1, orgUser2, orgUser3 });
+
+        userRepository.GetByIdAsync(orgUser2.UserId!.Value).Returns(new User { Email = "test@example.com" });
+
+        // Setup 2FA policy
+        policyService.GetPoliciesApplicableToUserAsync(Arg.Any<Guid>(), PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
+            .Returns([new OrganizationUserPolicyDetails { OrganizationId = organization.Id, PolicyType = PolicyType.TwoFactorAuthentication }]);
+
+        // User1 has 2FA, User2 doesn't
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
+            .TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUser1.UserId!.Value) && ids.Contains(orgUser2.UserId!.Value)))
+            .Returns(new List<(Guid userId, bool twoFactorIsEnabled)>
+            {
+                (orgUser1.UserId!.Value, true),
+                (orgUser2.UserId!.Value, false)
+            });
+
+        // Act
+        var result = await sutProvider.Sut.RestoreUsersAsync(organization.Id, [orgUser1.Id, orgUser2.Id, orgUser3.Id], owner.Id, userService);
+
+        // Assert
+        Assert.Equal(3, result.Count);
+        Assert.Empty(result[0].Item2); // First user should succeed
+        Assert.Contains("two-step login", result[1].Item2); // Second user should fail
+        Assert.Empty(result[2].Item2); // Third user should succeed
+        await organizationUserRepository
+            .Received(1)
+            .RestoreAsync(orgUser1.Id, OrganizationUserStatusType.Confirmed);
+        await organizationUserRepository
+            .DidNotReceive()
+            .RestoreAsync(orgUser2.Id, Arg.Any<OrganizationUserStatusType>());
+        await organizationUserRepository
+            .Received(1)
+            .RestoreAsync(orgUser3.Id, OrganizationUserStatusType.Invited);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RestoreUsers_UserOwnsAnotherFreeOrganization_BlocksOwnerUserFromBeingRestored(Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser1,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser2,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser3,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser orgUserFromOtherOrg,
+        Organization otherOrganization,
+        SutProvider<RestoreOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        RestoreUser_Setup(organization, owner, orgUser1, sutProvider);
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+        var userRepository = sutProvider.GetDependency<IUserRepository>();
+        var policyService = sutProvider.GetDependency<IPolicyService>();
+        var userService = Substitute.For<IUserService>();
+
+        orgUser1.Email = orgUser2.Email = null;
+        orgUser3.UserId = null;
+        orgUser3.Key = null;
+        orgUser1.OrganizationId = orgUser2.OrganizationId = orgUser3.OrganizationId = organization.Id;
+
+        orgUserFromOtherOrg.UserId = orgUser1.UserId;
+        otherOrganization.Id = orgUserFromOtherOrg.OrganizationId;
+        otherOrganization.PlanType = PlanType.Free;
+
+        organizationUserRepository
+            .GetManyAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUser1.Id) && ids.Contains(orgUser2.Id) && ids.Contains(orgUser3.Id)))
+            .Returns(new[] { orgUser1, orgUser2, orgUser3 });
+
+        userRepository.GetByIdAsync(orgUser2.UserId!.Value).Returns(new User { Email = "test@example.com" });
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByManyUsersAsync(Arg.Any<IEnumerable<Guid>>())
+            .Returns([orgUserFromOtherOrg]);
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetManyByIdsAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUserFromOtherOrg.OrganizationId)))
+            .Returns([otherOrganization]);
+
+
+        // Setup 2FA policy
+        policyService.GetPoliciesApplicableToUserAsync(Arg.Any<Guid>(), PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
+            .Returns([new OrganizationUserPolicyDetails { OrganizationId = organization.Id, PolicyType = PolicyType.TwoFactorAuthentication }]);
+
+        // User1 has 2FA, User2 doesn't
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
+            .TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUser1.UserId!.Value) && ids.Contains(orgUser2.UserId!.Value)))
+            .Returns(new List<(Guid userId, bool twoFactorIsEnabled)>
+            {
+                (orgUser1.UserId!.Value, true),
+                (orgUser2.UserId!.Value, false)
+            });
+
+        // Act
+        var result = await sutProvider.Sut.RestoreUsersAsync(organization.Id, [orgUser1.Id, orgUser2.Id, orgUser3.Id], owner.Id, userService);
+
+        // Assert
+        Assert.Equal(3, result.Count);
+        Assert.Contains("owner", result[0].Item2); // Owner should fail
+        await organizationUserRepository
+            .DidNotReceive()
+            .RestoreAsync(orgUser1.Id, OrganizationUserStatusType.Confirmed);
+    }
+
+    private static void RestoreUser_Setup(
+        Organization organization,
+        OrganizationUser? requestingOrganizationUser,
+        OrganizationUser targetOrganizationUser,
+        SutProvider<RestoreOrganizationUserCommand> sutProvider)
+    {
+        if (requestingOrganizationUser != null)
+        {
+            requestingOrganizationUser.OrganizationId = organization.Id;
+        }
+        targetOrganizationUser.OrganizationId = organization.Id;
+
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICurrentContext>().OrganizationOwner(organization.Id).Returns(requestingOrganizationUser != null && requestingOrganizationUser.Type is OrganizationUserType.Owner);
+        sutProvider.GetDependency<ICurrentContext>().ManageUsers(organization.Id).Returns(requestingOrganizationUser != null && (requestingOrganizationUser.Type is OrganizationUserType.Owner or OrganizationUserType.Admin));
+    }
+}
diff --git a/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs b/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
index 82dc0e2ebe..bd8ae1daaf 100644
--- a/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
+++ b/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
@@ -1,14 +1,11 @@
 using System.Text.Json;
 using Bit.Core.AdminConsole.Entities.Provider;
-using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
-using Bit.Core.AdminConsole.Services;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Models.Business.Tokenables;
 using Bit.Core.Auth.Repositories;
-using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Pricing;
 using Bit.Core.Context;
@@ -1233,451 +1230,6 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
             .PushSyncOrgKeysAsync(organizationUser.UserId!.Value);
     }
 
-    [Theory, BitAutoData]
-    public async Task RestoreUser_Success(Organization organization, [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
-        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser, SutProvider<OrganizationService> sutProvider)
-    {
-        RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
-
-        await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id);
-
-        await sutProvider.GetDependency<IOrganizationUserRepository>()
-            .Received(1)
-            .RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
-        await sutProvider.GetDependency<IEventService>()
-            .Received(1)
-            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
-    }
-
-    [Theory, BitAutoData]
-    public async Task RestoreUser_WithPushSyncOrgKeysOnRevokeRestoreEnabled_Success(Organization organization, [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
-        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser, SutProvider<OrganizationService> sutProvider)
-    {
-        RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
-
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore)
-            .Returns(true);
-
-        await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id);
-
-        await sutProvider.GetDependency<IOrganizationUserRepository>()
-            .Received(1)
-            .RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
-        await sutProvider.GetDependency<IEventService>()
-            .Received(1)
-            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
-        await sutProvider.GetDependency<IPushNotificationService>()
-            .Received(1)
-            .PushSyncOrgKeysAsync(organizationUser.UserId!.Value);
-    }
-
-    [Theory, BitAutoData]
-    public async Task RestoreUser_WithEventSystemUser_Success(Organization organization, [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser, EventSystemUser eventSystemUser, SutProvider<OrganizationService> sutProvider)
-    {
-        RestoreRevokeUser_Setup(organization, null, organizationUser, sutProvider);
-
-        await sutProvider.Sut.RestoreUserAsync(organizationUser, eventSystemUser);
-
-        await sutProvider.GetDependency<IOrganizationUserRepository>()
-            .Received(1)
-            .RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
-        await sutProvider.GetDependency<IEventService>()
-            .Received(1)
-            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored, eventSystemUser);
-    }
-
-    [Theory, BitAutoData]
-    public async Task RestoreUser_WithEventSystemUser_WithPushSyncOrgKeysOnRevokeRestoreEnabled_Success(Organization organization, [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser, EventSystemUser eventSystemUser, SutProvider<OrganizationService> sutProvider)
-    {
-        RestoreRevokeUser_Setup(organization, null, organizationUser, sutProvider);
-
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore)
-            .Returns(true);
-
-        await sutProvider.Sut.RestoreUserAsync(organizationUser, eventSystemUser);
-
-        await sutProvider.GetDependency<IOrganizationUserRepository>()
-            .Received(1)
-            .RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
-        await sutProvider.GetDependency<IEventService>()
-            .Received(1)
-            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored, eventSystemUser);
-        await sutProvider.GetDependency<IPushNotificationService>()
-            .Received(1)
-            .PushSyncOrgKeysAsync(organizationUser.UserId!.Value);
-    }
-
-    [Theory, BitAutoData]
-    public async Task RestoreUser_RestoreThemselves_Fails(Organization organization, [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
-        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser, SutProvider<OrganizationService> sutProvider)
-    {
-        organizationUser.UserId = owner.Id;
-        RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
-
-        Assert.Contains("you cannot restore yourself", exception.Message.ToLowerInvariant());
-
-        await sutProvider.GetDependency<IOrganizationUserRepository>()
-            .DidNotReceiveWithAnyArgs()
-            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
-        await sutProvider.GetDependency<IEventService>()
-            .DidNotReceiveWithAnyArgs()
-            .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
-        await sutProvider.GetDependency<IPushNotificationService>()
-            .DidNotReceiveWithAnyArgs()
-            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
-    }
-
-    [Theory]
-    [BitAutoData(OrganizationUserType.Admin)]
-    [BitAutoData(OrganizationUserType.Custom)]
-    public async Task RestoreUser_AdminRestoreOwner_Fails(OrganizationUserType restoringUserType,
-        Organization organization, [OrganizationUser(OrganizationUserStatusType.Confirmed)] OrganizationUser restoringUser,
-        [OrganizationUser(OrganizationUserStatusType.Revoked, OrganizationUserType.Owner)] OrganizationUser organizationUser, SutProvider<OrganizationService> sutProvider)
-    {
-        restoringUser.Type = restoringUserType;
-        RestoreRevokeUser_Setup(organization, restoringUser, organizationUser, sutProvider);
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.RestoreUserAsync(organizationUser, restoringUser.Id));
-
-        Assert.Contains("only owners can restore other owners", exception.Message.ToLowerInvariant());
-
-        await sutProvider.GetDependency<IOrganizationUserRepository>()
-            .DidNotReceiveWithAnyArgs()
-            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
-        await sutProvider.GetDependency<IEventService>()
-            .DidNotReceiveWithAnyArgs()
-            .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
-        await sutProvider.GetDependency<IPushNotificationService>()
-            .DidNotReceiveWithAnyArgs()
-            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
-    }
-
-    [Theory]
-    [BitAutoData(OrganizationUserStatusType.Invited)]
-    [BitAutoData(OrganizationUserStatusType.Accepted)]
-    [BitAutoData(OrganizationUserStatusType.Confirmed)]
-    public async Task RestoreUser_WithStatusOtherThanRevoked_Fails(OrganizationUserStatusType userStatus, Organization organization, [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
-        [OrganizationUser] OrganizationUser organizationUser, SutProvider<OrganizationService> sutProvider)
-    {
-        organizationUser.Status = userStatus;
-        RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
-
-        Assert.Contains("already active", exception.Message.ToLowerInvariant());
-
-        await sutProvider.GetDependency<IOrganizationUserRepository>()
-            .DidNotReceiveWithAnyArgs()
-            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
-        await sutProvider.GetDependency<IEventService>()
-            .DidNotReceiveWithAnyArgs()
-            .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
-        await sutProvider.GetDependency<IPushNotificationService>()
-            .DidNotReceiveWithAnyArgs()
-            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
-    }
-
-    [Theory, BitAutoData]
-    public async Task RestoreUser_WithOtherOrganizationSingleOrgPolicyEnabled_Fails(
-        Organization organization,
-        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
-        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
-        SutProvider<OrganizationService> sutProvider)
-    {
-        organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
-        RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
-
-        sutProvider.GetDependency<IPolicyService>()
-            .AnyPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.SingleOrg, Arg.Any<OrganizationUserStatusType>())
-            .Returns(true);
-
-        var user = new User();
-        user.Email = "test@bitwarden.com";
-        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
-
-        Assert.Contains("test@bitwarden.com belongs to an organization that doesn't allow them to join multiple organizations", exception.Message.ToLowerInvariant());
-
-        await sutProvider.GetDependency<IOrganizationUserRepository>()
-            .DidNotReceiveWithAnyArgs()
-            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
-        await sutProvider.GetDependency<IEventService>()
-            .DidNotReceiveWithAnyArgs()
-            .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
-        await sutProvider.GetDependency<IPushNotificationService>()
-            .DidNotReceiveWithAnyArgs()
-            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
-    }
-
-    [Theory, BitAutoData]
-    public async Task RestoreUser_With2FAPolicyEnabled_WithoutUser2FAConfigured_Fails(
-        Organization organization,
-        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
-        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
-        SutProvider<OrganizationService> sutProvider)
-    {
-        organizationUser.Email = null;
-
-        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
-            .TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.UserId.Value)))
-            .Returns(new List<(Guid userId, bool twoFactorIsEnabled)>() { (organizationUser.UserId.Value, false) });
-
-        RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
-
-        sutProvider.GetDependency<IPolicyService>()
-            .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
-            .Returns(new[] { new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.TwoFactorAuthentication } });
-
-        var user = new User();
-        user.Email = "test@bitwarden.com";
-        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
-
-        Assert.Contains("test@bitwarden.com is not compliant with the two-step login policy", exception.Message.ToLowerInvariant());
-
-        await sutProvider.GetDependency<IOrganizationUserRepository>()
-            .DidNotReceiveWithAnyArgs()
-            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
-        await sutProvider.GetDependency<IEventService>()
-            .DidNotReceiveWithAnyArgs()
-            .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
-        await sutProvider.GetDependency<IPushNotificationService>()
-            .DidNotReceiveWithAnyArgs()
-            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
-    }
-
-    [Theory, BitAutoData]
-    public async Task RestoreUser_With2FAPolicyEnabled_WithUser2FAConfigured_Success(
-        Organization organization,
-        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
-        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
-        SutProvider<OrganizationService> sutProvider)
-    {
-        organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
-        RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
-
-        sutProvider.GetDependency<IPolicyService>()
-            .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
-            .Returns(new[] { new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.TwoFactorAuthentication } });
-        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
-            .TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.UserId.Value)))
-            .Returns(new List<(Guid userId, bool twoFactorIsEnabled)>() { (organizationUser.UserId.Value, true) });
-
-        await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id);
-
-        await sutProvider.GetDependency<IOrganizationUserRepository>()
-            .Received(1)
-            .RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Confirmed);
-        await sutProvider.GetDependency<IEventService>()
-            .Received(1)
-            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
-    }
-
-    [Theory, BitAutoData]
-    public async Task RestoreUser_WithSingleOrgPolicyEnabled_Fails(
-        Organization organization,
-        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
-        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
-        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser secondOrganizationUser,
-        SutProvider<OrganizationService> sutProvider)
-    {
-        organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
-        secondOrganizationUser.UserId = organizationUser.UserId;
-        RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
-
-        sutProvider.GetDependency<IOrganizationUserRepository>()
-            .GetManyByUserAsync(organizationUser.UserId.Value)
-            .Returns(new[] { organizationUser, secondOrganizationUser });
-        sutProvider.GetDependency<IPolicyService>()
-            .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.SingleOrg, Arg.Any<OrganizationUserStatusType>())
-            .Returns(new[]
-            {
-                new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.SingleOrg, OrganizationUserStatus = OrganizationUserStatusType.Revoked }
-            });
-
-        var user = new User();
-        user.Email = "test@bitwarden.com";
-        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
-
-        Assert.Contains("test@bitwarden.com is not compliant with the single organization policy", exception.Message.ToLowerInvariant());
-
-        await sutProvider.GetDependency<IOrganizationUserRepository>()
-            .DidNotReceiveWithAnyArgs()
-            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
-        await sutProvider.GetDependency<IEventService>()
-            .DidNotReceiveWithAnyArgs()
-            .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
-        await sutProvider.GetDependency<IPushNotificationService>()
-            .DidNotReceiveWithAnyArgs()
-            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
-    }
-
-    [Theory, BitAutoData]
-    public async Task RestoreUser_vNext_WithOtherOrganizationSingleOrgPolicyEnabled_Fails(
-        Organization organization,
-        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
-        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
-        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser secondOrganizationUser,
-        SutProvider<OrganizationService> sutProvider)
-    {
-        organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
-        secondOrganizationUser.UserId = organizationUser.UserId;
-        RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
-
-        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
-            .TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.UserId.Value)))
-            .Returns(new List<(Guid userId, bool twoFactorIsEnabled)>() { (organizationUser.UserId.Value, true) });
-
-        sutProvider.GetDependency<IPolicyService>()
-            .AnyPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.SingleOrg, Arg.Any<OrganizationUserStatusType>())
-            .Returns(true);
-
-        var user = new User();
-        user.Email = "test@bitwarden.com";
-        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
-
-        Assert.Contains("test@bitwarden.com belongs to an organization that doesn't allow them to join multiple organizations", exception.Message.ToLowerInvariant());
-
-        await sutProvider.GetDependency<IOrganizationUserRepository>()
-            .DidNotReceiveWithAnyArgs()
-            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
-        await sutProvider.GetDependency<IEventService>()
-            .DidNotReceiveWithAnyArgs()
-            .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
-        await sutProvider.GetDependency<IPushNotificationService>()
-            .DidNotReceiveWithAnyArgs()
-            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
-    }
-
-    [Theory, BitAutoData]
-    public async Task RestoreUser_WithSingleOrgPolicyEnabled_And_2FA_Policy_Fails(
-        Organization organization,
-        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
-        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
-        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser secondOrganizationUser,
-        SutProvider<OrganizationService> sutProvider)
-    {
-        organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
-        secondOrganizationUser.UserId = organizationUser.UserId;
-        RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
-
-        sutProvider.GetDependency<IOrganizationUserRepository>()
-            .GetManyByUserAsync(organizationUser.UserId.Value)
-            .Returns(new[] { organizationUser, secondOrganizationUser });
-        sutProvider.GetDependency<IPolicyService>()
-            .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.SingleOrg, Arg.Any<OrganizationUserStatusType>())
-            .Returns(new[]
-            {
-                new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.SingleOrg, OrganizationUserStatus = OrganizationUserStatusType.Revoked }
-            });
-
-        sutProvider.GetDependency<IPolicyService>()
-            .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
-            .Returns(new[]
-            {
-                new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.TwoFactorAuthentication, OrganizationUserStatus = OrganizationUserStatusType.Revoked }
-            });
-
-        var user = new User();
-        user.Email = "test@bitwarden.com";
-        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
-
-        Assert.Contains("test@bitwarden.com is not compliant with the single organization and two-step login polciy", exception.Message.ToLowerInvariant());
-
-        await sutProvider.GetDependency<IOrganizationUserRepository>()
-            .DidNotReceiveWithAnyArgs()
-            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
-        await sutProvider.GetDependency<IEventService>()
-            .DidNotReceiveWithAnyArgs()
-            .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
-        await sutProvider.GetDependency<IPushNotificationService>()
-            .DidNotReceiveWithAnyArgs()
-            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
-    }
-
-    [Theory, BitAutoData]
-    public async Task RestoreUser_vNext_With2FAPolicyEnabled_WithoutUser2FAConfigured_Fails(
-        Organization organization,
-        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
-        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
-        SutProvider<OrganizationService> sutProvider)
-    {
-        organizationUser.Email = null;
-
-        RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
-
-        sutProvider.GetDependency<IPolicyService>()
-            .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
-            .Returns(new[] { new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.TwoFactorAuthentication } });
-
-        var user = new User();
-        user.Email = "test@bitwarden.com";
-        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
-
-        Assert.Contains("test@bitwarden.com is not compliant with the two-step login policy", exception.Message.ToLowerInvariant());
-
-        await sutProvider.GetDependency<IOrganizationUserRepository>()
-            .DidNotReceiveWithAnyArgs()
-            .RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
-        await sutProvider.GetDependency<IEventService>()
-            .DidNotReceiveWithAnyArgs()
-            .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
-        await sutProvider.GetDependency<IPushNotificationService>()
-            .DidNotReceiveWithAnyArgs()
-            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
-    }
-
-    [Theory, BitAutoData]
-    public async Task RestoreUser_vNext_With2FAPolicyEnabled_WithUser2FAConfigured_Success(
-        Organization organization,
-        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
-        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
-        SutProvider<OrganizationService> sutProvider)
-    {
-        organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
-        RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
-
-        sutProvider.GetDependency<IPolicyService>()
-            .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
-            .Returns(new[] { new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.TwoFactorAuthentication } });
-
-        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
-            .TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.UserId.Value)))
-            .Returns(new List<(Guid userId, bool twoFactorIsEnabled)>() { (organizationUser.UserId.Value, true) });
-
-        await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id);
-
-        await sutProvider.GetDependency<IOrganizationUserRepository>()
-            .Received(1)
-            .RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Confirmed);
-        await sutProvider.GetDependency<IEventService>()
-            .Received(1)
-            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
-    }
-
     [Theory]
     [BitAutoData(PlanType.TeamsAnnually)]
     [BitAutoData(PlanType.TeamsMonthly)]
@@ -1991,107 +1543,4 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
             }
         );
     }
-
-    [Theory, BitAutoData]
-    public async Task RestoreUsers_Success(Organization organization,
-        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
-        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser1,
-        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser2,
-        SutProvider<OrganizationService> sutProvider)
-    {
-        // Arrange
-        RestoreRevokeUser_Setup(organization, owner, orgUser1, sutProvider);
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var eventService = sutProvider.GetDependency<IEventService>();
-        var twoFactorIsEnabledQuery = sutProvider.GetDependency<ITwoFactorIsEnabledQuery>();
-        var userService = Substitute.For<IUserService>();
-
-        orgUser1.Email = orgUser2.Email = null; // Mock that users were previously confirmed
-        orgUser1.OrganizationId = orgUser2.OrganizationId = organization.Id;
-        organizationUserRepository
-            .GetManyAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUser1.Id) && ids.Contains(orgUser2.Id)))
-            .Returns(new[] { orgUser1, orgUser2 });
-
-        twoFactorIsEnabledQuery
-            .TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUser1.UserId!.Value) && ids.Contains(orgUser2.UserId!.Value)))
-            .Returns(new List<(Guid userId, bool twoFactorIsEnabled)>
-            {
-                (orgUser1.UserId!.Value, true),
-                (orgUser2.UserId!.Value, false)
-            });
-
-        // Act
-        var result = await sutProvider.Sut.RestoreUsersAsync(organization.Id, new[] { orgUser1.Id, orgUser2.Id }, owner.Id, userService);
-
-        // Assert
-        Assert.Equal(2, result.Count);
-        Assert.All(result, r => Assert.Empty(r.Item2)); // No error messages
-        await organizationUserRepository
-            .Received(1)
-            .RestoreAsync(orgUser1.Id, OrganizationUserStatusType.Confirmed);
-        await organizationUserRepository
-            .Received(1)
-            .RestoreAsync(orgUser2.Id, OrganizationUserStatusType.Confirmed);
-        await eventService.Received(1)
-            .LogOrganizationUserEventAsync(orgUser1, EventType.OrganizationUser_Restored);
-        await eventService.Received(1)
-            .LogOrganizationUserEventAsync(orgUser2, EventType.OrganizationUser_Restored);
-    }
-
-    [Theory, BitAutoData]
-    public async Task RestoreUsers_With2FAPolicy_BlocksNonCompliantUser(Organization organization,
-        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
-        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser1,
-        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser2,
-        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser3,
-        SutProvider<OrganizationService> sutProvider)
-    {
-        // Arrange
-        RestoreRevokeUser_Setup(organization, owner, orgUser1, sutProvider);
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        var userRepository = sutProvider.GetDependency<IUserRepository>();
-        var policyService = sutProvider.GetDependency<IPolicyService>();
-        var userService = Substitute.For<IUserService>();
-
-        orgUser1.Email = orgUser2.Email = null;
-        orgUser3.UserId = null;
-        orgUser3.Key = null;
-        orgUser1.OrganizationId = orgUser2.OrganizationId = orgUser3.OrganizationId = organization.Id;
-        organizationUserRepository
-            .GetManyAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUser1.Id) && ids.Contains(orgUser2.Id) && ids.Contains(orgUser3.Id)))
-            .Returns(new[] { orgUser1, orgUser2, orgUser3 });
-
-        userRepository.GetByIdAsync(orgUser2.UserId!.Value).Returns(new User { Email = "test@example.com" });
-
-        // Setup 2FA policy
-        policyService.GetPoliciesApplicableToUserAsync(Arg.Any<Guid>(), PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
-            .Returns(new[] { new OrganizationUserPolicyDetails { OrganizationId = organization.Id, PolicyType = PolicyType.TwoFactorAuthentication } });
-
-        // User1 has 2FA, User2 doesn't
-        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
-            .TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUser1.UserId!.Value) && ids.Contains(orgUser2.UserId!.Value)))
-            .Returns(new List<(Guid userId, bool twoFactorIsEnabled)>
-            {
-                (orgUser1.UserId!.Value, true),
-                (orgUser2.UserId!.Value, false)
-            });
-
-        // Act
-        var result = await sutProvider.Sut.RestoreUsersAsync(organization.Id, new[] { orgUser1.Id, orgUser2.Id, orgUser3.Id }, owner.Id, userService);
-
-        // Assert
-        Assert.Equal(3, result.Count);
-        Assert.Empty(result[0].Item2); // First user should succeed
-        Assert.Contains("two-step login", result[1].Item2); // Second user should fail
-        Assert.Empty(result[2].Item2); // Third user should succeed
-        await organizationUserRepository
-            .Received(1)
-            .RestoreAsync(orgUser1.Id, OrganizationUserStatusType.Confirmed);
-        await organizationUserRepository
-            .DidNotReceive()
-            .RestoreAsync(orgUser2.Id, Arg.Any<OrganizationUserStatusType>());
-        await organizationUserRepository
-            .Received(1)
-            .RestoreAsync(orgUser3.Id, OrganizationUserStatusType.Invited);
-    }
 }
diff --git a/test/Infrastructure.EFIntegration.Test/AdminConsole/Repositories/OrganizationRepositoryTests.cs b/test/Infrastructure.EFIntegration.Test/AdminConsole/Repositories/OrganizationRepositoryTests.cs
index f6d4227e2b..e8bafaea5b 100644
--- a/test/Infrastructure.EFIntegration.Test/AdminConsole/Repositories/OrganizationRepositoryTests.cs
+++ b/test/Infrastructure.EFIntegration.Test/AdminConsole/Repositories/OrganizationRepositoryTests.cs
@@ -196,4 +196,43 @@ public class OrganizationRepositoryTests
         Assert.Single(sqlResult);
         Assert.True(sqlResult.All(o => o.Name == org.Name));
     }
+
+    [CiSkippedTheory, EfOrganizationAutoData]
+    public async Task GetManyByIdsAsync_Works_DataMatches(List<Organization> organizations,
+        SqlRepo.OrganizationRepository sqlOrganizationRepo,
+        List<EfRepo.OrganizationRepository> suts)
+    {
+        var returnedOrgs = new List<Organization>();
+
+        foreach (var sut in suts)
+        {
+            _ = await sut.CreateMany(organizations);
+            sut.ClearChangeTracking();
+
+            var efReturnedOrgs = await sut.GetManyByIdsAsync(organizations.Select(o => o.Id).ToList());
+            returnedOrgs.AddRange(efReturnedOrgs);
+        }
+
+        foreach (var organization in organizations)
+        {
+            var postSqlOrg = await sqlOrganizationRepo.CreateAsync(organization);
+            returnedOrgs.Add(await sqlOrganizationRepo.GetByIdAsync(postSqlOrg.Id));
+        }
+
+        var orgIds = organizations.Select(o => o.Id).ToList();
+        var distinctReturnedOrgIds = returnedOrgs.Select(o => o.Id).Distinct().ToList();
+
+        Assert.Equal(orgIds.Count, distinctReturnedOrgIds.Count);
+        Assert.Equivalent(orgIds, distinctReturnedOrgIds);
+
+        // clean up
+        foreach (var organization in organizations)
+        {
+            await sqlOrganizationRepo.DeleteAsync(organization);
+            foreach (var sut in suts)
+            {
+                await sut.DeleteAsync(organization);
+            }
+        }
+    }
 }
diff --git a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationRepositoryTests.cs b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationRepositoryTests.cs
index f7c61ad957..a95778b199 100644
--- a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationRepositoryTests.cs
+++ b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationRepositoryTests.cs
@@ -253,4 +253,37 @@ public class OrganizationRepositoryTests
 
         Assert.Empty(result);
     }
+
+
+    [DatabaseTheory, DatabaseData]
+    public async Task GetManyByIdsAsync_ExistingOrganizations_ReturnsOrganizations(IOrganizationRepository organizationRepository)
+    {
+        var email = "test@email.com";
+
+        var organization1 = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = $"Test Org 1",
+            BillingEmail = email,
+            Plan = "Test",
+            PrivateKey = "privatekey1"
+        });
+
+        var organization2 = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = $"Test Org 2",
+            BillingEmail = email,
+            Plan = "Test",
+            PrivateKey = "privatekey2"
+        });
+
+        var result = await organizationRepository.GetManyByIdsAsync([organization1.Id, organization2.Id]);
+
+        Assert.Equal(2, result.Count);
+        Assert.Contains(result, org => org.Id == organization1.Id);
+        Assert.Contains(result, org => org.Id == organization2.Id);
+
+        // Clean up
+        await organizationRepository.DeleteAsync(organization1);
+        await organizationRepository.DeleteAsync(organization2);
+    }
 }
diff --git a/util/Migrator/DbScripts/2025-03-21_00_Org_ReadManyByManyId.sql b/util/Migrator/DbScripts/2025-03-21_00_Org_ReadManyByManyId.sql
new file mode 100644
index 0000000000..fb58d3cff7
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-03-21_00_Org_ReadManyByManyId.sql
@@ -0,0 +1,66 @@
+CREATE OR ALTER PROCEDURE [dbo].[Organization_ReadManyByIds] @OrganizationIds AS [dbo].[GuidIdArray] READONLY
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT o.[Id],
+           o.[Identifier],
+           o.[Name],
+           o.[BusinessName],
+           o.[BusinessAddress1],
+           o.[BusinessAddress2],
+           o.[BusinessAddress3],
+           o.[BusinessCountry],
+           o.[BusinessTaxNumber],
+           o.[BillingEmail],
+           o.[Plan],
+           o.[PlanType],
+           o.[Seats],
+           o.[MaxCollections],
+           o.[UsePolicies],
+           o.[UseSso],
+           o.[UseGroups],
+           o.[UseDirectory],
+           o.[UseEvents],
+           o.[UseTotp],
+           o.[Use2fa],
+           o.[UseApi],
+           o.[UseResetPassword],
+           o.[SelfHost],
+           o.[UsersGetPremium],
+           o.[Storage],
+           o.[MaxStorageGb],
+           o.[Gateway],
+           o.[GatewayCustomerId],
+           o.[GatewaySubscriptionId],
+           o.[ReferenceData],
+           o.[Enabled],
+           o.[LicenseKey],
+           o.[PublicKey],
+           o.[PrivateKey],
+           o.[TwoFactorProviders],
+           o.[ExpirationDate],
+           o.[CreationDate],
+           o.[RevisionDate],
+           o.[OwnersNotifiedOfAutoscaling],
+           o.[MaxAutoscaleSeats],
+           o.[UseKeyConnector],
+           o.[UseScim],
+           o.[UseCustomPermissions],
+           o.[UseSecretsManager],
+           o.[Status],
+           o.[UsePasswordManager],
+           o.[SmSeats],
+           o.[SmServiceAccounts],
+           o.[MaxAutoscaleSmSeats],
+           o.[MaxAutoscaleSmServiceAccounts],
+           o.[SecretsManagerBeta],
+           o.[LimitCollectionCreation],
+           o.[LimitCollectionDeletion],
+           o.[LimitItemDeletion],
+           o.[AllowAdminAccessToAllCollectionItems],
+           o.[UseRiskInsights]
+    FROM [dbo].[OrganizationView] o
+             INNER JOIN @OrganizationIds ids ON o.[Id] = ids.[Id]
+END
+

From 683ade9ffc3887623af43b2a30b8f0933d01733d Mon Sep 17 00:00:00 2001
From: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>
Date: Mon, 31 Mar 2025 09:49:14 -0400
Subject: [PATCH 136/184] feat(EF WebAuthnCreds Repo): [Auth/PM-19629]  EF
 WebAuthnCredentialRepository.cs - Rewrite query to avoid reading entire table
 into memory (#5567)

---
 .../Auth/Repositories/WebAuthnCredentialRepository.cs    | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/src/Infrastructure.EntityFramework/Auth/Repositories/WebAuthnCredentialRepository.cs b/src/Infrastructure.EntityFramework/Auth/Repositories/WebAuthnCredentialRepository.cs
index e198a5f79d..ca32c44211 100644
--- a/src/Infrastructure.EntityFramework/Auth/Repositories/WebAuthnCredentialRepository.cs
+++ b/src/Infrastructure.EntityFramework/Auth/Repositories/WebAuthnCredentialRepository.cs
@@ -68,12 +68,11 @@ public class WebAuthnCredentialRepository : Repository<Core.Auth.Entities.WebAut
             var newCreds = credentials.ToList();
             using var scope = ServiceScopeFactory.CreateScope();
             var dbContext = GetDatabaseContext(scope);
-            var userWebauthnCredentials = await GetDbSet(dbContext)
-                .Where(wc => wc.Id == wc.Id)
+
+            var newCredIds = newCreds.Select(nwc => nwc.Id).ToList();
+            var validUserWebauthnCredentials = await GetDbSet(dbContext)
+                .Where(wc => wc.UserId == userId && newCredIds.Contains(wc.Id))
                 .ToListAsync();
-            var validUserWebauthnCredentials = userWebauthnCredentials
-                .Where(wc => newCreds.Any(nwc => nwc.Id == wc.Id))
-                .Where(wc => wc.UserId == userId);
 
             foreach (var wc in validUserWebauthnCredentials)
             {

From 30ad7d3f7319b1b5de6e8e9a16bd0305a0bdb699 Mon Sep 17 00:00:00 2001
From: Conner Turnbull <133619638+cturnbull-bitwarden@users.noreply.github.com>
Date: Mon, 31 Mar 2025 12:25:41 -0400
Subject: [PATCH 137/184] [PM-18564] Added policy validation before creating or
 sending org sponsorship invite (#5459)

* Added policy validation before creating or sending org sponsorship invite

* dotnet format strikes again
---
 .../OrganizationSponsorshipsController.cs     | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/src/Api/Billing/Controllers/OrganizationSponsorshipsController.cs b/src/Api/Billing/Controllers/OrganizationSponsorshipsController.cs
index 42263aa88b..a8c9fa622d 100644
--- a/src/Api/Billing/Controllers/OrganizationSponsorshipsController.cs
+++ b/src/Api/Billing/Controllers/OrganizationSponsorshipsController.cs
@@ -76,6 +76,13 @@ public class OrganizationSponsorshipsController : Controller
     public async Task CreateSponsorship(Guid sponsoringOrgId, [FromBody] OrganizationSponsorshipCreateRequestModel model)
     {
         var sponsoringOrg = await _organizationRepository.GetByIdAsync(sponsoringOrgId);
+        var freeFamiliesSponsorshipPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(sponsoringOrgId,
+            PolicyType.FreeFamiliesSponsorshipPolicy);
+
+        if (freeFamiliesSponsorshipPolicy?.Enabled == true)
+        {
+            throw new BadRequestException("Free Bitwarden Families sponsorship has been disabled by your organization administrator.");
+        }
 
         var sponsorship = await _createSponsorshipCommand.CreateSponsorshipAsync(
             sponsoringOrg,
@@ -89,6 +96,14 @@ public class OrganizationSponsorshipsController : Controller
     [SelfHosted(NotSelfHostedOnly = true)]
     public async Task ResendSponsorshipOffer(Guid sponsoringOrgId)
     {
+        var freeFamiliesSponsorshipPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(sponsoringOrgId,
+            PolicyType.FreeFamiliesSponsorshipPolicy);
+
+        if (freeFamiliesSponsorshipPolicy?.Enabled == true)
+        {
+            throw new BadRequestException("Free Bitwarden Families sponsorship has been disabled by your organization administrator.");
+        }
+
         var sponsoringOrgUser = await _organizationUserRepository
             .GetByOrganizationAsync(sponsoringOrgId, _currentContext.UserId ?? default);
 
@@ -135,6 +150,14 @@ public class OrganizationSponsorshipsController : Controller
             throw new BadRequestException("Can only redeem sponsorship for an organization you own.");
         }
 
+        var freeFamiliesSponsorshipPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(
+            model.SponsoredOrganizationId, PolicyType.FreeFamiliesSponsorshipPolicy);
+
+        if (freeFamiliesSponsorshipPolicy?.Enabled == true)
+        {
+            throw new BadRequestException("Free Bitwarden Families sponsorship has been disabled by your organization administrator.");
+        }
+
         await _setUpSponsorshipCommand.SetUpSponsorshipAsync(
             sponsorship,
             await _organizationRepository.GetByIdAsync(model.SponsoredOrganizationId));

From a879e4722cba7e3bf08c67a0ac5f4f0c7bd2a211 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 31 Mar 2025 16:33:50 +0000
Subject: [PATCH 138/184] [deps] Tools: Update aws-sdk-net monorepo (#5580)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Daniel James Smith <2670567+djsmith85@users.noreply.github.com>
---
 src/Core/Core.csproj | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index ea72f3c785..6fffbbf8e5 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -23,8 +23,8 @@
 
   <ItemGroup>
     <PackageReference Include="AspNetCoreRateLimit.Redis" Version="2.0.0" />
-    <PackageReference Include="AWSSDK.SimpleEmail" Version="3.7.402.28" />
-    <PackageReference Include="AWSSDK.SQS" Version="3.7.400.85" />
+    <PackageReference Include="AWSSDK.SimpleEmail" Version="3.7.402.61" />
+    <PackageReference Include="AWSSDK.SQS" Version="3.7.400.118" />
     <PackageReference Include="Azure.Data.Tables" Version="12.9.0" />
     <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Blobs" Version="1.3.4" />
     <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="8.0.10" />

From e7abb07d19cddc7157b9c7ed15bce7eb228113c0 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 31 Mar 2025 16:35:59 +0000
Subject: [PATCH 139/184] [deps] Tools: Update LaunchDarkly.ServerSdk to 8.7.0
 (#5581)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Daniel James Smith <2670567+djsmith85@users.noreply.github.com>
---
 src/Core/Core.csproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index 6fffbbf8e5..7a217ec7de 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -61,7 +61,7 @@
     <PackageReference Include="Otp.NET" Version="1.4.0" />
     <PackageReference Include="YubicoDotNetClient" Version="1.2.0" />
     <PackageReference Include="Microsoft.Extensions.Caching.StackExchangeRedis" Version="8.0.10" />
-    <PackageReference Include="LaunchDarkly.ServerSdk" Version="8.6.0" />
+    <PackageReference Include="LaunchDarkly.ServerSdk" Version="8.7.0" />
     <PackageReference Include="Quartz" Version="3.13.1" />
     <PackageReference Include="Quartz.Extensions.Hosting" Version="3.13.1" />
     <PackageReference Include="Quartz.Extensions.DependencyInjection" Version="3.13.1" />

From 0579fb0e68f0b3fdc81c0a98d13ffe9d99c8b5b2 Mon Sep 17 00:00:00 2001
From: Todd Martin <106564991+trmartin4@users.noreply.github.com>
Date: Mon, 31 Mar 2025 14:27:09 -0400
Subject: [PATCH 140/184] [PM-9115] Add feature flag for 2FA persistence
 (#5583)

* Add new feature flag.

* Clarified name.
---
 src/Core/Constants.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index ea360eb744..b772002dbb 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -112,6 +112,7 @@ public static class FeatureFlagKeys
 
     /* Auth Team */
     public const string PM9112DeviceApprovalPersistence = "pm-9112-device-approval-persistence";
+    public const string TwoFactorExtensionDataPersistence = "pm-9115-two-factor-extension-data-persistence";
     public const string DuoRedirect = "duo-redirect";
     public const string EmailVerification = "email-verification";
     public const string EmailVerificationDisableTimingDelays = "email-verification-disable-timing-delays";

From 9c16127bd4d9c6cb690c3a83a96179e5b606004e Mon Sep 17 00:00:00 2001
From: Nick Krantz <125900171+nick-livefront@users.noreply.github.com>
Date: Mon, 31 Mar 2025 14:00:43 -0500
Subject: [PATCH 141/184] [PM-14406] Fix security task email sends (#5571)

* convert `AdminOwnerEmails` to List rather than IEnumerable

* check for JSON array in `formatAdminOwnerEmails`

* remove trailing comma for admin/owners

* Use display block on tables to enforce padding

* update padding around review at-risk passwords
---
 .../SecurityTasksNotification.html.hbs        |  9 ++++----
 .../Mail/SecurityTaskNotificationViewModel.cs |  2 +-
 .../Implementations/HandlebarsMailService.cs  | 21 ++++++++++++++++---
 .../CreateManyTaskNotificationsCommand.cs     | 13 +++++++++---
 4 files changed, 33 insertions(+), 12 deletions(-)

diff --git a/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.html.hbs b/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.html.hbs
index ca015e3e83..79c3893785 100644
--- a/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.html.hbs
+++ b/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.html.hbs
@@ -14,18 +14,17 @@
     </td>
   </tr>
 </table>
-<table width="100%" border="0" cellpadding="0" cellspacing="0"
-  style="display: table; width:100%; padding-bottom: 24px; text-align: center;" align="center">
+<table width="100%" border="0" cellpadding="0" cellspacing="0" style="padding-bottom: 24px; padding-left: 24px; padding-right: 24px; text-align: center;" align="center">
   <tr>
-    <td display="display: table-cell">
+    <td>
       <a href="{{ReviewPasswordsUrl}}" clicktracking=off target="_blank"
         style="display: inline-block; font-weight: bold; color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; border-radius: 999px; background-color: #175DDC; border-color: #175DDC; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
         Review at-risk passwords
       </a>
     </td>
   </tr>
-<table width="100%" border="0" cellpadding="0" cellspacing="0"
-  style="display: table; width:100%; padding-bottom: 24px; text-align: center;" align="center">
+</table>
+<table width="100%" border="0" cellpadding="0" cellspacing="0" style="padding-bottom: 24px; padding-left: 24px; padding-right: 24px; text-align: center;" align="center">
   <tr>
     <td display="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-weight: 400; font-size: 12px; line-height: 16px;">
       {{formatAdminOwnerEmails AdminOwnerEmails}}
diff --git a/src/Core/Models/Mail/SecurityTaskNotificationViewModel.cs b/src/Core/Models/Mail/SecurityTaskNotificationViewModel.cs
index 8871a53424..9b4ede6e01 100644
--- a/src/Core/Models/Mail/SecurityTaskNotificationViewModel.cs
+++ b/src/Core/Models/Mail/SecurityTaskNotificationViewModel.cs
@@ -8,7 +8,7 @@ public class SecurityTaskNotificationViewModel : BaseMailModel
 
     public bool TaskCountPlural => TaskCount != 1;
 
-    public IEnumerable<string> AdminOwnerEmails { get; set; }
+    public List<string> AdminOwnerEmails { get; set; }
 
     public string ReviewPasswordsUrl => $"{WebVaultUrl}/browser-extension-prompt";
 }
diff --git a/src/Core/Services/Implementations/HandlebarsMailService.cs b/src/Core/Services/Implementations/HandlebarsMailService.cs
index edb99809f7..430636f44d 100644
--- a/src/Core/Services/Implementations/HandlebarsMailService.cs
+++ b/src/Core/Services/Implementations/HandlebarsMailService.cs
@@ -1,5 +1,6 @@
 using System.Net;
 using System.Reflection;
+using System.Text.Json;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.AdminConsole.Models.Mail;
@@ -752,7 +753,21 @@ public class HandlebarsMailService : IMailService
                 return;
             }
 
-            var emailList = ((IEnumerable<string>)parameters[0]).ToList();
+            var emailList = new List<string>();
+            if (parameters[0] is JsonElement jsonElement && jsonElement.ValueKind == JsonValueKind.Array)
+            {
+                emailList = jsonElement.EnumerateArray().Select(e => e.GetString()).ToList();
+            }
+            else if (parameters[0] is IEnumerable<string> emails)
+            {
+                emailList = emails.ToList();
+            }
+            else
+            {
+                writer.WriteSafeString(string.Empty);
+                return;
+            }
+
             if (emailList.Count == 0)
             {
                 writer.WriteSafeString(string.Empty);
@@ -774,7 +789,7 @@ public class HandlebarsMailService : IMailService
             {
                 outputMessage += string.Join(", ", emailList.Take(emailList.Count - 1)
                     .Select(email => constructAnchorElement(email)));
-                outputMessage += $", and {constructAnchorElement(emailList.Last())}.";
+                outputMessage += $" and {constructAnchorElement(emailList.Last())}.";
             }
 
             writer.WriteSafeString($"{outputMessage}");
@@ -1250,7 +1265,7 @@ public class HandlebarsMailService : IMailService
             {
                 OrgName = CoreHelpers.SanitizeForEmail(sanitizedOrgName, false),
                 TaskCount = notification.TaskCount,
-                AdminOwnerEmails = adminOwnerEmails,
+                AdminOwnerEmails = adminOwnerEmails.ToList(),
                 WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
             };
             message.Category = "SecurityTasksNotification";
diff --git a/src/Core/Vault/Commands/CreateManyTaskNotificationsCommand.cs b/src/Core/Vault/Commands/CreateManyTaskNotificationsCommand.cs
index a335b059a4..e68a2ed726 100644
--- a/src/Core/Vault/Commands/CreateManyTaskNotificationsCommand.cs
+++ b/src/Core/Vault/Commands/CreateManyTaskNotificationsCommand.cs
@@ -48,9 +48,16 @@ public class CreateManyTaskNotificationsCommand : ICreateManyTaskNotificationsCo
         }).ToList();
 
         var organization = await _organizationRepository.GetByIdAsync(orgId);
-        var orgAdminEmails = await _organizationUserRepository.GetManyDetailsByRoleAsync(orgId, OrganizationUserType.Admin);
-        var orgOwnerEmails = await _organizationUserRepository.GetManyDetailsByRoleAsync(orgId, OrganizationUserType.Owner);
-        var orgAdminAndOwnerEmails = orgAdminEmails.Concat(orgOwnerEmails).Select(x => x.Email).Distinct().ToList();
+        var orgAdminEmails = (await _organizationUserRepository.GetManyDetailsByRoleAsync(orgId, OrganizationUserType.Admin))
+            .Select(u => u.Email)
+            .ToList();
+
+        var orgOwnerEmails = (await _organizationUserRepository.GetManyDetailsByRoleAsync(orgId, OrganizationUserType.Owner))
+            .Select(u => u.Email)
+            .ToList();
+
+        // Ensure proper deserialization of emails
+        var orgAdminAndOwnerEmails = orgAdminEmails.Concat(orgOwnerEmails).Distinct().ToList();
 
         await _mailService.SendBulkSecurityTaskNotificationsAsync(organization, userTaskCount, orgAdminAndOwnerEmails);
 

From 0ca1b319fd4cb70e9eccddd33900f79543bf3571 Mon Sep 17 00:00:00 2001
From: Conner Turnbull <133619638+cturnbull-bitwarden@users.noreply.github.com>
Date: Mon, 31 Mar 2025 15:20:31 -0400
Subject: [PATCH 142/184] Fix PayPal to Stripe credit truncation bug (#5561)

---
 .../Services/Implementations/PremiumUserBillingService.cs       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs b/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
index 57be92ba94..c00a151aa1 100644
--- a/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
+++ b/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
@@ -32,7 +32,7 @@ public class PremiumUserBillingService(
         var customer = await subscriberService.GetCustomer(user);
 
         // Negative credit represents a balance and all Stripe denomination is in cents.
-        var credit = (long)amount * -100;
+        var credit = (long)(amount * -100);
 
         if (customer == null)
         {

From 1beb5dc5c0e834f7700dc509ffc8cbdb06ac3c23 Mon Sep 17 00:00:00 2001
From: Todd Martin <106564991+trmartin4@users.noreply.github.com>
Date: Tue, 1 Apr 2025 10:06:30 -0400
Subject: [PATCH 143/184] Separate desktop and CLI for ClientType checks
 (#5441)

---
 src/Core/Enums/ClientType.cs      | 4 +++-
 src/Core/Utilities/DeviceTypes.cs | 7 ++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/Core/Enums/ClientType.cs b/src/Core/Enums/ClientType.cs
index 4e95584e8d..0e0cfe4b26 100644
--- a/src/Core/Enums/ClientType.cs
+++ b/src/Core/Enums/ClientType.cs
@@ -14,5 +14,7 @@ public enum ClientType : byte
     [Display(Name = "Desktop App")]
     Desktop = 3,
     [Display(Name = "Mobile App")]
-    Mobile = 4
+    Mobile = 4,
+    [Display(Name = "CLI")]
+    Cli = 5
 }
diff --git a/src/Core/Utilities/DeviceTypes.cs b/src/Core/Utilities/DeviceTypes.cs
index a1cca75757..f42d1d9a2b 100644
--- a/src/Core/Utilities/DeviceTypes.cs
+++ b/src/Core/Utilities/DeviceTypes.cs
@@ -16,7 +16,11 @@ public static class DeviceTypes
         DeviceType.LinuxDesktop,
         DeviceType.MacOsDesktop,
         DeviceType.WindowsDesktop,
-        DeviceType.UWP,
+        DeviceType.UWP
+    ];
+
+    public static IReadOnlyCollection<DeviceType> CliTypes { get; } =
+    [
         DeviceType.WindowsCLI,
         DeviceType.MacOsCLI,
         DeviceType.LinuxCLI
@@ -50,6 +54,7 @@ public static class DeviceTypes
         {
             not null when MobileTypes.Contains(deviceType.Value) => ClientType.Mobile,
             not null when DesktopTypes.Contains(deviceType.Value) => ClientType.Desktop,
+            not null when CliTypes.Contains(deviceType.Value) => ClientType.Cli,
             not null when BrowserExtensionTypes.Contains(deviceType.Value) => ClientType.Browser,
             not null when BrowserTypes.Contains(deviceType.Value) => ClientType.Web,
             _ => ClientType.All

From fd781415c4d013a3f3ea99b801a6c1676e6cc4b7 Mon Sep 17 00:00:00 2001
From: Vijay Oommen <voommen@livefront.com>
Date: Tue, 1 Apr 2025 09:19:42 -0500
Subject: [PATCH 144/184] [PM-19222] Include UseRiskInsights in license file
 (#5528)

---
 .../Services/Implementations/OrganizationService.cs          | 1 +
 src/Core/Models/Business/OrganizationLicense.cs              | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
index 64bd434327..32fcbb0608 100644
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@@ -575,6 +575,7 @@ public class OrganizationService : IOrganizationService
             UseSecretsManager = license.UseSecretsManager,
             SmSeats = license.SmSeats,
             SmServiceAccounts = license.SmServiceAccounts,
+            UseRiskInsights = license.UseRiskInsights,
         };
 
         var result = await SignUpAsync(organization, owner.Id, ownerKey, collectionName, false);
diff --git a/src/Core/Models/Business/OrganizationLicense.cs b/src/Core/Models/Business/OrganizationLicense.cs
index d280a81023..a23e18e2b7 100644
--- a/src/Core/Models/Business/OrganizationLicense.cs
+++ b/src/Core/Models/Business/OrganizationLicense.cs
@@ -55,6 +55,7 @@ public class OrganizationLicense : ILicense
         UseSecretsManager = org.UseSecretsManager;
         SmSeats = org.SmSeats;
         SmServiceAccounts = org.SmServiceAccounts;
+        UseRiskInsights = org.UseRiskInsights;
 
         // Deprecated. Left for backwards compatibility with old license versions.
         LimitCollectionCreationDeletion = org.LimitCollectionCreation || org.LimitCollectionDeletion;
@@ -143,6 +144,7 @@ public class OrganizationLicense : ILicense
     public bool UseSecretsManager { get; set; }
     public int? SmSeats { get; set; }
     public int? SmServiceAccounts { get; set; }
+    public bool UseRiskInsights { get; set; }
 
     // Deprecated. Left for backwards compatibility with old license versions.
     public bool LimitCollectionCreationDeletion { get; set; } = true;
@@ -218,7 +220,8 @@ public class OrganizationLicense : ILicense
                             !p.Name.Equals(nameof(Issued)) &&
                             !p.Name.Equals(nameof(Refresh))
                         )
-                    ))
+                    ) &&
+                    !p.Name.Equals(nameof(UseRiskInsights)))
                 .OrderBy(p => p.Name)
                 .Select(p => $"{p.Name}:{Utilities.CoreHelpers.FormatLicenseSignatureValue(p.GetValue(this, null))}")
                 .Aggregate((c, n) => $"{c}|{n}");

From f90bcd44ded104af16688f801ee70a6415097d9b Mon Sep 17 00:00:00 2001
From: Jimmy Vo <huynhmaivo82@gmail.com>
Date: Tue, 1 Apr 2025 10:28:57 -0400
Subject: [PATCH 145/184] [PM-19575] Allow enabling Single Org policy when the
 organization has claimed domains. (#5565)

---
 .../Response/Helpers/PolicyDetailResponses.cs     | 12 +++++++++++-
 .../Helpers/PolicyDetailResponsesTests.cs         | 15 ++++++++++-----
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/src/Api/AdminConsole/Models/Response/Helpers/PolicyDetailResponses.cs b/src/Api/AdminConsole/Models/Response/Helpers/PolicyDetailResponses.cs
index 14b9642f61..dded6a4c89 100644
--- a/src/Api/AdminConsole/Models/Response/Helpers/PolicyDetailResponses.cs
+++ b/src/Api/AdminConsole/Models/Response/Helpers/PolicyDetailResponses.cs
@@ -13,7 +13,17 @@ public static class PolicyDetailResponses
         {
             throw new ArgumentException($"'{nameof(policy)}' must be of type '{nameof(PolicyType.SingleOrg)}'.", nameof(policy));
         }
+        return new PolicyDetailResponseModel(policy, await CanToggleState());
 
-        return new PolicyDetailResponseModel(policy, !await hasVerifiedDomainsQuery.HasVerifiedDomainsAsync(policy.OrganizationId));
+        async Task<bool> CanToggleState()
+        {
+            if (!await hasVerifiedDomainsQuery.HasVerifiedDomainsAsync(policy.OrganizationId))
+            {
+                return true;
+            }
+
+            return !policy.Enabled;
+        }
     }
+
 }
diff --git a/test/Api.Test/AdminConsole/Models/Response/Helpers/PolicyDetailResponsesTests.cs b/test/Api.Test/AdminConsole/Models/Response/Helpers/PolicyDetailResponsesTests.cs
index c380185a70..9b863091db 100644
--- a/test/Api.Test/AdminConsole/Models/Response/Helpers/PolicyDetailResponsesTests.cs
+++ b/test/Api.Test/AdminConsole/Models/Response/Helpers/PolicyDetailResponsesTests.cs
@@ -10,14 +10,19 @@ namespace Bit.Api.Test.AdminConsole.Models.Response.Helpers;
 
 public class PolicyDetailResponsesTests
 {
-    [Fact]
-    public async Task GetSingleOrgPolicyDetailResponseAsync_GivenPolicyEntity_WhenIsSingleOrgTypeAndHasVerifiedDomains_ThenShouldNotBeAbleToToggle()
+    [Theory]
+    [InlineData(true, false)]
+    [InlineData(false, true)]
+    public async Task GetSingleOrgPolicyDetailResponseAsync_WhenIsSingleOrgTypeAndHasVerifiedDomains_ShouldReturnExpectedToggleState(
+        bool policyEnabled,
+        bool expectedCanToggle)
     {
         var fixture = new Fixture();
 
         var policy = fixture.Build<Policy>()
             .Without(p => p.Data)
             .With(p => p.Type, PolicyType.SingleOrg)
+            .With(p => p.Enabled, policyEnabled)
             .Create();
 
         var querySub = Substitute.For<IOrganizationHasVerifiedDomainsQuery>();
@@ -26,11 +31,11 @@ public class PolicyDetailResponsesTests
 
         var result = await policy.GetSingleOrgPolicyDetailResponseAsync(querySub);
 
-        Assert.False(result.CanToggleState);
+        Assert.Equal(expectedCanToggle, result.CanToggleState);
     }
 
     [Fact]
-    public async Task GetSingleOrgPolicyDetailResponseAsync_GivenPolicyEntity_WhenIsNotSingleOrgType_ThenShouldThrowArgumentException()
+    public async Task GetSingleOrgPolicyDetailResponseAsync_WhenIsNotSingleOrgType_ThenShouldThrowArgumentException()
     {
         var fixture = new Fixture();
 
@@ -49,7 +54,7 @@ public class PolicyDetailResponsesTests
     }
 
     [Fact]
-    public async Task GetSingleOrgPolicyDetailResponseAsync_GivenPolicyEntity_WhenIsSingleOrgTypeAndDoesNotHaveVerifiedDomains_ThenShouldBeAbleToToggle()
+    public async Task GetSingleOrgPolicyDetailResponseAsync_WhenIsSingleOrgTypeAndDoesNotHaveVerifiedDomains_ThenShouldBeAbleToToggle()
     {
         var fixture = new Fixture();
 

From abe593d22122cda682b7b789a4eadb6ceccfad85 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Wed, 2 Apr 2025 10:52:23 +0100
Subject: [PATCH 146/184] [PM-18088] Implement LimitItemDeletion permission
 checks for all cipher operations (#5476)

* Implement enhanced cipher deletion and restore permissions with feature flag support

- Add new method `CanDeleteOrRestoreCipherAsAdminAsync` in CiphersController
- Update NormalCipherPermissions to support more flexible cipher type checking
- Modify CipherService to use new permission checks with feature flag
- Refactor test methods to support new permission logic
- Improve authorization checks for organization cipher management

* Refactor cipher methods to use CipherDetails and simplify type handling

- Update CiphersController to use GetByIdAsync with userId
- Modify NormalCipherPermissions to remove unnecessary type casting
- Update ICipherService and CipherService method signatures to use CipherDetails
- Remove redundant type checking in CipherService methods
- Improve type consistency in cipher-related operations

* Enhance CiphersControllerTests with detailed permission and feature flag scenarios

- Add test methods for DeleteAdmin with edit and manage permission checks
- Implement tests for LimitItemDeletion feature flag scenarios
- Update test method names to reflect more precise permission conditions
- Improve test coverage for admin cipher deletion with granular permission handling

* Add comprehensive test coverage for admin cipher restore operations

- Implement test methods for PutRestoreAdmin and PutRestoreManyAdmin
- Add scenarios for owner and admin roles with LimitItemDeletion feature flag
- Cover permission checks for manage and edit permissions
- Enhance test coverage for single and bulk cipher restore admin operations
- Verify correct invocation of RestoreAsync and RestoreManyAsync methods

* Refactor CiphersControllerTests to remove redundant assertions and mocking

- Remove unnecessary assertions for null checks
- Simplify mocking setup for cipher repository and service methods
- Clean up redundant type and data setup in test methods
- Improve test method clarity by removing extraneous code

* Add comprehensive test coverage for cipher restore, delete, and soft delete operations

- Implement test methods for RestoreAsync with org admin override and LimitItemDeletion feature flag
- Add scenarios for checking manage and edit permissions during restore operations
- Extend test coverage for DeleteAsync with similar permission and feature flag checks
- Enhance SoftDeleteAsync tests with org admin override and permission validation
- Improve test method names to reflect precise permission conditions

* Add comprehensive test coverage for cipher restore, delete, and soft delete operations

- Extend test methods for RestoreManyAsync with various permission scenarios
- Add test coverage for personal and organization ciphers in restore operations
- Implement tests for RestoreManyAsync with LimitItemDeletion feature flag
- Add detailed test scenarios for delete and soft delete operations
- Improve test method names to reflect precise permission and feature flag conditions

* Refactor authorization checks in CiphersController to use All() method for improved readability

* Refactor filtering of ciphers in CipherService to streamline organization ability checks and improve readability
---
 .../Vault/Controllers/CiphersController.cs    |   96 +-
 src/Core/Vault/Services/ICipherService.cs     |    6 +-
 .../Services/Implementations/CipherService.cs |  131 +-
 .../Controllers/CiphersControllerTests.cs     |  957 +++++++++++---
 .../Vault/Services/CipherServiceTests.cs      | 1155 +++++++++++++++--
 5 files changed, 2067 insertions(+), 278 deletions(-)

diff --git a/src/Api/Vault/Controllers/CiphersController.cs b/src/Api/Vault/Controllers/CiphersController.cs
index daaf8a03fb..0f03f54be1 100644
--- a/src/Api/Vault/Controllers/CiphersController.cs
+++ b/src/Api/Vault/Controllers/CiphersController.cs
@@ -16,6 +16,7 @@ using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Core.Tools.Services;
 using Bit.Core.Utilities;
+using Bit.Core.Vault.Authorization.Permissions;
 using Bit.Core.Vault.Entities;
 using Bit.Core.Vault.Models.Data;
 using Bit.Core.Vault.Queries;
@@ -345,6 +346,77 @@ public class CiphersController : Controller
         return await CanEditCiphersAsync(organizationId, cipherIds);
     }
 
+    private async Task<bool> CanDeleteOrRestoreCipherAsAdminAsync(Guid organizationId, IEnumerable<Guid> cipherIds)
+    {
+        if (!_featureService.IsEnabled(FeatureFlagKeys.LimitItemDeletion))
+        {
+            return await CanEditCipherAsAdminAsync(organizationId, cipherIds);
+        }
+
+        var org = _currentContext.GetOrganization(organizationId);
+
+        // If we're not an "admin", we don't need to check the ciphers
+        if (org is not ({ Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or { Permissions.EditAnyCollection: true }))
+        {
+            // Are we a provider user? If so, we need to be sure we're not restricted
+            // Once the feature flag is removed, this check can be combined with the above
+            if (await _currentContext.ProviderUserForOrgAsync(organizationId))
+            {
+                // Provider is restricted from editing ciphers, so we're not an "admin"
+                if (_featureService.IsEnabled(FeatureFlagKeys.RestrictProviderAccess))
+                {
+                    return false;
+                }
+
+                // Provider is unrestricted, so we're an "admin", don't return early
+            }
+            else
+            {
+                // Not a provider or admin
+                return false;
+            }
+        }
+
+        // If the user can edit all ciphers for the organization, just check they all belong to the org
+        if (await CanEditAllCiphersAsync(organizationId))
+        {
+            // TODO: This can likely be optimized to only query the requested ciphers and then checking they belong to the org
+            var orgCiphers = (await _cipherRepository.GetManyByOrganizationIdAsync(organizationId)).ToDictionary(c => c.Id);
+
+            // Ensure all requested ciphers are in orgCiphers
+            return cipherIds.All(c => orgCiphers.ContainsKey(c));
+        }
+
+        // The user cannot access any ciphers for the organization, we're done
+        if (!await CanAccessOrganizationCiphersAsync(organizationId))
+        {
+            return false;
+        }
+
+        var user = await _userService.GetUserByPrincipalAsync(User);
+        // Select all deletable ciphers for this user belonging to the organization
+        var deletableOrgCipherList = (await _cipherRepository.GetManyByUserIdAsync(user.Id, true))
+            .Where(c => c.OrganizationId == organizationId && c.UserId == null).ToList();
+
+        // Special case for unassigned ciphers
+        if (await CanAccessUnassignedCiphersAsync(organizationId))
+        {
+            var unassignedCiphers =
+                (await _cipherRepository.GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(
+                    organizationId));
+
+            // Users that can access unassigned ciphers can also delete them
+            deletableOrgCipherList.AddRange(unassignedCiphers.Select(c => new CipherDetails(c) { Manage = true }));
+        }
+
+        var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(organizationId);
+        var deletableOrgCiphers = deletableOrgCipherList
+            .Where(c => NormalCipherPermissions.CanDelete(user, c, organizationAbility))
+            .ToDictionary(c => c.Id);
+
+        return cipherIds.All(c => deletableOrgCiphers.ContainsKey(c));
+    }
+
     /// <summary>
     /// TODO: Move this to its own authorization handler or equivalent service - AC-2062
     /// </summary>
@@ -763,12 +835,12 @@ public class CiphersController : Controller
 
     [HttpDelete("{id}/admin")]
     [HttpPost("{id}/delete-admin")]
-    public async Task DeleteAdmin(string id)
+    public async Task DeleteAdmin(Guid id)
     {
         var userId = _userService.GetProperUserId(User).Value;
-        var cipher = await _cipherRepository.GetByIdAsync(new Guid(id));
+        var cipher = await GetByIdAsync(id, userId);
         if (cipher == null || !cipher.OrganizationId.HasValue ||
-            !await CanEditCipherAsAdminAsync(cipher.OrganizationId.Value, new[] { cipher.Id }))
+            !await CanDeleteOrRestoreCipherAsAdminAsync(cipher.OrganizationId.Value, new[] { cipher.Id }))
         {
             throw new NotFoundException();
         }
@@ -808,7 +880,7 @@ public class CiphersController : Controller
         var cipherIds = model.Ids.Select(i => new Guid(i)).ToList();
 
         if (string.IsNullOrWhiteSpace(model.OrganizationId) ||
-            !await CanEditCipherAsAdminAsync(new Guid(model.OrganizationId), cipherIds))
+            !await CanDeleteOrRestoreCipherAsAdminAsync(new Guid(model.OrganizationId), cipherIds))
         {
             throw new NotFoundException();
         }
@@ -830,12 +902,12 @@ public class CiphersController : Controller
     }
 
     [HttpPut("{id}/delete-admin")]
-    public async Task PutDeleteAdmin(string id)
+    public async Task PutDeleteAdmin(Guid id)
     {
         var userId = _userService.GetProperUserId(User).Value;
-        var cipher = await _cipherRepository.GetByIdAsync(new Guid(id));
+        var cipher = await GetByIdAsync(id, userId);
         if (cipher == null || !cipher.OrganizationId.HasValue ||
-            !await CanEditCipherAsAdminAsync(cipher.OrganizationId.Value, new[] { cipher.Id }))
+            !await CanDeleteOrRestoreCipherAsAdminAsync(cipher.OrganizationId.Value, new[] { cipher.Id }))
         {
             throw new NotFoundException();
         }
@@ -871,7 +943,7 @@ public class CiphersController : Controller
         var cipherIds = model.Ids.Select(i => new Guid(i)).ToList();
 
         if (string.IsNullOrWhiteSpace(model.OrganizationId) ||
-            !await CanEditCipherAsAdminAsync(new Guid(model.OrganizationId), cipherIds))
+            !await CanDeleteOrRestoreCipherAsAdminAsync(new Guid(model.OrganizationId), cipherIds))
         {
             throw new NotFoundException();
         }
@@ -899,12 +971,12 @@ public class CiphersController : Controller
     }
 
     [HttpPut("{id}/restore-admin")]
-    public async Task<CipherMiniResponseModel> PutRestoreAdmin(string id)
+    public async Task<CipherMiniResponseModel> PutRestoreAdmin(Guid id)
     {
         var userId = _userService.GetProperUserId(User).Value;
-        var cipher = await _cipherRepository.GetOrganizationDetailsByIdAsync(new Guid(id));
+        var cipher = await GetByIdAsync(id, userId);
         if (cipher == null || !cipher.OrganizationId.HasValue ||
-            !await CanEditCipherAsAdminAsync(cipher.OrganizationId.Value, new[] { cipher.Id }))
+            !await CanDeleteOrRestoreCipherAsAdminAsync(cipher.OrganizationId.Value, new[] { cipher.Id }))
         {
             throw new NotFoundException();
         }
@@ -944,7 +1016,7 @@ public class CiphersController : Controller
 
         var cipherIdsToRestore = new HashSet<Guid>(model.Ids.Select(i => new Guid(i)));
 
-        if (model.OrganizationId == default || !await CanEditCipherAsAdminAsync(model.OrganizationId, cipherIdsToRestore))
+        if (model.OrganizationId == default || !await CanDeleteOrRestoreCipherAsAdminAsync(model.OrganizationId, cipherIdsToRestore))
         {
             throw new NotFoundException();
         }
diff --git a/src/Core/Vault/Services/ICipherService.cs b/src/Core/Vault/Services/ICipherService.cs
index 17f55cb47d..7eeb6d2463 100644
--- a/src/Core/Vault/Services/ICipherService.cs
+++ b/src/Core/Vault/Services/ICipherService.cs
@@ -15,7 +15,7 @@ public interface ICipherService
         long requestLength, Guid savingUserId, bool orgAdmin = false);
     Task CreateAttachmentShareAsync(Cipher cipher, Stream stream, string fileName, string key, long requestLength,
         string attachmentId, Guid organizationShareId);
-    Task DeleteAsync(Cipher cipher, Guid deletingUserId, bool orgAdmin = false);
+    Task DeleteAsync(CipherDetails cipherDetails, Guid deletingUserId, bool orgAdmin = false);
     Task DeleteManyAsync(IEnumerable<Guid> cipherIds, Guid deletingUserId, Guid? organizationId = null, bool orgAdmin = false);
     Task<DeleteAttachmentResponseData> DeleteAttachmentAsync(Cipher cipher, string attachmentId, Guid deletingUserId, bool orgAdmin = false);
     Task PurgeAsync(Guid organizationId);
@@ -27,9 +27,9 @@ public interface ICipherService
     Task ShareManyAsync(IEnumerable<(Cipher cipher, DateTime? lastKnownRevisionDate)> ciphers, Guid organizationId,
         IEnumerable<Guid> collectionIds, Guid sharingUserId);
     Task SaveCollectionsAsync(Cipher cipher, IEnumerable<Guid> collectionIds, Guid savingUserId, bool orgAdmin);
-    Task SoftDeleteAsync(Cipher cipher, Guid deletingUserId, bool orgAdmin = false);
+    Task SoftDeleteAsync(CipherDetails cipherDetails, Guid deletingUserId, bool orgAdmin = false);
     Task SoftDeleteManyAsync(IEnumerable<Guid> cipherIds, Guid deletingUserId, Guid? organizationId = null, bool orgAdmin = false);
-    Task RestoreAsync(Cipher cipher, Guid restoringUserId, bool orgAdmin = false);
+    Task RestoreAsync(CipherDetails cipherDetails, Guid restoringUserId, bool orgAdmin = false);
     Task<ICollection<CipherOrganizationDetails>> RestoreManyAsync(IEnumerable<Guid> cipherIds, Guid restoringUserId, Guid? organizationId = null, bool orgAdmin = false);
     Task UploadFileForExistingAttachmentAsync(Stream stream, Cipher cipher, CipherAttachment.MetaData attachmentId);
     Task<AttachmentResponseData> GetAttachmentDownloadDataAsync(Cipher cipher, string attachmentId);
diff --git a/src/Core/Vault/Services/Implementations/CipherService.cs b/src/Core/Vault/Services/Implementations/CipherService.cs
index b9daafe599..989fbf43b8 100644
--- a/src/Core/Vault/Services/Implementations/CipherService.cs
+++ b/src/Core/Vault/Services/Implementations/CipherService.cs
@@ -14,6 +14,7 @@ using Bit.Core.Tools.Enums;
 using Bit.Core.Tools.Models.Business;
 using Bit.Core.Tools.Services;
 using Bit.Core.Utilities;
+using Bit.Core.Vault.Authorization.Permissions;
 using Bit.Core.Vault.Entities;
 using Bit.Core.Vault.Enums;
 using Bit.Core.Vault.Models.Data;
@@ -44,6 +45,7 @@ public class CipherService : ICipherService
     private readonly ICurrentContext _currentContext;
     private readonly IGetCipherPermissionsForUserQuery _getCipherPermissionsForUserQuery;
     private readonly IPolicyRequirementQuery _policyRequirementQuery;
+    private readonly IApplicationCacheService _applicationCacheService;
     private readonly IFeatureService _featureService;
 
     public CipherService(
@@ -64,6 +66,7 @@ public class CipherService : ICipherService
         ICurrentContext currentContext,
         IGetCipherPermissionsForUserQuery getCipherPermissionsForUserQuery,
         IPolicyRequirementQuery policyRequirementQuery,
+        IApplicationCacheService applicationCacheService,
         IFeatureService featureService)
     {
         _cipherRepository = cipherRepository;
@@ -83,6 +86,7 @@ public class CipherService : ICipherService
         _currentContext = currentContext;
         _getCipherPermissionsForUserQuery = getCipherPermissionsForUserQuery;
         _policyRequirementQuery = policyRequirementQuery;
+        _applicationCacheService = applicationCacheService;
         _featureService = featureService;
     }
 
@@ -421,19 +425,19 @@ public class CipherService : ICipherService
         return response;
     }
 
-    public async Task DeleteAsync(Cipher cipher, Guid deletingUserId, bool orgAdmin = false)
+    public async Task DeleteAsync(CipherDetails cipherDetails, Guid deletingUserId, bool orgAdmin = false)
     {
-        if (!orgAdmin && !(await UserCanEditAsync(cipher, deletingUserId)))
+        if (!orgAdmin && !await UserCanDeleteAsync(cipherDetails, deletingUserId))
         {
             throw new BadRequestException("You do not have permissions to delete this.");
         }
 
-        await _cipherRepository.DeleteAsync(cipher);
-        await _attachmentStorageService.DeleteAttachmentsForCipherAsync(cipher.Id);
-        await _eventService.LogCipherEventAsync(cipher, EventType.Cipher_Deleted);
+        await _cipherRepository.DeleteAsync(cipherDetails);
+        await _attachmentStorageService.DeleteAttachmentsForCipherAsync(cipherDetails.Id);
+        await _eventService.LogCipherEventAsync(cipherDetails, EventType.Cipher_Deleted);
 
         // push
-        await _pushService.PushSyncCipherDeleteAsync(cipher);
+        await _pushService.PushSyncCipherDeleteAsync(cipherDetails);
     }
 
     public async Task DeleteManyAsync(IEnumerable<Guid> cipherIds, Guid deletingUserId, Guid? organizationId = null, bool orgAdmin = false)
@@ -450,8 +454,8 @@ public class CipherService : ICipherService
         else
         {
             var ciphers = await _cipherRepository.GetManyByUserIdAsync(deletingUserId);
-            deletingCiphers = ciphers.Where(c => cipherIdsSet.Contains(c.Id) && c.Edit).Select(x => (Cipher)x).ToList();
-
+            var filteredCiphers = await FilterCiphersByDeletePermission(ciphers, cipherIdsSet, deletingUserId);
+            deletingCiphers = filteredCiphers.Select(c => (Cipher)c).ToList();
             await _cipherRepository.DeleteAsync(deletingCiphers.Select(c => c.Id), deletingUserId);
         }
 
@@ -703,33 +707,26 @@ public class CipherService : ICipherService
         await _pushService.PushSyncCipherUpdateAsync(cipher, collectionIds);
     }
 
-    public async Task SoftDeleteAsync(Cipher cipher, Guid deletingUserId, bool orgAdmin = false)
+    public async Task SoftDeleteAsync(CipherDetails cipherDetails, Guid deletingUserId, bool orgAdmin = false)
     {
-        if (!orgAdmin && !(await UserCanEditAsync(cipher, deletingUserId)))
+        if (!orgAdmin && !await UserCanDeleteAsync(cipherDetails, deletingUserId))
         {
             throw new BadRequestException("You do not have permissions to soft delete this.");
         }
 
-        if (cipher.DeletedDate.HasValue)
+        if (cipherDetails.DeletedDate.HasValue)
         {
             // Already soft-deleted, we can safely ignore this
             return;
         }
 
-        cipher.DeletedDate = cipher.RevisionDate = DateTime.UtcNow;
+        cipherDetails.DeletedDate = cipherDetails.RevisionDate = DateTime.UtcNow;
 
-        if (cipher is CipherDetails details)
-        {
-            await _cipherRepository.UpsertAsync(details);
-        }
-        else
-        {
-            await _cipherRepository.UpsertAsync(cipher);
-        }
-        await _eventService.LogCipherEventAsync(cipher, EventType.Cipher_SoftDeleted);
+        await _cipherRepository.UpsertAsync(cipherDetails);
+        await _eventService.LogCipherEventAsync(cipherDetails, EventType.Cipher_SoftDeleted);
 
         // push
-        await _pushService.PushSyncCipherUpdateAsync(cipher, null);
+        await _pushService.PushSyncCipherUpdateAsync(cipherDetails, null);
     }
 
     public async Task SoftDeleteManyAsync(IEnumerable<Guid> cipherIds, Guid deletingUserId, Guid? organizationId, bool orgAdmin)
@@ -746,8 +743,8 @@ public class CipherService : ICipherService
         else
         {
             var ciphers = await _cipherRepository.GetManyByUserIdAsync(deletingUserId);
-            deletingCiphers = ciphers.Where(c => cipherIdsSet.Contains(c.Id) && c.Edit).Select(x => (Cipher)x).ToList();
-
+            var filteredCiphers = await FilterCiphersByDeletePermission(ciphers, cipherIdsSet, deletingUserId);
+            deletingCiphers = filteredCiphers.Select(c => (Cipher)c).ToList();
             await _cipherRepository.SoftDeleteAsync(deletingCiphers.Select(c => c.Id), deletingUserId);
         }
 
@@ -762,34 +759,27 @@ public class CipherService : ICipherService
         await _pushService.PushSyncCiphersAsync(deletingUserId);
     }
 
-    public async Task RestoreAsync(Cipher cipher, Guid restoringUserId, bool orgAdmin = false)
+    public async Task RestoreAsync(CipherDetails cipherDetails, Guid restoringUserId, bool orgAdmin = false)
     {
-        if (!orgAdmin && !(await UserCanEditAsync(cipher, restoringUserId)))
+        if (!orgAdmin && !await UserCanRestoreAsync(cipherDetails, restoringUserId))
         {
             throw new BadRequestException("You do not have permissions to delete this.");
         }
 
-        if (!cipher.DeletedDate.HasValue)
+        if (!cipherDetails.DeletedDate.HasValue)
         {
             // Already restored, we can safely ignore this
             return;
         }
 
-        cipher.DeletedDate = null;
-        cipher.RevisionDate = DateTime.UtcNow;
+        cipherDetails.DeletedDate = null;
+        cipherDetails.RevisionDate = DateTime.UtcNow;
 
-        if (cipher is CipherDetails details)
-        {
-            await _cipherRepository.UpsertAsync(details);
-        }
-        else
-        {
-            await _cipherRepository.UpsertAsync(cipher);
-        }
-        await _eventService.LogCipherEventAsync(cipher, EventType.Cipher_Restored);
+        await _cipherRepository.UpsertAsync(cipherDetails);
+        await _eventService.LogCipherEventAsync(cipherDetails, EventType.Cipher_Restored);
 
         // push
-        await _pushService.PushSyncCipherUpdateAsync(cipher, null);
+        await _pushService.PushSyncCipherUpdateAsync(cipherDetails, null);
     }
 
     public async Task<ICollection<CipherOrganizationDetails>> RestoreManyAsync(IEnumerable<Guid> cipherIds, Guid restoringUserId, Guid? organizationId = null, bool orgAdmin = false)
@@ -812,8 +802,8 @@ public class CipherService : ICipherService
         else
         {
             var ciphers = await _cipherRepository.GetManyByUserIdAsync(restoringUserId);
-            restoringCiphers = ciphers.Where(c => cipherIdsSet.Contains(c.Id) && c.Edit).Select(c => (CipherOrganizationDetails)c).ToList();
-
+            var filteredCiphers = await FilterCiphersByDeletePermission(ciphers, cipherIdsSet, restoringUserId);
+            restoringCiphers = filteredCiphers.Select(c => (CipherOrganizationDetails)c).ToList();
             revisionDate = await _cipherRepository.RestoreAsync(restoringCiphers.Select(c => c.Id), restoringUserId);
         }
 
@@ -844,6 +834,34 @@ public class CipherService : ICipherService
         return await _cipherRepository.GetCanEditByIdAsync(userId, cipher.Id);
     }
 
+    private async Task<bool> UserCanDeleteAsync(CipherDetails cipher, Guid userId)
+    {
+        if (!_featureService.IsEnabled(FeatureFlagKeys.LimitItemDeletion))
+        {
+            return await UserCanEditAsync(cipher, userId);
+        }
+
+        var user = await _userService.GetUserByIdAsync(userId);
+        var organizationAbility = cipher.OrganizationId.HasValue ?
+            await _applicationCacheService.GetOrganizationAbilityAsync(cipher.OrganizationId.Value) : null;
+
+        return NormalCipherPermissions.CanDelete(user, cipher, organizationAbility);
+    }
+
+    private async Task<bool> UserCanRestoreAsync(CipherDetails cipher, Guid userId)
+    {
+        if (!_featureService.IsEnabled(FeatureFlagKeys.LimitItemDeletion))
+        {
+            return await UserCanEditAsync(cipher, userId);
+        }
+
+        var user = await _userService.GetUserByIdAsync(userId);
+        var organizationAbility = cipher.OrganizationId.HasValue ?
+            await _applicationCacheService.GetOrganizationAbilityAsync(cipher.OrganizationId.Value) : null;
+
+        return NormalCipherPermissions.CanRestore(user, cipher, organizationAbility);
+    }
+
     private void ValidateCipherLastKnownRevisionDateAsync(Cipher cipher, DateTime? lastKnownRevisionDate)
     {
         if (cipher.Id == default || !lastKnownRevisionDate.HasValue)
@@ -1010,4 +1028,35 @@ public class CipherService : ICipherService
             cipher.Data = JsonSerializer.Serialize(newCipherData);
         }
     }
+
+    // This method is used to filter ciphers based on the user's permissions to delete them.
+    // It supports both the old and new logic depending on the feature flag.
+    private async Task<List<T>> FilterCiphersByDeletePermission<T>(
+        IEnumerable<T> ciphers,
+        HashSet<Guid> cipherIdsSet,
+        Guid userId) where T : CipherDetails
+    {
+        if (!_featureService.IsEnabled(FeatureFlagKeys.LimitItemDeletion))
+        {
+            return ciphers.Where(c => cipherIdsSet.Contains(c.Id) && c.Edit).ToList();
+        }
+
+        var user = await _userService.GetUserByIdAsync(userId);
+        var organizationAbilities = await _applicationCacheService.GetOrganizationAbilitiesAsync();
+
+        var filteredCiphers = ciphers
+            .Where(c => cipherIdsSet.Contains(c.Id))
+            .GroupBy(c => c.OrganizationId)
+            .SelectMany(group =>
+            {
+                var organizationAbility = group.Key.HasValue &&
+                    organizationAbilities.TryGetValue(group.Key.Value, out var ability) ?
+                    ability : null;
+
+                return group.Where(c => NormalCipherPermissions.CanDelete(user, c, organizationAbility));
+            })
+            .ToList();
+
+        return filteredCiphers;
+    }
 }
diff --git a/test/Api.Test/Vault/Controllers/CiphersControllerTests.cs b/test/Api.Test/Vault/Controllers/CiphersControllerTests.cs
index 14013d9c1c..0bdc6ab545 100644
--- a/test/Api.Test/Vault/Controllers/CiphersControllerTests.cs
+++ b/test/Api.Test/Vault/Controllers/CiphersControllerTests.cs
@@ -157,9 +157,9 @@ public class CiphersControllerTests
     [BitAutoData(OrganizationUserType.Custom, false, false)]
     public async Task CanEditCiphersAsAdminAsync_FlexibleCollections_Success(
         OrganizationUserType userType, bool allowAdminsAccessToAllItems, bool shouldSucceed,
-        CurrentContextOrganization organization, Guid userId, Cipher cipher, SutProvider<CiphersController> sutProvider)
+        CurrentContextOrganization organization, Guid userId, CipherDetails cipherDetails, SutProvider<CiphersController> sutProvider)
     {
-        cipher.OrganizationId = organization.Id;
+        cipherDetails.OrganizationId = organization.Id;
         organization.Type = userType;
         if (userType == OrganizationUserType.Custom)
         {
@@ -169,8 +169,9 @@ public class CiphersControllerTests
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
         sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
 
-        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
-        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipher });
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherDetails.Id, userId).Returns(cipherDetails);
+
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipherDetails });
 
         sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(new OrganizationAbility
         {
@@ -180,13 +181,13 @@ public class CiphersControllerTests
 
         if (shouldSucceed)
         {
-            await sutProvider.Sut.DeleteAdmin(cipher.Id.ToString());
+            await sutProvider.Sut.DeleteAdmin(cipherDetails.Id);
             await sutProvider.GetDependency<ICipherService>().ReceivedWithAnyArgs()
                 .DeleteAsync(default, default);
         }
         else
         {
-            await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.DeleteAdmin(cipher.Id.ToString()));
+            await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.DeleteAdmin(cipherDetails.Id));
             await sutProvider.GetDependency<ICipherService>().DidNotReceiveWithAnyArgs()
                 .DeleteAsync(default, default);
         }
@@ -197,10 +198,10 @@ public class CiphersControllerTests
     [BitAutoData(false)]
     [BitAutoData(true)]
     public async Task CanEditCiphersAsAdminAsync_Providers(
-        bool restrictProviders, Cipher cipher, CurrentContextOrganization organization, Guid userId, SutProvider<CiphersController> sutProvider
+        bool restrictProviders, CipherDetails cipherDetails, CurrentContextOrganization organization, Guid userId, SutProvider<CiphersController> sutProvider
     )
     {
-        cipher.OrganizationId = organization.Id;
+        cipherDetails.OrganizationId = organization.Id;
 
         // Simulate that the user is a provider for the organization
         sutProvider.GetDependency<ICurrentContext>().EditAnyCollection(organization.Id).Returns(true);
@@ -208,8 +209,8 @@ public class CiphersControllerTests
 
         sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
 
-        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
-        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipher });
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherDetails.Id, userId).Returns(cipherDetails);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipherDetails });
 
         sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(new OrganizationAbility
         {
@@ -221,13 +222,13 @@ public class CiphersControllerTests
         // Non restricted providers should succeed
         if (!restrictProviders)
         {
-            await sutProvider.Sut.DeleteAdmin(cipher.Id.ToString());
+            await sutProvider.Sut.DeleteAdmin(cipherDetails.Id);
             await sutProvider.GetDependency<ICipherService>().ReceivedWithAnyArgs()
                 .DeleteAsync(default, default);
         }
         else // Otherwise, they should fail
         {
-            await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.DeleteAdmin(cipher.Id.ToString()));
+            await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.DeleteAdmin(cipherDetails.Id));
             await sutProvider.GetDependency<ICipherService>().DidNotReceiveWithAnyArgs()
                 .DeleteAsync(default, default);
         }
@@ -238,93 +239,202 @@ public class CiphersControllerTests
     [Theory]
     [BitAutoData(OrganizationUserType.Owner)]
     [BitAutoData(OrganizationUserType.Admin)]
-    public async Task DeleteAdmin_WithOwnerOrAdmin_WithAccessToSpecificCipher_DeletesCipher(
-        OrganizationUserType organizationUserType, Cipher cipher, Guid userId,
+    public async Task DeleteAdmin_WithOwnerOrAdmin_WithEditPermission_DeletesCipher(
+        OrganizationUserType organizationUserType, CipherDetails cipherDetails, Guid userId,
         CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
     {
-        cipher.OrganizationId = organization.Id;
+        cipherDetails.UserId = null;
+        cipherDetails.OrganizationId = organization.Id;
+        cipherDetails.Edit = true;
+        cipherDetails.Manage = false;
+
         organization.Type = organizationUserType;
 
         sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherDetails.Id, userId).Returns(cipherDetails);
         sutProvider.GetDependency<ICipherRepository>()
             .GetManyByUserIdAsync(userId)
             .Returns(new List<CipherDetails>
             {
-                new() { Id = cipher.Id, OrganizationId = cipher.OrganizationId, Edit = true }
+                cipherDetails
             });
 
-        await sutProvider.Sut.DeleteAdmin(cipher.Id.ToString());
+        await sutProvider.Sut.DeleteAdmin(cipherDetails.Id);
 
-        await sutProvider.GetDependency<ICipherService>().Received(1).DeleteAsync(cipher, userId, true);
+        await sutProvider.GetDependency<ICipherService>().Received(1).DeleteAsync(cipherDetails, userId, true);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task DeleteAdmin_WithOwnerOrAdmin_WithoutEditPermission_ThrowsNotFoundException(
+        OrganizationUserType organizationUserType, CipherDetails cipherDetails, Guid userId,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        cipherDetails.UserId = null;
+        cipherDetails.OrganizationId = organization.Id;
+        cipherDetails.Edit = false;
+        cipherDetails.Manage = false;
+
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherDetails.Id, userId).Returns(cipherDetails);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(userId)
+            .Returns(new List<CipherDetails>
+            {
+                cipherDetails
+            });
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.DeleteAdmin(cipherDetails.Id));
+
+        await sutProvider.GetDependency<ICipherService>().DidNotReceive().DeleteAsync(Arg.Any<CipherDetails>(), Arg.Any<Guid>(), Arg.Any<bool>());
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task DeleteAdmin_WithLimitItemDeletionEnabled_WithOwnerOrAdmin_WithManagePermission_DeletesCipher(
+        OrganizationUserType organizationUserType, CipherDetails cipherDetails, Guid userId,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        cipherDetails.UserId = null;
+        cipherDetails.OrganizationId = organization.Id;
+        cipherDetails.Edit = true;
+        cipherDetails.Manage = true;
+
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitItemDeletion).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(new User { Id = userId });
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherDetails.Id, userId).Returns(cipherDetails);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(userId)
+            .Returns(new List<CipherDetails>
+            {
+                cipherDetails
+            });
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilityAsync(organization.Id)
+            .Returns(new OrganizationAbility
+            {
+                Id = organization.Id,
+                LimitItemDeletion = true
+            });
+
+        await sutProvider.Sut.DeleteAdmin(cipherDetails.Id);
+
+        await sutProvider.GetDependency<ICipherService>().Received(1).DeleteAsync(cipherDetails, userId, true);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task DeleteAdmin_WithLimitItemDeletionEnabled_WithOwnerOrAdmin_WithoutManagePermission_ThrowsNotFoundException(
+        OrganizationUserType organizationUserType, CipherDetails cipherDetails, Guid userId,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        cipherDetails.UserId = null;
+        cipherDetails.OrganizationId = organization.Id;
+        cipherDetails.Edit = true;
+        cipherDetails.Manage = false;
+
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitItemDeletion).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(new User { Id = userId });
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherDetails.Id, userId).Returns(cipherDetails);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(userId)
+            .Returns(new List<CipherDetails>
+            {
+                cipherDetails
+            });
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilityAsync(organization.Id)
+            .Returns(new OrganizationAbility
+            {
+                Id = organization.Id,
+                LimitItemDeletion = true
+            });
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.DeleteAdmin(cipherDetails.Id));
+
+        await sutProvider.GetDependency<ICipherService>().DidNotReceive().DeleteAsync(Arg.Any<CipherDetails>(), Arg.Any<Guid>(), Arg.Any<bool>());
     }
 
     [Theory]
     [BitAutoData(OrganizationUserType.Owner)]
     [BitAutoData(OrganizationUserType.Admin)]
     public async Task DeleteAdmin_WithOwnerOrAdmin_WithAccessToUnassignedCipher_DeletesCipher(
-        OrganizationUserType organizationUserType, Cipher cipher, Guid userId,
+        OrganizationUserType organizationUserType, CipherDetails cipherDetails, Guid userId,
         CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
     {
-        cipher.OrganizationId = organization.Id;
+        cipherDetails.OrganizationId = organization.Id;
         organization.Type = organizationUserType;
 
         sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherDetails.Id, userId).Returns(cipherDetails);
         sutProvider.GetDependency<ICipherRepository>()
             .GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(organization.Id)
-            .Returns(new List<CipherOrganizationDetails> { new() { Id = cipher.Id } });
+            .Returns(new List<CipherOrganizationDetails> { new() { Id = cipherDetails.Id } });
 
-        await sutProvider.Sut.DeleteAdmin(cipher.Id.ToString());
+        await sutProvider.Sut.DeleteAdmin(cipherDetails.Id);
 
-        await sutProvider.GetDependency<ICipherService>().Received(1).DeleteAsync(cipher, userId, true);
+        await sutProvider.GetDependency<ICipherService>().Received(1).DeleteAsync(cipherDetails, userId, true);
     }
 
     [Theory]
     [BitAutoData(OrganizationUserType.Owner)]
     [BitAutoData(OrganizationUserType.Admin)]
-    public async Task DeleteAdmin_WithAdminOrOwnerAndAccessToAllCollectionItems_DeletesCipher(
-        OrganizationUserType organizationUserType, Cipher cipher, Guid userId,
+    public async Task DeleteAdmin_WithAdminOrOwner_WithAccessToAllCollectionItems_DeletesCipher(
+        OrganizationUserType organizationUserType, CipherDetails cipherDetails, Guid userId,
         CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
     {
-        cipher.OrganizationId = organization.Id;
+        cipherDetails.OrganizationId = organization.Id;
         organization.Type = organizationUserType;
 
         sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
-        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipher });
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherDetails.Id, userId).Returns(cipherDetails);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipherDetails });
         sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(new OrganizationAbility
         {
             Id = organization.Id,
             AllowAdminAccessToAllCollectionItems = true
         });
 
-        await sutProvider.Sut.DeleteAdmin(cipher.Id.ToString());
+        await sutProvider.Sut.DeleteAdmin(cipherDetails.Id);
 
-        await sutProvider.GetDependency<ICipherService>().Received(1).DeleteAsync(cipher, userId, true);
+        await sutProvider.GetDependency<ICipherService>().Received(1).DeleteAsync(cipherDetails, userId, true);
     }
 
     [Theory]
     [BitAutoData]
     public async Task DeleteAdmin_WithCustomUser_WithEditAnyCollectionTrue_DeletesCipher(
-        Cipher cipher, Guid userId,
+        CipherDetails cipherDetails, Guid userId,
         CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
     {
-        cipher.OrganizationId = organization.Id;
+        cipherDetails.OrganizationId = organization.Id;
         organization.Type = OrganizationUserType.Custom;
         organization.Permissions.EditAnyCollection = true;
 
         sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
-        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipher });
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherDetails.Id, userId).Returns(cipherDetails);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipherDetails });
 
-        await sutProvider.Sut.DeleteAdmin(cipher.Id.ToString());
+        await sutProvider.Sut.DeleteAdmin(cipherDetails.Id);
 
-        await sutProvider.GetDependency<ICipherService>().Received(1).DeleteAsync(cipher, userId, true);
+        await sutProvider.GetDependency<ICipherService>().Received(1).DeleteAsync(cipherDetails, userId, true);
     }
 
     [Theory]
@@ -341,24 +451,24 @@ public class CiphersControllerTests
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
         sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
 
-        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.DeleteAdmin(cipher.Id.ToString()));
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.DeleteAdmin(cipher.Id));
     }
 
     [Theory]
     [BitAutoData]
     public async Task DeleteAdmin_WithProviderUser_DeletesCipher(
-        Cipher cipher, Guid userId, SutProvider<CiphersController> sutProvider)
+        CipherDetails cipherDetails, Guid userId, SutProvider<CiphersController> sutProvider)
     {
-        cipher.OrganizationId = Guid.NewGuid();
+        cipherDetails.OrganizationId = Guid.NewGuid();
 
         sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
-        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(cipher.OrganizationId.Value).Returns(true);
-        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
-        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(cipher.OrganizationId.Value).Returns(new List<Cipher> { cipher });
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(cipherDetails.OrganizationId.Value).Returns(true);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherDetails.Id, userId).Returns(cipherDetails);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(cipherDetails.OrganizationId.Value).Returns(new List<Cipher> { cipherDetails });
 
-        await sutProvider.Sut.DeleteAdmin(cipher.Id.ToString());
+        await sutProvider.Sut.DeleteAdmin(cipherDetails.Id);
 
-        await sutProvider.GetDependency<ICipherService>().Received(1).DeleteAsync(cipher, userId, true);
+        await sutProvider.GetDependency<ICipherService>().Received(1).DeleteAsync(cipherDetails, userId, true);
     }
 
     [Theory]
@@ -373,13 +483,13 @@ public class CiphersControllerTests
         sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
         sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.RestrictProviderAccess).Returns(true);
 
-        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.DeleteAdmin(cipher.Id.ToString()));
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.DeleteAdmin(cipher.Id));
     }
 
     [Theory]
     [BitAutoData(OrganizationUserType.Owner)]
     [BitAutoData(OrganizationUserType.Admin)]
-    public async Task DeleteManyAdmin_WithOwnerOrAdmin_WithAccessToSpecificCiphers_DeletesCiphers(
+    public async Task DeleteManyAdmin_WithOwnerOrAdmin_WithEditPermission_DeletesCiphers(
         OrganizationUserType organizationUserType, CipherBulkDeleteRequestModel model, Guid userId, List<Cipher> ciphers,
         CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
     {
@@ -408,6 +518,122 @@ public class CiphersControllerTests
                 userId, organization.Id, true);
     }
 
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task DeleteManyAdmin_WithOwnerOrAdmin_WithoutEditPermission_ThrowsNotFoundException(
+        OrganizationUserType organizationUserType, CipherBulkDeleteRequestModel model, Guid userId, List<Cipher> ciphers,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = organization.Id.ToString();
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IUserService>()
+            .GetProperUserId(default)
+            .ReturnsForAnyArgs(userId);
+
+        sutProvider.GetDependency<ICurrentContext>()
+            .GetOrganization(new Guid(model.OrganizationId))
+            .Returns(organization);
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByOrganizationIdAsync(new Guid(model.OrganizationId))
+            .Returns(ciphers);
+
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilityAsync(new Guid(model.OrganizationId))
+            .Returns(new OrganizationAbility
+            {
+                Id = new Guid(model.OrganizationId),
+                AllowAdminAccessToAllCollectionItems = false,
+            });
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.DeleteManyAdmin(model));
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task DeleteManyAdmin_WithLimitItemDeletionEnabled_WithOwnerOrAdmin_WithManagePermission_DeletesCiphers(
+        OrganizationUserType organizationUserType, CipherBulkDeleteRequestModel model, Guid userId, List<Cipher> ciphers,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = organization.Id.ToString();
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitItemDeletion).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(new User { Id = userId });
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(userId)
+            .Returns(ciphers.Select(c => new CipherDetails
+            {
+                Id = c.Id,
+                OrganizationId = organization.Id,
+                Edit = true,
+                Manage = true
+            }).ToList());
+
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilityAsync(organization.Id)
+            .Returns(new OrganizationAbility
+            {
+                Id = organization.Id,
+                LimitItemDeletion = true
+            });
+
+        await sutProvider.Sut.DeleteManyAdmin(model);
+
+        await sutProvider.GetDependency<ICipherService>()
+            .Received(1)
+            .DeleteManyAsync(
+                Arg.Is<IEnumerable<Guid>>(ids =>
+                    ids.All(id => model.Ids.Contains(id.ToString())) && ids.Count() == model.Ids.Count()),
+                userId, organization.Id, true);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task DeleteManyAdmin_WithLimitItemDeletionEnabled_WithOwnerOrAdmin_WithoutManagePermission_ThrowsNotFoundException(
+        OrganizationUserType organizationUserType, CipherBulkDeleteRequestModel model, Guid userId, List<Cipher> ciphers,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = organization.Id.ToString();
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitItemDeletion).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(new User { Id = userId });
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(userId)
+            .Returns(ciphers.Select(c => new CipherDetails
+            {
+                Id = c.Id,
+                OrganizationId = organization.Id,
+                Edit = true,
+                Manage = false
+            }).ToList());
+
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilityAsync(organization.Id)
+            .Returns(new OrganizationAbility
+            {
+                Id = organization.Id,
+                LimitItemDeletion = true
+            });
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.DeleteManyAdmin(model));
+    }
+
     [Theory]
     [BitAutoData(OrganizationUserType.Owner)]
     [BitAutoData(OrganizationUserType.Admin)]
@@ -555,94 +781,203 @@ public class CiphersControllerTests
     [Theory]
     [BitAutoData(OrganizationUserType.Owner)]
     [BitAutoData(OrganizationUserType.Admin)]
-    public async Task PutDeleteAdmin_WithOwnerOrAdmin_WithAccessToSpecificCipher_SoftDeletesCipher(
-        OrganizationUserType organizationUserType, Cipher cipher, Guid userId,
+    public async Task PutDeleteAdmin_WithOwnerOrAdmin_WithEditPermission_SoftDeletesCipher(
+        OrganizationUserType organizationUserType, CipherDetails cipherDetails, Guid userId,
         CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
     {
-        cipher.OrganizationId = organization.Id;
+        cipherDetails.UserId = null;
+        cipherDetails.OrganizationId = organization.Id;
+        cipherDetails.Edit = true;
+
         organization.Type = organizationUserType;
 
         sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
-        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherDetails.Id, userId).Returns(cipherDetails);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
         sutProvider.GetDependency<ICipherRepository>()
             .GetManyByUserIdAsync(userId)
             .Returns(new List<CipherDetails>
             {
-                new() { Id = cipher.Id, OrganizationId = cipher.OrganizationId, Edit = true }
+                cipherDetails
             });
 
-        await sutProvider.Sut.PutDeleteAdmin(cipher.Id.ToString());
+        await sutProvider.Sut.PutDeleteAdmin(cipherDetails.Id);
 
-        await sutProvider.GetDependency<ICipherService>().Received(1).SoftDeleteAsync(cipher, userId, true);
+        await sutProvider.GetDependency<ICipherService>().Received(1).SoftDeleteAsync(cipherDetails, userId, true);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task PutDeleteAdmin_WithOwnerOrAdmin_WithoutEditPermission_ThrowsNotFoundException(
+        OrganizationUserType organizationUserType, CipherDetails cipherDetails, Guid userId,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        cipherDetails.UserId = null;
+        cipherDetails.OrganizationId = organization.Id;
+        cipherDetails.Edit = false;
+        cipherDetails.Manage = false;
+
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherDetails.Id, userId).Returns(cipherDetails);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(userId)
+            .Returns(new List<CipherDetails>
+            {
+                cipherDetails
+            });
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PutDeleteAdmin(cipherDetails.Id));
+
+        await sutProvider.GetDependency<ICipherService>().DidNotReceive().SoftDeleteAsync(Arg.Any<CipherDetails>(), Arg.Any<Guid>(), Arg.Any<bool>());
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task PutDeleteAdmin_WithLimitItemDeletionEnabled_WithOwnerOrAdmin_WithManagePermission_SoftDeletesCipher(
+        OrganizationUserType organizationUserType, CipherDetails cipherDetails, Guid userId,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        cipherDetails.UserId = null;
+        cipherDetails.OrganizationId = organization.Id;
+        cipherDetails.Edit = true;
+        cipherDetails.Manage = true;
+
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitItemDeletion).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(new User { Id = userId });
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherDetails.Id, userId).Returns(cipherDetails);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(userId)
+            .Returns(new List<CipherDetails>
+            {
+                cipherDetails
+            });
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilityAsync(organization.Id)
+            .Returns(new OrganizationAbility
+            {
+                Id = organization.Id,
+                LimitItemDeletion = true
+            });
+
+        await sutProvider.Sut.PutDeleteAdmin(cipherDetails.Id);
+
+        await sutProvider.GetDependency<ICipherService>().Received(1).SoftDeleteAsync(cipherDetails, userId, true);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task PutDeleteAdmin_WithLimitItemDeletionEnabled_WithOwnerOrAdmin_WithoutManagePermission_ThrowsNotFoundException(
+        OrganizationUserType organizationUserType, CipherDetails cipherDetails, Guid userId,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        cipherDetails.UserId = null;
+        cipherDetails.OrganizationId = organization.Id;
+        cipherDetails.Edit = true;
+        cipherDetails.Manage = false;
+
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitItemDeletion).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(new User { Id = userId });
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(userId)
+            .Returns(new List<CipherDetails>
+            {
+                cipherDetails
+            });
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilityAsync(organization.Id)
+            .Returns(new OrganizationAbility
+            {
+                Id = organization.Id,
+                LimitItemDeletion = true
+            });
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PutDeleteAdmin(cipherDetails.Id));
+
+        await sutProvider.GetDependency<ICipherService>()
+            .DidNotReceiveWithAnyArgs()
+            .SoftDeleteManyAsync(default, default, default, default);
     }
 
     [Theory]
     [BitAutoData(OrganizationUserType.Owner)]
     [BitAutoData(OrganizationUserType.Admin)]
     public async Task PutDeleteAdmin_WithOwnerOrAdmin_WithAccessToUnassignedCipher_SoftDeletesCipher(
-        OrganizationUserType organizationUserType, Cipher cipher, Guid userId,
+        OrganizationUserType organizationUserType, CipherDetails cipherDetails, Guid userId,
         CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
     {
-        cipher.OrganizationId = organization.Id;
+        cipherDetails.OrganizationId = organization.Id;
         organization.Type = organizationUserType;
 
         sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
-        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherDetails.Id, userId).Returns(cipherDetails);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
 
         sutProvider.GetDependency<ICipherRepository>()
             .GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(organization.Id)
-            .Returns(new List<CipherOrganizationDetails> { new() { Id = cipher.Id } });
+            .Returns(new List<CipherOrganizationDetails> { new() { Id = cipherDetails.Id } });
 
-        await sutProvider.Sut.PutDeleteAdmin(cipher.Id.ToString());
+        await sutProvider.Sut.PutDeleteAdmin(cipherDetails.Id);
 
-        await sutProvider.GetDependency<ICipherService>().Received(1).SoftDeleteAsync(cipher, userId, true);
+        await sutProvider.GetDependency<ICipherService>().Received(1).SoftDeleteAsync(cipherDetails, userId, true);
     }
 
     [Theory]
     [BitAutoData(OrganizationUserType.Owner)]
     [BitAutoData(OrganizationUserType.Admin)]
     public async Task PutDeleteAdmin_WithOwnerOrAdmin_WithAccessToAllCollectionItems_SoftDeletesCipher(
-        OrganizationUserType organizationUserType, Cipher cipher, Guid userId,
+        OrganizationUserType organizationUserType, CipherDetails cipherDetails, Guid userId,
         CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
     {
-        cipher.OrganizationId = organization.Id;
+        cipherDetails.OrganizationId = organization.Id;
         organization.Type = organizationUserType;
 
         sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
-        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherDetails.Id, userId).Returns(cipherDetails);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipher });
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipherDetails });
         sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(new OrganizationAbility
         {
             Id = organization.Id,
             AllowAdminAccessToAllCollectionItems = true
         });
 
-        await sutProvider.Sut.PutDeleteAdmin(cipher.Id.ToString());
+        await sutProvider.Sut.PutDeleteAdmin(cipherDetails.Id);
 
-        await sutProvider.GetDependency<ICipherService>().Received(1).SoftDeleteAsync(cipher, userId, true);
+        await sutProvider.GetDependency<ICipherService>().Received(1).SoftDeleteAsync(cipherDetails, userId, true);
     }
 
     [Theory]
     [BitAutoData]
     public async Task PutDeleteAdmin_WithCustomUser_WithEditAnyCollectionTrue_SoftDeletesCipher(
-        Cipher cipher, Guid userId,
+        CipherDetails cipherDetails, Guid userId,
         CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
     {
-        cipher.OrganizationId = organization.Id;
+        cipherDetails.OrganizationId = organization.Id;
         organization.Type = OrganizationUserType.Custom;
         organization.Permissions.EditAnyCollection = true;
 
         sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
-        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherDetails.Id, userId).Returns(cipherDetails);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipher });
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipherDetails });
 
-        await sutProvider.Sut.PutDeleteAdmin(cipher.Id.ToString());
+        await sutProvider.Sut.PutDeleteAdmin(cipherDetails.Id);
 
-        await sutProvider.GetDependency<ICipherService>().Received(1).SoftDeleteAsync(cipher, userId, true);
+        await sutProvider.GetDependency<ICipherService>().Received(1).SoftDeleteAsync(cipherDetails, userId, true);
     }
 
     [Theory]
@@ -660,24 +995,24 @@ public class CiphersControllerTests
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
         sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipher });
 
-        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PutDeleteAdmin(cipher.Id.ToString()));
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PutDeleteAdmin(cipher.Id));
     }
 
     [Theory]
     [BitAutoData]
     public async Task PutDeleteAdmin_WithProviderUser_SoftDeletesCipher(
-        Cipher cipher, Guid userId, SutProvider<CiphersController> sutProvider)
+        CipherDetails cipherDetails, Guid userId, SutProvider<CiphersController> sutProvider)
     {
-        cipher.OrganizationId = Guid.NewGuid();
+        cipherDetails.OrganizationId = Guid.NewGuid();
 
         sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
-        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(cipher.OrganizationId.Value).Returns(true);
-        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
-        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(cipher.OrganizationId.Value).Returns(new List<Cipher> { cipher });
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(cipherDetails.OrganizationId.Value).Returns(true);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherDetails.Id, userId).Returns(cipherDetails);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(cipherDetails.OrganizationId.Value).Returns(new List<Cipher> { cipherDetails });
 
-        await sutProvider.Sut.PutDeleteAdmin(cipher.Id.ToString());
+        await sutProvider.Sut.PutDeleteAdmin(cipherDetails.Id);
 
-        await sutProvider.GetDependency<ICipherService>().Received(1).SoftDeleteAsync(cipher, userId, true);
+        await sutProvider.GetDependency<ICipherService>().Received(1).SoftDeleteAsync(cipherDetails, userId, true);
     }
 
     [Theory]
@@ -692,13 +1027,13 @@ public class CiphersControllerTests
         sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipher.Id).Returns(cipher);
         sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.RestrictProviderAccess).Returns(true);
 
-        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PutDeleteAdmin(cipher.Id.ToString()));
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PutDeleteAdmin(cipher.Id));
     }
 
     [Theory]
     [BitAutoData(OrganizationUserType.Owner)]
     [BitAutoData(OrganizationUserType.Admin)]
-    public async Task PutDeleteManyAdmin_WithOwnerOrAdmin_WithAccessToSpecificCiphers_SoftDeletesCiphers(
+    public async Task PutDeleteManyAdmin_WithOwnerOrAdmin_WithEditPermission_SoftDeletesCiphers(
         OrganizationUserType organizationUserType, CipherBulkDeleteRequestModel model, Guid userId, List<Cipher> ciphers,
         CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
     {
@@ -727,6 +1062,113 @@ public class CiphersControllerTests
                 userId, organization.Id, true);
     }
 
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task PutDeleteManyAdmin_WithOwnerOrAdmin_WithoutEditPermission_ThrowsNotFoundException(
+        OrganizationUserType organizationUserType, CipherBulkDeleteRequestModel model, Guid userId, List<Cipher> ciphers,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = organization.Id.ToString();
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(userId)
+            .Returns(ciphers.Select(c => new CipherDetails
+            {
+                Id = c.Id,
+                OrganizationId = organization.Id,
+                Edit = false
+            }).ToList());
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PutDeleteManyAdmin(model));
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task PutDeleteManyAdmin_WithLimitItemDeletionEnabled_WithOwnerOrAdmin_WithManagePermission_SoftDeletesCiphers(
+        OrganizationUserType organizationUserType, CipherBulkDeleteRequestModel model, Guid userId, List<Cipher> ciphers,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = organization.Id.ToString();
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitItemDeletion).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(new User { Id = userId });
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(userId)
+            .Returns(ciphers.Select(c => new CipherDetails
+            {
+                Id = c.Id,
+                OrganizationId = organization.Id,
+                Edit = true,
+                Manage = true
+            }).ToList());
+
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilityAsync(organization.Id)
+            .Returns(new OrganizationAbility
+            {
+                Id = organization.Id,
+                LimitItemDeletion = true
+            });
+
+        await sutProvider.Sut.PutDeleteManyAdmin(model);
+
+        await sutProvider.GetDependency<ICipherService>()
+            .Received(1)
+            .SoftDeleteManyAsync(
+                Arg.Is<IEnumerable<Guid>>(ids =>
+                    ids.All(id => model.Ids.Contains(id.ToString())) && ids.Count() == model.Ids.Count()),
+                userId, organization.Id, true);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task PutDeleteManyAdmin_WithLimitItemDeletionEnabled_WithOwnerOrAdmin_WithoutManagePermission_ThrowsNotFoundException(
+        OrganizationUserType organizationUserType, CipherBulkDeleteRequestModel model, Guid userId, List<Cipher> ciphers,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = organization.Id.ToString();
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitItemDeletion).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(new User { Id = userId });
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(userId)
+            .Returns(ciphers.Select(c => new CipherDetails
+            {
+                Id = c.Id,
+                OrganizationId = organization.Id,
+                Edit = true,
+                Manage = false
+            }).ToList());
+
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilityAsync(organization.Id)
+            .Returns(new OrganizationAbility
+            {
+                Id = organization.Id,
+                LimitItemDeletion = true
+            });
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PutDeleteManyAdmin(model));
+    }
+
     [Theory]
     [BitAutoData(OrganizationUserType.Owner)]
     [BitAutoData(OrganizationUserType.Admin)]
@@ -874,170 +1316,273 @@ public class CiphersControllerTests
     [Theory]
     [BitAutoData(OrganizationUserType.Owner)]
     [BitAutoData(OrganizationUserType.Admin)]
-    public async Task PutRestoreAdmin_WithOwnerOrAdmin_WithAccessToSpecificCipher_RestoresCipher(
-        OrganizationUserType organizationUserType, CipherDetails cipher, Guid userId,
+    public async Task PutRestoreAdmin_WithOwnerOrAdmin_WithEditPermission_RestoresCipher(
+        OrganizationUserType organizationUserType, CipherDetails cipherDetails, Guid userId,
         CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
     {
-        cipher.OrganizationId = organization.Id;
-        cipher.Type = CipherType.Login;
-        cipher.Data = JsonSerializer.Serialize(new CipherLoginData());
+        cipherDetails.UserId = null;
+        cipherDetails.OrganizationId = organization.Id;
+        cipherDetails.Type = CipherType.Login;
+        cipherDetails.Data = JsonSerializer.Serialize(new CipherLoginData());
+        cipherDetails.Edit = true;
+
         organization.Type = organizationUserType;
 
         sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
-        sutProvider.GetDependency<ICipherRepository>().GetOrganizationDetailsByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherDetails.Id, userId).Returns(cipherDetails);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
         sutProvider.GetDependency<ICipherRepository>()
             .GetManyByUserIdAsync(userId)
             .Returns(new List<CipherDetails>
             {
-                new() { Id = cipher.Id, OrganizationId = cipher.OrganizationId, Edit = true }
+                cipherDetails
             });
 
-        var result = await sutProvider.Sut.PutRestoreAdmin(cipher.Id.ToString());
+        var result = await sutProvider.Sut.PutRestoreAdmin(cipherDetails.Id);
 
-        Assert.NotNull(result);
         Assert.IsType<CipherMiniResponseModel>(result);
-        await sutProvider.GetDependency<ICipherService>().Received(1).RestoreAsync(cipher, userId, true);
+        await sutProvider.GetDependency<ICipherService>().Received(1).RestoreAsync(cipherDetails, userId, true);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task PutRestoreAdmin_WithOwnerOrAdmin_WithoutEditPermission_ThrowsNotFoundException(
+        OrganizationUserType organizationUserType, CipherDetails cipherDetails, Guid userId,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        cipherDetails.UserId = null;
+        cipherDetails.OrganizationId = organization.Id;
+        cipherDetails.Edit = false;
+        cipherDetails.Manage = false;
+
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherDetails.Id, userId).Returns(cipherDetails);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(userId)
+            .Returns(new List<CipherDetails>
+            {
+                cipherDetails
+            });
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PutRestoreAdmin(cipherDetails.Id));
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task PutRestoreAdmin_WithLimitItemDeletionEnabled_WithOwnerOrAdmin_WithManagePermission_RestoresCipher(
+        OrganizationUserType organizationUserType, CipherDetails cipherDetails, Guid userId,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        cipherDetails.UserId = null;
+        cipherDetails.OrganizationId = organization.Id;
+        cipherDetails.Type = CipherType.Login;
+        cipherDetails.Data = JsonSerializer.Serialize(new CipherLoginData());
+        cipherDetails.Edit = true;
+        cipherDetails.Manage = true;
+
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitItemDeletion).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(new User { Id = userId });
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherDetails.Id, userId).Returns(cipherDetails);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(userId)
+            .Returns(new List<CipherDetails>
+            {
+                cipherDetails
+            });
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilityAsync(organization.Id)
+            .Returns(new OrganizationAbility
+            {
+                Id = organization.Id,
+                LimitItemDeletion = true
+            });
+
+        var result = await sutProvider.Sut.PutRestoreAdmin(cipherDetails.Id);
+
+        Assert.IsType<CipherMiniResponseModel>(result);
+        await sutProvider.GetDependency<ICipherService>().Received(1).RestoreAsync(cipherDetails, userId, true);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task PutRestoreAdmin_WithLimitItemDeletionEnabled_WithOwnerOrAdmin_WithoutManagePermission_ThrowsNotFoundException(
+        OrganizationUserType organizationUserType, CipherDetails cipherDetails, Guid userId,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        cipherDetails.UserId = null;
+        cipherDetails.OrganizationId = organization.Id;
+        cipherDetails.Edit = true;
+        cipherDetails.Manage = false;
+
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitItemDeletion).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(new User { Id = userId });
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherDetails.Id, userId).Returns(cipherDetails);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(userId)
+            .Returns(new List<CipherDetails>
+            {
+                cipherDetails
+            });
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilityAsync(organization.Id)
+            .Returns(new OrganizationAbility
+            {
+                Id = organization.Id,
+                LimitItemDeletion = true
+            });
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PutRestoreAdmin(cipherDetails.Id));
     }
 
     [Theory]
     [BitAutoData(OrganizationUserType.Owner)]
     [BitAutoData(OrganizationUserType.Admin)]
     public async Task PutRestoreAdmin_WithOwnerOrAdmin_WithAccessToUnassignedCipher_RestoresCipher(
-        OrganizationUserType organizationUserType, CipherDetails cipher, Guid userId,
+        OrganizationUserType organizationUserType, CipherDetails cipherDetails, Guid userId,
         CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
     {
-        cipher.OrganizationId = organization.Id;
-        cipher.Type = CipherType.Login;
-        cipher.Data = JsonSerializer.Serialize(new CipherLoginData());
+        cipherDetails.OrganizationId = organization.Id;
+        cipherDetails.Type = CipherType.Login;
+        cipherDetails.Data = JsonSerializer.Serialize(new CipherLoginData());
         organization.Type = organizationUserType;
 
         sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
-        sutProvider.GetDependency<ICipherRepository>().GetOrganizationDetailsByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherDetails.Id, userId).Returns(cipherDetails);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
         sutProvider.GetDependency<ICipherRepository>()
             .GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(organization.Id)
-            .Returns(new List<CipherOrganizationDetails> { new() { Id = cipher.Id } });
+            .Returns(new List<CipherOrganizationDetails> { new() { Id = cipherDetails.Id } });
 
-        var result = await sutProvider.Sut.PutRestoreAdmin(cipher.Id.ToString());
+        var result = await sutProvider.Sut.PutRestoreAdmin(cipherDetails.Id);
 
-        Assert.NotNull(result);
         Assert.IsType<CipherMiniResponseModel>(result);
-        await sutProvider.GetDependency<ICipherService>().Received(1).RestoreAsync(cipher, userId, true);
+        await sutProvider.GetDependency<ICipherService>().Received(1).RestoreAsync(cipherDetails, userId, true);
     }
 
     [Theory]
     [BitAutoData(OrganizationUserType.Owner)]
     [BitAutoData(OrganizationUserType.Admin)]
     public async Task PutRestoreAdmin_WithOwnerOrAdmin_WithAccessToAllCollectionItems_RestoresCipher(
-        OrganizationUserType organizationUserType, CipherDetails cipher, Guid userId,
+        OrganizationUserType organizationUserType, CipherDetails cipherDetails, Guid userId,
         CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
     {
-        cipher.OrganizationId = organization.Id;
-        cipher.Type = CipherType.Login;
-        cipher.Data = JsonSerializer.Serialize(new CipherLoginData());
+        cipherDetails.OrganizationId = organization.Id;
+        cipherDetails.Type = CipherType.Login;
+        cipherDetails.Data = JsonSerializer.Serialize(new CipherLoginData());
         organization.Type = organizationUserType;
 
         sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
-        sutProvider.GetDependency<ICipherRepository>().GetOrganizationDetailsByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherDetails.Id, userId).Returns(cipherDetails);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipher });
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipherDetails });
         sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(new OrganizationAbility
         {
             Id = organization.Id,
             AllowAdminAccessToAllCollectionItems = true
         });
 
-        var result = await sutProvider.Sut.PutRestoreAdmin(cipher.Id.ToString());
+        var result = await sutProvider.Sut.PutRestoreAdmin(cipherDetails.Id);
 
-        Assert.NotNull(result);
-        await sutProvider.GetDependency<ICipherService>().Received(1).RestoreAsync(cipher, userId, true);
+        Assert.IsType<CipherMiniResponseModel>(result);
+        await sutProvider.GetDependency<ICipherService>().Received(1).RestoreAsync(cipherDetails, userId, true);
     }
 
     [Theory]
     [BitAutoData]
     public async Task PutRestoreAdmin_WithCustomUser_WithEditAnyCollectionTrue_RestoresCipher(
-        CipherDetails cipher, Guid userId,
+        CipherDetails cipherDetails, Guid userId,
         CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
     {
-        cipher.OrganizationId = organization.Id;
-        cipher.Type = CipherType.Login;
-        cipher.Data = JsonSerializer.Serialize(new CipherLoginData());
+        cipherDetails.OrganizationId = organization.Id;
+        cipherDetails.Type = CipherType.Login;
+        cipherDetails.Data = JsonSerializer.Serialize(new CipherLoginData());
         organization.Type = OrganizationUserType.Custom;
         organization.Permissions.EditAnyCollection = true;
 
         sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
-        sutProvider.GetDependency<ICipherRepository>().GetOrganizationDetailsByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherDetails.Id, userId).Returns(cipherDetails);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipher });
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipherDetails });
 
-        var result = await sutProvider.Sut.PutRestoreAdmin(cipher.Id.ToString());
+        var result = await sutProvider.Sut.PutRestoreAdmin(cipherDetails.Id);
 
-        Assert.NotNull(result);
         Assert.IsType<CipherMiniResponseModel>(result);
-        await sutProvider.GetDependency<ICipherService>().Received(1).RestoreAsync(cipher, userId, true);
+        await sutProvider.GetDependency<ICipherService>().Received(1).RestoreAsync(cipherDetails, userId, true);
     }
 
     [Theory]
     [BitAutoData]
     public async Task PutRestoreAdmin_WithCustomUser_WithEditAnyCollectionFalse_ThrowsNotFoundException(
-        CipherDetails cipher, Guid userId,
+        CipherDetails cipherDetails, Guid userId,
         CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
     {
-        cipher.OrganizationId = organization.Id;
-        cipher.Type = CipherType.Login;
-        cipher.Data = JsonSerializer.Serialize(new CipherLoginData());
+        cipherDetails.OrganizationId = organization.Id;
+        cipherDetails.Type = CipherType.Login;
+        cipherDetails.Data = JsonSerializer.Serialize(new CipherLoginData());
         organization.Type = OrganizationUserType.Custom;
         organization.Permissions.EditAnyCollection = false;
 
         sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
-        sutProvider.GetDependency<ICipherRepository>().GetOrganizationDetailsByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICipherRepository>().GetOrganizationDetailsByIdAsync(cipherDetails.Id).Returns(cipherDetails);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipher });
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(new List<Cipher> { cipherDetails });
 
-        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PutRestoreAdmin(cipher.Id.ToString()));
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PutRestoreAdmin(cipherDetails.Id));
     }
 
     [Theory]
     [BitAutoData]
     public async Task PutRestoreAdmin_WithProviderUser_RestoresCipher(
-        CipherDetails cipher, Guid userId, SutProvider<CiphersController> sutProvider)
+        CipherDetails cipherDetails, Guid userId, SutProvider<CiphersController> sutProvider)
     {
-        cipher.OrganizationId = Guid.NewGuid();
-        cipher.Type = CipherType.Login;
-        cipher.Data = JsonSerializer.Serialize(new CipherLoginData());
+        cipherDetails.OrganizationId = Guid.NewGuid();
+        cipherDetails.Type = CipherType.Login;
+        cipherDetails.Data = JsonSerializer.Serialize(new CipherLoginData());
 
         sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
-        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(cipher.OrganizationId.Value).Returns(true);
-        sutProvider.GetDependency<ICipherRepository>().GetOrganizationDetailsByIdAsync(cipher.Id).Returns(cipher);
-        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(cipher.OrganizationId.Value).Returns(new List<Cipher> { cipher });
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(cipherDetails.OrganizationId.Value).Returns(true);
+        sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherDetails.Id, userId).Returns(cipherDetails);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(cipherDetails.OrganizationId.Value).Returns(new List<Cipher> { cipherDetails });
 
-        var result = await sutProvider.Sut.PutRestoreAdmin(cipher.Id.ToString());
+        var result = await sutProvider.Sut.PutRestoreAdmin(cipherDetails.Id);
 
-        Assert.NotNull(result);
         Assert.IsType<CipherMiniResponseModel>(result);
-        await sutProvider.GetDependency<ICipherService>().Received(1).RestoreAsync(cipher, userId, true);
+        await sutProvider.GetDependency<ICipherService>().Received(1).RestoreAsync(cipherDetails, userId, true);
     }
 
     [Theory]
     [BitAutoData]
     public async Task PutRestoreAdmin_WithProviderUser_WithRestrictProviderAccessTrue_ThrowsNotFoundException(
-        CipherDetails cipher, Guid userId, SutProvider<CiphersController> sutProvider)
+        CipherDetails cipherDetails, Guid userId, SutProvider<CiphersController> sutProvider)
     {
-        cipher.OrganizationId = Guid.NewGuid();
+        cipherDetails.OrganizationId = Guid.NewGuid();
 
         sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
-        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(cipher.OrganizationId.Value).Returns(true);
-        sutProvider.GetDependency<ICipherRepository>().GetOrganizationDetailsByIdAsync(cipher.Id).Returns(cipher);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(cipherDetails.OrganizationId.Value).Returns(true);
+        sutProvider.GetDependency<ICipherRepository>().GetOrganizationDetailsByIdAsync(cipherDetails.Id).Returns(cipherDetails);
         sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.RestrictProviderAccess).Returns(true);
 
-        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PutRestoreAdmin(cipher.Id.ToString()));
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PutRestoreAdmin(cipherDetails.Id));
     }
 
     [Theory]
     [BitAutoData(OrganizationUserType.Owner)]
     [BitAutoData(OrganizationUserType.Admin)]
-    public async Task PutRestoreManyAdmin_WithOwnerOrAdmin_WithAccessToSpecificCiphers_RestoresCiphers(
+    public async Task PutRestoreManyAdmin_WithOwnerOrAdmin_WithEditPermission_RestoresCiphers(
         OrganizationUserType organizationUserType, CipherBulkRestoreRequestModel model, Guid userId, List<Cipher> ciphers,
         CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
     {
@@ -1047,7 +1592,6 @@ public class CiphersControllerTests
 
         sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICipherRepository>().GetManyByOrganizationIdAsync(organization.Id).Returns(ciphers);
         sutProvider.GetDependency<ICipherRepository>()
             .GetManyByUserIdAsync(userId)
             .Returns(ciphers.Select(c => new CipherDetails
@@ -1071,7 +1615,6 @@ public class CiphersControllerTests
 
         var result = await sutProvider.Sut.PutRestoreManyAdmin(model);
 
-        Assert.NotNull(result);
         await sutProvider.GetDependency<ICipherService>().Received(1)
             .RestoreManyAsync(
                 Arg.Is<HashSet<Guid>>(ids =>
@@ -1079,6 +1622,130 @@ public class CiphersControllerTests
                 userId, organization.Id, true);
     }
 
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task PutRestoreManyAdmin_WithOwnerOrAdmin_WithoutEditPermission_ThrowsNotFoundException(
+        OrganizationUserType organizationUserType, CipherBulkRestoreRequestModel model, Guid userId, List<Cipher> ciphers,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = organization.Id;
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(userId)
+            .Returns(ciphers.Select(c => new CipherDetails
+            {
+                Id = c.Id,
+                OrganizationId = organization.Id,
+                Edit = false,
+                Type = CipherType.Login,
+                Data = JsonSerializer.Serialize(new CipherLoginData())
+            }).ToList());
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PutRestoreManyAdmin(model));
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task PutRestoreManyAdmin_WithLimitItemDeletionEnabled_WithOwnerOrAdmin_WithManagePermission_RestoresCiphers(
+        OrganizationUserType organizationUserType, CipherBulkRestoreRequestModel model, Guid userId, List<Cipher> ciphers,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = organization.Id;
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitItemDeletion).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(new User { Id = userId });
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(userId)
+            .Returns(ciphers.Select(c => new CipherDetails
+            {
+                Id = c.Id,
+                OrganizationId = organization.Id,
+                Edit = true,
+                Manage = true
+            }).ToList());
+
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilityAsync(organization.Id)
+            .Returns(new OrganizationAbility
+            {
+                Id = organization.Id,
+                LimitItemDeletion = true
+            });
+
+        var cipherOrgDetails = ciphers.Select(c => new CipherOrganizationDetails
+        {
+            Id = c.Id,
+            OrganizationId = organization.Id,
+            Type = CipherType.Login,
+            Data = JsonSerializer.Serialize(new CipherLoginData())
+        }).ToList();
+
+        sutProvider.GetDependency<ICipherService>()
+            .RestoreManyAsync(
+                Arg.Is<HashSet<Guid>>(ids =>
+                    ids.All(id => model.Ids.Contains(id.ToString())) && ids.Count == model.Ids.Count()),
+                userId, organization.Id, true)
+            .Returns(cipherOrgDetails);
+
+        var result = await sutProvider.Sut.PutRestoreManyAdmin(model);
+
+        Assert.Equal(ciphers.Count, result.Data.Count());
+        await sutProvider.GetDependency<ICipherService>()
+            .Received(1)
+            .RestoreManyAsync(
+                Arg.Is<HashSet<Guid>>(ids =>
+                    ids.All(id => model.Ids.Contains(id.ToString())) && ids.Count == model.Ids.Count()),
+                userId, organization.Id, true);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task PutRestoreManyAdmin_WithLimitItemDeletionEnabled_WithOwnerOrAdmin_WithoutManagePermission_ThrowsNotFoundException(
+        OrganizationUserType organizationUserType, CipherBulkRestoreRequestModel model, Guid userId, List<Cipher> ciphers,
+        CurrentContextOrganization organization, SutProvider<CiphersController> sutProvider)
+    {
+        model.OrganizationId = organization.Id;
+        model.Ids = ciphers.Select(c => c.Id.ToString()).ToList();
+        organization.Type = organizationUserType;
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.LimitItemDeletion).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(new User { Id = userId });
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(userId)
+            .Returns(ciphers.Select(c => new CipherDetails
+            {
+                Id = c.Id,
+                OrganizationId = organization.Id,
+                Edit = true,
+                Manage = false,
+                Type = CipherType.Login,
+                Data = JsonSerializer.Serialize(new CipherLoginData())
+            }).ToList());
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilityAsync(organization.Id)
+            .Returns(new OrganizationAbility
+            {
+                Id = organization.Id,
+                LimitItemDeletion = true
+            });
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PutRestoreManyAdmin(model));
+    }
+
     [Theory]
     [BitAutoData(OrganizationUserType.Owner)]
     [BitAutoData(OrganizationUserType.Admin)]
diff --git a/test/Core.Test/Vault/Services/CipherServiceTests.cs b/test/Core.Test/Vault/Services/CipherServiceTests.cs
index a7dcbddcea..ed07799c93 100644
--- a/test/Core.Test/Vault/Services/CipherServiceTests.cs
+++ b/test/Core.Test/Vault/Services/CipherServiceTests.cs
@@ -8,6 +8,7 @@ using Bit.Core.Billing.Enums;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -670,7 +671,7 @@ public class CipherServiceTests
 
     [Theory]
     [BitAutoData]
-    public async Task RestoreAsync_UpdatesUserCipher(Guid restoringUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+    public async Task RestoreAsync_UpdatesUserCipher(Guid restoringUserId, CipherDetails cipher, SutProvider<CipherService> sutProvider)
     {
         sutProvider.GetDependency<ICipherRepository>().GetCanEditByIdAsync(restoringUserId, cipher.Id).Returns(true);
 
@@ -687,7 +688,7 @@ public class CipherServiceTests
     [Theory]
     [OrganizationCipherCustomize]
     [BitAutoData]
-    public async Task RestoreAsync_UpdatesOrganizationCipher(Guid restoringUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+    public async Task RestoreAsync_UpdatesOrganizationCipher(Guid restoringUserId, CipherDetails cipher, SutProvider<CipherService> sutProvider)
     {
         sutProvider.GetDependency<ICipherRepository>().GetCanEditByIdAsync(restoringUserId, cipher.Id).Returns(true);
 
@@ -704,11 +705,11 @@ public class CipherServiceTests
     [Theory]
     [BitAutoData]
     public async Task RestoreAsync_WithAlreadyRestoredCipher_SkipsOperation(
-        Guid restoringUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+        Guid restoringUserId, CipherDetails cipherDetails, SutProvider<CipherService> sutProvider)
     {
-        cipher.DeletedDate = null;
+        cipherDetails.DeletedDate = null;
 
-        await sutProvider.Sut.RestoreAsync(cipher, restoringUserId, true);
+        await sutProvider.Sut.RestoreAsync(cipherDetails, restoringUserId, true);
 
         await sutProvider.GetDependency<ICipherRepository>().DidNotReceiveWithAnyArgs().UpsertAsync(default);
         await sutProvider.GetDependency<IEventService>().DidNotReceiveWithAnyArgs().LogCipherEventAsync(default, default);
@@ -718,13 +719,13 @@ public class CipherServiceTests
     [Theory]
     [BitAutoData]
     public async Task RestoreAsync_WithPersonalCipherBelongingToDifferentUser_ThrowsBadRequestException(
-        Guid restoringUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+        Guid restoringUserId, CipherDetails cipherDetails, SutProvider<CipherService> sutProvider)
     {
-        cipher.UserId = Guid.NewGuid();
-        cipher.OrganizationId = null;
+        cipherDetails.UserId = Guid.NewGuid();
+        cipherDetails.OrganizationId = null;
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.RestoreAsync(cipher, restoringUserId));
+            () => sutProvider.Sut.RestoreAsync(cipherDetails, restoringUserId));
 
         Assert.Contains("do not have permissions", exception.Message);
         await sutProvider.GetDependency<ICipherRepository>().DidNotReceiveWithAnyArgs().UpsertAsync(default);
@@ -736,14 +737,14 @@ public class CipherServiceTests
     [OrganizationCipherCustomize]
     [BitAutoData]
     public async Task RestoreAsync_WithOrgCipherLackingEditPermission_ThrowsBadRequestException(
-        Guid restoringUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+        Guid restoringUserId, CipherDetails cipherDetails, SutProvider<CipherService> sutProvider)
     {
         sutProvider.GetDependency<ICipherRepository>()
-            .GetCanEditByIdAsync(restoringUserId, cipher.Id)
+            .GetCanEditByIdAsync(restoringUserId, cipherDetails.Id)
             .Returns(false);
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.RestoreAsync(cipher, restoringUserId));
+            () => sutProvider.Sut.RestoreAsync(cipherDetails, restoringUserId));
 
         Assert.Contains("do not have permissions", exception.Message);
         await sutProvider.GetDependency<ICipherRepository>().DidNotReceiveWithAnyArgs().UpsertAsync(default);
@@ -753,7 +754,7 @@ public class CipherServiceTests
 
     [Theory]
     [BitAutoData]
-    public async Task RestoreAsync_WithCipherDetailsType_RestoresCipherDetails(
+    public async Task RestoreAsync_WithEditPermission_RestoresCipherDetails(
         Guid restoringUserId, CipherDetails cipherDetails, SutProvider<CipherService> sutProvider)
     {
         sutProvider.GetDependency<ICipherRepository>()
@@ -773,6 +774,91 @@ public class CipherServiceTests
         await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncCipherUpdateAsync(cipherDetails, null);
     }
 
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task RestoreAsync_WithOrgAdminOverride_RestoresCipher(
+        Guid restoringUserId, CipherDetails cipherDetails, SutProvider<CipherService> sutProvider)
+    {
+        cipherDetails.DeletedDate = DateTime.UtcNow;
+
+        await sutProvider.Sut.RestoreAsync(cipherDetails, restoringUserId, true);
+
+        Assert.Null(cipherDetails.DeletedDate);
+        Assert.NotEqual(DateTime.UtcNow, cipherDetails.RevisionDate);
+        await sutProvider.GetDependency<ICipherRepository>().Received(1).UpsertAsync(cipherDetails);
+        await sutProvider.GetDependency<IEventService>().Received(1).LogCipherEventAsync(cipherDetails, EventType.Cipher_Restored);
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncCipherUpdateAsync(cipherDetails, null);
+    }
+
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task RestoreAsync_WithLimitItemDeletionEnabled_WithManagePermission_RestoresCipher(
+        Guid restoringUserId, CipherDetails cipherDetails, User user, SutProvider<CipherService> sutProvider)
+    {
+        cipherDetails.OrganizationId = Guid.NewGuid();
+        cipherDetails.DeletedDate = DateTime.UtcNow;
+        cipherDetails.Edit = false;
+        cipherDetails.Manage = true;
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.LimitItemDeletion)
+            .Returns(true);
+        sutProvider.GetDependency<IUserService>()
+            .GetUserByIdAsync(restoringUserId)
+            .Returns(user);
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilityAsync(cipherDetails.OrganizationId.Value)
+            .Returns(new OrganizationAbility
+            {
+                Id = cipherDetails.OrganizationId.Value,
+                LimitItemDeletion = true
+            });
+
+        await sutProvider.Sut.RestoreAsync(cipherDetails, restoringUserId);
+
+        Assert.Null(cipherDetails.DeletedDate);
+        Assert.NotEqual(DateTime.UtcNow, cipherDetails.RevisionDate);
+        await sutProvider.GetDependency<ICipherRepository>().Received(1).UpsertAsync(cipherDetails);
+        await sutProvider.GetDependency<IEventService>().Received(1).LogCipherEventAsync(cipherDetails, EventType.Cipher_Restored);
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncCipherUpdateAsync(cipherDetails, null);
+    }
+
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task RestoreAsync_WithLimitItemDeletionEnabled_WithoutManagePermission_ThrowsBadRequestException(
+        Guid restoringUserId, CipherDetails cipherDetails, User user, SutProvider<CipherService> sutProvider)
+    {
+        cipherDetails.OrganizationId = Guid.NewGuid();
+        cipherDetails.DeletedDate = DateTime.UtcNow;
+        cipherDetails.Edit = true;
+        cipherDetails.Manage = false;
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.LimitItemDeletion)
+            .Returns(true);
+        sutProvider.GetDependency<IUserService>()
+            .GetUserByIdAsync(restoringUserId)
+            .Returns(user);
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilityAsync(cipherDetails.OrganizationId.Value)
+            .Returns(new OrganizationAbility
+            {
+                Id = cipherDetails.OrganizationId.Value,
+                LimitItemDeletion = true
+            });
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.RestoreAsync(cipherDetails, restoringUserId));
+
+        Assert.Contains("do not have permissions", exception.Message);
+        await sutProvider.GetDependency<ICipherRepository>().DidNotReceiveWithAnyArgs().UpsertAsync(default);
+        await sutProvider.GetDependency<IEventService>().DidNotReceiveWithAnyArgs().LogCipherEventAsync(default, default);
+        await sutProvider.GetDependency<IPushNotificationService>().DidNotReceiveWithAnyArgs().PushSyncCipherUpdateAsync(default, default);
+    }
+
     [Theory]
     [BitAutoData]
     public async Task RestoreManyAsync_UpdatesCiphers(ICollection<CipherDetails> ciphers,
@@ -852,6 +938,239 @@ public class CipherServiceTests
         await AssertNoActionsAsync(sutProvider);
     }
 
+    [Theory]
+    [BitAutoData]
+    public async Task RestoreManyAsync_WithPersonalCipherBelongingToDifferentUser_DoesNotRestoreCiphers(
+        Guid restoringUserId, List<CipherDetails> ciphers, SutProvider<CipherService> sutProvider)
+    {
+        var cipherIds = ciphers.Select(c => c.Id).ToArray();
+        var differentUserId = Guid.NewGuid();
+
+        foreach (var cipher in ciphers)
+        {
+            cipher.UserId = differentUserId;
+            cipher.OrganizationId = null;
+            cipher.DeletedDate = DateTime.UtcNow;
+        }
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(restoringUserId)
+            .Returns(new List<CipherDetails>());
+
+        var result = await sutProvider.Sut.RestoreManyAsync(cipherIds, restoringUserId);
+
+        Assert.Empty(result);
+        await sutProvider.GetDependency<ICipherRepository>()
+            .Received(1)
+            .RestoreAsync(Arg.Is<IEnumerable<Guid>>(ids => !ids.Any()), restoringUserId);
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogCipherEventsAsync(Arg.Any<IEnumerable<Tuple<Cipher, EventType, DateTime?>>>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncCiphersAsync(restoringUserId);
+    }
+
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task RestoreManyAsync_WithOrgCipherAndEditPermission_RestoresCiphers(
+        Guid restoringUserId, List<CipherDetails> ciphers, Guid organizationId, SutProvider<CipherService> sutProvider)
+    {
+        var cipherIds = ciphers.Select(c => c.Id).ToArray();
+        var previousRevisionDate = DateTime.UtcNow;
+
+        foreach (var cipher in ciphers)
+        {
+            cipher.OrganizationId = organizationId;
+            cipher.Edit = true;
+            cipher.DeletedDate = DateTime.UtcNow;
+            cipher.RevisionDate = previousRevisionDate;
+        }
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(restoringUserId)
+            .Returns(ciphers);
+
+        var revisionDate = previousRevisionDate + TimeSpan.FromMinutes(1);
+        sutProvider.GetDependency<ICipherRepository>()
+            .RestoreAsync(Arg.Any<IEnumerable<Guid>>(), restoringUserId)
+            .Returns(revisionDate);
+
+        var result = await sutProvider.Sut.RestoreManyAsync(cipherIds, restoringUserId);
+
+        Assert.Equal(ciphers.Count, result.Count);
+        foreach (var cipher in result)
+        {
+            Assert.Null(cipher.DeletedDate);
+            Assert.Equal(revisionDate, cipher.RevisionDate);
+        }
+
+        await sutProvider.GetDependency<ICipherRepository>()
+            .Received(1)
+            .RestoreAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Count() == cipherIds.Count() &&
+                ids.All(id => cipherIds.Contains(id))), restoringUserId);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogCipherEventsAsync(Arg.Any<IEnumerable<Tuple<Cipher, EventType, DateTime?>>>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncCiphersAsync(restoringUserId);
+    }
+
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task RestoreManyAsync_WithOrgCipherLackingEditPermission_DoesNotRestoreCiphers(
+        Guid restoringUserId, List<Cipher> ciphers, Guid organizationId, SutProvider<CipherService> sutProvider)
+    {
+        var cipherIds = ciphers.Select(c => c.Id).ToArray();
+        var cipherDetailsList = ciphers.Select(c => new CipherDetails
+        {
+            Id = c.Id,
+            OrganizationId = organizationId,
+            Edit = false,
+            DeletedDate = DateTime.UtcNow
+        }).ToList();
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(restoringUserId)
+            .Returns(cipherDetailsList);
+
+        var result = await sutProvider.Sut.RestoreManyAsync(cipherIds, restoringUserId);
+
+        Assert.Empty(result);
+        await sutProvider.GetDependency<ICipherRepository>()
+            .Received(1)
+            .RestoreAsync(Arg.Is<IEnumerable<Guid>>(ids => !ids.Any()), restoringUserId);
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogCipherEventsAsync(Arg.Any<IEnumerable<Tuple<Cipher, EventType, DateTime?>>>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncCiphersAsync(restoringUserId);
+    }
+
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task RestoreManyAsync_WithLimitItemDeletionEnabled_WithManagePermission_RestoresCiphers(
+        Guid restoringUserId, List<CipherDetails> ciphers, User user, SutProvider<CipherService> sutProvider)
+    {
+        var organizationId = Guid.NewGuid();
+        var cipherIds = ciphers.Select(c => c.Id).ToArray();
+        var previousRevisionDate = DateTime.UtcNow;
+
+        foreach (var cipher in ciphers)
+        {
+            cipher.OrganizationId = organizationId;
+            cipher.Edit = false;
+            cipher.Manage = true;
+            cipher.DeletedDate = DateTime.UtcNow;
+            cipher.RevisionDate = previousRevisionDate;
+        }
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.LimitItemDeletion)
+            .Returns(true);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(restoringUserId)
+            .Returns(ciphers);
+        sutProvider.GetDependency<IUserService>()
+            .GetUserByIdAsync(restoringUserId)
+            .Returns(user);
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilitiesAsync()
+            .Returns(new Dictionary<Guid, OrganizationAbility>
+            {
+                {
+                    organizationId, new OrganizationAbility
+                    {
+                        Id = organizationId,
+                        LimitItemDeletion = true
+                    }
+                }
+            });
+
+        var revisionDate = previousRevisionDate + TimeSpan.FromMinutes(1);
+        sutProvider.GetDependency<ICipherRepository>()
+            .RestoreAsync(Arg.Any<IEnumerable<Guid>>(), restoringUserId)
+            .Returns(revisionDate);
+
+        var result = await sutProvider.Sut.RestoreManyAsync(cipherIds, restoringUserId);
+
+        Assert.Equal(ciphers.Count, result.Count);
+        foreach (var cipher in result)
+        {
+            Assert.Null(cipher.DeletedDate);
+            Assert.Equal(revisionDate, cipher.RevisionDate);
+        }
+
+        await sutProvider.GetDependency<ICipherRepository>()
+            .Received(1)
+            .RestoreAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Count() == cipherIds.Count() &&
+                ids.All(id => cipherIds.Contains(id))), restoringUserId);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogCipherEventsAsync(Arg.Any<IEnumerable<Tuple<Cipher, EventType, DateTime?>>>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncCiphersAsync(restoringUserId);
+    }
+
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task RestoreManyAsync_WithLimitItemDeletionEnabled_WithoutManagePermission_DoesNotRestoreCiphers(
+        Guid restoringUserId, List<CipherDetails> ciphers, User user, SutProvider<CipherService> sutProvider)
+    {
+        var organizationId = Guid.NewGuid();
+        var cipherIds = ciphers.Select(c => c.Id).ToArray();
+
+        foreach (var cipher in ciphers)
+        {
+            cipher.OrganizationId = organizationId;
+            cipher.Edit = true;
+            cipher.Manage = false;
+            cipher.DeletedDate = DateTime.UtcNow;
+        }
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.LimitItemDeletion)
+            .Returns(true);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(restoringUserId)
+            .Returns(ciphers);
+        sutProvider.GetDependency<IUserService>()
+            .GetUserByIdAsync(restoringUserId)
+            .Returns(user);
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilitiesAsync()
+            .Returns(new Dictionary<Guid, OrganizationAbility>
+            {
+                {
+                    organizationId, new OrganizationAbility
+                    {
+                        Id = organizationId,
+                        LimitItemDeletion = true
+                    }
+                }
+            });
+
+        var result = await sutProvider.Sut.RestoreManyAsync(cipherIds, restoringUserId);
+
+        Assert.Empty(result);
+        await sutProvider.GetDependency<ICipherRepository>()
+            .Received(1)
+            .RestoreAsync(Arg.Is<IEnumerable<Guid>>(ids => !ids.Any()), restoringUserId);
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogCipherEventsAsync(Arg.Any<IEnumerable<Tuple<Cipher, EventType, DateTime?>>>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncCiphersAsync(restoringUserId);
+    }
+
     [Theory, BitAutoData]
     public async Task ShareManyAsync_FreeOrgWithAttachment_Throws(SutProvider<CipherService> sutProvider,
         IEnumerable<Cipher> ciphers, Guid organizationId, List<Guid> collectionIds)
@@ -1126,47 +1445,47 @@ public class CipherServiceTests
     [Theory]
     [BitAutoData]
     public async Task DeleteAsync_WithPersonalCipherOwner_DeletesCipher(
-        Guid deletingUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+        Guid deletingUserId, CipherDetails cipherDetails, SutProvider<CipherService> sutProvider)
     {
-        cipher.UserId = deletingUserId;
-        cipher.OrganizationId = null;
+        cipherDetails.UserId = deletingUserId;
+        cipherDetails.OrganizationId = null;
 
-        await sutProvider.Sut.DeleteAsync(cipher, deletingUserId);
+        await sutProvider.Sut.DeleteAsync(cipherDetails, deletingUserId);
 
-        await sutProvider.GetDependency<ICipherRepository>().Received(1).DeleteAsync(cipher);
-        await sutProvider.GetDependency<IAttachmentStorageService>().Received(1).DeleteAttachmentsForCipherAsync(cipher.Id);
-        await sutProvider.GetDependency<IEventService>().Received(1).LogCipherEventAsync(cipher, EventType.Cipher_Deleted);
-        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncCipherDeleteAsync(cipher);
+        await sutProvider.GetDependency<ICipherRepository>().Received(1).DeleteAsync(cipherDetails);
+        await sutProvider.GetDependency<IAttachmentStorageService>().Received(1).DeleteAttachmentsForCipherAsync(cipherDetails.Id);
+        await sutProvider.GetDependency<IEventService>().Received(1).LogCipherEventAsync(cipherDetails, EventType.Cipher_Deleted);
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncCipherDeleteAsync(cipherDetails);
     }
 
     [Theory]
     [OrganizationCipherCustomize]
     [BitAutoData]
     public async Task DeleteAsync_WithOrgCipherAndEditPermission_DeletesCipher(
-        Guid deletingUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+        Guid deletingUserId, CipherDetails cipherDetails, SutProvider<CipherService> sutProvider)
     {
         sutProvider.GetDependency<ICipherRepository>()
-            .GetCanEditByIdAsync(deletingUserId, cipher.Id)
+            .GetCanEditByIdAsync(deletingUserId, cipherDetails.Id)
             .Returns(true);
 
-        await sutProvider.Sut.DeleteAsync(cipher, deletingUserId);
+        await sutProvider.Sut.DeleteAsync(cipherDetails, deletingUserId);
 
-        await sutProvider.GetDependency<ICipherRepository>().Received(1).DeleteAsync(cipher);
-        await sutProvider.GetDependency<IAttachmentStorageService>().Received(1).DeleteAttachmentsForCipherAsync(cipher.Id);
-        await sutProvider.GetDependency<IEventService>().Received(1).LogCipherEventAsync(cipher, EventType.Cipher_Deleted);
-        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncCipherDeleteAsync(cipher);
+        await sutProvider.GetDependency<ICipherRepository>().Received(1).DeleteAsync(cipherDetails);
+        await sutProvider.GetDependency<IAttachmentStorageService>().Received(1).DeleteAttachmentsForCipherAsync(cipherDetails.Id);
+        await sutProvider.GetDependency<IEventService>().Received(1).LogCipherEventAsync(cipherDetails, EventType.Cipher_Deleted);
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncCipherDeleteAsync(cipherDetails);
     }
 
     [Theory]
     [BitAutoData]
     public async Task DeleteAsync_WithPersonalCipherBelongingToDifferentUser_ThrowsBadRequestException(
-        Guid deletingUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+        Guid deletingUserId, CipherDetails cipherDetails, SutProvider<CipherService> sutProvider)
     {
-        cipher.UserId = Guid.NewGuid();
-        cipher.OrganizationId = null;
+        cipherDetails.UserId = Guid.NewGuid();
+        cipherDetails.OrganizationId = null;
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.DeleteAsync(cipher, deletingUserId));
+            () => sutProvider.Sut.DeleteAsync(cipherDetails, deletingUserId));
 
         Assert.Contains("do not have permissions", exception.Message);
         await sutProvider.GetDependency<ICipherRepository>().DidNotReceiveWithAnyArgs().DeleteAsync(default);
@@ -1179,14 +1498,14 @@ public class CipherServiceTests
     [OrganizationCipherCustomize]
     [BitAutoData]
     public async Task DeleteAsync_WithOrgCipherLackingEditPermission_ThrowsBadRequestException(
-        Guid deletingUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+        Guid deletingUserId, CipherDetails cipherDetails, SutProvider<CipherService> sutProvider)
     {
         sutProvider.GetDependency<ICipherRepository>()
-            .GetCanEditByIdAsync(deletingUserId, cipher.Id)
+            .GetCanEditByIdAsync(deletingUserId, cipherDetails.Id)
             .Returns(false);
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.DeleteAsync(cipher, deletingUserId));
+            () => sutProvider.Sut.DeleteAsync(cipherDetails, deletingUserId));
 
         Assert.Contains("do not have permissions", exception.Message);
         await sutProvider.GetDependency<ICipherRepository>().DidNotReceiveWithAnyArgs().DeleteAsync(default);
@@ -1196,62 +1515,400 @@ public class CipherServiceTests
     }
 
     [Theory]
+    [OrganizationCipherCustomize]
     [BitAutoData]
-    public async Task SoftDeleteAsync_WithPersonalCipherOwner_SoftDeletesCipher(
-        Guid deletingUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+    public async Task DeleteAsync_WithOrgAdminOverride_DeletesCipher(
+        Guid deletingUserId, CipherDetails cipherDetails, SutProvider<CipherService> sutProvider)
     {
-        cipher.UserId = deletingUserId;
-        cipher.OrganizationId = null;
-        cipher.DeletedDate = null;
+        await sutProvider.Sut.DeleteAsync(cipherDetails, deletingUserId, true);
+
+        await sutProvider.GetDependency<ICipherRepository>().Received(1).DeleteAsync(cipherDetails);
+        await sutProvider.GetDependency<IAttachmentStorageService>().Received(1).DeleteAttachmentsForCipherAsync(cipherDetails.Id);
+        await sutProvider.GetDependency<IEventService>().Received(1).LogCipherEventAsync(cipherDetails, EventType.Cipher_Deleted);
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncCipherDeleteAsync(cipherDetails);
+    }
+
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task DeleteAsync_WithLimitItemDeletionEnabled_WithManagePermission_DeletesCipher(
+        Guid deletingUserId, CipherDetails cipherDetails, User user, SutProvider<CipherService> sutProvider)
+    {
+        cipherDetails.OrganizationId = Guid.NewGuid();
+        cipherDetails.Edit = false;
+        cipherDetails.Manage = true;
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.LimitItemDeletion)
+            .Returns(true);
+        sutProvider.GetDependency<IUserService>()
+            .GetUserByIdAsync(deletingUserId)
+            .Returns(user);
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilityAsync(cipherDetails.OrganizationId.Value)
+            .Returns(new OrganizationAbility
+            {
+                Id = cipherDetails.OrganizationId.Value,
+                LimitItemDeletion = true
+            });
+
+        await sutProvider.Sut.DeleteAsync(cipherDetails, deletingUserId);
+
+        await sutProvider.GetDependency<ICipherRepository>().Received(1).DeleteAsync(cipherDetails);
+        await sutProvider.GetDependency<IAttachmentStorageService>().Received(1).DeleteAttachmentsForCipherAsync(cipherDetails.Id);
+        await sutProvider.GetDependency<IEventService>().Received(1).LogCipherEventAsync(cipherDetails, EventType.Cipher_Deleted);
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncCipherDeleteAsync(cipherDetails);
+    }
+
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task DeleteAsync_WithLimitItemDeletionEnabled_WithoutManagePermission_ThrowsBadRequestException(
+        Guid deletingUserId, CipherDetails cipherDetails, User user, SutProvider<CipherService> sutProvider)
+    {
+        cipherDetails.OrganizationId = Guid.NewGuid();
+        cipherDetails.Edit = true;
+        cipherDetails.Manage = false;
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.LimitItemDeletion)
+            .Returns(true);
+        sutProvider.GetDependency<IUserService>()
+            .GetUserByIdAsync(deletingUserId)
+            .Returns(user);
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilityAsync(cipherDetails.OrganizationId.Value)
+            .Returns(new OrganizationAbility
+            {
+                Id = cipherDetails.OrganizationId.Value,
+                LimitItemDeletion = true
+            });
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.DeleteAsync(cipherDetails, deletingUserId));
+
+        Assert.Contains("do not have permissions", exception.Message);
+        await sutProvider.GetDependency<ICipherRepository>().DidNotReceiveWithAnyArgs().DeleteAsync(default);
+        await sutProvider.GetDependency<IAttachmentStorageService>().DidNotReceiveWithAnyArgs().DeleteAttachmentsForCipherAsync(default);
+        await sutProvider.GetDependency<IEventService>().DidNotReceiveWithAnyArgs().LogCipherEventAsync(default, default);
+        await sutProvider.GetDependency<IPushNotificationService>().DidNotReceiveWithAnyArgs().PushSyncCipherDeleteAsync(default);
+    }
+
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task DeleteManyAsync_WithOrgAdminOverride_DeletesCiphers(
+        Guid deletingUserId, List<Cipher> ciphers, Guid organizationId, SutProvider<CipherService> sutProvider)
+    {
+        var cipherIds = ciphers.Select(c => c.Id).ToArray();
+
+        foreach (var cipher in ciphers)
+        {
+            cipher.OrganizationId = organizationId;
+        }
 
         sutProvider.GetDependency<ICipherRepository>()
-            .GetCanEditByIdAsync(deletingUserId, cipher.Id)
+            .GetManyByOrganizationIdAsync(organizationId)
+            .Returns(ciphers);
+
+        await sutProvider.Sut.DeleteManyAsync(cipherIds, deletingUserId, organizationId, true);
+
+        await sutProvider.GetDependency<ICipherRepository>()
+            .Received(1)
+            .DeleteByIdsOrganizationIdAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Count() == cipherIds.Count() &&
+                ids.All(id => cipherIds.Contains(id))), organizationId);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogCipherEventsAsync(Arg.Any<IEnumerable<Tuple<Cipher, EventType, DateTime?>>>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncCiphersAsync(deletingUserId);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task DeleteManyAsync_WithPersonalCipherOwner_DeletesCiphers(
+        Guid deletingUserId, List<CipherDetails> ciphers, SutProvider<CipherService> sutProvider)
+    {
+        var cipherIds = ciphers.Select(c => c.Id).ToArray();
+
+        foreach (var cipher in ciphers)
+        {
+            cipher.UserId = deletingUserId;
+            cipher.OrganizationId = null;
+            cipher.Edit = true;
+        }
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(deletingUserId)
+            .Returns(ciphers);
+
+        await sutProvider.Sut.DeleteManyAsync(cipherIds, deletingUserId);
+
+        await sutProvider.GetDependency<ICipherRepository>()
+            .Received(1)
+            .DeleteAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Count() == cipherIds.Count() &&
+                ids.All(id => cipherIds.Contains(id))), deletingUserId);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogCipherEventsAsync(Arg.Any<IEnumerable<Tuple<Cipher, EventType, DateTime?>>>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncCiphersAsync(deletingUserId);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task DeleteManyAsync_WithPersonalCipherBelongingToDifferentUser_DoesNotDeleteCiphers(
+        Guid deletingUserId, List<CipherDetails> ciphers, SutProvider<CipherService> sutProvider)
+    {
+        var cipherIds = ciphers.Select(c => c.Id).ToArray();
+        var differentUserId = Guid.NewGuid();
+
+        foreach (var cipher in ciphers)
+        {
+            cipher.UserId = differentUserId;
+            cipher.OrganizationId = null;
+        }
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(deletingUserId)
+            .Returns(new List<CipherDetails>());
+
+        await sutProvider.Sut.DeleteManyAsync(cipherIds, deletingUserId);
+
+        await sutProvider.GetDependency<ICipherRepository>()
+            .Received(1)
+            .DeleteAsync(Arg.Is<IEnumerable<Guid>>(ids => !ids.Any()), deletingUserId);
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogCipherEventsAsync(Arg.Any<IEnumerable<Tuple<Cipher, EventType, DateTime?>>>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncCiphersAsync(deletingUserId);
+    }
+
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task DeleteManyAsync_WithOrgCipherAndEditPermission_DeletesCiphers(
+        Guid deletingUserId, List<CipherDetails> ciphers, Guid organizationId, SutProvider<CipherService> sutProvider)
+    {
+        var cipherIds = ciphers.Select(c => c.Id).ToArray();
+        foreach (var cipher in ciphers)
+        {
+            cipher.OrganizationId = organizationId;
+            cipher.Edit = true;
+        }
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(deletingUserId)
+            .Returns(ciphers);
+
+        await sutProvider.Sut.DeleteManyAsync(cipherIds, deletingUserId, organizationId);
+
+        await sutProvider.GetDependency<ICipherRepository>()
+            .Received(1)
+            .DeleteAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Count() == cipherIds.Count() && ids.All(id => cipherIds.Contains(id))), deletingUserId);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogCipherEventsAsync(Arg.Any<IEnumerable<Tuple<Cipher, EventType, DateTime?>>>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncCiphersAsync(deletingUserId);
+    }
+
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task DeleteManyAsync_WithOrgCipherLackingEditPermission_DoesNotDeleteCiphers(
+        Guid deletingUserId, List<Cipher> ciphers, Guid organizationId, SutProvider<CipherService> sutProvider)
+    {
+        var cipherIds = ciphers.Select(c => c.Id).ToArray();
+        var cipherDetailsList = ciphers.Select(c => new CipherDetails
+        {
+            Id = c.Id,
+            OrganizationId = organizationId,
+            Edit = false
+        }).ToList();
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(deletingUserId)
+            .Returns(cipherDetailsList);
+
+        await sutProvider.Sut.DeleteManyAsync(cipherIds, deletingUserId, organizationId);
+
+        await sutProvider.GetDependency<ICipherRepository>()
+            .Received(1)
+            .DeleteAsync(Arg.Is<IEnumerable<Guid>>(ids => !ids.Any()), deletingUserId);
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogCipherEventsAsync(Arg.Any<IEnumerable<Tuple<Cipher, EventType, DateTime?>>>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncCiphersAsync(deletingUserId);
+    }
+
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task DeleteManyAsync_WithLimitItemDeletionEnabled_WithoutManagePermission_DoesNotDeleteCiphers(
+        Guid deletingUserId, List<CipherDetails> ciphers, User user, SutProvider<CipherService> sutProvider)
+    {
+        var organizationId = Guid.NewGuid();
+        var cipherIds = ciphers.Select(c => c.Id).ToArray();
+
+        foreach (var cipher in ciphers)
+        {
+            cipher.OrganizationId = organizationId;
+            cipher.Edit = true;
+            cipher.Manage = false;
+        }
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.LimitItemDeletion)
+            .Returns(true);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(deletingUserId)
+            .Returns(ciphers);
+        sutProvider.GetDependency<IUserService>()
+            .GetUserByIdAsync(deletingUserId)
+            .Returns(user);
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilitiesAsync()
+            .Returns(new Dictionary<Guid, OrganizationAbility>
+            {
+                {
+                    organizationId, new OrganizationAbility
+                    {
+                        Id = organizationId,
+                        LimitItemDeletion = true
+                    }
+                }
+            });
+
+        await sutProvider.Sut.DeleteManyAsync(cipherIds, deletingUserId, organizationId);
+
+        await sutProvider.GetDependency<ICipherRepository>()
+            .Received(1)
+            .DeleteAsync(Arg.Is<IEnumerable<Guid>>(ids => !ids.Any()), deletingUserId);
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogCipherEventsAsync(Arg.Any<IEnumerable<Tuple<Cipher, EventType, DateTime?>>>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncCiphersAsync(deletingUserId);
+    }
+
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task DeleteManyAsync_WithLimitItemDeletionEnabled_WithManagePermission_DeletesCiphers(
+        Guid deletingUserId, List<CipherDetails> ciphers, User user, SutProvider<CipherService> sutProvider)
+    {
+        var organizationId = Guid.NewGuid();
+        var cipherIds = ciphers.Select(c => c.Id).ToArray();
+
+        foreach (var cipher in ciphers)
+        {
+            cipher.OrganizationId = organizationId;
+            cipher.Edit = false;
+            cipher.Manage = true;
+        }
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.LimitItemDeletion)
+            .Returns(true);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(deletingUserId)
+            .Returns(ciphers);
+        sutProvider.GetDependency<IUserService>()
+            .GetUserByIdAsync(deletingUserId)
+            .Returns(user);
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilitiesAsync()
+            .Returns(new Dictionary<Guid, OrganizationAbility>
+            {
+                {
+                    organizationId, new OrganizationAbility
+                    {
+                        Id = organizationId,
+                        LimitItemDeletion = true
+                    }
+                }
+            });
+
+        await sutProvider.Sut.DeleteManyAsync(cipherIds, deletingUserId, organizationId);
+
+        await sutProvider.GetDependency<ICipherRepository>()
+            .Received(1)
+            .DeleteAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Count() == cipherIds.Count() &&
+                ids.All(id => cipherIds.Contains(id))), deletingUserId);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogCipherEventsAsync(Arg.Any<IEnumerable<Tuple<Cipher, EventType, DateTime?>>>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncCiphersAsync(deletingUserId);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task SoftDeleteAsync_WithPersonalCipherOwner_SoftDeletesCipher(
+        Guid deletingUserId, CipherDetails cipherDetails, SutProvider<CipherService> sutProvider)
+    {
+        cipherDetails.UserId = deletingUserId;
+        cipherDetails.OrganizationId = null;
+        cipherDetails.DeletedDate = null;
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetCanEditByIdAsync(deletingUserId, cipherDetails.Id)
             .Returns(true);
 
-        await sutProvider.Sut.SoftDeleteAsync(cipher, deletingUserId);
+        await sutProvider.Sut.SoftDeleteAsync(cipherDetails, deletingUserId);
 
-        Assert.NotNull(cipher.DeletedDate);
-        Assert.Equal(cipher.RevisionDate, cipher.DeletedDate);
-        await sutProvider.GetDependency<ICipherRepository>().Received(1).UpsertAsync(cipher);
-        await sutProvider.GetDependency<IEventService>().Received(1).LogCipherEventAsync(cipher, EventType.Cipher_SoftDeleted);
-        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncCipherUpdateAsync(cipher, null);
+        Assert.NotNull(cipherDetails.DeletedDate);
+        Assert.Equal(cipherDetails.RevisionDate, cipherDetails.DeletedDate);
+        await sutProvider.GetDependency<ICipherRepository>().Received(1).UpsertAsync(cipherDetails);
+        await sutProvider.GetDependency<IEventService>().Received(1).LogCipherEventAsync(cipherDetails, EventType.Cipher_SoftDeleted);
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncCipherUpdateAsync(cipherDetails, null);
     }
 
     [Theory]
     [OrganizationCipherCustomize]
     [BitAutoData]
     public async Task SoftDeleteAsync_WithOrgCipherAndEditPermission_SoftDeletesCipher(
-        Guid deletingUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+        Guid deletingUserId, CipherDetails cipherDetails, SutProvider<CipherService> sutProvider)
     {
-        cipher.DeletedDate = null;
+        cipherDetails.DeletedDate = null;
 
         sutProvider.GetDependency<ICipherRepository>()
-            .GetCanEditByIdAsync(deletingUserId, cipher.Id)
+            .GetCanEditByIdAsync(deletingUserId, cipherDetails.Id)
             .Returns(true);
 
-        await sutProvider.Sut.SoftDeleteAsync(cipher, deletingUserId);
+        await sutProvider.Sut.SoftDeleteAsync(cipherDetails, deletingUserId);
 
-        Assert.NotNull(cipher.DeletedDate);
-        Assert.Equal(cipher.DeletedDate, cipher.RevisionDate);
-        await sutProvider.GetDependency<ICipherRepository>().Received(1).UpsertAsync(cipher);
-        await sutProvider.GetDependency<IEventService>().Received(1).LogCipherEventAsync(cipher, EventType.Cipher_SoftDeleted);
-        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncCipherUpdateAsync(cipher, null);
+        Assert.NotNull(cipherDetails.DeletedDate);
+        Assert.Equal(cipherDetails.RevisionDate, cipherDetails.DeletedDate);
+        await sutProvider.GetDependency<ICipherRepository>().Received(1).UpsertAsync(cipherDetails);
+        await sutProvider.GetDependency<IEventService>().Received(1).LogCipherEventAsync(cipherDetails, EventType.Cipher_SoftDeleted);
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncCipherUpdateAsync(cipherDetails, null);
     }
 
     [Theory]
     [BitAutoData]
     public async Task SoftDeleteAsync_WithPersonalCipherBelongingToDifferentUser_ThrowsBadRequestException(
-        Guid deletingUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+        Guid deletingUserId, CipherDetails cipherDetails, SutProvider<CipherService> sutProvider)
     {
-        cipher.UserId = Guid.NewGuid();
-        cipher.OrganizationId = null;
+        cipherDetails.UserId = Guid.NewGuid();
+        cipherDetails.OrganizationId = null;
 
         sutProvider.GetDependency<ICipherRepository>()
-            .GetCanEditByIdAsync(deletingUserId, cipher.Id)
+            .GetCanEditByIdAsync(deletingUserId, cipherDetails.Id)
             .Returns(false);
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.SoftDeleteAsync(cipher, deletingUserId));
+            () => sutProvider.Sut.SoftDeleteAsync(cipherDetails, deletingUserId));
 
         Assert.Contains("do not have permissions", exception.Message);
     }
@@ -1260,51 +1917,395 @@ public class CipherServiceTests
     [OrganizationCipherCustomize]
     [BitAutoData]
     public async Task SoftDeleteAsync_WithOrgCipherLackingEditPermission_ThrowsBadRequestException(
-        Guid deletingUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+        Guid deletingUserId, CipherDetails cipherDetails, SutProvider<CipherService> sutProvider)
     {
         sutProvider.GetDependency<ICipherRepository>()
-            .GetCanEditByIdAsync(deletingUserId, cipher.Id)
+            .GetCanEditByIdAsync(deletingUserId, cipherDetails.Id)
             .Returns(false);
 
         var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.SoftDeleteAsync(cipher, deletingUserId));
+            () => sutProvider.Sut.SoftDeleteAsync(cipherDetails, deletingUserId));
 
         Assert.Contains("do not have permissions", exception.Message);
     }
 
     [Theory]
     [BitAutoData]
-    public async Task SoftDeleteAsync_WithCipherDetailsType_SoftDeletesCipherDetails(
-        Guid deletingUserId, CipherDetails cipher, SutProvider<CipherService> sutProvider)
+    public async Task SoftDeleteAsync_WithEditPermission_SoftDeletesCipherDetails(
+        Guid deletingUserId, CipherDetails cipherDetails, SutProvider<CipherService> sutProvider)
     {
-        cipher.DeletedDate = null;
+        cipherDetails.DeletedDate = null;
 
-        await sutProvider.Sut.SoftDeleteAsync(cipher, deletingUserId, true);
+        await sutProvider.Sut.SoftDeleteAsync(cipherDetails, deletingUserId, true);
 
-        Assert.NotNull(cipher.DeletedDate);
-        Assert.Equal(cipher.DeletedDate, cipher.RevisionDate);
-        await sutProvider.GetDependency<ICipherRepository>().Received(1).UpsertAsync(cipher);
-        await sutProvider.GetDependency<IEventService>().Received(1).LogCipherEventAsync(cipher, EventType.Cipher_SoftDeleted);
-        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncCipherUpdateAsync(cipher, null);
+        Assert.NotNull(cipherDetails.DeletedDate);
+        Assert.Equal(cipherDetails.RevisionDate, cipherDetails.DeletedDate);
+        await sutProvider.GetDependency<ICipherRepository>().Received(1).UpsertAsync(cipherDetails);
+        await sutProvider.GetDependency<IEventService>().Received(1).LogCipherEventAsync(cipherDetails, EventType.Cipher_SoftDeleted);
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncCipherUpdateAsync(cipherDetails, null);
     }
 
     [Theory]
     [BitAutoData]
     public async Task SoftDeleteAsync_WithAlreadySoftDeletedCipher_SkipsOperation(
-        Guid deletingUserId, Cipher cipher, SutProvider<CipherService> sutProvider)
+        Guid deletingUserId, CipherDetails cipherDetails, SutProvider<CipherService> sutProvider)
     {
         sutProvider.GetDependency<ICipherRepository>()
-            .GetCanEditByIdAsync(deletingUserId, cipher.Id)
+            .GetCanEditByIdAsync(deletingUserId, cipherDetails.Id)
             .Returns(true);
-        cipher.DeletedDate = DateTime.UtcNow.AddDays(-1);
+        cipherDetails.DeletedDate = DateTime.UtcNow.AddDays(-1);
 
-        await sutProvider.Sut.SoftDeleteAsync(cipher, deletingUserId);
+        await sutProvider.Sut.SoftDeleteAsync(cipherDetails, deletingUserId);
 
         await sutProvider.GetDependency<ICipherRepository>().DidNotReceive().UpsertAsync(Arg.Any<Cipher>());
         await sutProvider.GetDependency<IEventService>().DidNotReceive().LogCipherEventAsync(Arg.Any<Cipher>(), Arg.Any<EventType>());
         await sutProvider.GetDependency<IPushNotificationService>().DidNotReceive().PushSyncCipherUpdateAsync(Arg.Any<Cipher>(), Arg.Any<IEnumerable<Guid>>());
     }
 
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task SoftDeleteAsync_WithOrgAdminOverride_SoftDeletesCipher(
+        Guid deletingUserId, CipherDetails cipherDetails, SutProvider<CipherService> sutProvider)
+    {
+        cipherDetails.DeletedDate = null;
+
+        await sutProvider.Sut.SoftDeleteAsync(cipherDetails, deletingUserId, true);
+
+        await sutProvider.GetDependency<ICipherRepository>().Received(1).UpsertAsync(cipherDetails);
+        await sutProvider.GetDependency<IEventService>().Received(1).LogCipherEventAsync(cipherDetails, EventType.Cipher_SoftDeleted);
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncCipherUpdateAsync(cipherDetails, null);
+    }
+
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task SoftDeleteAsync_WithLimitItemDeletionEnabled_WithManagePermission_SoftDeletesCipher(
+        Guid deletingUserId, CipherDetails cipherDetails, User user, SutProvider<CipherService> sutProvider)
+    {
+        cipherDetails.OrganizationId = Guid.NewGuid();
+        cipherDetails.DeletedDate = null;
+        cipherDetails.Edit = false;
+        cipherDetails.Manage = true;
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.LimitItemDeletion)
+            .Returns(true);
+        sutProvider.GetDependency<IUserService>()
+            .GetUserByIdAsync(deletingUserId)
+            .Returns(user);
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilityAsync(cipherDetails.OrganizationId.Value)
+            .Returns(new OrganizationAbility
+            {
+                Id = cipherDetails.OrganizationId.Value,
+                LimitItemDeletion = true
+            });
+
+        await sutProvider.Sut.SoftDeleteAsync(cipherDetails, deletingUserId);
+
+        Assert.NotNull(cipherDetails.DeletedDate);
+        Assert.Equal(cipherDetails.RevisionDate, cipherDetails.DeletedDate);
+        await sutProvider.GetDependency<ICipherRepository>().Received(1).UpsertAsync(cipherDetails);
+        await sutProvider.GetDependency<IEventService>().Received(1).LogCipherEventAsync(cipherDetails, EventType.Cipher_SoftDeleted);
+        await sutProvider.GetDependency<IPushNotificationService>().Received(1).PushSyncCipherUpdateAsync(cipherDetails, null);
+    }
+
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task SoftDeleteAsync_WithLimitItemDeletionEnabled_WithoutManagePermission_ThrowsBadRequestException(
+        Guid deletingUserId, CipherDetails cipherDetails, User user, SutProvider<CipherService> sutProvider)
+    {
+        cipherDetails.OrganizationId = Guid.NewGuid();
+        cipherDetails.DeletedDate = null;
+        cipherDetails.Edit = true;
+        cipherDetails.Manage = false;
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.LimitItemDeletion)
+            .Returns(true);
+        sutProvider.GetDependency<IUserService>()
+            .GetUserByIdAsync(deletingUserId)
+            .Returns(user);
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilityAsync(cipherDetails.OrganizationId.Value)
+            .Returns(new OrganizationAbility
+            {
+                Id = cipherDetails.OrganizationId.Value,
+                LimitItemDeletion = true
+            });
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.SoftDeleteAsync(cipherDetails, deletingUserId));
+
+        Assert.Contains("do not have permissions", exception.Message);
+        await sutProvider.GetDependency<ICipherRepository>().DidNotReceiveWithAnyArgs().UpsertAsync(default);
+        await sutProvider.GetDependency<IEventService>().DidNotReceiveWithAnyArgs().LogCipherEventAsync(default, default);
+        await sutProvider.GetDependency<IPushNotificationService>().DidNotReceiveWithAnyArgs().PushSyncCipherUpdateAsync(default, default);
+    }
+
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task SoftDeleteManyAsync_WithOrgAdminOverride_SoftDeletesCiphers(
+        Guid deletingUserId, List<Cipher> ciphers, Guid organizationId, SutProvider<CipherService> sutProvider)
+    {
+        var cipherIds = ciphers.Select(c => c.Id).ToArray();
+
+        foreach (var cipher in ciphers)
+        {
+            cipher.OrganizationId = organizationId;
+        }
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByOrganizationIdAsync(organizationId)
+            .Returns(ciphers);
+
+        await sutProvider.Sut.SoftDeleteManyAsync(cipherIds, deletingUserId, organizationId, true);
+
+        await sutProvider.GetDependency<ICipherRepository>()
+            .Received(1)
+            .SoftDeleteByIdsOrganizationIdAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Count() == cipherIds.Count() &&
+                ids.All(id => cipherIds.Contains(id))), organizationId);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogCipherEventsAsync(Arg.Any<IEnumerable<Tuple<Cipher, EventType, DateTime?>>>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncCiphersAsync(deletingUserId);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task SoftDeleteManyAsync_WithPersonalCipherOwner_SoftDeletesCiphers(
+        Guid deletingUserId, List<CipherDetails> ciphers, SutProvider<CipherService> sutProvider)
+    {
+        var cipherIds = ciphers.Select(c => c.Id).ToArray();
+
+        foreach (var cipher in ciphers)
+        {
+            cipher.UserId = deletingUserId;
+            cipher.OrganizationId = null;
+            cipher.Edit = true;
+            cipher.DeletedDate = null;
+        }
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(deletingUserId)
+            .Returns(ciphers);
+
+        await sutProvider.Sut.SoftDeleteManyAsync(cipherIds, deletingUserId, null, false);
+
+        await sutProvider.GetDependency<ICipherRepository>()
+            .Received(1)
+            .SoftDeleteAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Count() == cipherIds.Count() &&
+                ids.All(id => cipherIds.Contains(id))), deletingUserId);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogCipherEventsAsync(Arg.Any<IEnumerable<Tuple<Cipher, EventType, DateTime?>>>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncCiphersAsync(deletingUserId);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task SoftDeleteManyAsync_WithPersonalCipherBelongingToDifferentUser_DoesNotDeleteCiphers(
+        Guid deletingUserId, List<CipherDetails> ciphers, SutProvider<CipherService> sutProvider)
+    {
+        var cipherIds = ciphers.Select(c => c.Id).ToArray();
+        var differentUserId = Guid.NewGuid();
+
+        foreach (var cipher in ciphers)
+        {
+            cipher.UserId = differentUserId;
+            cipher.OrganizationId = null;
+        }
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(deletingUserId)
+            .Returns(new List<CipherDetails>());
+
+        await sutProvider.Sut.SoftDeleteManyAsync(cipherIds, deletingUserId, null, false);
+
+        await sutProvider.GetDependency<ICipherRepository>()
+            .Received(1)
+            .SoftDeleteAsync(Arg.Is<IEnumerable<Guid>>(ids => !ids.Any()), deletingUserId);
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogCipherEventsAsync(Arg.Any<IEnumerable<Tuple<Cipher, EventType, DateTime?>>>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncCiphersAsync(deletingUserId);
+    }
+
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task SoftDeleteManyAsync_WithOrgCipherAndEditPermission_SoftDeletesCiphers(
+        Guid deletingUserId, List<CipherDetails> ciphers, Guid organizationId, SutProvider<CipherService> sutProvider)
+    {
+        var cipherIds = ciphers.Select(c => c.Id).ToArray();
+        foreach (var cipher in ciphers)
+        {
+            cipher.OrganizationId = organizationId;
+            cipher.Edit = true;
+            cipher.DeletedDate = null;
+        }
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(deletingUserId)
+            .Returns(ciphers);
+
+        await sutProvider.Sut.SoftDeleteManyAsync(cipherIds, deletingUserId, organizationId, false);
+
+        await sutProvider.GetDependency<ICipherRepository>()
+            .Received(1)
+            .SoftDeleteAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Count() == cipherIds.Count() && ids.All(id => cipherIds.Contains(id))), deletingUserId);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogCipherEventsAsync(Arg.Any<IEnumerable<Tuple<Cipher, EventType, DateTime?>>>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncCiphersAsync(deletingUserId);
+    }
+
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task SoftDeleteManyAsync_WithOrgCipherLackingEditPermission_DoesNotDeleteCiphers(
+        Guid deletingUserId, List<Cipher> ciphers, Guid organizationId, SutProvider<CipherService> sutProvider)
+    {
+        var cipherIds = ciphers.Select(c => c.Id).ToArray();
+        var cipherDetailsList = ciphers.Select(c => new CipherDetails
+        {
+            Id = c.Id,
+            OrganizationId = organizationId,
+            Edit = false
+        }).ToList();
+
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(deletingUserId)
+            .Returns(cipherDetailsList);
+
+        await sutProvider.Sut.SoftDeleteManyAsync(cipherIds, deletingUserId, organizationId, false);
+
+        await sutProvider.GetDependency<ICipherRepository>()
+            .Received(1)
+            .SoftDeleteAsync(Arg.Is<IEnumerable<Guid>>(ids => !ids.Any()), deletingUserId);
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogCipherEventsAsync(Arg.Any<IEnumerable<Tuple<Cipher, EventType, DateTime?>>>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncCiphersAsync(deletingUserId);
+    }
+
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task SoftDeleteManyAsync_WithLimitItemDeletionEnabled_WithoutManagePermission_DoesNotDeleteCiphers(
+        Guid deletingUserId, List<CipherDetails> ciphers, User user, SutProvider<CipherService> sutProvider)
+    {
+        var organizationId = Guid.NewGuid();
+        var cipherIds = ciphers.Select(c => c.Id).ToArray();
+
+        foreach (var cipher in ciphers)
+        {
+            cipher.OrganizationId = organizationId;
+            cipher.Edit = true;
+            cipher.Manage = false;
+        }
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.LimitItemDeletion)
+            .Returns(true);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(deletingUserId)
+            .Returns(ciphers);
+        sutProvider.GetDependency<IUserService>()
+            .GetUserByIdAsync(deletingUserId)
+            .Returns(user);
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilitiesAsync()
+            .Returns(new Dictionary<Guid, OrganizationAbility>
+            {
+                {
+                    organizationId, new OrganizationAbility
+                    {
+                        Id = organizationId,
+                        LimitItemDeletion = true
+                    }
+                }
+            });
+
+        await sutProvider.Sut.SoftDeleteManyAsync(cipherIds, deletingUserId, organizationId, false);
+
+        await sutProvider.GetDependency<ICipherRepository>()
+            .Received(1)
+            .SoftDeleteAsync(Arg.Is<IEnumerable<Guid>>(ids => !ids.Any()), deletingUserId);
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogCipherEventsAsync(Arg.Any<IEnumerable<Tuple<Cipher, EventType, DateTime?>>>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncCiphersAsync(deletingUserId);
+    }
+
+    [Theory]
+    [OrganizationCipherCustomize]
+    [BitAutoData]
+    public async Task SoftDeleteManyAsync_WithLimitItemDeletionEnabled_WithManagePermission_SoftDeletesCiphers(
+        Guid deletingUserId, List<CipherDetails> ciphers, User user, SutProvider<CipherService> sutProvider)
+    {
+        var organizationId = Guid.NewGuid();
+        var cipherIds = ciphers.Select(c => c.Id).ToArray();
+
+        foreach (var cipher in ciphers)
+        {
+            cipher.OrganizationId = organizationId;
+            cipher.Edit = false;
+            cipher.Manage = true;
+            cipher.DeletedDate = null;
+        }
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.LimitItemDeletion)
+            .Returns(true);
+        sutProvider.GetDependency<ICipherRepository>()
+            .GetManyByUserIdAsync(deletingUserId)
+            .Returns(ciphers);
+        sutProvider.GetDependency<IUserService>()
+            .GetUserByIdAsync(deletingUserId)
+            .Returns(user);
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilitiesAsync()
+            .Returns(new Dictionary<Guid, OrganizationAbility>
+            {
+                {
+                    organizationId, new OrganizationAbility
+                    {
+                        Id = organizationId,
+                        LimitItemDeletion = true
+                    }
+                }
+            });
+
+        await sutProvider.Sut.SoftDeleteManyAsync(cipherIds, deletingUserId, organizationId, false);
+
+        await sutProvider.GetDependency<ICipherRepository>()
+            .Received(1)
+            .SoftDeleteAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Count() == cipherIds.Count() &&
+                ids.All(id => cipherIds.Contains(id))), deletingUserId);
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogCipherEventsAsync(Arg.Any<IEnumerable<Tuple<Cipher, EventType, DateTime?>>>());
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncCiphersAsync(deletingUserId);
+    }
+
     private async Task AssertNoActionsAsync(SutProvider<CipherService> sutProvider)
     {
         await sutProvider.GetDependency<ICipherRepository>().DidNotReceiveWithAnyArgs().GetManyOrganizationDetailsByOrganizationIdAsync(default);

From 10ea2cb3eb417077fcff86b5a733ce559e8588f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Wed, 2 Apr 2025 11:47:44 +0100
Subject: [PATCH 147/184] [PM-17473] Refactor AuthRequestService to remove
 admin notification feature flag (#5549)

---
 .../Implementations/AuthRequestService.cs     |  6 --
 .../Auth/Services/AuthRequestServiceTests.cs  | 77 +------------------
 2 files changed, 1 insertion(+), 82 deletions(-)

diff --git a/src/Core/Auth/Services/Implementations/AuthRequestService.cs b/src/Core/Auth/Services/Implementations/AuthRequestService.cs
index c10fa6ce92..42d51a88f5 100644
--- a/src/Core/Auth/Services/Implementations/AuthRequestService.cs
+++ b/src/Core/Auth/Services/Implementations/AuthRequestService.cs
@@ -287,12 +287,6 @@ public class AuthRequestService : IAuthRequestService
 
     private async Task NotifyAdminsOfDeviceApprovalRequestAsync(OrganizationUser organizationUser, User user)
     {
-        if (!_featureService.IsEnabled(FeatureFlagKeys.DeviceApprovalRequestAdminNotifications))
-        {
-            _logger.LogWarning("Skipped sending device approval notification to admins - feature flag disabled");
-            return;
-        }
-
         var adminEmails = await GetAdminAndAccountRecoveryEmailsAsync(organizationUser.OrganizationId);
 
         await _mailService.SendDeviceApprovalRequestedNotificationEmailAsync(
diff --git a/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs b/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs
index 5e99ecf171..edd7a06fa7 100644
--- a/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs
+++ b/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs
@@ -273,78 +273,7 @@ public class AuthRequestServiceTests
     /// each of them.
     /// </summary>
     [Theory, BitAutoData]
-    public async Task CreateAuthRequestAsync_AdminApproval_CreatesForEachOrganization(
-        SutProvider<AuthRequestService> sutProvider,
-        AuthRequestCreateRequestModel createModel,
-        User user,
-        OrganizationUser organizationUser1,
-        OrganizationUser organizationUser2)
-    {
-        createModel.Type = AuthRequestType.AdminApproval;
-        user.Email = createModel.Email;
-        organizationUser1.UserId = user.Id;
-        organizationUser2.UserId = user.Id;
-
-        sutProvider.GetDependency<IUserRepository>()
-            .GetByEmailAsync(user.Email)
-            .Returns(user);
-
-        sutProvider.GetDependency<ICurrentContext>()
-            .DeviceType
-            .Returns(DeviceType.ChromeExtension);
-
-        sutProvider.GetDependency<ICurrentContext>()
-            .UserId
-            .Returns(user.Id);
-
-        sutProvider.GetDependency<IGlobalSettings>()
-            .PasswordlessAuth.KnownDevicesOnly
-            .Returns(false);
-
-
-        sutProvider.GetDependency<IOrganizationUserRepository>()
-            .GetManyByUserAsync(user.Id)
-            .Returns(new List<OrganizationUser>
-            {
-                organizationUser1,
-                organizationUser2,
-            });
-
-        sutProvider.GetDependency<IAuthRequestRepository>()
-            .CreateAsync(Arg.Any<AuthRequest>())
-            .Returns(c => c.ArgAt<AuthRequest>(0));
-
-        var authRequest = await sutProvider.Sut.CreateAuthRequestAsync(createModel);
-
-        Assert.Equal(organizationUser1.OrganizationId, authRequest.OrganizationId);
-
-        await sutProvider.GetDependency<IAuthRequestRepository>()
-            .Received(1)
-            .CreateAsync(Arg.Is<AuthRequest>(o => o.OrganizationId == organizationUser1.OrganizationId));
-
-        await sutProvider.GetDependency<IAuthRequestRepository>()
-            .Received(1)
-            .CreateAsync(Arg.Is<AuthRequest>(o => o.OrganizationId == organizationUser2.OrganizationId));
-
-        await sutProvider.GetDependency<IAuthRequestRepository>()
-            .Received(2)
-            .CreateAsync(Arg.Any<AuthRequest>());
-
-        await sutProvider.GetDependency<IEventService>()
-            .Received(1)
-            .LogUserEventAsync(user.Id, EventType.User_RequestedDeviceApproval);
-
-        await sutProvider.GetDependency<IMailService>()
-            .DidNotReceiveWithAnyArgs()
-            .SendDeviceApprovalRequestedNotificationEmailAsync(
-                Arg.Any<IEnumerable<string>>(),
-                Arg.Any<Guid>(),
-                Arg.Any<string>(),
-                Arg.Any<string>());
-    }
-
-    [Theory, BitAutoData]
-    public async Task CreateAuthRequestAsync_AdminApproval_WithAdminNotifications_CreatesForEachOrganization_SendsEmails(
+    public async Task CreateAuthRequestAsync_AdminApproval_CreatesForEachOrganization_SendsEmails(
         SutProvider<AuthRequestService> sutProvider,
         AuthRequestCreateRequestModel createModel,
         User user,
@@ -369,10 +298,6 @@ public class AuthRequestServiceTests
             ManageResetPassword = true,
         });
 
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.DeviceApprovalRequestAdminNotifications)
-            .Returns(true);
-
         sutProvider.GetDependency<IUserRepository>()
             .GetByEmailAsync(user.Email)
             .Returns(user);

From b309de141d52a38d81e0b329ca41b64cd00df01f Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Wed, 2 Apr 2025 19:47:48 +0200
Subject: [PATCH 148/184] [PM-19147] Automatic Tax Improvements (#5545)

* Pm 19147 2 (#5544)

* Pm 19147 2 (#5544)

* Unit tests for tax strategies `GetUpdateOptions`

* Only allow automatic tax flag to be updated for complete subscription updates such as plan changes, not when upgrading additional storage, seats, etc

* unit tests for factory

* Fix build

* Automatic tax for tax estimation

* Fix stub

* Fix stub

* "customer.tax_ids" isn't expanded in some flows.

* Fix SubscriberServiceTests.cs

* BusinessUseAutomaticTaxStrategy > SetUpdateOptions tests

* Fix ProviderBillingServiceTests.cs
---
 .../RemoveOrganizationFromProviderCommand.cs  |  28 +-
 .../Billing/ProviderBillingService.cs         |  23 +-
 ...oveOrganizationFromProviderCommandTests.cs |  20 +
 .../Billing/ProviderBillingServiceTests.cs    |  35 +-
 .../Implementations/UpcomingInvoiceHandler.cs |  24 +-
 src/Core/Billing/Constants/StripeConstants.cs |   2 +
 .../Billing/Extensions/CustomerExtensions.cs  |   2 +-
 .../Extensions/ServiceCollectionExtensions.cs |   4 +
 .../SubscriptionCreateOptionsExtensions.cs    |  26 -
 .../AutomaticTaxFactoryParameters.cs          |  30 ++
 .../Billing/Services/IAutomaticTaxFactory.cs  |  11 +
 .../Billing/Services/IAutomaticTaxStrategy.cs |  33 ++
 .../AutomaticTax/AutomaticTaxFactory.cs       |  50 ++
 .../BusinessUseAutomaticTaxStrategy.cs        |  96 ++++
 .../PersonalUseAutomaticTaxStrategy.cs        |  64 +++
 .../OrganizationBillingService.cs             |  33 +-
 .../PremiumUserBillingService.cs              |  22 +-
 .../Implementations/SubscriberService.cs      |  54 +-
 src/Core/Constants.cs                         |   3 +
 .../Implementations/StripePaymentService.cs   |  92 +++-
 .../BusinessUseAutomaticTaxStrategyTests.cs   | 492 ++++++++++++++++++
 .../PersonalUseAutomaticTaxStrategyTests.cs   | 217 ++++++++
 .../AutomaticTaxFactoryTests.cs               | 105 ++++
 .../Services/SubscriberServiceTests.cs        |  55 +-
 .../Billing/Stubs/FakeAutomaticTaxStrategy.cs |  35 ++
 25 files changed, 1448 insertions(+), 108 deletions(-)
 delete mode 100644 src/Core/Billing/Extensions/SubscriptionCreateOptionsExtensions.cs
 create mode 100644 src/Core/Billing/Services/Contracts/AutomaticTaxFactoryParameters.cs
 create mode 100644 src/Core/Billing/Services/IAutomaticTaxFactory.cs
 create mode 100644 src/Core/Billing/Services/IAutomaticTaxStrategy.cs
 create mode 100644 src/Core/Billing/Services/Implementations/AutomaticTax/AutomaticTaxFactory.cs
 create mode 100644 src/Core/Billing/Services/Implementations/AutomaticTax/BusinessUseAutomaticTaxStrategy.cs
 create mode 100644 src/Core/Billing/Services/Implementations/AutomaticTax/PersonalUseAutomaticTaxStrategy.cs
 create mode 100644 test/Core.Test/Billing/Services/Implementations/AutomaticTax/BusinessUseAutomaticTaxStrategyTests.cs
 create mode 100644 test/Core.Test/Billing/Services/Implementations/AutomaticTax/PersonalUseAutomaticTaxStrategyTests.cs
 create mode 100644 test/Core.Test/Billing/Services/Implementations/AutomaticTaxFactoryTests.cs
 create mode 100644 test/Core.Test/Billing/Stubs/FakeAutomaticTaxStrategy.cs

diff --git a/bitwarden_license/src/Commercial.Core/AdminConsole/Providers/RemoveOrganizationFromProviderCommand.cs b/bitwarden_license/src/Commercial.Core/AdminConsole/Providers/RemoveOrganizationFromProviderCommand.cs
index d2acdac079..2c34e57a92 100644
--- a/bitwarden_license/src/Commercial.Core/AdminConsole/Providers/RemoveOrganizationFromProviderCommand.cs
+++ b/bitwarden_license/src/Commercial.Core/AdminConsole/Providers/RemoveOrganizationFromProviderCommand.cs
@@ -1,4 +1,5 @@
-using Bit.Core.AdminConsole.Entities;
+using Bit.Core;
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.Providers.Interfaces;
@@ -7,10 +8,12 @@ using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Extensions;
 using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Services;
+using Bit.Core.Billing.Services.Implementations.AutomaticTax;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
+using Microsoft.Extensions.DependencyInjection;
 using Stripe;
 
 namespace Bit.Commercial.Core.AdminConsole.Providers;
@@ -28,6 +31,7 @@ public class RemoveOrganizationFromProviderCommand : IRemoveOrganizationFromProv
     private readonly ISubscriberService _subscriberService;
     private readonly IHasConfirmedOwnersExceptQuery _hasConfirmedOwnersExceptQuery;
     private readonly IPricingClient _pricingClient;
+    private readonly IAutomaticTaxStrategy _automaticTaxStrategy;
 
     public RemoveOrganizationFromProviderCommand(
         IEventService eventService,
@@ -40,7 +44,8 @@ public class RemoveOrganizationFromProviderCommand : IRemoveOrganizationFromProv
         IProviderBillingService providerBillingService,
         ISubscriberService subscriberService,
         IHasConfirmedOwnersExceptQuery hasConfirmedOwnersExceptQuery,
-        IPricingClient pricingClient)
+        IPricingClient pricingClient,
+        [FromKeyedServices(AutomaticTaxFactory.BusinessUse)] IAutomaticTaxStrategy automaticTaxStrategy)
     {
         _eventService = eventService;
         _mailService = mailService;
@@ -53,6 +58,7 @@ public class RemoveOrganizationFromProviderCommand : IRemoveOrganizationFromProv
         _subscriberService = subscriberService;
         _hasConfirmedOwnersExceptQuery = hasConfirmedOwnersExceptQuery;
         _pricingClient = pricingClient;
+        _automaticTaxStrategy = automaticTaxStrategy;
     }
 
     public async Task RemoveOrganizationFromProvider(
@@ -107,10 +113,11 @@ public class RemoveOrganizationFromProviderCommand : IRemoveOrganizationFromProv
             organization.IsValidClient() &&
             !string.IsNullOrEmpty(organization.GatewayCustomerId))
         {
-            await _stripeAdapter.CustomerUpdateAsync(organization.GatewayCustomerId, new CustomerUpdateOptions
+            var customer = await _stripeAdapter.CustomerUpdateAsync(organization.GatewayCustomerId, new CustomerUpdateOptions
             {
                 Description = string.Empty,
-                Email = organization.BillingEmail
+                Email = organization.BillingEmail,
+                Expand = ["tax", "tax_ids"]
             });
 
             var plan = await _pricingClient.GetPlanOrThrow(organization.PlanType);
@@ -120,7 +127,6 @@ public class RemoveOrganizationFromProviderCommand : IRemoveOrganizationFromProv
                 Customer = organization.GatewayCustomerId,
                 CollectionMethod = StripeConstants.CollectionMethod.SendInvoice,
                 DaysUntilDue = 30,
-                AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true },
                 Metadata = new Dictionary<string, string>
                 {
                     { "organizationId", organization.Id.ToString() }
@@ -130,6 +136,18 @@ public class RemoveOrganizationFromProviderCommand : IRemoveOrganizationFromProv
                 Items = [new SubscriptionItemOptions { Price = plan.PasswordManager.StripeSeatPlanId, Quantity = organization.Seats }]
             };
 
+            if (_featureService.IsEnabled(FeatureFlagKeys.PM19147_AutomaticTaxImprovements))
+            {
+                _automaticTaxStrategy.SetCreateOptions(subscriptionCreateOptions, customer);
+            }
+            else
+            {
+                subscriptionCreateOptions.AutomaticTax ??= new SubscriptionAutomaticTaxOptions
+                {
+                    Enabled = true
+                };
+            }
+
             var subscription = await _stripeAdapter.SubscriptionCreateAsync(subscriptionCreateOptions);
 
             organization.GatewaySubscriptionId = subscription.Id;
diff --git a/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs b/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
index 74cfc1f916..65e41ab586 100644
--- a/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
+++ b/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
@@ -14,6 +14,7 @@ using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Repositories;
 using Bit.Core.Billing.Services;
 using Bit.Core.Billing.Services.Contracts;
+using Bit.Core.Billing.Services.Implementations.AutomaticTax;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
@@ -22,6 +23,7 @@ using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
 using CsvHelper;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Stripe;
 
@@ -29,6 +31,7 @@ namespace Bit.Commercial.Core.Billing;
 
 public class ProviderBillingService(
     IEventService eventService,
+    IFeatureService featureService,
     IGlobalSettings globalSettings,
     ILogger<ProviderBillingService> logger,
     IOrganizationRepository organizationRepository,
@@ -40,7 +43,9 @@ public class ProviderBillingService(
     IProviderUserRepository providerUserRepository,
     IStripeAdapter stripeAdapter,
     ISubscriberService subscriberService,
-    ITaxService taxService) : IProviderBillingService
+    ITaxService taxService,
+    [FromKeyedServices(AutomaticTaxFactory.BusinessUse)] IAutomaticTaxStrategy automaticTaxStrategy)
+    : IProviderBillingService
 {
     [RequireFeature(FeatureFlagKeys.P15179_AddExistingOrgsFromProviderPortal)]
     public async Task AddExistingOrganization(
@@ -557,7 +562,8 @@ public class ProviderBillingService(
     {
         ArgumentNullException.ThrowIfNull(provider);
 
-        var customer = await subscriberService.GetCustomerOrThrow(provider);
+        var customerGetOptions = new CustomerGetOptions { Expand = ["tax", "tax_ids"] };
+        var customer = await subscriberService.GetCustomerOrThrow(provider, customerGetOptions);
 
         var providerPlans = await providerPlanRepository.GetByProviderId(provider.Id);
 
@@ -589,10 +595,6 @@ public class ProviderBillingService(
 
         var subscriptionCreateOptions = new SubscriptionCreateOptions
         {
-            AutomaticTax = new SubscriptionAutomaticTaxOptions
-            {
-                Enabled = true
-            },
             CollectionMethod = StripeConstants.CollectionMethod.SendInvoice,
             Customer = customer.Id,
             DaysUntilDue = 30,
@@ -605,6 +607,15 @@ public class ProviderBillingService(
             ProrationBehavior = StripeConstants.ProrationBehavior.CreateProrations
         };
 
+        if (featureService.IsEnabled(FeatureFlagKeys.PM19147_AutomaticTaxImprovements))
+        {
+            automaticTaxStrategy.SetCreateOptions(subscriptionCreateOptions, customer);
+        }
+        else
+        {
+            subscriptionCreateOptions.AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true };
+        }
+
         try
         {
             var subscription = await stripeAdapter.SubscriptionCreateAsync(subscriptionCreateOptions);
diff --git a/bitwarden_license/test/Commercial.Core.Test/AdminConsole/ProviderFeatures/RemoveOrganizationFromProviderCommandTests.cs b/bitwarden_license/test/Commercial.Core.Test/AdminConsole/ProviderFeatures/RemoveOrganizationFromProviderCommandTests.cs
index 2debd521a5..48eda094e8 100644
--- a/bitwarden_license/test/Commercial.Core.Test/AdminConsole/ProviderFeatures/RemoveOrganizationFromProviderCommandTests.cs
+++ b/bitwarden_license/test/Commercial.Core.Test/AdminConsole/ProviderFeatures/RemoveOrganizationFromProviderCommandTests.cs
@@ -228,6 +228,26 @@ public class RemoveOrganizationFromProviderCommandTests
             Id = "subscription_id"
         });
 
+        sutProvider.GetDependency<IAutomaticTaxStrategy>()
+            .When(x => x.SetCreateOptions(
+                Arg.Is<SubscriptionCreateOptions>(options =>
+                    options.Customer == organization.GatewayCustomerId &&
+                    options.CollectionMethod == StripeConstants.CollectionMethod.SendInvoice &&
+                    options.DaysUntilDue == 30 &&
+                    options.Metadata["organizationId"] == organization.Id.ToString() &&
+                    options.OffSession == true &&
+                    options.ProrationBehavior == StripeConstants.ProrationBehavior.CreateProrations &&
+                    options.Items.First().Price == teamsMonthlyPlan.PasswordManager.StripeSeatPlanId &&
+                    options.Items.First().Quantity == organization.Seats)
+                , Arg.Any<Customer>()))
+            .Do(x =>
+            {
+                x.Arg<SubscriptionCreateOptions>().AutomaticTax = new SubscriptionAutomaticTaxOptions
+                {
+                    Enabled = true
+                };
+            });
+
         await sutProvider.Sut.RemoveOrganizationFromProvider(provider, providerOrganization, organization);
 
         await stripeAdapter.Received(1).SubscriptionCreateAsync(Arg.Is<SubscriptionCreateOptions>(options =>
diff --git a/bitwarden_license/test/Commercial.Core.Test/Billing/ProviderBillingServiceTests.cs b/bitwarden_license/test/Commercial.Core.Test/Billing/ProviderBillingServiceTests.cs
index c1da732d60..71a150a546 100644
--- a/bitwarden_license/test/Commercial.Core.Test/Billing/ProviderBillingServiceTests.cs
+++ b/bitwarden_license/test/Commercial.Core.Test/Billing/ProviderBillingServiceTests.cs
@@ -924,11 +924,15 @@ public class ProviderBillingServiceTests
     {
         provider.GatewaySubscriptionId = null;
 
-        sutProvider.GetDependency<ISubscriberService>().GetCustomerOrThrow(provider).Returns(new Customer
-        {
-            Id = "customer_id",
-            Tax = new CustomerTax { AutomaticTax = StripeConstants.AutomaticTaxStatus.Supported }
-        });
+        sutProvider.GetDependency<ISubscriberService>()
+            .GetCustomerOrThrow(
+                provider,
+                Arg.Is<CustomerGetOptions>(p => p.Expand.Contains("tax") || p.Expand.Contains("tax_ids")))
+            .Returns(new Customer
+            {
+                Id = "customer_id",
+                Tax = new CustomerTax { AutomaticTax = StripeConstants.AutomaticTaxStatus.Supported }
+            });
 
         var providerPlans = new List<ProviderPlan>
         {
@@ -975,11 +979,15 @@ public class ProviderBillingServiceTests
     {
         provider.GatewaySubscriptionId = null;
 
-        sutProvider.GetDependency<ISubscriberService>().GetCustomerOrThrow(provider).Returns(new Customer
+        var customer = new Customer
         {
             Id = "customer_id",
             Tax = new CustomerTax { AutomaticTax = StripeConstants.AutomaticTaxStatus.Supported }
-        });
+        };
+        sutProvider.GetDependency<ISubscriberService>()
+            .GetCustomerOrThrow(
+                provider,
+                Arg.Is<CustomerGetOptions>(p => p.Expand.Contains("tax") || p.Expand.Contains("tax_ids"))).Returns(customer);
 
         var providerPlans = new List<ProviderPlan>
         {
@@ -1017,6 +1025,19 @@ public class ProviderBillingServiceTests
 
         var expected = new Subscription { Id = "subscription_id", Status = StripeConstants.SubscriptionStatus.Active };
 
+        sutProvider.GetDependency<IAutomaticTaxStrategy>()
+            .When(x => x.SetCreateOptions(
+                Arg.Is<SubscriptionCreateOptions>(options =>
+                    options.Customer == "customer_id")
+                , Arg.Is<Customer>(p => p == customer)))
+            .Do(x =>
+            {
+                x.Arg<SubscriptionCreateOptions>().AutomaticTax = new SubscriptionAutomaticTaxOptions
+                {
+                    Enabled = true
+                };
+            });
+
         sutProvider.GetDependency<IStripeAdapter>().SubscriptionCreateAsync(Arg.Is<SubscriptionCreateOptions>(
             sub =>
                 sub.AutomaticTax.Enabled == true &&
diff --git a/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs b/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs
index d37bf41428..f75cbf8a8b 100644
--- a/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs
+++ b/src/Billing/Services/Implementations/UpcomingInvoiceHandler.cs
@@ -1,8 +1,11 @@
-using Bit.Core.AdminConsole.Repositories;
+using Bit.Core;
+using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Extensions;
 using Bit.Core.Billing.Pricing;
+using Bit.Core.Billing.Services;
+using Bit.Core.Billing.Services.Contracts;
 using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -12,6 +15,7 @@ using Event = Stripe.Event;
 namespace Bit.Billing.Services.Implementations;
 
 public class UpcomingInvoiceHandler(
+    IFeatureService featureService,
     ILogger<StripeEventProcessor> logger,
     IMailService mailService,
     IOrganizationRepository organizationRepository,
@@ -21,7 +25,8 @@ public class UpcomingInvoiceHandler(
     IStripeEventService stripeEventService,
     IStripeEventUtilityService stripeEventUtilityService,
     IUserRepository userRepository,
-    IValidateSponsorshipCommand validateSponsorshipCommand)
+    IValidateSponsorshipCommand validateSponsorshipCommand,
+    IAutomaticTaxFactory automaticTaxFactory)
     : IUpcomingInvoiceHandler
 {
     public async Task HandleAsync(Event parsedEvent)
@@ -136,6 +141,21 @@ public class UpcomingInvoiceHandler(
 
     private async Task TryEnableAutomaticTaxAsync(Subscription subscription)
     {
+        if (featureService.IsEnabled(FeatureFlagKeys.PM19147_AutomaticTaxImprovements))
+        {
+            var automaticTaxParameters = new AutomaticTaxFactoryParameters(subscription.Items.Select(x => x.Price.Id));
+            var automaticTaxStrategy = await automaticTaxFactory.CreateAsync(automaticTaxParameters);
+            var updateOptions = automaticTaxStrategy.GetUpdateOptions(subscription);
+
+            if (updateOptions == null)
+            {
+                return;
+            }
+
+            await stripeFacade.UpdateSubscription(subscription.Id, updateOptions);
+            return;
+        }
+
         if (subscription.AutomaticTax.Enabled ||
             !subscription.Customer.HasBillingLocation() ||
             await IsNonTaxableNonUSBusinessUseSubscription(subscription))
diff --git a/src/Core/Billing/Constants/StripeConstants.cs b/src/Core/Billing/Constants/StripeConstants.cs
index 080416e2bb..326023e34c 100644
--- a/src/Core/Billing/Constants/StripeConstants.cs
+++ b/src/Core/Billing/Constants/StripeConstants.cs
@@ -47,6 +47,8 @@ public static class StripeConstants
     public static class MetadataKeys
     {
         public const string OrganizationId = "organizationId";
+        public const string ProviderId = "providerId";
+        public const string UserId = "userId";
     }
 
     public static class PaymentBehavior
diff --git a/src/Core/Billing/Extensions/CustomerExtensions.cs b/src/Core/Billing/Extensions/CustomerExtensions.cs
index 1ab595342e..8f15f61a7f 100644
--- a/src/Core/Billing/Extensions/CustomerExtensions.cs
+++ b/src/Core/Billing/Extensions/CustomerExtensions.cs
@@ -21,7 +21,7 @@ public static class CustomerExtensions
     /// <param name="customer"></param>
     /// <returns></returns>
     public static bool HasTaxLocationVerified(this Customer customer) =>
-        customer?.Tax?.AutomaticTax == StripeConstants.AutomaticTaxStatus.Supported;
+        customer?.Tax?.AutomaticTax != StripeConstants.AutomaticTaxStatus.UnrecognizedLocation;
 
     public static decimal GetBillingBalance(this Customer customer)
     {
diff --git a/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs b/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs
index 26815d7df0..17285e0676 100644
--- a/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs
+++ b/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs
@@ -4,6 +4,7 @@ using Bit.Core.Billing.Licenses.Extensions;
 using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Services;
 using Bit.Core.Billing.Services.Implementations;
+using Bit.Core.Billing.Services.Implementations.AutomaticTax;
 
 namespace Bit.Core.Billing.Extensions;
 
@@ -18,6 +19,9 @@ public static class ServiceCollectionExtensions
         services.AddTransient<IPremiumUserBillingService, PremiumUserBillingService>();
         services.AddTransient<ISetupIntentCache, SetupIntentDistributedCache>();
         services.AddTransient<ISubscriberService, SubscriberService>();
+        services.AddKeyedTransient<IAutomaticTaxStrategy, PersonalUseAutomaticTaxStrategy>(AutomaticTaxFactory.PersonalUse);
+        services.AddKeyedTransient<IAutomaticTaxStrategy, BusinessUseAutomaticTaxStrategy>(AutomaticTaxFactory.BusinessUse);
+        services.AddTransient<IAutomaticTaxFactory, AutomaticTaxFactory>();
         services.AddLicenseServices();
         services.AddPricingClient();
     }
diff --git a/src/Core/Billing/Extensions/SubscriptionCreateOptionsExtensions.cs b/src/Core/Billing/Extensions/SubscriptionCreateOptionsExtensions.cs
deleted file mode 100644
index d76a0553a3..0000000000
--- a/src/Core/Billing/Extensions/SubscriptionCreateOptionsExtensions.cs
+++ /dev/null
@@ -1,26 +0,0 @@
-using Stripe;
-
-namespace Bit.Core.Billing.Extensions;
-
-public static class SubscriptionCreateOptionsExtensions
-{
-    /// <summary>
-    /// Attempts to enable automatic tax for given new subscription options.
-    /// </summary>
-    /// <param name="options"></param>
-    /// <param name="customer">The existing customer.</param>
-    /// <returns>Returns true when successful, false when conditions are not met.</returns>
-    public static bool EnableAutomaticTax(this SubscriptionCreateOptions options, Customer customer)
-    {
-        // We might only need to check the automatic tax status.
-        if (!customer.HasTaxLocationVerified() && string.IsNullOrWhiteSpace(customer.Address?.Country))
-        {
-            return false;
-        }
-
-        options.DefaultTaxRates = [];
-        options.AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true };
-
-        return true;
-    }
-}
diff --git a/src/Core/Billing/Services/Contracts/AutomaticTaxFactoryParameters.cs b/src/Core/Billing/Services/Contracts/AutomaticTaxFactoryParameters.cs
new file mode 100644
index 0000000000..19a4f0bdfa
--- /dev/null
+++ b/src/Core/Billing/Services/Contracts/AutomaticTaxFactoryParameters.cs
@@ -0,0 +1,30 @@
+#nullable enable
+using Bit.Core.Billing.Enums;
+using Bit.Core.Entities;
+
+namespace Bit.Core.Billing.Services.Contracts;
+
+public class AutomaticTaxFactoryParameters
+{
+    public AutomaticTaxFactoryParameters(PlanType planType)
+    {
+        PlanType = planType;
+    }
+
+    public AutomaticTaxFactoryParameters(ISubscriber subscriber, IEnumerable<string> prices)
+    {
+        Subscriber = subscriber;
+        Prices = prices;
+    }
+
+    public AutomaticTaxFactoryParameters(IEnumerable<string> prices)
+    {
+        Prices = prices;
+    }
+
+    public ISubscriber? Subscriber { get; init; }
+
+    public PlanType? PlanType { get; init; }
+
+    public IEnumerable<string>? Prices { get; init; }
+}
diff --git a/src/Core/Billing/Services/IAutomaticTaxFactory.cs b/src/Core/Billing/Services/IAutomaticTaxFactory.cs
new file mode 100644
index 0000000000..c52a8f2671
--- /dev/null
+++ b/src/Core/Billing/Services/IAutomaticTaxFactory.cs
@@ -0,0 +1,11 @@
+using Bit.Core.Billing.Services.Contracts;
+
+namespace Bit.Core.Billing.Services;
+
+/// <summary>
+/// Responsible for defining the correct automatic tax strategy for either personal use of business use.
+/// </summary>
+public interface IAutomaticTaxFactory
+{
+    Task<IAutomaticTaxStrategy> CreateAsync(AutomaticTaxFactoryParameters parameters);
+}
diff --git a/src/Core/Billing/Services/IAutomaticTaxStrategy.cs b/src/Core/Billing/Services/IAutomaticTaxStrategy.cs
new file mode 100644
index 0000000000..292f2d0939
--- /dev/null
+++ b/src/Core/Billing/Services/IAutomaticTaxStrategy.cs
@@ -0,0 +1,33 @@
+#nullable enable
+using Stripe;
+
+namespace Bit.Core.Billing.Services;
+
+public interface IAutomaticTaxStrategy
+{
+    /// <summary>
+    ///
+    /// </summary>
+    /// <param name="subscription"></param>
+    /// <returns>
+    /// Returns <see cref="SubscriptionUpdateOptions" /> if changes are to be applied to the subscription, returns null
+    /// otherwise.
+    /// </returns>
+    SubscriptionUpdateOptions? GetUpdateOptions(Subscription subscription);
+
+    /// <summary>
+    /// Modifies an existing <see cref="SubscriptionCreateOptions" /> object with the automatic tax flag set correctly.
+    /// </summary>
+    /// <param name="options"></param>
+    /// <param name="customer"></param>
+    void SetCreateOptions(SubscriptionCreateOptions options, Customer customer);
+
+    /// <summary>
+    /// Modifies an existing <see cref="SubscriptionUpdateOptions" /> object with the automatic tax flag set correctly.
+    /// </summary>
+    /// <param name="options"></param>
+    /// <param name="subscription"></param>
+    void SetUpdateOptions(SubscriptionUpdateOptions options, Subscription subscription);
+
+    void SetInvoiceCreatePreviewOptions(InvoiceCreatePreviewOptions options);
+}
diff --git a/src/Core/Billing/Services/Implementations/AutomaticTax/AutomaticTaxFactory.cs b/src/Core/Billing/Services/Implementations/AutomaticTax/AutomaticTaxFactory.cs
new file mode 100644
index 0000000000..133cd2c7a7
--- /dev/null
+++ b/src/Core/Billing/Services/Implementations/AutomaticTax/AutomaticTaxFactory.cs
@@ -0,0 +1,50 @@
+#nullable enable
+using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Pricing;
+using Bit.Core.Billing.Services.Contracts;
+using Bit.Core.Entities;
+using Bit.Core.Services;
+
+namespace Bit.Core.Billing.Services.Implementations.AutomaticTax;
+
+public class AutomaticTaxFactory(
+    IFeatureService featureService,
+    IPricingClient pricingClient) : IAutomaticTaxFactory
+{
+    public const string BusinessUse = "business-use";
+    public const string PersonalUse = "personal-use";
+
+    private readonly Lazy<Task<IEnumerable<string>>> _personalUsePlansTask = new(async () =>
+    {
+        var plans = await Task.WhenAll(
+            pricingClient.GetPlanOrThrow(PlanType.FamiliesAnnually2019),
+            pricingClient.GetPlanOrThrow(PlanType.FamiliesAnnually));
+
+        return plans.Select(plan => plan.PasswordManager.StripePlanId);
+    });
+
+    public async Task<IAutomaticTaxStrategy> CreateAsync(AutomaticTaxFactoryParameters parameters)
+    {
+        if (parameters.Subscriber is User)
+        {
+            return new PersonalUseAutomaticTaxStrategy(featureService);
+        }
+
+        if (parameters.PlanType.HasValue)
+        {
+            var plan = await pricingClient.GetPlanOrThrow(parameters.PlanType.Value);
+            return plan.CanBeUsedByBusiness
+                ? new BusinessUseAutomaticTaxStrategy(featureService)
+                : new PersonalUseAutomaticTaxStrategy(featureService);
+        }
+
+        var personalUsePlans = await _personalUsePlansTask.Value;
+
+        if (parameters.Prices != null && parameters.Prices.Any(x => personalUsePlans.Any(y => y == x)))
+        {
+            return new PersonalUseAutomaticTaxStrategy(featureService);
+        }
+
+        return new BusinessUseAutomaticTaxStrategy(featureService);
+    }
+}
diff --git a/src/Core/Billing/Services/Implementations/AutomaticTax/BusinessUseAutomaticTaxStrategy.cs b/src/Core/Billing/Services/Implementations/AutomaticTax/BusinessUseAutomaticTaxStrategy.cs
new file mode 100644
index 0000000000..40eb6e4540
--- /dev/null
+++ b/src/Core/Billing/Services/Implementations/AutomaticTax/BusinessUseAutomaticTaxStrategy.cs
@@ -0,0 +1,96 @@
+#nullable enable
+using Bit.Core.Billing.Extensions;
+using Bit.Core.Services;
+using Stripe;
+
+namespace Bit.Core.Billing.Services.Implementations.AutomaticTax;
+
+public class BusinessUseAutomaticTaxStrategy(IFeatureService featureService) : IAutomaticTaxStrategy
+{
+    public SubscriptionUpdateOptions? GetUpdateOptions(Subscription subscription)
+    {
+        if (!featureService.IsEnabled(FeatureFlagKeys.PM19422_AllowAutomaticTaxUpdates))
+        {
+            return null;
+        }
+
+        var shouldBeEnabled = ShouldBeEnabled(subscription.Customer);
+        if (subscription.AutomaticTax.Enabled == shouldBeEnabled)
+        {
+            return null;
+        }
+
+        var options = new SubscriptionUpdateOptions
+        {
+            AutomaticTax = new SubscriptionAutomaticTaxOptions
+            {
+                Enabled = shouldBeEnabled
+            },
+            DefaultTaxRates = []
+        };
+
+        return options;
+    }
+
+    public void SetCreateOptions(SubscriptionCreateOptions options, Customer customer)
+    {
+        options.AutomaticTax = new SubscriptionAutomaticTaxOptions
+        {
+            Enabled = ShouldBeEnabled(customer)
+        };
+    }
+
+    public void SetUpdateOptions(SubscriptionUpdateOptions options, Subscription subscription)
+    {
+        if (!featureService.IsEnabled(FeatureFlagKeys.PM19422_AllowAutomaticTaxUpdates))
+        {
+            return;
+        }
+
+        var shouldBeEnabled = ShouldBeEnabled(subscription.Customer);
+
+        if (subscription.AutomaticTax.Enabled == shouldBeEnabled)
+        {
+            return;
+        }
+
+        options.AutomaticTax = new SubscriptionAutomaticTaxOptions
+        {
+            Enabled = shouldBeEnabled
+        };
+        options.DefaultTaxRates = [];
+    }
+
+    public void SetInvoiceCreatePreviewOptions(InvoiceCreatePreviewOptions options)
+    {
+        options.AutomaticTax ??= new InvoiceAutomaticTaxOptions();
+
+        if (options.CustomerDetails.Address.Country == "US")
+        {
+            options.AutomaticTax.Enabled = true;
+            return;
+        }
+
+        options.AutomaticTax.Enabled = options.CustomerDetails.TaxIds != null && options.CustomerDetails.TaxIds.Any();
+    }
+
+    private bool ShouldBeEnabled(Customer customer)
+    {
+        if (!customer.HasTaxLocationVerified())
+        {
+            return false;
+        }
+
+        if (customer.Address.Country == "US")
+        {
+            return true;
+        }
+
+        if (customer.TaxIds == null)
+        {
+            throw new ArgumentNullException(nameof(customer.TaxIds), "`customer.tax_ids` must be expanded.");
+        }
+
+        return customer.TaxIds.Any();
+    }
+}
diff --git a/src/Core/Billing/Services/Implementations/AutomaticTax/PersonalUseAutomaticTaxStrategy.cs b/src/Core/Billing/Services/Implementations/AutomaticTax/PersonalUseAutomaticTaxStrategy.cs
new file mode 100644
index 0000000000..15ee1adf8f
--- /dev/null
+++ b/src/Core/Billing/Services/Implementations/AutomaticTax/PersonalUseAutomaticTaxStrategy.cs
@@ -0,0 +1,64 @@
+#nullable enable
+using Bit.Core.Billing.Extensions;
+using Bit.Core.Services;
+using Stripe;
+
+namespace Bit.Core.Billing.Services.Implementations.AutomaticTax;
+
+public class PersonalUseAutomaticTaxStrategy(IFeatureService featureService) : IAutomaticTaxStrategy
+{
+    public void SetCreateOptions(SubscriptionCreateOptions options, Customer customer)
+    {
+        options.AutomaticTax = new SubscriptionAutomaticTaxOptions
+        {
+            Enabled = ShouldBeEnabled(customer)
+        };
+    }
+
+    public void SetUpdateOptions(SubscriptionUpdateOptions options, Subscription subscription)
+    {
+        if (!featureService.IsEnabled(FeatureFlagKeys.PM19422_AllowAutomaticTaxUpdates))
+        {
+            return;
+        }
+        options.AutomaticTax = new SubscriptionAutomaticTaxOptions
+        {
+            Enabled = ShouldBeEnabled(subscription.Customer)
+        };
+        options.DefaultTaxRates = [];
+    }
+
+    public SubscriptionUpdateOptions? GetUpdateOptions(Subscription subscription)
+    {
+        if (!featureService.IsEnabled(FeatureFlagKeys.PM19422_AllowAutomaticTaxUpdates))
+        {
+            return null;
+        }
+
+        if (subscription.AutomaticTax.Enabled == ShouldBeEnabled(subscription.Customer))
+        {
+            return null;
+        }
+
+        var options = new SubscriptionUpdateOptions
+        {
+            AutomaticTax = new SubscriptionAutomaticTaxOptions
+            {
+                Enabled = ShouldBeEnabled(subscription.Customer),
+            },
+            DefaultTaxRates = []
+        };
+
+        return options;
+    }
+
+    public void SetInvoiceCreatePreviewOptions(InvoiceCreatePreviewOptions options)
+    {
+        options.AutomaticTax = new InvoiceAutomaticTaxOptions { Enabled = true };
+    }
+
+    private static bool ShouldBeEnabled(Customer customer)
+    {
+        return customer.HasTaxLocationVerified();
+    }
+}
diff --git a/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs b/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
index 8b773f1cef..a4d22cfa3e 100644
--- a/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
+++ b/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
@@ -1,9 +1,11 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Billing.Caches;
 using Bit.Core.Billing.Constants;
+using Bit.Core.Billing.Extensions;
 using Bit.Core.Billing.Models;
 using Bit.Core.Billing.Models.Sales;
 using Bit.Core.Billing.Pricing;
+using Bit.Core.Billing.Services.Contracts;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
@@ -23,6 +25,7 @@ namespace Bit.Core.Billing.Services.Implementations;
 
 public class OrganizationBillingService(
     IBraintreeGateway braintreeGateway,
+    IFeatureService featureService,
     IGlobalSettings globalSettings,
     ILogger<OrganizationBillingService> logger,
     IOrganizationRepository organizationRepository,
@@ -30,7 +33,8 @@ public class OrganizationBillingService(
     ISetupIntentCache setupIntentCache,
     IStripeAdapter stripeAdapter,
     ISubscriberService subscriberService,
-    ITaxService taxService) : IOrganizationBillingService
+    ITaxService taxService,
+    IAutomaticTaxFactory automaticTaxFactory) : IOrganizationBillingService
 {
     public async Task Finalize(OrganizationSale sale)
     {
@@ -143,7 +147,7 @@ public class OrganizationBillingService(
             Coupon = customerSetup.Coupon,
             Description = organization.DisplayBusinessName(),
             Email = organization.BillingEmail,
-            Expand = ["tax"],
+            Expand = ["tax", "tax_ids"],
             InvoiceSettings = new CustomerInvoiceSettingsOptions
             {
                 CustomFields = [
@@ -369,21 +373,8 @@ public class OrganizationBillingService(
             }
         }
 
-        var customerHasTaxInfo = customer is
-        {
-            Address:
-            {
-                Country: not null and not "",
-                PostalCode: not null and not ""
-            }
-        };
-
         var subscriptionCreateOptions = new SubscriptionCreateOptions
         {
-            AutomaticTax = new SubscriptionAutomaticTaxOptions
-            {
-                Enabled = customerHasTaxInfo
-            },
             CollectionMethod = StripeConstants.CollectionMethod.ChargeAutomatically,
             Customer = customer.Id,
             Items = subscriptionItemOptionsList,
@@ -395,6 +386,18 @@ public class OrganizationBillingService(
             TrialPeriodDays = subscriptionSetup.SkipTrial ? 0 : plan.TrialPeriodDays
         };
 
+        if (featureService.IsEnabled(FeatureFlagKeys.PM19147_AutomaticTaxImprovements))
+        {
+            var automaticTaxParameters = new AutomaticTaxFactoryParameters(subscriptionSetup.PlanType);
+            var automaticTaxStrategy = await automaticTaxFactory.CreateAsync(automaticTaxParameters);
+            automaticTaxStrategy.SetCreateOptions(subscriptionCreateOptions, customer);
+        }
+        else
+        {
+            subscriptionCreateOptions.AutomaticTax ??= new SubscriptionAutomaticTaxOptions();
+            subscriptionCreateOptions.AutomaticTax.Enabled = customer.HasBillingLocation();
+        }
+
         return await stripeAdapter.SubscriptionCreateAsync(subscriptionCreateOptions);
     }
 
diff --git a/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs b/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
index c00a151aa1..6746a8cc98 100644
--- a/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
+++ b/src/Core/Billing/Services/Implementations/PremiumUserBillingService.cs
@@ -2,6 +2,7 @@
 using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Models;
 using Bit.Core.Billing.Models.Sales;
+using Bit.Core.Billing.Services.Implementations.AutomaticTax;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -9,6 +10,7 @@ using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
 using Braintree;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Stripe;
 using Customer = Stripe.Customer;
@@ -20,12 +22,14 @@ using static Utilities;
 
 public class PremiumUserBillingService(
     IBraintreeGateway braintreeGateway,
+    IFeatureService featureService,
     IGlobalSettings globalSettings,
     ILogger<PremiumUserBillingService> logger,
     ISetupIntentCache setupIntentCache,
     IStripeAdapter stripeAdapter,
     ISubscriberService subscriberService,
-    IUserRepository userRepository) : IPremiumUserBillingService
+    IUserRepository userRepository,
+    [FromKeyedServices(AutomaticTaxFactory.PersonalUse)] IAutomaticTaxStrategy automaticTaxStrategy) : IPremiumUserBillingService
 {
     public async Task Credit(User user, decimal amount)
     {
@@ -318,10 +322,6 @@ public class PremiumUserBillingService(
 
         var subscriptionCreateOptions = new SubscriptionCreateOptions
         {
-            AutomaticTax = new SubscriptionAutomaticTaxOptions
-            {
-                Enabled = customer.Tax?.AutomaticTax == StripeConstants.AutomaticTaxStatus.Supported,
-            },
             CollectionMethod = StripeConstants.CollectionMethod.ChargeAutomatically,
             Customer = customer.Id,
             Items = subscriptionItemOptionsList,
@@ -335,6 +335,18 @@ public class PremiumUserBillingService(
             OffSession = true
         };
 
+        if (featureService.IsEnabled(FeatureFlagKeys.PM19147_AutomaticTaxImprovements))
+        {
+            automaticTaxStrategy.SetCreateOptions(subscriptionCreateOptions, customer);
+        }
+        else
+        {
+            subscriptionCreateOptions.AutomaticTax = new SubscriptionAutomaticTaxOptions
+            {
+                Enabled = customer.Tax?.AutomaticTax == StripeConstants.AutomaticTaxStatus.Supported,
+            };
+        }
+
         var subscription = await stripeAdapter.SubscriptionCreateAsync(subscriptionCreateOptions);
 
         if (usingPayPal)
diff --git a/src/Core/Billing/Services/Implementations/SubscriberService.cs b/src/Core/Billing/Services/Implementations/SubscriberService.cs
index b2dca19e80..e4b0594433 100644
--- a/src/Core/Billing/Services/Implementations/SubscriberService.cs
+++ b/src/Core/Billing/Services/Implementations/SubscriberService.cs
@@ -1,6 +1,7 @@
 using Bit.Core.Billing.Caches;
 using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Models;
+using Bit.Core.Billing.Services.Contracts;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -20,11 +21,13 @@ namespace Bit.Core.Billing.Services.Implementations;
 
 public class SubscriberService(
     IBraintreeGateway braintreeGateway,
+    IFeatureService featureService,
     IGlobalSettings globalSettings,
     ILogger<SubscriberService> logger,
     ISetupIntentCache setupIntentCache,
     IStripeAdapter stripeAdapter,
-    ITaxService taxService) : ISubscriberService
+    ITaxService taxService,
+    IAutomaticTaxFactory automaticTaxFactory) : ISubscriberService
 {
     public async Task CancelSubscription(
         ISubscriber subscriber,
@@ -438,7 +441,8 @@ public class SubscriberService(
         ArgumentNullException.ThrowIfNull(subscriber);
         ArgumentNullException.ThrowIfNull(tokenizedPaymentSource);
 
-        var customer = await GetCustomerOrThrow(subscriber);
+        var customerGetOptions = new CustomerGetOptions { Expand = ["tax", "tax_ids"] };
+        var customer = await GetCustomerOrThrow(subscriber, customerGetOptions);
 
         var (type, token) = tokenizedPaymentSource;
 
@@ -597,7 +601,7 @@ public class SubscriberService(
             Expand = ["subscriptions", "tax", "tax_ids"]
         });
 
-        await stripeAdapter.CustomerUpdateAsync(customer.Id, new CustomerUpdateOptions
+        customer = await stripeAdapter.CustomerUpdateAsync(customer.Id, new CustomerUpdateOptions
         {
             Address = new AddressOptions
             {
@@ -607,7 +611,8 @@ public class SubscriberService(
                 Line2 = taxInformation.Line2,
                 City = taxInformation.City,
                 State = taxInformation.State
-            }
+            },
+            Expand = ["subscriptions", "tax", "tax_ids"]
         });
 
         var taxId = customer.TaxIds?.FirstOrDefault();
@@ -661,21 +666,42 @@ public class SubscriberService(
             }
         }
 
-        if (SubscriberIsEligibleForAutomaticTax(subscriber, customer))
+        if (featureService.IsEnabled(FeatureFlagKeys.PM19147_AutomaticTaxImprovements))
         {
-            await stripeAdapter.SubscriptionUpdateAsync(subscriber.GatewaySubscriptionId,
-                new SubscriptionUpdateOptions
+            if (!string.IsNullOrEmpty(subscriber.GatewaySubscriptionId))
+            {
+                var subscriptionGetOptions = new SubscriptionGetOptions
                 {
-                    AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true }
-                });
+                    Expand = ["customer.tax", "customer.tax_ids"]
+                };
+                var subscription = await stripeAdapter.SubscriptionGetAsync(subscriber.GatewaySubscriptionId, subscriptionGetOptions);
+                var automaticTaxParameters = new AutomaticTaxFactoryParameters(subscriber, subscription.Items.Select(x => x.Price.Id));
+                var automaticTaxStrategy = await automaticTaxFactory.CreateAsync(automaticTaxParameters);
+                var automaticTaxOptions = automaticTaxStrategy.GetUpdateOptions(subscription);
+                if (automaticTaxOptions?.AutomaticTax?.Enabled != null)
+                {
+                    await stripeAdapter.SubscriptionUpdateAsync(subscriber.GatewaySubscriptionId, automaticTaxOptions);
+                }
+            }
         }
+        else
+        {
+            if (SubscriberIsEligibleForAutomaticTax(subscriber, customer))
+            {
+                await stripeAdapter.SubscriptionUpdateAsync(subscriber.GatewaySubscriptionId,
+                    new SubscriptionUpdateOptions
+                    {
+                        AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true }
+                    });
+            }
 
-        return;
+            return;
 
-        bool SubscriberIsEligibleForAutomaticTax(ISubscriber localSubscriber, Customer localCustomer)
-            => !string.IsNullOrEmpty(localSubscriber.GatewaySubscriptionId) &&
-               (localCustomer.Subscriptions?.Any(sub => sub.Id == localSubscriber.GatewaySubscriptionId && !sub.AutomaticTax.Enabled) ?? false) &&
-               localCustomer.Tax?.AutomaticTax == StripeConstants.AutomaticTaxStatus.Supported;
+            bool SubscriberIsEligibleForAutomaticTax(ISubscriber localSubscriber, Customer localCustomer)
+                => !string.IsNullOrEmpty(localSubscriber.GatewaySubscriptionId) &&
+                   (localCustomer.Subscriptions?.Any(sub => sub.Id == localSubscriber.GatewaySubscriptionId && !sub.AutomaticTax.Enabled) ?? false) &&
+                   localCustomer.Tax?.AutomaticTax == StripeConstants.AutomaticTaxStatus.Supported;
+        }
     }
 
     public async Task VerifyBankAccount(
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index b772002dbb..310b917bf7 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -148,6 +148,8 @@ public static class FeatureFlagKeys
     public const string P15179_AddExistingOrgsFromProviderPortal = "pm-15179-add-existing-orgs-from-provider-portal";
     public const string PM12276Breadcrumbing = "pm-12276-breadcrumbing-for-business-features";
     public const string PM18794_ProviderPaymentMethod = "pm-18794-provider-payment-method";
+    public const string PM19147_AutomaticTaxImprovements = "pm-19147-automatic-tax-improvements";
+    public const string PM19422_AllowAutomaticTaxUpdates = "pm-19422-allow-automatic-tax-updates";
 
     /* Key Management Team */
     public const string ReturnErrorOnExistingKeypair = "return-error-on-existing-keypair";
@@ -169,6 +171,7 @@ public static class FeatureFlagKeys
     public const string SingleTapPasskeyAuthentication = "single-tap-passkey-authentication";
     public const string EnablePMAuthenticatorSync = "enable-pm-bwa-sync";
     public const string PM3503_MobileAnonAddySelfHostAlias = "anon-addy-self-host-alias";
+
     public const string PM3553_MobileSimpleLoginSelfHostAlias = "simple-login-self-host-alias";
 
     /* Platform Team */
diff --git a/src/Core/Services/Implementations/StripePaymentService.cs b/src/Core/Services/Implementations/StripePaymentService.cs
index ca377407f4..cdcd14ca90 100644
--- a/src/Core/Services/Implementations/StripePaymentService.cs
+++ b/src/Core/Services/Implementations/StripePaymentService.cs
@@ -9,6 +9,8 @@ using Bit.Core.Billing.Models.Api.Responses;
 using Bit.Core.Billing.Models.Business;
 using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Services;
+using Bit.Core.Billing.Services.Contracts;
+using Bit.Core.Billing.Services.Implementations.AutomaticTax;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -16,6 +18,7 @@ using Bit.Core.Models.BitStripe;
 using Bit.Core.Models.Business;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Stripe;
 using PaymentMethod = Stripe.PaymentMethod;
@@ -36,6 +39,8 @@ public class StripePaymentService : IPaymentService
     private readonly ITaxService _taxService;
     private readonly ISubscriberService _subscriberService;
     private readonly IPricingClient _pricingClient;
+    private readonly IAutomaticTaxFactory _automaticTaxFactory;
+    private readonly IAutomaticTaxStrategy _personalUseTaxStrategy;
 
     public StripePaymentService(
         ITransactionRepository transactionRepository,
@@ -46,7 +51,9 @@ public class StripePaymentService : IPaymentService
         IFeatureService featureService,
         ITaxService taxService,
         ISubscriberService subscriberService,
-        IPricingClient pricingClient)
+        IPricingClient pricingClient,
+        IAutomaticTaxFactory automaticTaxFactory,
+        [FromKeyedServices(AutomaticTaxFactory.PersonalUse)] IAutomaticTaxStrategy personalUseTaxStrategy)
     {
         _transactionRepository = transactionRepository;
         _logger = logger;
@@ -57,6 +64,8 @@ public class StripePaymentService : IPaymentService
         _taxService = taxService;
         _subscriberService = subscriberService;
         _pricingClient = pricingClient;
+        _automaticTaxFactory = automaticTaxFactory;
+        _personalUseTaxStrategy = personalUseTaxStrategy;
     }
 
     private async Task ChangeOrganizationSponsorship(
@@ -91,9 +100,7 @@ public class StripePaymentService : IPaymentService
         SubscriptionUpdate subscriptionUpdate, bool invoiceNow = false)
     {
         // remember, when in doubt, throw
-        var subGetOptions = new SubscriptionGetOptions();
-        // subGetOptions.AddExpand("customer");
-        subGetOptions.AddExpand("customer.tax");
+        var subGetOptions = new SubscriptionGetOptions { Expand = ["customer.tax", "customer.tax_ids"] };
         var sub = await _stripeAdapter.SubscriptionGetAsync(subscriber.GatewaySubscriptionId, subGetOptions);
         if (sub == null)
         {
@@ -124,7 +131,19 @@ public class StripePaymentService : IPaymentService
                 new SubscriptionPendingInvoiceItemIntervalOptions { Interval = "month" };
         }
 
-        subUpdateOptions.EnableAutomaticTax(sub.Customer, sub);
+        if (subscriptionUpdate is CompleteSubscriptionUpdate)
+        {
+            if (_featureService.IsEnabled(FeatureFlagKeys.PM19147_AutomaticTaxImprovements))
+            {
+                var automaticTaxParameters = new AutomaticTaxFactoryParameters(subscriber, updatedItemOptions.Select(x => x.Plan ?? x.Price));
+                var automaticTaxStrategy = await _automaticTaxFactory.CreateAsync(automaticTaxParameters);
+                automaticTaxStrategy.SetUpdateOptions(subUpdateOptions, sub);
+            }
+            else
+            {
+                subUpdateOptions.EnableAutomaticTax(sub.Customer, sub);
+            }
+        }
 
         if (!subscriptionUpdate.UpdateNeeded(sub))
         {
@@ -811,21 +830,46 @@ public class StripePaymentService : IPaymentService
                 });
             }
 
-            if (!string.IsNullOrEmpty(subscriber.GatewaySubscriptionId) &&
-                customer.Subscriptions.Any(sub =>
-                    sub.Id == subscriber.GatewaySubscriptionId &&
-                    !sub.AutomaticTax.Enabled) &&
-                customer.HasTaxLocationVerified())
+            if (_featureService.IsEnabled(FeatureFlagKeys.PM19147_AutomaticTaxImprovements))
             {
-                var subscriptionUpdateOptions = new SubscriptionUpdateOptions
+                if (!string.IsNullOrEmpty(subscriber.GatewaySubscriptionId))
                 {
-                    AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true },
-                    DefaultTaxRates = []
-                };
+                    var subscriptionGetOptions = new SubscriptionGetOptions
+                    {
+                        Expand = ["customer.tax", "customer.tax_ids"]
+                    };
+                    var subscription = await _stripeAdapter.SubscriptionGetAsync(subscriber.GatewaySubscriptionId, subscriptionGetOptions);
 
-                _ = await _stripeAdapter.SubscriptionUpdateAsync(
-                    subscriber.GatewaySubscriptionId,
-                    subscriptionUpdateOptions);
+                    var automaticTaxParameters = new AutomaticTaxFactoryParameters(subscriber, subscription.Items.Select(x => x.Price.Id));
+                    var automaticTaxStrategy = await _automaticTaxFactory.CreateAsync(automaticTaxParameters);
+                    var subscriptionUpdateOptions = automaticTaxStrategy.GetUpdateOptions(subscription);
+
+                    if (subscriptionUpdateOptions != null)
+                    {
+                        _ = await _stripeAdapter.SubscriptionUpdateAsync(
+                            subscriber.GatewaySubscriptionId,
+                            subscriptionUpdateOptions);
+                    }
+                }
+            }
+            else
+            {
+                if (!string.IsNullOrEmpty(subscriber.GatewaySubscriptionId) &&
+                    customer.Subscriptions.Any(sub =>
+                        sub.Id == subscriber.GatewaySubscriptionId &&
+                        !sub.AutomaticTax.Enabled) &&
+                    customer.HasTaxLocationVerified())
+                {
+                    var subscriptionUpdateOptions = new SubscriptionUpdateOptions
+                    {
+                        AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true },
+                        DefaultTaxRates = []
+                    };
+
+                    _ = await _stripeAdapter.SubscriptionUpdateAsync(
+                        subscriber.GatewaySubscriptionId,
+                        subscriptionUpdateOptions);
+                }
             }
         }
         catch
@@ -1214,6 +1258,8 @@ public class StripePaymentService : IPaymentService
             }
         }
 
+        _personalUseTaxStrategy.SetInvoiceCreatePreviewOptions(options);
+
         try
         {
             var invoice = await _stripeAdapter.InvoiceCreatePreviewAsync(options);
@@ -1256,10 +1302,6 @@ public class StripePaymentService : IPaymentService
 
         var options = new InvoiceCreatePreviewOptions
         {
-            AutomaticTax = new InvoiceAutomaticTaxOptions
-            {
-                Enabled = true,
-            },
             Currency = "usd",
             SubscriptionDetails = new InvoiceSubscriptionDetailsOptions
             {
@@ -1347,9 +1389,11 @@ public class StripePaymentService : IPaymentService
             ];
         }
 
+        Customer gatewayCustomer = null;
+
         if (!string.IsNullOrWhiteSpace(gatewayCustomerId))
         {
-            var gatewayCustomer = await _stripeAdapter.CustomerGetAsync(gatewayCustomerId);
+            gatewayCustomer = await _stripeAdapter.CustomerGetAsync(gatewayCustomerId);
 
             if (gatewayCustomer.Discount != null)
             {
@@ -1367,6 +1411,10 @@ public class StripePaymentService : IPaymentService
             }
         }
 
+        var automaticTaxFactoryParameters = new AutomaticTaxFactoryParameters(parameters.PasswordManager.Plan);
+        var automaticTaxStrategy = await _automaticTaxFactory.CreateAsync(automaticTaxFactoryParameters);
+        automaticTaxStrategy.SetInvoiceCreatePreviewOptions(options);
+
         try
         {
             var invoice = await _stripeAdapter.InvoiceCreatePreviewAsync(options);
diff --git a/test/Core.Test/Billing/Services/Implementations/AutomaticTax/BusinessUseAutomaticTaxStrategyTests.cs b/test/Core.Test/Billing/Services/Implementations/AutomaticTax/BusinessUseAutomaticTaxStrategyTests.cs
new file mode 100644
index 0000000000..dc40656275
--- /dev/null
+++ b/test/Core.Test/Billing/Services/Implementations/AutomaticTax/BusinessUseAutomaticTaxStrategyTests.cs
@@ -0,0 +1,492 @@
+using Bit.Core.Billing.Constants;
+using Bit.Core.Billing.Services.Implementations.AutomaticTax;
+using Bit.Core.Services;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Stripe;
+using Xunit;
+
+namespace Bit.Core.Test.Billing.Services.Implementations.AutomaticTax;
+
+[SutProviderCustomize]
+public class BusinessUseAutomaticTaxStrategyTests
+{
+    [Theory]
+    [BitAutoData]
+    public void GetUpdateOptions_ReturnsNull_WhenFeatureFlagAllowingToUpdateSubscriptionsIsDisabled(
+        SutProvider<BusinessUseAutomaticTaxStrategy> sutProvider)
+    {
+        var subscription = new Subscription();
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(Arg.Is<string>(p => p == FeatureFlagKeys.PM19422_AllowAutomaticTaxUpdates))
+            .Returns(false);
+
+        var actual = sutProvider.Sut.GetUpdateOptions(subscription);
+
+        Assert.Null(actual);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void GetUpdateOptions_ReturnsNull_WhenSubscriptionDoesNotNeedUpdating(
+        SutProvider<BusinessUseAutomaticTaxStrategy> sutProvider)
+    {
+        var subscription = new Subscription
+        {
+            AutomaticTax = new SubscriptionAutomaticTax
+            {
+                Enabled = true
+            },
+            Customer = new Customer
+            {
+                Address = new Address
+                {
+                    Country = "US",
+                },
+                Tax = new CustomerTax
+                {
+                    AutomaticTax = StripeConstants.AutomaticTaxStatus.Supported
+                }
+            }
+        };
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(Arg.Is<string>(p => p == FeatureFlagKeys.PM19422_AllowAutomaticTaxUpdates))
+            .Returns(true);
+
+        var actual = sutProvider.Sut.GetUpdateOptions(subscription);
+
+        Assert.Null(actual);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void GetUpdateOptions_SetsAutomaticTaxToFalse_WhenTaxLocationIsUnrecognizedOrInvalid(
+        SutProvider<BusinessUseAutomaticTaxStrategy> sutProvider)
+    {
+        var subscription = new Subscription
+        {
+            AutomaticTax = new SubscriptionAutomaticTax
+            {
+                Enabled = true
+            },
+            Customer = new Customer
+            {
+                Tax = new CustomerTax
+                {
+                    AutomaticTax = StripeConstants.AutomaticTaxStatus.UnrecognizedLocation
+                }
+            }
+        };
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(Arg.Is<string>(p => p == FeatureFlagKeys.PM19422_AllowAutomaticTaxUpdates))
+            .Returns(true);
+
+        var actual = sutProvider.Sut.GetUpdateOptions(subscription);
+
+        Assert.NotNull(actual);
+        Assert.False(actual.AutomaticTax.Enabled);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void GetUpdateOptions_SetsAutomaticTaxToTrue_ForAmericanCustomers(
+        SutProvider<BusinessUseAutomaticTaxStrategy> sutProvider)
+    {
+        var subscription = new Subscription
+        {
+            AutomaticTax = new SubscriptionAutomaticTax
+            {
+                Enabled = false
+            },
+            Customer = new Customer
+            {
+                Address = new Address
+                {
+                    Country = "US",
+                },
+                Tax = new CustomerTax
+                {
+                    AutomaticTax = StripeConstants.AutomaticTaxStatus.Supported
+                }
+            }
+        };
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(Arg.Is<string>(p => p == FeatureFlagKeys.PM19422_AllowAutomaticTaxUpdates))
+            .Returns(true);
+
+        var actual = sutProvider.Sut.GetUpdateOptions(subscription);
+
+        Assert.NotNull(actual);
+        Assert.True(actual.AutomaticTax.Enabled);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void GetUpdateOptions_SetsAutomaticTaxToTrue_ForGlobalCustomersWithTaxIds(
+        SutProvider<BusinessUseAutomaticTaxStrategy> sutProvider)
+    {
+        var subscription = new Subscription
+        {
+            AutomaticTax = new SubscriptionAutomaticTax
+            {
+                Enabled = false
+            },
+            Customer = new Customer
+            {
+                Address = new Address
+                {
+                    Country = "ES",
+                },
+                Tax = new CustomerTax
+                {
+                    AutomaticTax = StripeConstants.AutomaticTaxStatus.Supported
+                },
+                TaxIds = new StripeList<TaxId>
+                {
+                    Data = new List<TaxId>
+                    {
+                        new()
+                        {
+                            Country = "ES",
+                            Type = "eu_vat",
+                            Value = "ESZ8880999Z"
+                        }
+                    }
+                }
+            }
+        };
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(Arg.Is<string>(p => p == FeatureFlagKeys.PM19422_AllowAutomaticTaxUpdates))
+            .Returns(true);
+
+        var actual = sutProvider.Sut.GetUpdateOptions(subscription);
+
+        Assert.NotNull(actual);
+        Assert.True(actual.AutomaticTax.Enabled);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void GetUpdateOptions_ThrowsArgumentNullException_WhenTaxIdsIsNull(
+        SutProvider<BusinessUseAutomaticTaxStrategy> sutProvider)
+    {
+        var subscription = new Subscription
+        {
+            AutomaticTax = new SubscriptionAutomaticTax
+            {
+                Enabled = true
+            },
+            Customer = new Customer
+            {
+                Address = new Address
+                {
+                    Country = "ES",
+                },
+                Tax = new CustomerTax
+                {
+                    AutomaticTax = StripeConstants.AutomaticTaxStatus.Supported
+                },
+                TaxIds = null
+            }
+        };
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(Arg.Is<string>(p => p == FeatureFlagKeys.PM19422_AllowAutomaticTaxUpdates))
+            .Returns(true);
+
+        Assert.Throws<ArgumentNullException>(() => sutProvider.Sut.GetUpdateOptions(subscription));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void GetUpdateOptions_SetsAutomaticTaxToTrue_ForGlobalCustomersWithoutTaxIds(
+        SutProvider<BusinessUseAutomaticTaxStrategy> sutProvider)
+    {
+
+        var subscription = new Subscription
+        {
+            AutomaticTax = new SubscriptionAutomaticTax
+            {
+                Enabled = true
+            },
+            Customer = new Customer
+            {
+                Address = new Address
+                {
+                    Country = "ES",
+                },
+                Tax = new CustomerTax
+                {
+                    AutomaticTax = StripeConstants.AutomaticTaxStatus.Supported
+                },
+                TaxIds = new StripeList<TaxId>
+                {
+                    Data = new List<TaxId>()
+                }
+            }
+        };
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(Arg.Is<string>(p => p == FeatureFlagKeys.PM19422_AllowAutomaticTaxUpdates))
+            .Returns(true);
+
+        var actual = sutProvider.Sut.GetUpdateOptions(subscription);
+
+        Assert.NotNull(actual);
+        Assert.False(actual.AutomaticTax.Enabled);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SetUpdateOptions_SetsNothing_WhenFeatureFlagAllowingToUpdateSubscriptionsIsDisabled(
+        SutProvider<BusinessUseAutomaticTaxStrategy> sutProvider)
+    {
+        var options = new SubscriptionUpdateOptions();
+
+        var subscription = new Subscription
+        {
+            Customer = new Customer
+            {
+                Address = new()
+                {
+                    Country = "US"
+                }
+            }
+        };
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(Arg.Is<string>(p => p == FeatureFlagKeys.PM19422_AllowAutomaticTaxUpdates))
+            .Returns(false);
+
+        sutProvider.Sut.SetUpdateOptions(options, subscription);
+
+        Assert.Null(options.AutomaticTax);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SetUpdateOptions_SetsNothing_WhenSubscriptionDoesNotNeedUpdating(
+        SutProvider<BusinessUseAutomaticTaxStrategy> sutProvider)
+    {
+        var options = new SubscriptionUpdateOptions();
+
+        var subscription = new Subscription
+        {
+            AutomaticTax = new SubscriptionAutomaticTax
+            {
+                Enabled = true
+            },
+            Customer = new Customer
+            {
+                Address = new Address
+                {
+                    Country = "US",
+                },
+                Tax = new CustomerTax
+                {
+                    AutomaticTax = StripeConstants.AutomaticTaxStatus.Supported
+                }
+            }
+        };
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(Arg.Is<string>(p => p == FeatureFlagKeys.PM19422_AllowAutomaticTaxUpdates))
+            .Returns(true);
+
+        sutProvider.Sut.SetUpdateOptions(options, subscription);
+
+        Assert.Null(options.AutomaticTax);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SetUpdateOptions_SetsAutomaticTaxToFalse_WhenTaxLocationIsUnrecognizedOrInvalid(
+        SutProvider<BusinessUseAutomaticTaxStrategy> sutProvider)
+    {
+        var options = new SubscriptionUpdateOptions();
+
+        var subscription = new Subscription
+        {
+            AutomaticTax = new SubscriptionAutomaticTax
+            {
+                Enabled = true
+            },
+            Customer = new Customer
+            {
+                Tax = new CustomerTax
+                {
+                    AutomaticTax = StripeConstants.AutomaticTaxStatus.UnrecognizedLocation
+                }
+            }
+        };
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(Arg.Is<string>(p => p == FeatureFlagKeys.PM19422_AllowAutomaticTaxUpdates))
+            .Returns(true);
+
+        sutProvider.Sut.SetUpdateOptions(options, subscription);
+
+        Assert.False(options.AutomaticTax.Enabled);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SetUpdateOptions_SetsAutomaticTaxToTrue_ForAmericanCustomers(
+        SutProvider<BusinessUseAutomaticTaxStrategy> sutProvider)
+    {
+        var options = new SubscriptionUpdateOptions();
+
+        var subscription = new Subscription
+        {
+            AutomaticTax = new SubscriptionAutomaticTax
+            {
+                Enabled = false
+            },
+            Customer = new Customer
+            {
+                Address = new Address
+                {
+                    Country = "US",
+                },
+                Tax = new CustomerTax
+                {
+                    AutomaticTax = StripeConstants.AutomaticTaxStatus.Supported
+                }
+            }
+        };
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(Arg.Is<string>(p => p == FeatureFlagKeys.PM19422_AllowAutomaticTaxUpdates))
+            .Returns(true);
+
+        sutProvider.Sut.SetUpdateOptions(options, subscription);
+
+        Assert.True(options.AutomaticTax!.Enabled);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SetUpdateOptions_SetsAutomaticTaxToTrue_ForGlobalCustomersWithTaxIds(
+        SutProvider<BusinessUseAutomaticTaxStrategy> sutProvider)
+    {
+        var options = new SubscriptionUpdateOptions();
+
+        var subscription = new Subscription
+        {
+            AutomaticTax = new SubscriptionAutomaticTax
+            {
+                Enabled = false
+            },
+            Customer = new Customer
+            {
+                Address = new Address
+                {
+                    Country = "ES",
+                },
+                Tax = new CustomerTax
+                {
+                    AutomaticTax = StripeConstants.AutomaticTaxStatus.Supported
+                },
+                TaxIds = new StripeList<TaxId>
+                {
+                    Data = new List<TaxId>
+                    {
+                        new()
+                        {
+                            Country = "ES",
+                            Type = "eu_vat",
+                            Value = "ESZ8880999Z"
+                        }
+                    }
+                }
+            }
+        };
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(Arg.Is<string>(p => p == FeatureFlagKeys.PM19422_AllowAutomaticTaxUpdates))
+            .Returns(true);
+
+        sutProvider.Sut.SetUpdateOptions(options, subscription);
+
+        Assert.True(options.AutomaticTax!.Enabled);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SetUpdateOptions_ThrowsArgumentNullException_WhenTaxIdsIsNull(
+        SutProvider<BusinessUseAutomaticTaxStrategy> sutProvider)
+    {
+        var options = new SubscriptionUpdateOptions();
+
+        var subscription = new Subscription
+        {
+            AutomaticTax = new SubscriptionAutomaticTax
+            {
+                Enabled = true
+            },
+            Customer = new Customer
+            {
+                Address = new Address
+                {
+                    Country = "ES",
+                },
+                Tax = new CustomerTax
+                {
+                    AutomaticTax = StripeConstants.AutomaticTaxStatus.Supported
+                },
+                TaxIds = null
+            }
+        };
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(Arg.Is<string>(p => p == FeatureFlagKeys.PM19422_AllowAutomaticTaxUpdates))
+            .Returns(true);
+
+        Assert.Throws<ArgumentNullException>(() => sutProvider.Sut.SetUpdateOptions(options, subscription));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SetUpdateOptions_SetsAutomaticTaxToTrue_ForGlobalCustomersWithoutTaxIds(
+        SutProvider<BusinessUseAutomaticTaxStrategy> sutProvider)
+    {
+        var options = new SubscriptionUpdateOptions();
+
+        var subscription = new Subscription
+        {
+            AutomaticTax = new SubscriptionAutomaticTax
+            {
+                Enabled = true
+            },
+            Customer = new Customer
+            {
+                Address = new Address
+                {
+                    Country = "ES",
+                },
+                Tax = new CustomerTax
+                {
+                    AutomaticTax = StripeConstants.AutomaticTaxStatus.Supported
+                },
+                TaxIds = new StripeList<TaxId>
+                {
+                    Data = new List<TaxId>()
+                }
+            }
+        };
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(Arg.Is<string>(p => p == FeatureFlagKeys.PM19422_AllowAutomaticTaxUpdates))
+            .Returns(true);
+
+        sutProvider.Sut.SetUpdateOptions(options, subscription);
+
+        Assert.False(options.AutomaticTax!.Enabled);
+    }
+}
diff --git a/test/Core.Test/Billing/Services/Implementations/AutomaticTax/PersonalUseAutomaticTaxStrategyTests.cs b/test/Core.Test/Billing/Services/Implementations/AutomaticTax/PersonalUseAutomaticTaxStrategyTests.cs
new file mode 100644
index 0000000000..2d50c9f75a
--- /dev/null
+++ b/test/Core.Test/Billing/Services/Implementations/AutomaticTax/PersonalUseAutomaticTaxStrategyTests.cs
@@ -0,0 +1,217 @@
+using Bit.Core.Billing.Constants;
+using Bit.Core.Billing.Services.Implementations.AutomaticTax;
+using Bit.Core.Services;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Stripe;
+using Xunit;
+
+namespace Bit.Core.Test.Billing.Services.Implementations.AutomaticTax;
+
+[SutProviderCustomize]
+public class PersonalUseAutomaticTaxStrategyTests
+{
+    [Theory]
+    [BitAutoData]
+    public void GetUpdateOptions_ReturnsNull_WhenFeatureFlagAllowingToUpdateSubscriptionsIsDisabled(
+        SutProvider<PersonalUseAutomaticTaxStrategy> sutProvider)
+    {
+        var subscription = new Subscription();
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(Arg.Is<string>(p => p == FeatureFlagKeys.PM19422_AllowAutomaticTaxUpdates))
+            .Returns(false);
+
+        var actual = sutProvider.Sut.GetUpdateOptions(subscription);
+
+        Assert.Null(actual);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void GetUpdateOptions_ReturnsNull_WhenSubscriptionDoesNotNeedUpdating(
+        SutProvider<PersonalUseAutomaticTaxStrategy> sutProvider)
+    {
+        var subscription = new Subscription
+        {
+            AutomaticTax = new SubscriptionAutomaticTax
+            {
+                Enabled = true
+            },
+            Customer = new Customer
+            {
+                Address = new Address
+                {
+                    Country = "US",
+                },
+                Tax = new CustomerTax
+                {
+                    AutomaticTax = StripeConstants.AutomaticTaxStatus.Supported
+                }
+            }
+        };
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(Arg.Is<string>(p => p == FeatureFlagKeys.PM19422_AllowAutomaticTaxUpdates))
+            .Returns(true);
+
+        var actual = sutProvider.Sut.GetUpdateOptions(subscription);
+
+        Assert.Null(actual);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void GetUpdateOptions_SetsAutomaticTaxToFalse_WhenTaxLocationIsUnrecognizedOrInvalid(
+        SutProvider<PersonalUseAutomaticTaxStrategy> sutProvider)
+    {
+        var subscription = new Subscription
+        {
+            AutomaticTax = new SubscriptionAutomaticTax
+            {
+                Enabled = true
+            },
+            Customer = new Customer
+            {
+                Tax = new CustomerTax
+                {
+                    AutomaticTax = StripeConstants.AutomaticTaxStatus.UnrecognizedLocation
+                }
+            }
+        };
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(Arg.Is<string>(p => p == FeatureFlagKeys.PM19422_AllowAutomaticTaxUpdates))
+            .Returns(true);
+
+        var actual = sutProvider.Sut.GetUpdateOptions(subscription);
+
+        Assert.NotNull(actual);
+        Assert.False(actual.AutomaticTax.Enabled);
+    }
+
+    [Theory]
+    [BitAutoData("CA")]
+    [BitAutoData("ES")]
+    [BitAutoData("US")]
+    public void GetUpdateOptions_SetsAutomaticTaxToTrue_ForAllCountries(
+        string country, SutProvider<PersonalUseAutomaticTaxStrategy> sutProvider)
+    {
+        var subscription = new Subscription
+        {
+            AutomaticTax = new SubscriptionAutomaticTax
+            {
+                Enabled = false
+            },
+            Customer = new Customer
+            {
+                Address = new Address
+                {
+                    Country = country
+                },
+                Tax = new CustomerTax
+                {
+                    AutomaticTax = StripeConstants.AutomaticTaxStatus.Supported
+                }
+            }
+        };
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(Arg.Is<string>(p => p == FeatureFlagKeys.PM19422_AllowAutomaticTaxUpdates))
+            .Returns(true);
+
+        var actual = sutProvider.Sut.GetUpdateOptions(subscription);
+
+        Assert.NotNull(actual);
+        Assert.True(actual.AutomaticTax.Enabled);
+    }
+
+    [Theory]
+    [BitAutoData("CA")]
+    [BitAutoData("ES")]
+    [BitAutoData("US")]
+    public void GetUpdateOptions_SetsAutomaticTaxToTrue_ForGlobalCustomersWithTaxIds(
+        string country, SutProvider<PersonalUseAutomaticTaxStrategy> sutProvider)
+    {
+        var subscription = new Subscription
+        {
+            AutomaticTax = new SubscriptionAutomaticTax
+            {
+                Enabled = false
+            },
+            Customer = new Customer
+            {
+                Address = new Address
+                {
+                    Country = country,
+                },
+                Tax = new CustomerTax
+                {
+                    AutomaticTax = StripeConstants.AutomaticTaxStatus.Supported
+                },
+                TaxIds = new StripeList<TaxId>
+                {
+                    Data = new List<TaxId>
+                    {
+                        new()
+                        {
+                            Country = "ES",
+                            Type = "eu_vat",
+                            Value = "ESZ8880999Z"
+                        }
+                    }
+                }
+            }
+        };
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(Arg.Is<string>(p => p == FeatureFlagKeys.PM19422_AllowAutomaticTaxUpdates))
+            .Returns(true);
+
+        var actual = sutProvider.Sut.GetUpdateOptions(subscription);
+
+        Assert.NotNull(actual);
+        Assert.True(actual.AutomaticTax.Enabled);
+    }
+
+    [Theory]
+    [BitAutoData("CA")]
+    [BitAutoData("ES")]
+    [BitAutoData("US")]
+    public void GetUpdateOptions_SetsAutomaticTaxToTrue_ForGlobalCustomersWithoutTaxIds(
+        string country, SutProvider<PersonalUseAutomaticTaxStrategy> sutProvider)
+    {
+        var subscription = new Subscription
+        {
+            AutomaticTax = new SubscriptionAutomaticTax
+            {
+                Enabled = false
+            },
+            Customer = new Customer
+            {
+                Address = new Address
+                {
+                    Country = country
+                },
+                Tax = new CustomerTax
+                {
+                    AutomaticTax = StripeConstants.AutomaticTaxStatus.Supported
+                },
+                TaxIds = new StripeList<TaxId>
+                {
+                    Data = new List<TaxId>()
+                }
+            }
+        };
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(Arg.Is<string>(p => p == FeatureFlagKeys.PM19422_AllowAutomaticTaxUpdates))
+            .Returns(true);
+
+        var actual = sutProvider.Sut.GetUpdateOptions(subscription);
+
+        Assert.NotNull(actual);
+        Assert.True(actual.AutomaticTax.Enabled);
+    }
+}
diff --git a/test/Core.Test/Billing/Services/Implementations/AutomaticTaxFactoryTests.cs b/test/Core.Test/Billing/Services/Implementations/AutomaticTaxFactoryTests.cs
new file mode 100644
index 0000000000..7d5c9c3a26
--- /dev/null
+++ b/test/Core.Test/Billing/Services/Implementations/AutomaticTaxFactoryTests.cs
@@ -0,0 +1,105 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Models.StaticStore.Plans;
+using Bit.Core.Billing.Pricing;
+using Bit.Core.Billing.Services.Contracts;
+using Bit.Core.Billing.Services.Implementations.AutomaticTax;
+using Bit.Core.Entities;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.Billing.Services.Implementations;
+
+[SutProviderCustomize]
+public class AutomaticTaxFactoryTests
+{
+    [BitAutoData]
+    [Theory]
+    public async Task CreateAsync_ReturnsPersonalUseStrategy_WhenSubscriberIsUser(SutProvider<AutomaticTaxFactory> sut)
+    {
+        var parameters = new AutomaticTaxFactoryParameters(new User(), []);
+
+        var actual = await sut.Sut.CreateAsync(parameters);
+
+        Assert.IsType<PersonalUseAutomaticTaxStrategy>(actual);
+    }
+
+    [BitAutoData]
+    [Theory]
+    public async Task CreateAsync_ReturnsPersonalUseStrategy_WhenSubscriberIsOrganizationWithFamiliesAnnuallyPrice(
+        SutProvider<AutomaticTaxFactory> sut)
+    {
+        var familiesPlan = new FamiliesPlan();
+        var parameters = new AutomaticTaxFactoryParameters(new Organization(), [familiesPlan.PasswordManager.StripePlanId]);
+
+        sut.GetDependency<IPricingClient>()
+            .GetPlanOrThrow(Arg.Is<PlanType>(p => p == PlanType.FamiliesAnnually))
+            .Returns(new FamiliesPlan());
+
+        sut.GetDependency<IPricingClient>()
+            .GetPlanOrThrow(Arg.Is<PlanType>(p => p == PlanType.FamiliesAnnually2019))
+            .Returns(new Families2019Plan());
+
+        var actual = await sut.Sut.CreateAsync(parameters);
+
+        Assert.IsType<PersonalUseAutomaticTaxStrategy>(actual);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task CreateAsync_ReturnsBusinessUseStrategy_WhenSubscriberIsOrganizationWithBusinessUsePrice(
+        EnterpriseAnnually plan,
+        SutProvider<AutomaticTaxFactory> sut)
+    {
+        var parameters = new AutomaticTaxFactoryParameters(new Organization(), [plan.PasswordManager.StripePlanId]);
+
+        sut.GetDependency<IPricingClient>()
+            .GetPlanOrThrow(Arg.Is<PlanType>(p => p == PlanType.FamiliesAnnually))
+            .Returns(new FamiliesPlan());
+
+        sut.GetDependency<IPricingClient>()
+            .GetPlanOrThrow(Arg.Is<PlanType>(p => p == PlanType.FamiliesAnnually2019))
+            .Returns(new Families2019Plan());
+
+        var actual = await sut.Sut.CreateAsync(parameters);
+
+        Assert.IsType<BusinessUseAutomaticTaxStrategy>(actual);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task CreateAsync_ReturnsPersonalUseStrategy_WhenPlanIsMeantForPersonalUse(SutProvider<AutomaticTaxFactory> sut)
+    {
+        var parameters = new AutomaticTaxFactoryParameters(PlanType.FamiliesAnnually);
+        sut.GetDependency<IPricingClient>()
+            .GetPlanOrThrow(Arg.Is<PlanType>(p => p == parameters.PlanType.Value))
+            .Returns(new FamiliesPlan());
+
+        var actual = await sut.Sut.CreateAsync(parameters);
+
+        Assert.IsType<PersonalUseAutomaticTaxStrategy>(actual);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task CreateAsync_ReturnsBusinessUseStrategy_WhenPlanIsMeantForBusinessUse(SutProvider<AutomaticTaxFactory> sut)
+    {
+        var parameters = new AutomaticTaxFactoryParameters(PlanType.EnterpriseAnnually);
+        sut.GetDependency<IPricingClient>()
+            .GetPlanOrThrow(Arg.Is<PlanType>(p => p == parameters.PlanType.Value))
+            .Returns(new EnterprisePlan(true));
+
+        var actual = await sut.Sut.CreateAsync(parameters);
+
+        Assert.IsType<BusinessUseAutomaticTaxStrategy>(actual);
+    }
+
+    public record EnterpriseAnnually : EnterprisePlan
+    {
+        public EnterpriseAnnually() : base(true)
+        {
+        }
+    }
+}
diff --git a/test/Core.Test/Billing/Services/SubscriberServiceTests.cs b/test/Core.Test/Billing/Services/SubscriberServiceTests.cs
index 5b7a2cc8bd..9e4be78787 100644
--- a/test/Core.Test/Billing/Services/SubscriberServiceTests.cs
+++ b/test/Core.Test/Billing/Services/SubscriberServiceTests.cs
@@ -3,10 +3,13 @@ using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.Billing.Caches;
 using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Models;
+using Bit.Core.Billing.Services;
+using Bit.Core.Billing.Services.Contracts;
 using Bit.Core.Billing.Services.Implementations;
 using Bit.Core.Enums;
 using Bit.Core.Services;
 using Bit.Core.Settings;
+using Bit.Core.Test.Billing.Stubs;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Braintree;
@@ -1167,7 +1170,9 @@ public class SubscriberServiceTests
     {
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
 
-        stripeAdapter.CustomerGetAsync(provider.GatewayCustomerId)
+        stripeAdapter.CustomerGetAsync(
+                provider.GatewayCustomerId,
+                Arg.Is<CustomerGetOptions>(p => p.Expand.Contains("tax") || p.Expand.Contains("tax_ids")))
             .Returns(new Customer
             {
                 Id = provider.GatewayCustomerId,
@@ -1213,7 +1218,10 @@ public class SubscriberServiceTests
     {
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
 
-        stripeAdapter.CustomerGetAsync(provider.GatewayCustomerId)
+        stripeAdapter.CustomerGetAsync(
+                provider.GatewayCustomerId,
+                Arg.Is<CustomerGetOptions>(p => p.Expand.Contains("tax") || p.Expand.Contains("tax_ids"))
+                )
             .Returns(new Customer
             {
                 Id = provider.GatewayCustomerId,
@@ -1321,7 +1329,9 @@ public class SubscriberServiceTests
     {
         const string braintreeCustomerId = "braintree_customer_id";
 
-        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(provider.GatewayCustomerId)
+        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(
+                provider.GatewayCustomerId,
+                Arg.Is<CustomerGetOptions>(p => p.Expand.Contains("tax") || p.Expand.Contains("tax_ids")))
             .Returns(new Customer
             {
                 Id = provider.GatewayCustomerId,
@@ -1373,7 +1383,9 @@ public class SubscriberServiceTests
     {
         const string braintreeCustomerId = "braintree_customer_id";
 
-        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(provider.GatewayCustomerId)
+        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(
+                provider.GatewayCustomerId,
+                Arg.Is<CustomerGetOptions>(p => p.Expand.Contains("tax") || p.Expand.Contains("tax_ids")))
             .Returns(new Customer
             {
                 Id = provider.GatewayCustomerId,
@@ -1482,7 +1494,9 @@ public class SubscriberServiceTests
     {
         const string braintreeCustomerId = "braintree_customer_id";
 
-        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(provider.GatewayCustomerId)
+        sutProvider.GetDependency<IStripeAdapter>().CustomerGetAsync(
+                provider.GatewayCustomerId,
+                Arg.Is<CustomerGetOptions>(p => p.Expand.Contains("tax") || p.Expand.Contains("tax_ids")))
             .Returns(new Customer
             {
                 Id = provider.GatewayCustomerId
@@ -1561,6 +1575,37 @@ public class SubscriberServiceTests
             "Example Town",
             "NY");
 
+        sutProvider.GetDependency<IStripeAdapter>()
+            .CustomerUpdateAsync(
+                Arg.Is<string>(p => p == provider.GatewayCustomerId),
+                Arg.Is<CustomerUpdateOptions>(options =>
+                    options.Address.Country == "US" &&
+                    options.Address.PostalCode == "12345" &&
+                    options.Address.Line1 == "123 Example St." &&
+                    options.Address.Line2 == null &&
+                    options.Address.City == "Example Town" &&
+                    options.Address.State == "NY"))
+            .Returns(new Customer
+            {
+                Id = provider.GatewayCustomerId,
+                Address = new Address
+                {
+                    Country = "US",
+                    PostalCode = "12345",
+                    Line1 = "123 Example St.",
+                    Line2 = null,
+                    City = "Example Town",
+                    State = "NY"
+                },
+                TaxIds = new StripeList<TaxId> { Data = [new TaxId { Id = "tax_id_1", Type = "us_ein" }] }
+            });
+
+        var subscription = new Subscription { Items = new StripeList<SubscriptionItem>() };
+        sutProvider.GetDependency<IStripeAdapter>().SubscriptionGetAsync(Arg.Any<string>())
+            .Returns(subscription);
+        sutProvider.GetDependency<IAutomaticTaxFactory>().CreateAsync(Arg.Any<AutomaticTaxFactoryParameters>())
+            .Returns(new FakeAutomaticTaxStrategy(true));
+
         await sutProvider.Sut.UpdateTaxInformation(provider, taxInformation);
 
         await stripeAdapter.Received(1).CustomerUpdateAsync(provider.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(
diff --git a/test/Core.Test/Billing/Stubs/FakeAutomaticTaxStrategy.cs b/test/Core.Test/Billing/Stubs/FakeAutomaticTaxStrategy.cs
new file mode 100644
index 0000000000..253aead5c7
--- /dev/null
+++ b/test/Core.Test/Billing/Stubs/FakeAutomaticTaxStrategy.cs
@@ -0,0 +1,35 @@
+using Bit.Core.Billing.Services;
+using Stripe;
+
+namespace Bit.Core.Test.Billing.Stubs;
+
+/// <param name="isAutomaticTaxEnabled">
+/// Whether the subscription options will have automatic tax enabled or not.
+/// </param>
+public class FakeAutomaticTaxStrategy(
+    bool isAutomaticTaxEnabled) : IAutomaticTaxStrategy
+{
+    public SubscriptionUpdateOptions? GetUpdateOptions(Subscription subscription)
+    {
+        return new SubscriptionUpdateOptions
+        {
+            AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = isAutomaticTaxEnabled }
+        };
+    }
+
+    public void SetCreateOptions(SubscriptionCreateOptions options, Customer customer)
+    {
+        options.AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = isAutomaticTaxEnabled };
+    }
+
+    public void SetUpdateOptions(SubscriptionUpdateOptions options, Subscription subscription)
+    {
+        options.AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = isAutomaticTaxEnabled };
+    }
+
+    public void SetInvoiceCreatePreviewOptions(InvoiceCreatePreviewOptions options)
+    {
+        options.AutomaticTax = new InvoiceAutomaticTaxOptions { Enabled = isAutomaticTaxEnabled };
+
+    }
+}

From aef05f5fb67c8635238d4a690b9d075e554e9ca1 Mon Sep 17 00:00:00 2001
From: Jimmy Vo <huynhmaivo82@gmail.com>
Date: Wed, 2 Apr 2025 15:23:31 -0400
Subject: [PATCH 149/184] [PM-19290] Skip the notification step if no admin
 emails are available. (#5582)

---
 .../Implementations/AuthRequestService.cs     |  6 ++
 .../Auth/Services/AuthRequestServiceTests.cs  | 82 +++++++++++++++++++
 2 files changed, 88 insertions(+)

diff --git a/src/Core/Auth/Services/Implementations/AuthRequestService.cs b/src/Core/Auth/Services/Implementations/AuthRequestService.cs
index 42d51a88f5..0fd1846d00 100644
--- a/src/Core/Auth/Services/Implementations/AuthRequestService.cs
+++ b/src/Core/Auth/Services/Implementations/AuthRequestService.cs
@@ -289,6 +289,12 @@ public class AuthRequestService : IAuthRequestService
     {
         var adminEmails = await GetAdminAndAccountRecoveryEmailsAsync(organizationUser.OrganizationId);
 
+        if (adminEmails.Count == 0)
+        {
+            _logger.LogWarning("There are no admin emails to send to.");
+            return;
+        }
+
         await _mailService.SendDeviceApprovalRequestedNotificationEmailAsync(
             adminEmails,
             organizationUser.OrganizationId,
diff --git a/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs b/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs
index edd7a06fa7..eec6747c5f 100644
--- a/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs
+++ b/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs
@@ -17,6 +17,7 @@ using Bit.Core.Utilities;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Bit.Test.Common.Helpers;
+using Microsoft.Extensions.Logging;
 using NSubstitute;
 using Xunit;
 using GlobalSettings = Bit.Core.Settings.GlobalSettings;
@@ -395,6 +396,87 @@ public class AuthRequestServiceTests
                 user.Name);
     }
 
+
+    [Theory, BitAutoData]
+    public async Task CreateAuthRequestAsync_AdminApproval_WithAdminNotifications_AndNoAdminEmails_ShouldNotSendNotificationEmails(
+        SutProvider<AuthRequestService> sutProvider,
+        AuthRequestCreateRequestModel createModel,
+        User user,
+        OrganizationUser organizationUser1)
+    {
+        createModel.Type = AuthRequestType.AdminApproval;
+        user.Email = createModel.Email;
+        organizationUser1.UserId = user.Id;
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.DeviceApprovalRequestAdminNotifications)
+            .Returns(true);
+
+        sutProvider.GetDependency<IUserRepository>()
+            .GetByEmailAsync(user.Email)
+            .Returns(user);
+
+        sutProvider.GetDependency<ICurrentContext>()
+            .DeviceType
+            .Returns(DeviceType.ChromeExtension);
+
+        sutProvider.GetDependency<ICurrentContext>()
+            .UserId
+            .Returns(user.Id);
+
+        sutProvider.GetDependency<IGlobalSettings>()
+            .PasswordlessAuth.KnownDevicesOnly
+            .Returns(false);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(user.Id)
+            .Returns(new List<OrganizationUser>
+            {
+                organizationUser1,
+            });
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByMinimumRoleAsync(organizationUser1.OrganizationId, OrganizationUserType.Admin)
+            .Returns([]);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyDetailsByRoleAsync(organizationUser1.OrganizationId, OrganizationUserType.Custom)
+            .Returns([]);
+
+        sutProvider.GetDependency<IAuthRequestRepository>()
+            .CreateAsync(Arg.Any<AuthRequest>())
+            .Returns(c => c.ArgAt<AuthRequest>(0));
+
+        var authRequest = await sutProvider.Sut.CreateAuthRequestAsync(createModel);
+
+        Assert.Equal(organizationUser1.OrganizationId, authRequest.OrganizationId);
+
+        await sutProvider.GetDependency<IAuthRequestRepository>()
+            .Received(1)
+            .CreateAsync(Arg.Is<AuthRequest>(o => o.OrganizationId == organizationUser1.OrganizationId));
+
+        await sutProvider.GetDependency<IAuthRequestRepository>()
+            .Received(1)
+            .CreateAsync(Arg.Any<AuthRequest>());
+
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogUserEventAsync(user.Id, EventType.User_RequestedDeviceApproval);
+
+        await sutProvider.GetDependency<IMailService>()
+            .Received(0)
+            .SendDeviceApprovalRequestedNotificationEmailAsync(
+                Arg.Any<IEnumerable<string>>(),
+                Arg.Any<Guid>(),
+                Arg.Any<string>(),
+                Arg.Any<string>());
+
+        var expectedLogMessage = "There are no admin emails to send to.";
+        sutProvider.GetDependency<ILogger<AuthRequestService>>()
+            .Received(1)
+            .LogWarning(expectedLogMessage);
+    }
+
     /// <summary>
     /// Story: When an <see cref="AuthRequest"> is approved we want to update it in the database so it cannot have
     /// it's status changed again and we want to push a notification to let the user know of the approval.

From 7b2b62e794e1b89703a8d8ca46254bb18b8005a0 Mon Sep 17 00:00:00 2001
From: Nick Krantz <125900171+nick-livefront@users.noreply.github.com>
Date: Wed, 2 Apr 2025 15:18:53 -0500
Subject: [PATCH 150/184] [PM-18858] Security Task email plurality (#5588)

* use handlebars helper for plurality of text rather than logic within the template

* Remove `TaskCountPlural` - unused
---
 .../Handlebars/Layouts/SecurityTasks.html.hbs |  7 ++----
 .../Handlebars/Layouts/SecurityTasks.text.hbs |  4 +---
 .../Mail/SecurityTaskNotificationViewModel.cs |  2 --
 .../Implementations/HandlebarsMailService.cs  | 23 +++++++++++++++++++
 4 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/src/Core/MailTemplates/Handlebars/Layouts/SecurityTasks.html.hbs b/src/Core/MailTemplates/Handlebars/Layouts/SecurityTasks.html.hbs
index 930d39eeee..67537b81a7 100644
--- a/src/Core/MailTemplates/Handlebars/Layouts/SecurityTasks.html.hbs
+++ b/src/Core/MailTemplates/Handlebars/Layouts/SecurityTasks.html.hbs
@@ -6,11 +6,8 @@
       <table border="0" cellpadding="0" cellspacing="0" width="100%"
         style="padding-left:30px; padding-right: 5px; padding-top: 20px;">
         <tr>
-          <td
-            style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 24px; color: #ffffff; line-height: 32px; font-weight: 500; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
-            {{OrgName}} has identified {{TaskCount}} critical login{{#if TaskCountPlural}}s{{/if}} that require{{#unless
-            TaskCountPlural}}s{{/unless}} a
-            password change
+          <td style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 24px; color: #ffffff; line-height: 32px; font-weight: 500; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+            {{OrgName}} has identified {{TaskCount}} critical {{plurality TaskCount "login" "logins"}} that {{plurality TaskCount "requires" "require"}} a password change
           </td>
         </tr>
       </table>
diff --git a/src/Core/MailTemplates/Handlebars/Layouts/SecurityTasks.text.hbs b/src/Core/MailTemplates/Handlebars/Layouts/SecurityTasks.text.hbs
index f9befac46c..009e2b923f 100644
--- a/src/Core/MailTemplates/Handlebars/Layouts/SecurityTasks.text.hbs
+++ b/src/Core/MailTemplates/Handlebars/Layouts/SecurityTasks.text.hbs
@@ -1,7 +1,5 @@
 {{#>FullTextLayout}}
-{{OrgName}} has identified {{TaskCount}} critical login{{#if TaskCountPlural}}s{{/if}} that require{{#unless
-TaskCountPlural}}s{{/unless}} a
-password change
+{{OrgName}} has identified {{TaskCount}} critical {{plurality TaskCount "login" "logins"}} that {{plurality TaskCount "requires" "require"}} a password change
 
 {{>@partial-block}}
 
diff --git a/src/Core/Models/Mail/SecurityTaskNotificationViewModel.cs b/src/Core/Models/Mail/SecurityTaskNotificationViewModel.cs
index 9b4ede6e01..d41ca41146 100644
--- a/src/Core/Models/Mail/SecurityTaskNotificationViewModel.cs
+++ b/src/Core/Models/Mail/SecurityTaskNotificationViewModel.cs
@@ -6,8 +6,6 @@ public class SecurityTaskNotificationViewModel : BaseMailModel
 
     public int TaskCount { get; set; }
 
-    public bool TaskCountPlural => TaskCount != 1;
-
     public List<string> AdminOwnerEmails { get; set; }
 
     public string ReviewPasswordsUrl => $"{WebVaultUrl}/browser-extension-prompt";
diff --git a/src/Core/Services/Implementations/HandlebarsMailService.cs b/src/Core/Services/Implementations/HandlebarsMailService.cs
index 430636f44d..a551342324 100644
--- a/src/Core/Services/Implementations/HandlebarsMailService.cs
+++ b/src/Core/Services/Implementations/HandlebarsMailService.cs
@@ -794,6 +794,29 @@ public class HandlebarsMailService : IMailService
 
             writer.WriteSafeString($"{outputMessage}");
         });
+
+        // Returns the singular or plural form of a word based on the provided numeric value.
+        Handlebars.RegisterHelper("plurality", (writer, context, parameters) =>
+        {
+            if (parameters.Length != 3)
+            {
+                writer.WriteSafeString(string.Empty);
+                return;
+            }
+
+            var numeric = parameters[0];
+            var singularText = parameters[1].ToString();
+            var pluralText = parameters[2].ToString();
+
+            if (numeric is int number)
+            {
+                writer.WriteSafeString(number == 1 ? singularText : pluralText);
+            }
+            else
+            {
+                writer.WriteSafeString(string.Empty);
+            }
+        });
     }
 
     public async Task SendEmergencyAccessInviteEmailAsync(EmergencyAccess emergencyAccess, string name, string token)

From d4a3cd00befd4faf612e942b7a6dfa374c69054e Mon Sep 17 00:00:00 2001
From: Shane Melton <smelton@bitwarden.com>
Date: Wed, 2 Apr 2025 13:44:59 -0700
Subject: [PATCH 151/184] [PM-17563] Add missing TaskId and HubHelper for
 PendingSecurityTasks (#5591)

* [PM-17563] Add case for PushType.PendingSecurityTasks

* [PM-17563] Add missing TaskId property to NotificationStatusDetails and NotificationResponseModel

* [PM-17563] Add migration script to re-create NotificationStatusDetailsView to include TaskId column

* [PM-17563] Select explicit columns for NotificationStatusDetailsView and fix migration script
---
 .../Response/NotificationResponseModel.cs     |  3 +++
 .../Models/Data/NotificationStatusDetails.cs  |  1 +
 .../NotificationStatusDetailsViewQuery.cs     |  1 +
 src/Notifications/HubHelpers.cs               |  5 ++++
 .../Views/NotificationStatusDetailsView.sql   | 18 ++++++++++---
 .../NotificationsControllerTests.cs           |  3 +++
 .../NotificationResponseModelTests.cs         |  2 ++
 ...4-01_00_RecreateNotificationStatusView.sql | 25 +++++++++++++++++++
 8 files changed, 54 insertions(+), 4 deletions(-)
 create mode 100644 util/Migrator/DbScripts/2025-04-01_00_RecreateNotificationStatusView.sql

diff --git a/src/Api/NotificationCenter/Models/Response/NotificationResponseModel.cs b/src/Api/NotificationCenter/Models/Response/NotificationResponseModel.cs
index 1ebed87de2..ab882d5557 100644
--- a/src/Api/NotificationCenter/Models/Response/NotificationResponseModel.cs
+++ b/src/Api/NotificationCenter/Models/Response/NotificationResponseModel.cs
@@ -22,6 +22,7 @@ public class NotificationResponseModel : ResponseModel
         Title = notificationStatusDetails.Title;
         Body = notificationStatusDetails.Body;
         Date = notificationStatusDetails.RevisionDate;
+        TaskId = notificationStatusDetails.TaskId;
         ReadDate = notificationStatusDetails.ReadDate;
         DeletedDate = notificationStatusDetails.DeletedDate;
     }
@@ -40,6 +41,8 @@ public class NotificationResponseModel : ResponseModel
 
     public DateTime Date { get; set; }
 
+    public Guid? TaskId { get; set; }
+
     public DateTime? ReadDate { get; set; }
 
     public DateTime? DeletedDate { get; set; }
diff --git a/src/Core/NotificationCenter/Models/Data/NotificationStatusDetails.cs b/src/Core/NotificationCenter/Models/Data/NotificationStatusDetails.cs
index d48985e725..5ad8decb94 100644
--- a/src/Core/NotificationCenter/Models/Data/NotificationStatusDetails.cs
+++ b/src/Core/NotificationCenter/Models/Data/NotificationStatusDetails.cs
@@ -19,6 +19,7 @@ public class NotificationStatusDetails
     public string? Body { get; set; }
     public DateTime CreationDate { get; set; }
     public DateTime RevisionDate { get; set; }
+    public Guid? TaskId { get; set; }
     // Notification Status fields
     public DateTime? ReadDate { get; set; }
     public DateTime? DeletedDate { get; set; }
diff --git a/src/Infrastructure.EntityFramework/NotificationCenter/Repositories/Queries/NotificationStatusDetailsViewQuery.cs b/src/Infrastructure.EntityFramework/NotificationCenter/Repositories/Queries/NotificationStatusDetailsViewQuery.cs
index 2f8bade1d3..41f8610101 100644
--- a/src/Infrastructure.EntityFramework/NotificationCenter/Repositories/Queries/NotificationStatusDetailsViewQuery.cs
+++ b/src/Infrastructure.EntityFramework/NotificationCenter/Repositories/Queries/NotificationStatusDetailsViewQuery.cs
@@ -52,6 +52,7 @@ public class NotificationStatusDetailsViewQuery(Guid userId, ClientType clientTy
             ClientType = x.n.ClientType,
             UserId = x.n.UserId,
             OrganizationId = x.n.OrganizationId,
+            TaskId = x.n.TaskId,
             Title = x.n.Title,
             Body = x.n.Body,
             CreationDate = x.n.CreationDate,
diff --git a/src/Notifications/HubHelpers.cs b/src/Notifications/HubHelpers.cs
index 8fa74f7b84..441842da3b 100644
--- a/src/Notifications/HubHelpers.cs
+++ b/src/Notifications/HubHelpers.cs
@@ -135,6 +135,11 @@ public static class HubHelpers
                 }
 
                 break;
+            case PushType.PendingSecurityTasks:
+                var pendingTasksData = JsonSerializer.Deserialize<PushNotificationData<UserPushNotification>>(notificationJson, _deserializerOptions);
+                await hubContext.Clients.User(pendingTasksData.Payload.UserId.ToString())
+                    .SendAsync(_receiveMessageMethod, pendingTasksData, cancellationToken);
+                break;
             default:
                 break;
         }
diff --git a/src/Sql/NotificationCenter/dbo/Views/NotificationStatusDetailsView.sql b/src/Sql/NotificationCenter/dbo/Views/NotificationStatusDetailsView.sql
index 5264be2009..57298152c7 100644
--- a/src/Sql/NotificationCenter/dbo/Views/NotificationStatusDetailsView.sql
+++ b/src/Sql/NotificationCenter/dbo/Views/NotificationStatusDetailsView.sql
@@ -1,10 +1,20 @@
 CREATE VIEW [dbo].[NotificationStatusDetailsView]
 AS
 SELECT
-    N.*,
-    NS.UserId AS NotificationStatusUserId,
-    NS.ReadDate,
-    NS.DeletedDate
+    N.[Id],
+    N.[Priority],
+    N.[Global],
+    N.[ClientType],
+    N.[UserId],
+    N.[OrganizationId],
+    N.[Title],
+    N.[Body],
+    N.[CreationDate],
+    N.[RevisionDate],
+    N.[TaskId],
+    NS.[UserId] AS [NotificationStatusUserId],
+    NS.[ReadDate],
+    NS.[DeletedDate]
 FROM
     [dbo].[Notification] AS N
 LEFT JOIN
diff --git a/test/Api.Test/NotificationCenter/Controllers/NotificationsControllerTests.cs b/test/Api.Test/NotificationCenter/Controllers/NotificationsControllerTests.cs
index b8b21ef419..094ef2918e 100644
--- a/test/Api.Test/NotificationCenter/Controllers/NotificationsControllerTests.cs
+++ b/test/Api.Test/NotificationCenter/Controllers/NotificationsControllerTests.cs
@@ -67,6 +67,7 @@ public class NotificationsControllerTests
             Assert.Equal(expectedNotificationStatusDetails.RevisionDate, notificationResponseModel.Date);
             Assert.Equal(expectedNotificationStatusDetails.ReadDate, notificationResponseModel.ReadDate);
             Assert.Equal(expectedNotificationStatusDetails.DeletedDate, notificationResponseModel.DeletedDate);
+            Assert.Equal(expectedNotificationStatusDetails.TaskId, notificationResponseModel.TaskId);
         });
         Assert.Null(listResponse.ContinuationToken);
 
@@ -116,6 +117,7 @@ public class NotificationsControllerTests
             Assert.Equal(expectedNotificationStatusDetails.RevisionDate, notificationResponseModel.Date);
             Assert.Equal(expectedNotificationStatusDetails.ReadDate, notificationResponseModel.ReadDate);
             Assert.Equal(expectedNotificationStatusDetails.DeletedDate, notificationResponseModel.DeletedDate);
+            Assert.Equal(expectedNotificationStatusDetails.TaskId, notificationResponseModel.TaskId);
         });
         Assert.Equal("2", listResponse.ContinuationToken);
 
@@ -164,6 +166,7 @@ public class NotificationsControllerTests
             Assert.Equal(expectedNotificationStatusDetails.RevisionDate, notificationResponseModel.Date);
             Assert.Equal(expectedNotificationStatusDetails.ReadDate, notificationResponseModel.ReadDate);
             Assert.Equal(expectedNotificationStatusDetails.DeletedDate, notificationResponseModel.DeletedDate);
+            Assert.Equal(expectedNotificationStatusDetails.TaskId, notificationResponseModel.TaskId);
         });
         Assert.Null(listResponse.ContinuationToken);
 
diff --git a/test/Api.Test/NotificationCenter/Models/Response/NotificationResponseModelTests.cs b/test/Api.Test/NotificationCenter/Models/Response/NotificationResponseModelTests.cs
index f0dfc03fec..171b972575 100644
--- a/test/Api.Test/NotificationCenter/Models/Response/NotificationResponseModelTests.cs
+++ b/test/Api.Test/NotificationCenter/Models/Response/NotificationResponseModelTests.cs
@@ -26,6 +26,7 @@ public class NotificationResponseModelTests
             ClientType = ClientType.All,
             Title = "Test Title",
             Body = "Test Body",
+            TaskId = Guid.NewGuid(),
             RevisionDate = DateTime.UtcNow - TimeSpan.FromMinutes(3),
             ReadDate = DateTime.UtcNow - TimeSpan.FromMinutes(1),
             DeletedDate = DateTime.UtcNow,
@@ -39,5 +40,6 @@ public class NotificationResponseModelTests
         Assert.Equal(model.Date, notificationStatusDetails.RevisionDate);
         Assert.Equal(model.ReadDate, notificationStatusDetails.ReadDate);
         Assert.Equal(model.DeletedDate, notificationStatusDetails.DeletedDate);
+        Assert.Equal(model.TaskId, notificationStatusDetails.TaskId);
     }
 }
diff --git a/util/Migrator/DbScripts/2025-04-01_00_RecreateNotificationStatusView.sql b/util/Migrator/DbScripts/2025-04-01_00_RecreateNotificationStatusView.sql
new file mode 100644
index 0000000000..727218f9ab
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-04-01_00_RecreateNotificationStatusView.sql
@@ -0,0 +1,25 @@
+-- Recreate the NotificationStatusView to include the Notification.TaskId column
+CREATE OR ALTER VIEW [dbo].[NotificationStatusDetailsView]
+AS
+SELECT
+    N.[Id],
+    N.[Priority],
+    N.[Global],
+    N.[ClientType],
+    N.[UserId],
+    N.[OrganizationId],
+    N.[Title],
+    N.[Body],
+    N.[CreationDate],
+    N.[RevisionDate],
+    N.[TaskId],
+    NS.[UserId] AS [NotificationStatusUserId],
+    NS.[ReadDate],
+    NS.[DeletedDate]
+FROM
+    [dbo].[Notification] AS N
+    LEFT JOIN
+    [dbo].[NotificationStatus] as NS
+ON
+    N.[Id] = NS.[NotificationId]
+GO

From 0069866deaf23bc859973b43f9b0de875c9939ff Mon Sep 17 00:00:00 2001
From: Brandon Treston <btreston@bitwarden.com>
Date: Wed, 2 Apr 2025 17:07:05 -0400
Subject: [PATCH 152/184] override exempt status to include Invited (#5596)

---
 .../PolicyRequirements/ResetPasswordPolicyRequirement.cs        | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/ResetPasswordPolicyRequirement.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/ResetPasswordPolicyRequirement.cs
index 4feef1b088..b7d0b14f15 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/ResetPasswordPolicyRequirement.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/ResetPasswordPolicyRequirement.cs
@@ -34,6 +34,8 @@ public class ResetPasswordPolicyRequirementFactory : BasePolicyRequirementFactor
 
     protected override IEnumerable<OrganizationUserType> ExemptRoles => [];
 
+    protected override IEnumerable<OrganizationUserStatusType> ExemptStatuses => [OrganizationUserStatusType.Revoked];
+
     public override ResetPasswordPolicyRequirement Create(IEnumerable<PolicyDetails> policyDetails)
     {
         var result = policyDetails

From 8fd48374dc4942fba8c8c0cd9525776a503eb8aa Mon Sep 17 00:00:00 2001
From: Bernd Schoolmann <mail@quexten.com>
Date: Thu, 3 Apr 2025 11:30:49 +0200
Subject: [PATCH 153/184] [PM-2199] Implement userkey rotation for all TDE
 devices (#5446)

* Implement userkey rotation v2

* Update request models

* Cleanup

* Update tests

* Improve test

* Add tests

* Fix formatting

* Fix test

* Remove whitespace

* Fix namespace

* Enable nullable on models

* Fix build

* Add tests and enable nullable on masterpasswordunlockdatamodel

* Fix test

* Remove rollback

* Add tests

* Make masterpassword hint optional

* Update user query

* Add EF test

* Improve test

* Cleanup

* Set masterpassword hint

* Remove connection close

* Add tests for invalid kdf types

* Update test/Core.Test/KeyManagement/UserKey/RotateUserAccountKeysCommandTests.cs

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

* Fix formatting

* Update src/Api/KeyManagement/Models/Requests/RotateAccountKeysAndDataRequestModel.cs

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

* Update src/Api/Auth/Models/Request/Accounts/MasterPasswordUnlockDataModel.cs

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

* Update src/Api/Auth/Models/Request/Accounts/MasterPasswordUnlockDataModel.cs

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

* Update src/Api/KeyManagement/Models/Requests/AccountKeysRequestModel.cs

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

* Fix imports

* Fix tests

* Add poc for tde rotation

* Improve rotation transaction safety

* Add validator tests

* Clean up validator

* Add newline

* Add devicekey unlock data to integration test

* Fix tests

* Fix tests

* Remove null check

* Remove null check

* Fix IsTrusted returning wrong result

* Add rollback

* Cleanup

* Address feedback

* Further renames

---------

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>
---
 src/Api/Controllers/DevicesController.cs      | 10 +---
 .../AccountsKeyManagementController.cs        |  7 ++-
 .../Models/Requests/UnlockDataRequestModel.cs |  2 +
 .../Validators/DeviceRotationValidator.cs     | 53 +++++++++++++++++++
 src/Api/Startup.cs                            |  5 +-
 .../Request/DeviceKeysUpdateRequestModel.cs   |  8 +++
 .../DeviceAuthRequestResponseModel.cs         |  3 +-
 .../Models/Data/RotateUserAccountKeysData.cs  |  1 +
 .../RotateUserAccountkeysCommand.cs           |  8 +++
 src/Core/Repositories/IDeviceRepository.cs    |  2 +
 .../Repositories/DeviceRepository.cs          | 33 ++++++++++++
 .../Repositories/DeviceRepository.cs          | 27 ++++++++++
 .../AccountsKeyManagementControllerTests.cs   |  4 ++
 .../DeviceRotationValidatorTests.cs           | 49 +++++++++++++++++
 14 files changed, 199 insertions(+), 13 deletions(-)
 create mode 100644 src/Api/KeyManagement/Validators/DeviceRotationValidator.cs
 create mode 100644 test/Api.Test/KeyManagement/Validators/DeviceRotationValidatorTests.cs

diff --git a/src/Api/Controllers/DevicesController.cs b/src/Api/Controllers/DevicesController.cs
index 02eb2d36d5..4e21b5e9dc 100644
--- a/src/Api/Controllers/DevicesController.cs
+++ b/src/Api/Controllers/DevicesController.cs
@@ -1,6 +1,5 @@
 using System.ComponentModel.DataAnnotations;
 using Bit.Api.Auth.Models.Request;
-using Bit.Api.Auth.Models.Request.Accounts;
 using Bit.Api.Models.Request;
 using Bit.Api.Models.Response;
 using Bit.Core.Auth.Models.Api.Request;
@@ -125,7 +124,7 @@ public class DevicesController : Controller
     }
 
     [HttpPost("{identifier}/retrieve-keys")]
-    public async Task<ProtectedDeviceResponseModel> GetDeviceKeys(string identifier, [FromBody] SecretVerificationRequestModel model)
+    public async Task<ProtectedDeviceResponseModel> GetDeviceKeys(string identifier)
     {
         var user = await _userService.GetUserByPrincipalAsync(User);
 
@@ -134,14 +133,7 @@ public class DevicesController : Controller
             throw new UnauthorizedAccessException();
         }
 
-        if (!await _userService.VerifySecretAsync(user, model.Secret))
-        {
-            await Task.Delay(2000);
-            throw new BadRequestException(string.Empty, "User verification failed.");
-        }
-
         var device = await _deviceRepository.GetByIdentifierAsync(identifier, user.Id);
-
         if (device == null)
         {
             throw new NotFoundException();
diff --git a/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs b/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs
index 85e0981f22..0764e2ee28 100644
--- a/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs
+++ b/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs
@@ -8,6 +8,7 @@ using Bit.Api.Tools.Models.Request;
 using Bit.Api.Vault.Models.Request;
 using Bit.Core;
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Models.Api.Request;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Entities;
 using Bit.Core.Exceptions;
@@ -43,6 +44,7 @@ public class AccountsKeyManagementController : Controller
         _organizationUserValidator;
     private readonly IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>>
         _webauthnKeyValidator;
+    private readonly IRotationValidator<IEnumerable<OtherDeviceKeysUpdateRequestModel>, IEnumerable<Device>> _deviceValidator;
 
     public AccountsKeyManagementController(IUserService userService,
         IFeatureService featureService,
@@ -57,7 +59,8 @@ public class AccountsKeyManagementController : Controller
             emergencyAccessValidator,
         IRotationValidator<IEnumerable<ResetPasswordWithOrgIdRequestModel>, IReadOnlyList<OrganizationUser>>
             organizationUserValidator,
-        IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>> webAuthnKeyValidator)
+        IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>> webAuthnKeyValidator,
+        IRotationValidator<IEnumerable<OtherDeviceKeysUpdateRequestModel>, IEnumerable<Device>> deviceValidator)
     {
         _userService = userService;
         _featureService = featureService;
@@ -71,6 +74,7 @@ public class AccountsKeyManagementController : Controller
         _emergencyAccessValidator = emergencyAccessValidator;
         _organizationUserValidator = organizationUserValidator;
         _webauthnKeyValidator = webAuthnKeyValidator;
+        _deviceValidator = deviceValidator;
     }
 
     [HttpPost("regenerate-keys")]
@@ -109,6 +113,7 @@ public class AccountsKeyManagementController : Controller
             EmergencyAccesses = await _emergencyAccessValidator.ValidateAsync(user, model.AccountUnlockData.EmergencyAccessUnlockData),
             OrganizationUsers = await _organizationUserValidator.ValidateAsync(user, model.AccountUnlockData.OrganizationAccountRecoveryUnlockData),
             WebAuthnKeys = await _webauthnKeyValidator.ValidateAsync(user, model.AccountUnlockData.PasskeyUnlockData),
+            DeviceKeys = await _deviceValidator.ValidateAsync(user, model.AccountUnlockData.DeviceKeyUnlockData),
 
             Ciphers = await _cipherValidator.ValidateAsync(user, model.AccountData.Ciphers),
             Folders = await _folderValidator.ValidateAsync(user, model.AccountData.Folders),
diff --git a/src/Api/KeyManagement/Models/Requests/UnlockDataRequestModel.cs b/src/Api/KeyManagement/Models/Requests/UnlockDataRequestModel.cs
index 5156e2a655..23c3eb95d0 100644
--- a/src/Api/KeyManagement/Models/Requests/UnlockDataRequestModel.cs
+++ b/src/Api/KeyManagement/Models/Requests/UnlockDataRequestModel.cs
@@ -3,6 +3,7 @@ using Bit.Api.AdminConsole.Models.Request.Organizations;
 using Bit.Api.Auth.Models.Request;
 using Bit.Api.Auth.Models.Request.Accounts;
 using Bit.Api.Auth.Models.Request.WebAuthn;
+using Bit.Core.Auth.Models.Api.Request;
 
 namespace Bit.Api.KeyManagement.Models.Requests;
 
@@ -13,4 +14,5 @@ public class UnlockDataRequestModel
     public required IEnumerable<EmergencyAccessWithIdRequestModel> EmergencyAccessUnlockData { get; set; }
     public required IEnumerable<ResetPasswordWithOrgIdRequestModel> OrganizationAccountRecoveryUnlockData { get; set; }
     public required IEnumerable<WebAuthnLoginRotateKeyRequestModel> PasskeyUnlockData { get; set; }
+    public required IEnumerable<OtherDeviceKeysUpdateRequestModel> DeviceKeyUnlockData { get; set; }
 }
diff --git a/src/Api/KeyManagement/Validators/DeviceRotationValidator.cs b/src/Api/KeyManagement/Validators/DeviceRotationValidator.cs
new file mode 100644
index 0000000000..cbaf508766
--- /dev/null
+++ b/src/Api/KeyManagement/Validators/DeviceRotationValidator.cs
@@ -0,0 +1,53 @@
+using Bit.Core.Auth.Models.Api.Request;
+using Bit.Core.Auth.Utilities;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+
+namespace Bit.Api.KeyManagement.Validators;
+
+/// <summary>
+/// Device implementation for <see cref="IRotationValidator{T,R}"/>
+/// </summary>
+public class DeviceRotationValidator : IRotationValidator<IEnumerable<OtherDeviceKeysUpdateRequestModel>, IEnumerable<Device>>
+{
+    private readonly IDeviceRepository _deviceRepository;
+
+    /// <summary>
+    /// Instantiates a new <see cref="DeviceRotationValidator"/>
+    /// </summary>
+    /// <param name="deviceRepository">Retrieves all user <see cref="Device"/>s</param>
+    public DeviceRotationValidator(IDeviceRepository deviceRepository)
+    {
+        _deviceRepository = deviceRepository;
+    }
+
+    public async Task<IEnumerable<Device>> ValidateAsync(User user, IEnumerable<OtherDeviceKeysUpdateRequestModel> devices)
+    {
+        var result = new List<Device>();
+
+        var existingTrustedDevices = (await _deviceRepository.GetManyByUserIdAsync(user.Id)).Where(d => d.IsTrusted()).ToList();
+        if (existingTrustedDevices.Count == 0)
+        {
+            return result;
+        }
+
+        foreach (var existing in existingTrustedDevices)
+        {
+            var device = devices.FirstOrDefault(c => c.DeviceId == existing.Id);
+            if (device == null)
+            {
+                throw new BadRequestException("All existing trusted devices must be included in the rotation.");
+            }
+
+            if (device.EncryptedUserKey == null || device.EncryptedPublicKey == null)
+            {
+                throw new BadRequestException("Rotated encryption keys must be provided for all devices that are trusted.");
+            }
+
+            result.Add(device.ToDevice(existing));
+        }
+
+        return result;
+    }
+}
diff --git a/src/Api/Startup.cs b/src/Api/Startup.cs
index 5849bfb634..deac7bf0c9 100644
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@@ -31,7 +31,7 @@ using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.Identity.TokenProviders;
 using Bit.Core.Tools.ImportFeatures;
 using Bit.Core.Tools.ReportFeatures;
-
+using Bit.Core.Auth.Models.Api.Request;
 
 #if !OSS
 using Bit.Commercial.Core.SecretsManager;
@@ -168,6 +168,9 @@ public class Startup
         services
             .AddScoped<IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>>,
                 WebAuthnLoginKeyRotationValidator>();
+        services
+            .AddScoped<IRotationValidator<IEnumerable<OtherDeviceKeysUpdateRequestModel>, IEnumerable<Device>>,
+                DeviceRotationValidator>();
 
         // Services
         services.AddBaseServices(globalSettings);
diff --git a/src/Core/Auth/Models/Api/Request/DeviceKeysUpdateRequestModel.cs b/src/Core/Auth/Models/Api/Request/DeviceKeysUpdateRequestModel.cs
index 2b815afd16..111b03a3a3 100644
--- a/src/Core/Auth/Models/Api/Request/DeviceKeysUpdateRequestModel.cs
+++ b/src/Core/Auth/Models/Api/Request/DeviceKeysUpdateRequestModel.cs
@@ -1,4 +1,5 @@
 using System.ComponentModel.DataAnnotations;
+using Bit.Core.Entities;
 using Bit.Core.Utilities;
 
 namespace Bit.Core.Auth.Models.Api.Request;
@@ -7,6 +8,13 @@ public class OtherDeviceKeysUpdateRequestModel : DeviceKeysUpdateRequestModel
 {
     [Required]
     public Guid DeviceId { get; set; }
+
+    public Device ToDevice(Device existingDevice)
+    {
+        existingDevice.EncryptedPublicKey = EncryptedPublicKey;
+        existingDevice.EncryptedUserKey = EncryptedUserKey;
+        return existingDevice;
+    }
 }
 
 public class DeviceKeysUpdateRequestModel
diff --git a/src/Core/Auth/Models/Api/Response/DeviceAuthRequestResponseModel.cs b/src/Core/Auth/Models/Api/Response/DeviceAuthRequestResponseModel.cs
index 3cfea51ee3..59630a6d2c 100644
--- a/src/Core/Auth/Models/Api/Response/DeviceAuthRequestResponseModel.cs
+++ b/src/Core/Auth/Models/Api/Response/DeviceAuthRequestResponseModel.cs
@@ -1,5 +1,4 @@
 using Bit.Core.Auth.Models.Data;
-using Bit.Core.Auth.Utilities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Api;
 
@@ -19,7 +18,7 @@ public class DeviceAuthRequestResponseModel : ResponseModel
             Type = deviceAuthDetails.Type,
             Identifier = deviceAuthDetails.Identifier,
             CreationDate = deviceAuthDetails.CreationDate,
-            IsTrusted = deviceAuthDetails.IsTrusted()
+            IsTrusted = deviceAuthDetails.IsTrusted,
         };
 
         if (deviceAuthDetails.AuthRequestId != null && deviceAuthDetails.AuthRequestCreatedAt != null)
diff --git a/src/Core/KeyManagement/Models/Data/RotateUserAccountKeysData.cs b/src/Core/KeyManagement/Models/Data/RotateUserAccountKeysData.cs
index 7cb1c273a3..f81baf6fab 100644
--- a/src/Core/KeyManagement/Models/Data/RotateUserAccountKeysData.cs
+++ b/src/Core/KeyManagement/Models/Data/RotateUserAccountKeysData.cs
@@ -20,6 +20,7 @@ public class RotateUserAccountKeysData
     public IEnumerable<EmergencyAccess> EmergencyAccesses { get; set; }
     public IReadOnlyList<OrganizationUser> OrganizationUsers { get; set; }
     public IEnumerable<WebAuthnLoginRotateKeyData> WebAuthnKeys { get; set; }
+    public IEnumerable<Device> DeviceKeys { get; set; }
 
     // User vault data encrypted by the userkey
     public IEnumerable<Cipher> Ciphers { get; set; }
diff --git a/src/Core/KeyManagement/UserKey/Implementations/RotateUserAccountkeysCommand.cs b/src/Core/KeyManagement/UserKey/Implementations/RotateUserAccountkeysCommand.cs
index f4dcf31d5c..6967c9bf85 100644
--- a/src/Core/KeyManagement/UserKey/Implementations/RotateUserAccountkeysCommand.cs
+++ b/src/Core/KeyManagement/UserKey/Implementations/RotateUserAccountkeysCommand.cs
@@ -20,6 +20,7 @@ public class RotateUserAccountKeysCommand : IRotateUserAccountKeysCommand
     private readonly ISendRepository _sendRepository;
     private readonly IEmergencyAccessRepository _emergencyAccessRepository;
     private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly IDeviceRepository _deviceRepository;
     private readonly IPushNotificationService _pushService;
     private readonly IdentityErrorDescriber _identityErrorDescriber;
     private readonly IWebAuthnCredentialRepository _credentialRepository;
@@ -42,6 +43,7 @@ public class RotateUserAccountKeysCommand : IRotateUserAccountKeysCommand
     public RotateUserAccountKeysCommand(IUserService userService, IUserRepository userRepository,
         ICipherRepository cipherRepository, IFolderRepository folderRepository, ISendRepository sendRepository,
         IEmergencyAccessRepository emergencyAccessRepository, IOrganizationUserRepository organizationUserRepository,
+        IDeviceRepository deviceRepository,
         IPasswordHasher<User> passwordHasher,
         IPushNotificationService pushService, IdentityErrorDescriber errors, IWebAuthnCredentialRepository credentialRepository)
     {
@@ -52,6 +54,7 @@ public class RotateUserAccountKeysCommand : IRotateUserAccountKeysCommand
         _sendRepository = sendRepository;
         _emergencyAccessRepository = emergencyAccessRepository;
         _organizationUserRepository = organizationUserRepository;
+        _deviceRepository = deviceRepository;
         _pushService = pushService;
         _identityErrorDescriber = errors;
         _credentialRepository = credentialRepository;
@@ -127,6 +130,11 @@ public class RotateUserAccountKeysCommand : IRotateUserAccountKeysCommand
             saveEncryptedDataActions.Add(_credentialRepository.UpdateKeysForRotationAsync(user.Id, model.WebAuthnKeys));
         }
 
+        if (model.DeviceKeys.Any())
+        {
+            saveEncryptedDataActions.Add(_deviceRepository.UpdateKeysForRotationAsync(user.Id, model.DeviceKeys));
+        }
+
         await _userRepository.UpdateUserKeyAndEncryptedDataV2Async(user, saveEncryptedDataActions);
         await _pushService.PushLogOutAsync(user.Id);
         return IdentityResult.Success;
diff --git a/src/Core/Repositories/IDeviceRepository.cs b/src/Core/Repositories/IDeviceRepository.cs
index c9809c1de6..fc2f1556b7 100644
--- a/src/Core/Repositories/IDeviceRepository.cs
+++ b/src/Core/Repositories/IDeviceRepository.cs
@@ -1,5 +1,6 @@
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Entities;
+using Bit.Core.KeyManagement.UserKey;
 
 #nullable enable
 
@@ -16,4 +17,5 @@ public interface IDeviceRepository : IRepository<Device, Guid>
     // other requests.
     Task<ICollection<DeviceAuthDetails>> GetManyByUserIdWithDeviceAuth(Guid userId);
     Task ClearPushTokenAsync(Guid id);
+    UpdateEncryptedDataForKeyRotation UpdateKeysForRotationAsync(Guid userId, IEnumerable<Device> devices);
 }
diff --git a/src/Infrastructure.Dapper/Repositories/DeviceRepository.cs b/src/Infrastructure.Dapper/Repositories/DeviceRepository.cs
index 4abf4a4649..723200ff1c 100644
--- a/src/Infrastructure.Dapper/Repositories/DeviceRepository.cs
+++ b/src/Infrastructure.Dapper/Repositories/DeviceRepository.cs
@@ -1,8 +1,10 @@
 using System.Data;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Entities;
+using Bit.Core.KeyManagement.UserKey;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
+using Bit.Core.Utilities;
 using Dapper;
 using Microsoft.Data.SqlClient;
 
@@ -109,4 +111,35 @@ public class DeviceRepository : Repository<Device, Guid>, IDeviceRepository
                 commandType: CommandType.StoredProcedure);
         }
     }
+
+    public UpdateEncryptedDataForKeyRotation UpdateKeysForRotationAsync(Guid userId, IEnumerable<Device> devices)
+    {
+        return async (SqlConnection connection, SqlTransaction transaction) =>
+        {
+            const string sql = @"
+                UPDATE D
+                SET
+                    D.[EncryptedPublicKey] = UD.[encryptedPublicKey],
+                    D.[EncryptedUserKey] = UD.[encryptedUserKey]
+                FROM
+                    [dbo].[Device] D
+                INNER JOIN
+                    OPENJSON(@DeviceCredentials)
+                    WITH (
+                        id UNIQUEIDENTIFIER,
+                        encryptedPublicKey NVARCHAR(MAX),
+                        encryptedUserKey NVARCHAR(MAX)
+                    ) UD
+                    ON UD.[id] = D.[Id]
+                WHERE
+                    D.[UserId] = @UserId";
+            var deviceCredentials = CoreHelpers.ClassToJsonData(devices);
+
+            await connection.ExecuteAsync(
+                sql,
+                new { UserId = userId, DeviceCredentials = deviceCredentials },
+                transaction: transaction,
+                commandType: CommandType.Text);
+        };
+    }
 }
diff --git a/src/Infrastructure.EntityFramework/Repositories/DeviceRepository.cs b/src/Infrastructure.EntityFramework/Repositories/DeviceRepository.cs
index ad31d0fb8b..19f38c6098 100644
--- a/src/Infrastructure.EntityFramework/Repositories/DeviceRepository.cs
+++ b/src/Infrastructure.EntityFramework/Repositories/DeviceRepository.cs
@@ -1,5 +1,6 @@
 using AutoMapper;
 using Bit.Core.Auth.Models.Data;
+using Bit.Core.KeyManagement.UserKey;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
 using Bit.Infrastructure.EntityFramework.Auth.Repositories.Queries;
@@ -91,4 +92,30 @@ public class DeviceRepository : Repository<Core.Entities.Device, Device, Guid>,
             return await query.GetQuery(dbContext, userId, expirationMinutes).ToListAsync();
         }
     }
+
+    public UpdateEncryptedDataForKeyRotation UpdateKeysForRotationAsync(Guid userId, IEnumerable<Core.Entities.Device> devices)
+    {
+        return async (_, _) =>
+        {
+            var deviceUpdates = devices.ToList();
+            using var scope = ServiceScopeFactory.CreateScope();
+            var dbContext = GetDatabaseContext(scope);
+            var userDevices = await GetDbSet(dbContext)
+                .Where(device => device.UserId == userId)
+                .ToListAsync();
+            var userDevicesWithUpdatesPending = userDevices
+                .Where(existingDevice => deviceUpdates.Any(updatedDevice => updatedDevice.Id == existingDevice.Id))
+                .ToList();
+
+            foreach (var deviceToUpdate in userDevicesWithUpdatesPending)
+            {
+                var deviceUpdate = deviceUpdates.First(deviceUpdate => deviceUpdate.Id == deviceToUpdate.Id);
+                deviceToUpdate.EncryptedPublicKey = deviceUpdate.EncryptedPublicKey;
+                deviceToUpdate.EncryptedUserKey = deviceUpdate.EncryptedUserKey;
+            }
+
+            await dbContext.SaveChangesAsync();
+        };
+    }
+
 }
diff --git a/test/Api.IntegrationTest/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs b/test/Api.IntegrationTest/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs
index 7c05e1d680..1b065adbd6 100644
--- a/test/Api.IntegrationTest/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs
+++ b/test/Api.IntegrationTest/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs
@@ -29,6 +29,7 @@ public class AccountsKeyManagementControllerTests : IClassFixture<ApiApplication
     private readonly ApiApplicationFactory _factory;
     private readonly LoginHelper _loginHelper;
     private readonly IUserRepository _userRepository;
+    private readonly IDeviceRepository _deviceRepository;
     private readonly IPasswordHasher<User> _passwordHasher;
     private string _ownerEmail = null!;
 
@@ -40,6 +41,7 @@ public class AccountsKeyManagementControllerTests : IClassFixture<ApiApplication
         _client = factory.CreateClient();
         _loginHelper = new LoginHelper(_factory, _client);
         _userRepository = _factory.GetService<IUserRepository>();
+        _deviceRepository = _factory.GetService<IDeviceRepository>();
         _emergencyAccessRepository = _factory.GetService<IEmergencyAccessRepository>();
         _organizationUserRepository = _factory.GetService<IOrganizationUserRepository>();
         _passwordHasher = _factory.GetService<IPasswordHasher<User>>();
@@ -238,10 +240,12 @@ public class AccountsKeyManagementControllerTests : IClassFixture<ApiApplication
         ];
         request.AccountUnlockData.MasterPasswordUnlockData.MasterKeyEncryptedUserKey = _mockEncryptedString;
         request.AccountUnlockData.PasskeyUnlockData = [];
+        request.AccountUnlockData.DeviceKeyUnlockData = [];
         request.AccountUnlockData.EmergencyAccessUnlockData = [];
         request.AccountUnlockData.OrganizationAccountRecoveryUnlockData = [];
 
         var response = await _client.PostAsJsonAsync("/accounts/key-management/rotate-user-account-keys", request);
+        var responseMessage = await response.Content.ReadAsStringAsync();
         response.EnsureSuccessStatusCode();
 
         var userNewState = await _userRepository.GetByEmailAsync(_ownerEmail);
diff --git a/test/Api.Test/KeyManagement/Validators/DeviceRotationValidatorTests.cs b/test/Api.Test/KeyManagement/Validators/DeviceRotationValidatorTests.cs
new file mode 100644
index 0000000000..44dd37977a
--- /dev/null
+++ b/test/Api.Test/KeyManagement/Validators/DeviceRotationValidatorTests.cs
@@ -0,0 +1,49 @@
+using Bit.Api.KeyManagement.Validators;
+using Bit.Core.Auth.Models.Api.Request;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Api.Test.KeyManagement.Validators;
+
+[SutProviderCustomize]
+public class DeviceRotationValidatorTests
+{
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_SentDevicesAreEmptyButDatabaseDevicesAreNot_Throws(
+        SutProvider<DeviceRotationValidator> sutProvider, User user, IEnumerable<OtherDeviceKeysUpdateRequestModel> devices)
+    {
+        var userCiphers = devices.Select(c => new Device { Id = c.DeviceId, EncryptedPrivateKey = "EncryptedPrivateKey", EncryptedPublicKey = "EncryptedPublicKey", EncryptedUserKey = "EncryptedUserKey" }).ToList();
+        sutProvider.GetDependency<IDeviceRepository>().GetManyByUserIdAsync(user.Id)
+            .Returns(userCiphers);
+        await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.ValidateAsync(user, Enumerable.Empty<OtherDeviceKeysUpdateRequestModel>()));
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_SentDevicesTrustedButDatabaseUntrusted_Throws(
+        SutProvider<DeviceRotationValidator> sutProvider, User user, IEnumerable<OtherDeviceKeysUpdateRequestModel> devices)
+    {
+        var userCiphers = devices.Select(c => new Device { Id = c.DeviceId, EncryptedPrivateKey = "Key", EncryptedPublicKey = "Key", EncryptedUserKey = "Key" }).ToList();
+        sutProvider.GetDependency<IDeviceRepository>().GetManyByUserIdAsync(user.Id)
+            .Returns(userCiphers);
+        await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.ValidateAsync(user, [
+            new OtherDeviceKeysUpdateRequestModel { DeviceId = userCiphers.First().Id, EncryptedPublicKey = null, EncryptedUserKey = null }
+        ]));
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_Validates(
+        SutProvider<DeviceRotationValidator> sutProvider, User user, IEnumerable<OtherDeviceKeysUpdateRequestModel> devices)
+    {
+        var userCiphers = devices.Select(c => new Device { Id = c.DeviceId, EncryptedPrivateKey = "Key", EncryptedPublicKey = "Key", EncryptedUserKey = "Key" }).ToList().Slice(0, 1);
+        sutProvider.GetDependency<IDeviceRepository>().GetManyByUserIdAsync(user.Id)
+            .Returns(userCiphers);
+        Assert.NotEmpty(await sutProvider.Sut.ValidateAsync(user, [
+            new OtherDeviceKeysUpdateRequestModel { DeviceId = userCiphers.First().Id, EncryptedPublicKey = "Key", EncryptedUserKey = "Key" }
+        ]));
+    }
+}

From 1cc854ddb90e7e638ec9fcd7651562ec86455aa8 Mon Sep 17 00:00:00 2001
From: Github Actions <actions@github.com>
Date: Thu, 3 Apr 2025 12:35:46 +0000
Subject: [PATCH 154/184] Bumped version to 2025.4.0

---
 Directory.Build.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index 2ede6ad8d1..858abb2bc8 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.3.3</Version>
+    <Version>2025.4.0</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>

From 282e80ca026e1d1bd7b28be9bcfa4c1f4ed618ba Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Thu, 3 Apr 2025 08:51:09 -0400
Subject: [PATCH 155/184] [PM-13837] Switch provider price IDs (#5518)

* Add ProviderPriceAdapter

This is a temporary utility that will be used to manage retrieval of provider price IDs until all providers can be migrated to the new price structure.

* Updated ProviderBillingService.ChangePlan

* Update ProviderBillingService.SetupSubscription

* Update ProviderBillingService.UpdateSeatMinimums

* Update ProviderBillingService.CurrySeatScalingUpdate

* Mark StripeProviderPortalSeatPlanId obsolete

* Run dotnet format
---
 .../Billing/ProviderBillingService.cs         | 130 +++++++-------
 .../Billing/ProviderPriceAdapter.cs           | 133 ++++++++++++++
 .../Billing/ProviderBillingServiceTests.cs    | 169 +++++++++++++-----
 .../Billing/ProviderPriceAdapterTests.cs      | 151 ++++++++++++++++
 .../Controllers/ProvidersController.cs        |  10 +-
 .../Implementations/ProviderMigrator.cs       |   3 +-
 src/Core/Billing/Models/StaticStore/Plan.cs   |   1 +
 .../Contracts/ChangeProviderPlansCommand.cs   |   7 +-
 .../UpdateProviderSeatMinimumsCommand.cs      |   8 +-
 .../Business/ProviderSubscriptionUpdate.cs    |  62 -------
 src/Core/Services/IPaymentService.cs          |   6 -
 .../Implementations/StripePaymentService.cs   |  13 --
 12 files changed, 480 insertions(+), 213 deletions(-)
 create mode 100644 bitwarden_license/src/Commercial.Core/Billing/ProviderPriceAdapter.cs
 create mode 100644 bitwarden_license/test/Commercial.Core.Test/Billing/ProviderPriceAdapterTests.cs
 delete mode 100644 src/Core/Models/Business/ProviderSubscriptionUpdate.cs

diff --git a/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs b/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
index 65e41ab586..757d6510f1 100644
--- a/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
+++ b/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs
@@ -35,7 +35,6 @@ public class ProviderBillingService(
     IGlobalSettings globalSettings,
     ILogger<ProviderBillingService> logger,
     IOrganizationRepository organizationRepository,
-    IPaymentService paymentService,
     IPricingClient pricingClient,
     IProviderInvoiceItemRepository providerInvoiceItemRepository,
     IProviderOrganizationRepository providerOrganizationRepository,
@@ -148,36 +147,29 @@ public class ProviderBillingService(
 
     public async Task ChangePlan(ChangeProviderPlanCommand command)
     {
-        var plan = await providerPlanRepository.GetByIdAsync(command.ProviderPlanId);
+        var (provider, providerPlanId, newPlanType) = command;
 
-        if (plan == null)
+        var providerPlan = await providerPlanRepository.GetByIdAsync(providerPlanId);
+
+        if (providerPlan == null)
         {
             throw new BadRequestException("Provider plan not found.");
         }
 
-        if (plan.PlanType == command.NewPlan)
+        if (providerPlan.PlanType == newPlanType)
         {
             return;
         }
 
-        var oldPlanConfiguration = await pricingClient.GetPlanOrThrow(plan.PlanType);
-        var newPlanConfiguration = await pricingClient.GetPlanOrThrow(command.NewPlan);
+        var subscription = await subscriberService.GetSubscriptionOrThrow(provider);
 
-        plan.PlanType = command.NewPlan;
-        await providerPlanRepository.ReplaceAsync(plan);
+        var oldPriceId = ProviderPriceAdapter.GetPriceId(provider, subscription, providerPlan.PlanType);
+        var newPriceId = ProviderPriceAdapter.GetPriceId(provider, subscription, newPlanType);
 
-        Subscription subscription;
-        try
-        {
-            subscription = await stripeAdapter.ProviderSubscriptionGetAsync(command.GatewaySubscriptionId, plan.ProviderId);
-        }
-        catch (InvalidOperationException)
-        {
-            throw new ConflictException("Subscription not found.");
-        }
+        providerPlan.PlanType = newPlanType;
+        await providerPlanRepository.ReplaceAsync(providerPlan);
 
-        var oldSubscriptionItem = subscription.Items.SingleOrDefault(x =>
-            x.Price.Id == oldPlanConfiguration.PasswordManager.StripeProviderPortalSeatPlanId);
+        var oldSubscriptionItem = subscription.Items.SingleOrDefault(x => x.Price.Id == oldPriceId);
 
         var updateOptions = new SubscriptionUpdateOptions
         {
@@ -185,7 +177,7 @@ public class ProviderBillingService(
             [
                 new SubscriptionItemOptions
                 {
-                    Price = newPlanConfiguration.PasswordManager.StripeProviderPortalSeatPlanId,
+                    Price = newPriceId,
                     Quantity = oldSubscriptionItem!.Quantity
                 },
                 new SubscriptionItemOptions
@@ -196,12 +188,14 @@ public class ProviderBillingService(
             ]
         };
 
-        await stripeAdapter.SubscriptionUpdateAsync(command.GatewaySubscriptionId, updateOptions);
+        await stripeAdapter.SubscriptionUpdateAsync(provider.GatewaySubscriptionId, updateOptions);
 
         // Refactor later to ?ChangeClientPlanCommand? (ProviderPlanId, ProviderId, OrganizationId)
         // 1. Retrieve PlanType and PlanName for ProviderPlan
         // 2. Assign PlanType & PlanName to Organization
-        var providerOrganizations = await providerOrganizationRepository.GetManyDetailsByProviderAsync(plan.ProviderId);
+        var providerOrganizations = await providerOrganizationRepository.GetManyDetailsByProviderAsync(providerPlan.ProviderId);
+
+        var newPlan = await pricingClient.GetPlanOrThrow(newPlanType);
 
         foreach (var providerOrganization in providerOrganizations)
         {
@@ -210,8 +204,8 @@ public class ProviderBillingService(
             {
                 throw new ConflictException($"Organization '{providerOrganization.Id}' not found.");
             }
-            organization.PlanType = command.NewPlan;
-            organization.Plan = newPlanConfiguration.Name;
+            organization.PlanType = newPlanType;
+            organization.Plan = newPlan.Name;
             await organizationRepository.ReplaceAsync(organization);
         }
     }
@@ -405,7 +399,7 @@ public class ProviderBillingService(
 
         var newlyAssignedSeatTotal = currentlyAssignedSeatTotal + seatAdjustment;
 
-        var update = CurrySeatScalingUpdate(
+        var scaleQuantityTo = CurrySeatScalingUpdate(
             provider,
             providerPlan,
             newlyAssignedSeatTotal);
@@ -428,9 +422,7 @@ public class ProviderBillingService(
         else if (currentlyAssignedSeatTotal <= seatMinimum &&
                  newlyAssignedSeatTotal > seatMinimum)
         {
-            await update(
-                seatMinimum,
-                newlyAssignedSeatTotal);
+            await scaleQuantityTo(newlyAssignedSeatTotal);
         }
         /*
          * Above the limit => Above the limit:
@@ -439,9 +431,7 @@ public class ProviderBillingService(
         else if (currentlyAssignedSeatTotal > seatMinimum &&
                  newlyAssignedSeatTotal > seatMinimum)
         {
-            await update(
-                currentlyAssignedSeatTotal,
-                newlyAssignedSeatTotal);
+            await scaleQuantityTo(newlyAssignedSeatTotal);
         }
         /*
          * Above the limit => Below the limit:
@@ -450,9 +440,7 @@ public class ProviderBillingService(
         else if (currentlyAssignedSeatTotal > seatMinimum &&
                  newlyAssignedSeatTotal <= seatMinimum)
         {
-            await update(
-                currentlyAssignedSeatTotal,
-                seatMinimum);
+            await scaleQuantityTo(seatMinimum);
         }
     }
 
@@ -586,9 +574,11 @@ public class ProviderBillingService(
                 throw new BillingException();
             }
 
+            var priceId = ProviderPriceAdapter.GetActivePriceId(provider, providerPlan.PlanType);
+
             subscriptionItemOptionsList.Add(new SubscriptionItemOptions
             {
-                Price = plan.PasswordManager.StripeProviderPortalSeatPlanId,
+                Price = priceId,
                 Quantity = providerPlan.SeatMinimum
             });
         }
@@ -654,43 +644,37 @@ public class ProviderBillingService(
 
     public async Task UpdateSeatMinimums(UpdateProviderSeatMinimumsCommand command)
     {
-        if (command.Configuration.Any(x => x.SeatsMinimum < 0))
+        var (provider, updatedPlanConfigurations) = command;
+
+        if (updatedPlanConfigurations.Any(x => x.SeatsMinimum < 0))
         {
             throw new BadRequestException("Provider seat minimums must be at least 0.");
         }
 
-        Subscription subscription;
-        try
-        {
-            subscription = await stripeAdapter.ProviderSubscriptionGetAsync(command.GatewaySubscriptionId, command.Id);
-        }
-        catch (InvalidOperationException)
-        {
-            throw new ConflictException("Subscription not found.");
-        }
+        var subscription = await subscriberService.GetSubscriptionOrThrow(provider);
 
         var subscriptionItemOptionsList = new List<SubscriptionItemOptions>();
 
-        var providerPlans = await providerPlanRepository.GetByProviderId(command.Id);
+        var providerPlans = await providerPlanRepository.GetByProviderId(provider.Id);
 
-        foreach (var newPlanConfiguration in command.Configuration)
+        foreach (var updatedPlanConfiguration in updatedPlanConfigurations)
         {
+            var (updatedPlanType, updatedSeatMinimum) = updatedPlanConfiguration;
+
             var providerPlan =
-                providerPlans.Single(providerPlan => providerPlan.PlanType == newPlanConfiguration.Plan);
+                providerPlans.Single(providerPlan => providerPlan.PlanType == updatedPlanType);
 
-            if (providerPlan.SeatMinimum != newPlanConfiguration.SeatsMinimum)
+            if (providerPlan.SeatMinimum != updatedSeatMinimum)
             {
-                var newPlan = await pricingClient.GetPlanOrThrow(newPlanConfiguration.Plan);
-
-                var priceId = newPlan.PasswordManager.StripeProviderPortalSeatPlanId;
+                var priceId = ProviderPriceAdapter.GetPriceId(provider, subscription, updatedPlanType);
 
                 var subscriptionItem = subscription.Items.First(item => item.Price.Id == priceId);
 
                 if (providerPlan.PurchasedSeats == 0)
                 {
-                    if (providerPlan.AllocatedSeats > newPlanConfiguration.SeatsMinimum)
+                    if (providerPlan.AllocatedSeats > updatedSeatMinimum)
                     {
-                        providerPlan.PurchasedSeats = providerPlan.AllocatedSeats - newPlanConfiguration.SeatsMinimum;
+                        providerPlan.PurchasedSeats = providerPlan.AllocatedSeats - updatedSeatMinimum;
 
                         subscriptionItemOptionsList.Add(new SubscriptionItemOptions
                         {
@@ -705,7 +689,7 @@ public class ProviderBillingService(
                         {
                             Id = subscriptionItem.Id,
                             Price = priceId,
-                            Quantity = newPlanConfiguration.SeatsMinimum
+                            Quantity = updatedSeatMinimum
                         });
                     }
                 }
@@ -713,9 +697,9 @@ public class ProviderBillingService(
                 {
                     var totalSeats = providerPlan.SeatMinimum + providerPlan.PurchasedSeats;
 
-                    if (newPlanConfiguration.SeatsMinimum <= totalSeats)
+                    if (updatedSeatMinimum <= totalSeats)
                     {
-                        providerPlan.PurchasedSeats = totalSeats - newPlanConfiguration.SeatsMinimum;
+                        providerPlan.PurchasedSeats = totalSeats - updatedSeatMinimum;
                     }
                     else
                     {
@@ -724,12 +708,12 @@ public class ProviderBillingService(
                         {
                             Id = subscriptionItem.Id,
                             Price = priceId,
-                            Quantity = newPlanConfiguration.SeatsMinimum
+                            Quantity = updatedSeatMinimum
                         });
                     }
                 }
 
-                providerPlan.SeatMinimum = newPlanConfiguration.SeatsMinimum;
+                providerPlan.SeatMinimum = updatedSeatMinimum;
 
                 await providerPlanRepository.ReplaceAsync(providerPlan);
             }
@@ -737,23 +721,33 @@ public class ProviderBillingService(
 
         if (subscriptionItemOptionsList.Count > 0)
         {
-            await stripeAdapter.SubscriptionUpdateAsync(command.GatewaySubscriptionId,
+            await stripeAdapter.SubscriptionUpdateAsync(provider.GatewaySubscriptionId,
                 new SubscriptionUpdateOptions { Items = subscriptionItemOptionsList });
         }
     }
 
-    private Func<int, int, Task> CurrySeatScalingUpdate(
+    private Func<int, Task> CurrySeatScalingUpdate(
         Provider provider,
         ProviderPlan providerPlan,
-        int newlyAssignedSeats) => async (currentlySubscribedSeats, newlySubscribedSeats) =>
+        int newlyAssignedSeats) => async newlySubscribedSeats =>
     {
-        var plan = await pricingClient.GetPlanOrThrow(providerPlan.PlanType);
+        var subscription = await subscriberService.GetSubscriptionOrThrow(provider);
 
-        await paymentService.AdjustSeats(
-            provider,
-            plan,
-            currentlySubscribedSeats,
-            newlySubscribedSeats);
+        var priceId = ProviderPriceAdapter.GetPriceId(provider, subscription, providerPlan.PlanType);
+
+        var item = subscription.Items.First(item => item.Price.Id == priceId);
+
+        await stripeAdapter.SubscriptionUpdateAsync(provider.GatewaySubscriptionId, new SubscriptionUpdateOptions
+        {
+            Items = [
+                new SubscriptionItemOptions
+                {
+                    Id = item.Id,
+                    Price = priceId,
+                    Quantity = newlySubscribedSeats
+                }
+            ]
+        });
 
         var newlyPurchasedSeats = newlySubscribedSeats > providerPlan.SeatMinimum
             ? newlySubscribedSeats - providerPlan.SeatMinimum
diff --git a/bitwarden_license/src/Commercial.Core/Billing/ProviderPriceAdapter.cs b/bitwarden_license/src/Commercial.Core/Billing/ProviderPriceAdapter.cs
new file mode 100644
index 0000000000..4cc0711ec9
--- /dev/null
+++ b/bitwarden_license/src/Commercial.Core/Billing/ProviderPriceAdapter.cs
@@ -0,0 +1,133 @@
+// ReSharper disable SwitchExpressionHandlesSomeKnownEnumValuesWithExceptionInDefault
+#nullable enable
+using Bit.Core.AdminConsole.Entities.Provider;
+using Bit.Core.AdminConsole.Enums.Provider;
+using Bit.Core.Billing;
+using Bit.Core.Billing.Enums;
+using Stripe;
+
+namespace Bit.Commercial.Core.Billing;
+
+public static class ProviderPriceAdapter
+{
+    public static class MSP
+    {
+        public static class Active
+        {
+            public const string Enterprise = "provider-portal-enterprise-monthly-2025";
+            public const string Teams = "provider-portal-teams-monthly-2025";
+        }
+
+        public static class Legacy
+        {
+            public const string Enterprise = "password-manager-provider-portal-enterprise-monthly-2024";
+            public const string Teams = "password-manager-provider-portal-teams-monthly-2024";
+            public static readonly List<string> List = [Enterprise, Teams];
+        }
+    }
+
+    public static class BusinessUnit
+    {
+        public static class Active
+        {
+            public const string Annually = "business-unit-portal-enterprise-annually-2025";
+            public const string Monthly = "business-unit-portal-enterprise-monthly-2025";
+        }
+
+        public static class Legacy
+        {
+            public const string Annually = "password-manager-provider-portal-enterprise-annually-2024";
+            public const string Monthly = "password-manager-provider-portal-enterprise-monthly-2024";
+            public static readonly List<string> List = [Annually, Monthly];
+        }
+    }
+
+    /// <summary>
+    /// Uses the <paramref name="provider"/>'s <see cref="Provider.Type"/> and <paramref name="subscription"/> to determine
+    /// whether the <paramref name="provider"/> is on active or legacy pricing and then returns a Stripe price ID for the provided
+    /// <paramref name="planType"/> based on that determination.
+    /// </summary>
+    /// <param name="provider">The provider to get the Stripe price ID for.</param>
+    /// <param name="subscription">The provider's subscription.</param>
+    /// <param name="planType">The plan type correlating to the desired Stripe price ID.</param>
+    /// <returns>A Stripe <see cref="Stripe.Price"/> ID.</returns>
+    /// <exception cref="BillingException">Thrown when the provider's type is not <see cref="ProviderType.Msp"/> or <see cref="ProviderType.MultiOrganizationEnterprise"/>.</exception>
+    /// <exception cref="BillingException">Thrown when the provided <see cref="planType"/> does not relate to a Stripe price ID.</exception>
+    public static string GetPriceId(
+        Provider provider,
+        Subscription subscription,
+        PlanType planType)
+    {
+        var priceIds = subscription.Items.Select(item => item.Price.Id);
+
+        var invalidPlanType =
+            new BillingException(message: $"PlanType {planType} does not have an associated provider price in Stripe");
+
+        return provider.Type switch
+        {
+            ProviderType.Msp => MSP.Legacy.List.Intersect(priceIds).Any()
+                ? planType switch
+                {
+                    PlanType.TeamsMonthly => MSP.Legacy.Teams,
+                    PlanType.EnterpriseMonthly => MSP.Legacy.Enterprise,
+                    _ => throw invalidPlanType
+                }
+                : planType switch
+                {
+                    PlanType.TeamsMonthly => MSP.Active.Teams,
+                    PlanType.EnterpriseMonthly => MSP.Active.Enterprise,
+                    _ => throw invalidPlanType
+                },
+            ProviderType.MultiOrganizationEnterprise => BusinessUnit.Legacy.List.Intersect(priceIds).Any()
+                ? planType switch
+                {
+                    PlanType.EnterpriseAnnually => BusinessUnit.Legacy.Annually,
+                    PlanType.EnterpriseMonthly => BusinessUnit.Legacy.Monthly,
+                    _ => throw invalidPlanType
+                }
+                : planType switch
+                {
+                    PlanType.EnterpriseAnnually => BusinessUnit.Active.Annually,
+                    PlanType.EnterpriseMonthly => BusinessUnit.Active.Monthly,
+                    _ => throw invalidPlanType
+                },
+            _ => throw new BillingException(
+                $"ProviderType {provider.Type} does not have any associated provider price IDs")
+        };
+    }
+
+    /// <summary>
+    /// Uses the <paramref name="provider"/>'s <see cref="Provider.Type"/> to return the active Stripe price ID for the provided
+    /// <paramref name="planType"/>.
+    /// </summary>
+    /// <param name="provider">The provider to get the Stripe price ID for.</param>
+    /// <param name="planType">The plan type correlating to the desired Stripe price ID.</param>
+    /// <returns>A Stripe <see cref="Stripe.Price"/> ID.</returns>
+    /// <exception cref="BillingException">Thrown when the provider's type is not <see cref="ProviderType.Msp"/> or <see cref="ProviderType.MultiOrganizationEnterprise"/>.</exception>
+    /// <exception cref="BillingException">Thrown when the provided <see cref="planType"/> does not relate to a Stripe price ID.</exception>
+    public static string GetActivePriceId(
+        Provider provider,
+        PlanType planType)
+    {
+        var invalidPlanType =
+            new BillingException(message: $"PlanType {planType} does not have an associated provider price in Stripe");
+
+        return provider.Type switch
+        {
+            ProviderType.Msp => planType switch
+            {
+                PlanType.TeamsMonthly => MSP.Active.Teams,
+                PlanType.EnterpriseMonthly => MSP.Active.Enterprise,
+                _ => throw invalidPlanType
+            },
+            ProviderType.MultiOrganizationEnterprise => planType switch
+            {
+                PlanType.EnterpriseAnnually => BusinessUnit.Active.Annually,
+                PlanType.EnterpriseMonthly => BusinessUnit.Active.Monthly,
+                _ => throw invalidPlanType
+            },
+            _ => throw new BillingException(
+                $"ProviderType {provider.Type} does not have any associated provider price IDs")
+        };
+    }
+}
diff --git a/bitwarden_license/test/Commercial.Core.Test/Billing/ProviderBillingServiceTests.cs b/bitwarden_license/test/Commercial.Core.Test/Billing/ProviderBillingServiceTests.cs
index 71a150a546..ab1000d631 100644
--- a/bitwarden_license/test/Commercial.Core.Test/Billing/ProviderBillingServiceTests.cs
+++ b/bitwarden_license/test/Commercial.Core.Test/Billing/ProviderBillingServiceTests.cs
@@ -4,6 +4,7 @@ using Bit.Commercial.Core.Billing;
 using Bit.Commercial.Core.Billing.Models;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Entities.Provider;
+using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Models.Data.Provider;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Constants;
@@ -115,6 +116,8 @@ public class ProviderBillingServiceTests
         SutProvider<ProviderBillingService> sutProvider)
     {
         // Arrange
+        provider.Type = ProviderType.MultiOrganizationEnterprise;
+
         var providerPlanRepository = sutProvider.GetDependency<IProviderPlanRepository>();
         var existingPlan = new ProviderPlan
         {
@@ -132,10 +135,7 @@ public class ProviderBillingServiceTests
         sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(existingPlan.PlanType)
             .Returns(StaticStore.GetPlan(existingPlan.PlanType));
 
-        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
-        stripeAdapter.ProviderSubscriptionGetAsync(
-                Arg.Is(provider.GatewaySubscriptionId),
-                Arg.Is(provider.Id))
+        sutProvider.GetDependency<ISubscriberService>().GetSubscriptionOrThrow(provider)
             .Returns(new Subscription
             {
                 Id = provider.GatewaySubscriptionId,
@@ -158,7 +158,7 @@ public class ProviderBillingServiceTests
             });
 
         var command =
-            new ChangeProviderPlanCommand(providerPlanId, PlanType.EnterpriseMonthly, provider.GatewaySubscriptionId);
+            new ChangeProviderPlanCommand(provider, providerPlanId, PlanType.EnterpriseMonthly);
 
         sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(command.NewPlan)
             .Returns(StaticStore.GetPlan(command.NewPlan));
@@ -170,6 +170,8 @@ public class ProviderBillingServiceTests
         await providerPlanRepository.Received(1)
             .ReplaceAsync(Arg.Is<ProviderPlan>(p => p.PlanType == PlanType.EnterpriseMonthly));
 
+        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
+
         await stripeAdapter.Received(1)
             .SubscriptionUpdateAsync(
                 Arg.Is(provider.GatewaySubscriptionId),
@@ -405,6 +407,23 @@ public class ProviderBillingServiceTests
 
         sutProvider.GetDependency<IProviderPlanRepository>().GetByProviderId(provider.Id).Returns(providerPlans);
 
+        var subscription = new Subscription
+        {
+            Items = new StripeList<SubscriptionItem>
+            {
+                Data =
+                [
+                    new SubscriptionItem { Price = new Price { Id = ProviderPriceAdapter.MSP.Active.Teams } },
+                    new SubscriptionItem
+                    {
+                        Price = new Price { Id = ProviderPriceAdapter.MSP.Active.Enterprise }
+                    }
+                ]
+            }
+        };
+
+        sutProvider.GetDependency<ISubscriberService>().GetSubscriptionOrThrow(provider).Returns(subscription);
+
         // 50 seats currently assigned with a seat minimum of 100
         var teamsMonthlyPlan = StaticStore.GetPlan(PlanType.TeamsMonthly);
 
@@ -427,11 +446,9 @@ public class ProviderBillingServiceTests
         await sutProvider.Sut.ScaleSeats(provider, PlanType.TeamsMonthly, 10);
 
         // 50 assigned seats + 10 seat scale up = 60 seats, well below the 100 minimum
-        await sutProvider.GetDependency<IPaymentService>().DidNotReceiveWithAnyArgs().AdjustSeats(
-            Arg.Any<Provider>(),
-            Arg.Any<Bit.Core.Models.StaticStore.Plan>(),
-            Arg.Any<int>(),
-            Arg.Any<int>());
+        await sutProvider.GetDependency<IStripeAdapter>().DidNotReceiveWithAnyArgs().SubscriptionUpdateAsync(
+            Arg.Any<string>(),
+            Arg.Any<SubscriptionUpdateOptions>());
 
         await sutProvider.GetDependency<IProviderPlanRepository>().Received(1).ReplaceAsync(Arg.Is<ProviderPlan>(
             pPlan => pPlan.AllocatedSeats == 60));
@@ -474,6 +491,23 @@ public class ProviderBillingServiceTests
 
         sutProvider.GetDependency<IProviderPlanRepository>().GetByProviderId(provider.Id).Returns(providerPlans);
 
+        var subscription = new Subscription
+        {
+            Items = new StripeList<SubscriptionItem>
+            {
+                Data =
+                [
+                    new SubscriptionItem { Price = new Price { Id = ProviderPriceAdapter.MSP.Active.Teams } },
+                    new SubscriptionItem
+                    {
+                        Price = new Price { Id = ProviderPriceAdapter.MSP.Active.Enterprise }
+                    }
+                ]
+            }
+        };
+
+        sutProvider.GetDependency<ISubscriberService>().GetSubscriptionOrThrow(provider).Returns(subscription);
+
         // 95 seats currently assigned with a seat minimum of 100
         var teamsMonthlyPlan = StaticStore.GetPlan(PlanType.TeamsMonthly);
 
@@ -496,11 +530,12 @@ public class ProviderBillingServiceTests
         await sutProvider.Sut.ScaleSeats(provider, PlanType.TeamsMonthly, 10);
 
         // 95 current + 10 seat scale = 105 seats, 5 above the minimum
-        await sutProvider.GetDependency<IPaymentService>().Received(1).AdjustSeats(
-            provider,
-            StaticStore.GetPlan(providerPlan.PlanType),
-            providerPlan.SeatMinimum!.Value,
-            105);
+        await sutProvider.GetDependency<IStripeAdapter>().Received(1).SubscriptionUpdateAsync(
+            provider.GatewaySubscriptionId,
+            Arg.Is<SubscriptionUpdateOptions>(
+                options =>
+                    options.Items.First().Price == ProviderPriceAdapter.MSP.Active.Teams &&
+                    options.Items.First().Quantity == 105));
 
         // 105 total seats - 100 minimum = 5 purchased seats
         await sutProvider.GetDependency<IProviderPlanRepository>().Received(1).ReplaceAsync(Arg.Is<ProviderPlan>(
@@ -544,6 +579,23 @@ public class ProviderBillingServiceTests
 
         sutProvider.GetDependency<IProviderPlanRepository>().GetByProviderId(provider.Id).Returns(providerPlans);
 
+        var subscription = new Subscription
+        {
+            Items = new StripeList<SubscriptionItem>
+            {
+                Data =
+                [
+                    new SubscriptionItem { Price = new Price { Id = ProviderPriceAdapter.MSP.Active.Teams } },
+                    new SubscriptionItem
+                    {
+                        Price = new Price { Id = ProviderPriceAdapter.MSP.Active.Enterprise }
+                    }
+                ]
+            }
+        };
+
+        sutProvider.GetDependency<ISubscriberService>().GetSubscriptionOrThrow(provider).Returns(subscription);
+
         // 110 seats currently assigned with a seat minimum of 100
         var teamsMonthlyPlan = StaticStore.GetPlan(PlanType.TeamsMonthly);
 
@@ -566,11 +618,12 @@ public class ProviderBillingServiceTests
         await sutProvider.Sut.ScaleSeats(provider, PlanType.TeamsMonthly, 10);
 
         // 110 current + 10 seat scale up = 120 seats
-        await sutProvider.GetDependency<IPaymentService>().Received(1).AdjustSeats(
-            provider,
-            StaticStore.GetPlan(providerPlan.PlanType),
-            110,
-            120);
+        await sutProvider.GetDependency<IStripeAdapter>().Received(1).SubscriptionUpdateAsync(
+            provider.GatewaySubscriptionId,
+            Arg.Is<SubscriptionUpdateOptions>(
+                options =>
+                    options.Items.First().Price == ProviderPriceAdapter.MSP.Active.Teams &&
+                    options.Items.First().Quantity == 120));
 
         // 120 total seats - 100 seat minimum = 20 purchased seats
         await sutProvider.GetDependency<IProviderPlanRepository>().Received(1).ReplaceAsync(Arg.Is<ProviderPlan>(
@@ -614,6 +667,23 @@ public class ProviderBillingServiceTests
 
         sutProvider.GetDependency<IProviderPlanRepository>().GetByProviderId(provider.Id).Returns(providerPlans);
 
+        var subscription = new Subscription
+        {
+            Items = new StripeList<SubscriptionItem>
+            {
+                Data =
+                [
+                    new SubscriptionItem { Price = new Price { Id = ProviderPriceAdapter.MSP.Active.Teams } },
+                    new SubscriptionItem
+                    {
+                        Price = new Price { Id = ProviderPriceAdapter.MSP.Active.Enterprise }
+                    }
+                ]
+            }
+        };
+
+        sutProvider.GetDependency<ISubscriberService>().GetSubscriptionOrThrow(provider).Returns(subscription);
+
         // 110 seats currently assigned with a seat minimum of 100
         var teamsMonthlyPlan = StaticStore.GetPlan(PlanType.TeamsMonthly);
 
@@ -636,11 +706,12 @@ public class ProviderBillingServiceTests
         await sutProvider.Sut.ScaleSeats(provider, PlanType.TeamsMonthly, -30);
 
         // 110 seats - 30 scale down seats = 80 seats, below the 100 seat minimum.
-        await sutProvider.GetDependency<IPaymentService>().Received(1).AdjustSeats(
-            provider,
-            StaticStore.GetPlan(providerPlan.PlanType),
-            110,
-            providerPlan.SeatMinimum!.Value);
+        await sutProvider.GetDependency<IStripeAdapter>().Received(1).SubscriptionUpdateAsync(
+            provider.GatewaySubscriptionId,
+            Arg.Is<SubscriptionUpdateOptions>(
+                options =>
+                    options.Items.First().Price == ProviderPriceAdapter.MSP.Active.Teams &&
+                    options.Items.First().Quantity == providerPlan.SeatMinimum!.Value));
 
         // Being below the seat minimum means no purchased seats.
         await sutProvider.GetDependency<IProviderPlanRepository>().Received(1).ReplaceAsync(Arg.Is<ProviderPlan>(
@@ -977,6 +1048,7 @@ public class ProviderBillingServiceTests
         SutProvider<ProviderBillingService> sutProvider,
         Provider provider)
     {
+        provider.Type = ProviderType.Msp;
         provider.GatewaySubscriptionId = null;
 
         var customer = new Customer
@@ -1020,9 +1092,6 @@ public class ProviderBillingServiceTests
         sutProvider.GetDependency<IProviderPlanRepository>().GetByProviderId(provider.Id)
             .Returns(providerPlans);
 
-        var teamsPlan = StaticStore.GetPlan(PlanType.TeamsMonthly);
-        var enterprisePlan = StaticStore.GetPlan(PlanType.EnterpriseMonthly);
-
         var expected = new Subscription { Id = "subscription_id", Status = StripeConstants.SubscriptionStatus.Active };
 
         sutProvider.GetDependency<IAutomaticTaxStrategy>()
@@ -1045,9 +1114,9 @@ public class ProviderBillingServiceTests
                 sub.Customer == "customer_id" &&
                 sub.DaysUntilDue == 30 &&
                 sub.Items.Count == 2 &&
-                sub.Items.ElementAt(0).Price == teamsPlan.PasswordManager.StripeProviderPortalSeatPlanId &&
+                sub.Items.ElementAt(0).Price == ProviderPriceAdapter.MSP.Active.Teams &&
                 sub.Items.ElementAt(0).Quantity == 100 &&
-                sub.Items.ElementAt(1).Price == enterprisePlan.PasswordManager.StripeProviderPortalSeatPlanId &&
+                sub.Items.ElementAt(1).Price == ProviderPriceAdapter.MSP.Active.Enterprise &&
                 sub.Items.ElementAt(1).Quantity == 100 &&
                 sub.Metadata["providerId"] == provider.Id.ToString() &&
                 sub.OffSession == true &&
@@ -1069,8 +1138,7 @@ public class ProviderBillingServiceTests
     {
         // Arrange
         var command = new UpdateProviderSeatMinimumsCommand(
-            provider.Id,
-            provider.GatewaySubscriptionId,
+            provider,
             [
                 (PlanType.TeamsMonthly, -10),
                 (PlanType.EnterpriseMonthly, 50)
@@ -1089,6 +1157,8 @@ public class ProviderBillingServiceTests
         SutProvider<ProviderBillingService> sutProvider)
     {
         // Arrange
+        provider.Type = ProviderType.Msp;
+
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
         var providerPlanRepository = sutProvider.GetDependency<IProviderPlanRepository>();
 
@@ -1118,9 +1188,7 @@ public class ProviderBillingServiceTests
             }
         };
 
-        stripeAdapter.ProviderSubscriptionGetAsync(
-            provider.GatewaySubscriptionId,
-            provider.Id).Returns(subscription);
+        sutProvider.GetDependency<ISubscriberService>().GetSubscriptionOrThrow(provider).Returns(subscription);
 
         var providerPlans = new List<ProviderPlan>
         {
@@ -1137,8 +1205,7 @@ public class ProviderBillingServiceTests
         providerPlanRepository.GetByProviderId(provider.Id).Returns(providerPlans);
 
         var command = new UpdateProviderSeatMinimumsCommand(
-            provider.Id,
-            provider.GatewaySubscriptionId,
+            provider,
             [
                 (PlanType.EnterpriseMonthly, 30),
                 (PlanType.TeamsMonthly, 20)
@@ -1170,6 +1237,8 @@ public class ProviderBillingServiceTests
         SutProvider<ProviderBillingService> sutProvider)
     {
         // Arrange
+        provider.Type = ProviderType.Msp;
+
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
         var providerPlanRepository = sutProvider.GetDependency<IProviderPlanRepository>();
 
@@ -1199,7 +1268,7 @@ public class ProviderBillingServiceTests
             }
         };
 
-        stripeAdapter.ProviderSubscriptionGetAsync(provider.GatewaySubscriptionId, provider.Id).Returns(subscription);
+        sutProvider.GetDependency<ISubscriberService>().GetSubscriptionOrThrow(provider).Returns(subscription);
 
         var providerPlans = new List<ProviderPlan>
         {
@@ -1216,8 +1285,7 @@ public class ProviderBillingServiceTests
         providerPlanRepository.GetByProviderId(provider.Id).Returns(providerPlans);
 
         var command = new UpdateProviderSeatMinimumsCommand(
-            provider.Id,
-            provider.GatewaySubscriptionId,
+            provider,
             [
                 (PlanType.EnterpriseMonthly, 70),
                 (PlanType.TeamsMonthly, 50)
@@ -1249,6 +1317,8 @@ public class ProviderBillingServiceTests
         SutProvider<ProviderBillingService> sutProvider)
     {
         // Arrange
+        provider.Type = ProviderType.Msp;
+
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
         var providerPlanRepository = sutProvider.GetDependency<IProviderPlanRepository>();
 
@@ -1278,7 +1348,7 @@ public class ProviderBillingServiceTests
             }
         };
 
-        stripeAdapter.ProviderSubscriptionGetAsync(provider.GatewaySubscriptionId, provider.Id).Returns(subscription);
+        sutProvider.GetDependency<ISubscriberService>().GetSubscriptionOrThrow(provider).Returns(subscription);
 
         var providerPlans = new List<ProviderPlan>
         {
@@ -1295,8 +1365,7 @@ public class ProviderBillingServiceTests
         providerPlanRepository.GetByProviderId(provider.Id).Returns(providerPlans);
 
         var command = new UpdateProviderSeatMinimumsCommand(
-            provider.Id,
-            provider.GatewaySubscriptionId,
+            provider,
             [
                 (PlanType.EnterpriseMonthly, 60),
                 (PlanType.TeamsMonthly, 60)
@@ -1322,6 +1391,8 @@ public class ProviderBillingServiceTests
         SutProvider<ProviderBillingService> sutProvider)
     {
         // Arrange
+        provider.Type = ProviderType.Msp;
+
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
         var providerPlanRepository = sutProvider.GetDependency<IProviderPlanRepository>();
 
@@ -1351,7 +1422,7 @@ public class ProviderBillingServiceTests
             }
         };
 
-        stripeAdapter.ProviderSubscriptionGetAsync(provider.GatewaySubscriptionId, provider.Id).Returns(subscription);
+        sutProvider.GetDependency<ISubscriberService>().GetSubscriptionOrThrow(provider).Returns(subscription);
 
         var providerPlans = new List<ProviderPlan>
         {
@@ -1368,8 +1439,7 @@ public class ProviderBillingServiceTests
         providerPlanRepository.GetByProviderId(provider.Id).Returns(providerPlans);
 
         var command = new UpdateProviderSeatMinimumsCommand(
-            provider.Id,
-            provider.GatewaySubscriptionId,
+            provider,
             [
                 (PlanType.EnterpriseMonthly, 80),
                 (PlanType.TeamsMonthly, 80)
@@ -1401,6 +1471,8 @@ public class ProviderBillingServiceTests
         SutProvider<ProviderBillingService> sutProvider)
     {
         // Arrange
+        provider.Type = ProviderType.Msp;
+
         var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
         var providerPlanRepository = sutProvider.GetDependency<IProviderPlanRepository>();
 
@@ -1430,7 +1502,7 @@ public class ProviderBillingServiceTests
             }
         };
 
-        stripeAdapter.ProviderSubscriptionGetAsync(provider.GatewaySubscriptionId, provider.Id).Returns(subscription);
+        sutProvider.GetDependency<ISubscriberService>().GetSubscriptionOrThrow(provider).Returns(subscription);
 
         var providerPlans = new List<ProviderPlan>
         {
@@ -1447,8 +1519,7 @@ public class ProviderBillingServiceTests
         providerPlanRepository.GetByProviderId(provider.Id).Returns(providerPlans);
 
         var command = new UpdateProviderSeatMinimumsCommand(
-            provider.Id,
-            provider.GatewaySubscriptionId,
+            provider,
             [
                 (PlanType.EnterpriseMonthly, 70),
                 (PlanType.TeamsMonthly, 30)
diff --git a/bitwarden_license/test/Commercial.Core.Test/Billing/ProviderPriceAdapterTests.cs b/bitwarden_license/test/Commercial.Core.Test/Billing/ProviderPriceAdapterTests.cs
new file mode 100644
index 0000000000..4fce78c05a
--- /dev/null
+++ b/bitwarden_license/test/Commercial.Core.Test/Billing/ProviderPriceAdapterTests.cs
@@ -0,0 +1,151 @@
+using Bit.Commercial.Core.Billing;
+using Bit.Core.AdminConsole.Entities.Provider;
+using Bit.Core.AdminConsole.Enums.Provider;
+using Bit.Core.Billing.Enums;
+using Stripe;
+using Xunit;
+
+namespace Bit.Commercial.Core.Test.Billing;
+
+public class ProviderPriceAdapterTests
+{
+    [Theory]
+    [InlineData("password-manager-provider-portal-enterprise-monthly-2024", PlanType.EnterpriseMonthly)]
+    [InlineData("password-manager-provider-portal-teams-monthly-2024", PlanType.TeamsMonthly)]
+    public void GetPriceId_MSP_Legacy_Succeeds(string priceId, PlanType planType)
+    {
+        var provider = new Provider
+        {
+            Id = Guid.NewGuid(),
+            Type = ProviderType.Msp
+        };
+
+        var subscription = new Subscription
+        {
+            Items = new StripeList<SubscriptionItem>
+            {
+                Data =
+                [
+                    new SubscriptionItem { Price = new Price { Id = priceId } }
+                ]
+            }
+        };
+
+        var result = ProviderPriceAdapter.GetPriceId(provider, subscription, planType);
+
+        Assert.Equal(result, priceId);
+    }
+
+    [Theory]
+    [InlineData("provider-portal-enterprise-monthly-2025", PlanType.EnterpriseMonthly)]
+    [InlineData("provider-portal-teams-monthly-2025", PlanType.TeamsMonthly)]
+    public void GetPriceId_MSP_Active_Succeeds(string priceId, PlanType planType)
+    {
+        var provider = new Provider
+        {
+            Id = Guid.NewGuid(),
+            Type = ProviderType.Msp
+        };
+
+        var subscription = new Subscription
+        {
+            Items = new StripeList<SubscriptionItem>
+            {
+                Data =
+                [
+                    new SubscriptionItem { Price = new Price { Id = priceId } }
+                ]
+            }
+        };
+
+        var result = ProviderPriceAdapter.GetPriceId(provider, subscription, planType);
+
+        Assert.Equal(result, priceId);
+    }
+
+    [Theory]
+    [InlineData("password-manager-provider-portal-enterprise-annually-2024", PlanType.EnterpriseAnnually)]
+    [InlineData("password-manager-provider-portal-enterprise-monthly-2024", PlanType.EnterpriseMonthly)]
+    public void GetPriceId_BusinessUnit_Legacy_Succeeds(string priceId, PlanType planType)
+    {
+        var provider = new Provider
+        {
+            Id = Guid.NewGuid(),
+            Type = ProviderType.MultiOrganizationEnterprise
+        };
+
+        var subscription = new Subscription
+        {
+            Items = new StripeList<SubscriptionItem>
+            {
+                Data =
+                [
+                    new SubscriptionItem { Price = new Price { Id = priceId } }
+                ]
+            }
+        };
+
+        var result = ProviderPriceAdapter.GetPriceId(provider, subscription, planType);
+
+        Assert.Equal(result, priceId);
+    }
+
+    [Theory]
+    [InlineData("business-unit-portal-enterprise-annually-2025", PlanType.EnterpriseAnnually)]
+    [InlineData("business-unit-portal-enterprise-monthly-2025", PlanType.EnterpriseMonthly)]
+    public void GetPriceId_BusinessUnit_Active_Succeeds(string priceId, PlanType planType)
+    {
+        var provider = new Provider
+        {
+            Id = Guid.NewGuid(),
+            Type = ProviderType.MultiOrganizationEnterprise
+        };
+
+        var subscription = new Subscription
+        {
+            Items = new StripeList<SubscriptionItem>
+            {
+                Data =
+                [
+                    new SubscriptionItem { Price = new Price { Id = priceId } }
+                ]
+            }
+        };
+
+        var result = ProviderPriceAdapter.GetPriceId(provider, subscription, planType);
+
+        Assert.Equal(result, priceId);
+    }
+
+    [Theory]
+    [InlineData("provider-portal-enterprise-monthly-2025", PlanType.EnterpriseMonthly)]
+    [InlineData("provider-portal-teams-monthly-2025", PlanType.TeamsMonthly)]
+    public void GetActivePriceId_MSP_Succeeds(string priceId, PlanType planType)
+    {
+        var provider = new Provider
+        {
+            Id = Guid.NewGuid(),
+            Type = ProviderType.Msp
+        };
+
+        var result = ProviderPriceAdapter.GetActivePriceId(provider, planType);
+
+        Assert.Equal(result, priceId);
+    }
+
+    [Theory]
+    [InlineData("business-unit-portal-enterprise-annually-2025", PlanType.EnterpriseAnnually)]
+    [InlineData("business-unit-portal-enterprise-monthly-2025", PlanType.EnterpriseMonthly)]
+    public void GetActivePriceId_BusinessUnit_Succeeds(string priceId, PlanType planType)
+    {
+        var provider = new Provider
+        {
+            Id = Guid.NewGuid(),
+            Type = ProviderType.MultiOrganizationEnterprise
+        };
+
+        var result = ProviderPriceAdapter.GetActivePriceId(provider, planType);
+
+        Assert.Equal(result, priceId);
+    }
+}
diff --git a/src/Admin/AdminConsole/Controllers/ProvidersController.cs b/src/Admin/AdminConsole/Controllers/ProvidersController.cs
index c38bb64419..0b1e4035df 100644
--- a/src/Admin/AdminConsole/Controllers/ProvidersController.cs
+++ b/src/Admin/AdminConsole/Controllers/ProvidersController.cs
@@ -300,8 +300,7 @@ public class ProvidersController : Controller
         {
             case ProviderType.Msp:
                 var updateMspSeatMinimumsCommand = new UpdateProviderSeatMinimumsCommand(
-                    provider.Id,
-                    provider.GatewaySubscriptionId,
+                    provider,
                     [
                         (Plan: PlanType.TeamsMonthly, SeatsMinimum: model.TeamsMonthlySeatMinimum),
                         (Plan: PlanType.EnterpriseMonthly, SeatsMinimum: model.EnterpriseMonthlySeatMinimum)
@@ -314,15 +313,14 @@ public class ProvidersController : Controller
 
                     // 1. Change the plan and take over any old values.
                     var changeMoePlanCommand = new ChangeProviderPlanCommand(
+                        provider,
                         existingMoePlan.Id,
-                        model.Plan!.Value,
-                        provider.GatewaySubscriptionId);
+                        model.Plan!.Value);
                     await _providerBillingService.ChangePlan(changeMoePlanCommand);
 
                     // 2. Update the seat minimums.
                     var updateMoeSeatMinimumsCommand = new UpdateProviderSeatMinimumsCommand(
-                        provider.Id,
-                        provider.GatewaySubscriptionId,
+                        provider,
                         [
                             (Plan: model.Plan!.Value, SeatsMinimum: model.EnterpriseMinimumSeats!.Value)
                         ]);
diff --git a/src/Core/Billing/Migration/Services/Implementations/ProviderMigrator.cs b/src/Core/Billing/Migration/Services/Implementations/ProviderMigrator.cs
index b5c4383556..384cfca1d1 100644
--- a/src/Core/Billing/Migration/Services/Implementations/ProviderMigrator.cs
+++ b/src/Core/Billing/Migration/Services/Implementations/ProviderMigrator.cs
@@ -309,8 +309,7 @@ public class ProviderMigrator(
                 .SeatMinimum ?? 0;
 
             var updateSeatMinimumsCommand = new UpdateProviderSeatMinimumsCommand(
-                provider.Id,
-                provider.GatewaySubscriptionId,
+                provider,
                 [
                     (Plan: PlanType.EnterpriseMonthly, SeatsMinimum: enterpriseSeatMinimum),
                     (Plan: PlanType.TeamsMonthly, SeatsMinimum: teamsSeatMinimum)
diff --git a/src/Core/Billing/Models/StaticStore/Plan.cs b/src/Core/Billing/Models/StaticStore/Plan.cs
index 5dbcd7ddc4..17aa78aa06 100644
--- a/src/Core/Billing/Models/StaticStore/Plan.cs
+++ b/src/Core/Billing/Models/StaticStore/Plan.cs
@@ -75,6 +75,7 @@ public abstract record Plan
         // Seats
         public string StripePlanId { get; init; }
         public string StripeSeatPlanId { get; init; }
+        [Obsolete("No longer used to retrieve a provider's price ID. Use ProviderPriceAdapter instead.")]
         public string StripeProviderPortalSeatPlanId { get; init; }
         public decimal BasePrice { get; init; }
         public decimal SeatPrice { get; init; }
diff --git a/src/Core/Billing/Services/Contracts/ChangeProviderPlansCommand.cs b/src/Core/Billing/Services/Contracts/ChangeProviderPlansCommand.cs
index 3e8fffdd11..385782c8ad 100644
--- a/src/Core/Billing/Services/Contracts/ChangeProviderPlansCommand.cs
+++ b/src/Core/Billing/Services/Contracts/ChangeProviderPlansCommand.cs
@@ -1,8 +1,9 @@
-using Bit.Core.Billing.Enums;
+using Bit.Core.AdminConsole.Entities.Provider;
+using Bit.Core.Billing.Enums;
 
 namespace Bit.Core.Billing.Services.Contracts;
 
 public record ChangeProviderPlanCommand(
+    Provider Provider,
     Guid ProviderPlanId,
-    PlanType NewPlan,
-    string GatewaySubscriptionId);
+    PlanType NewPlan);
diff --git a/src/Core/Billing/Services/Contracts/UpdateProviderSeatMinimumsCommand.cs b/src/Core/Billing/Services/Contracts/UpdateProviderSeatMinimumsCommand.cs
index 86a596ffb6..2d2535b60a 100644
--- a/src/Core/Billing/Services/Contracts/UpdateProviderSeatMinimumsCommand.cs
+++ b/src/Core/Billing/Services/Contracts/UpdateProviderSeatMinimumsCommand.cs
@@ -1,10 +1,10 @@
-using Bit.Core.Billing.Enums;
+using Bit.Core.AdminConsole.Entities.Provider;
+using Bit.Core.Billing.Enums;
 
 namespace Bit.Core.Billing.Services.Contracts;
 
-/// <param name="Id">The ID of the provider to update the seat minimums for.</param>
+/// <param name="Provider">The provider to update the seat minimums for.</param>
 /// <param name="Configuration">The new seat minimums for the provider.</param>
 public record UpdateProviderSeatMinimumsCommand(
-    Guid Id,
-    string GatewaySubscriptionId,
+    Provider Provider,
     IReadOnlyCollection<(PlanType Plan, int SeatsMinimum)> Configuration);
diff --git a/src/Core/Models/Business/ProviderSubscriptionUpdate.cs b/src/Core/Models/Business/ProviderSubscriptionUpdate.cs
deleted file mode 100644
index 1fd833ca1f..0000000000
--- a/src/Core/Models/Business/ProviderSubscriptionUpdate.cs
+++ /dev/null
@@ -1,62 +0,0 @@
-using Bit.Core.Billing;
-using Bit.Core.Billing.Enums;
-using Bit.Core.Billing.Extensions;
-using Stripe;
-using Plan = Bit.Core.Models.StaticStore.Plan;
-
-namespace Bit.Core.Models.Business;
-
-public class ProviderSubscriptionUpdate : SubscriptionUpdate
-{
-    private readonly string _planId;
-    private readonly int _previouslyPurchasedSeats;
-    private readonly int _newlyPurchasedSeats;
-
-    protected override List<string> PlanIds => [_planId];
-
-    public ProviderSubscriptionUpdate(
-        Plan plan,
-        int previouslyPurchasedSeats,
-        int newlyPurchasedSeats)
-    {
-        if (!plan.Type.SupportsConsolidatedBilling())
-        {
-            throw new BillingException(
-                message: $"Cannot create a {nameof(ProviderSubscriptionUpdate)} for {nameof(PlanType)} that doesn't support consolidated billing");
-        }
-
-        _planId = plan.PasswordManager.StripeProviderPortalSeatPlanId;
-        _previouslyPurchasedSeats = previouslyPurchasedSeats;
-        _newlyPurchasedSeats = newlyPurchasedSeats;
-    }
-
-    public override List<SubscriptionItemOptions> RevertItemsOptions(Subscription subscription)
-    {
-        var subscriptionItem = FindSubscriptionItem(subscription, _planId);
-
-        return
-        [
-            new SubscriptionItemOptions
-            {
-                Id = subscriptionItem.Id,
-                Price = _planId,
-                Quantity = _previouslyPurchasedSeats
-            }
-        ];
-    }
-
-    public override List<SubscriptionItemOptions> UpgradeItemsOptions(Subscription subscription)
-    {
-        var subscriptionItem = FindSubscriptionItem(subscription, _planId);
-
-        return
-        [
-            new SubscriptionItemOptions
-            {
-                Id = subscriptionItem.Id,
-                Price = _planId,
-                Quantity = _newlyPurchasedSeats
-            }
-        ];
-    }
-}
diff --git a/src/Core/Services/IPaymentService.cs b/src/Core/Services/IPaymentService.cs
index e3495c0e65..bd7efdbad4 100644
--- a/src/Core/Services/IPaymentService.cs
+++ b/src/Core/Services/IPaymentService.cs
@@ -1,5 +1,4 @@
 using Bit.Core.AdminConsole.Entities;
-using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.Billing.Models;
 using Bit.Core.Billing.Models.Api.Requests.Accounts;
 using Bit.Core.Billing.Models.Api.Requests.Organizations;
@@ -25,11 +24,6 @@ public interface IPaymentService
         int? newlyPurchasedAdditionalSecretsManagerServiceAccounts,
         int newlyPurchasedAdditionalStorage);
     Task<string> AdjustSeatsAsync(Organization organization, Plan plan, int additionalSeats);
-    Task<string> AdjustSeats(
-        Provider provider,
-        Plan plan,
-        int currentlySubscribedSeats,
-        int newlySubscribedSeats);
     Task<string> AdjustSmSeatsAsync(Organization organization, Plan plan, int additionalSeats);
     Task<string> AdjustStorageAsync(IStorableSubscriber storableSubscriber, int additionalStorage, string storagePlanId);
 
diff --git a/src/Core/Services/Implementations/StripePaymentService.cs b/src/Core/Services/Implementations/StripePaymentService.cs
index cdcd14ca90..d8889bca26 100644
--- a/src/Core/Services/Implementations/StripePaymentService.cs
+++ b/src/Core/Services/Implementations/StripePaymentService.cs
@@ -1,5 +1,4 @@
 using Bit.Core.AdminConsole.Entities;
-using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Extensions;
 using Bit.Core.Billing.Models;
@@ -251,18 +250,6 @@ public class StripePaymentService : IPaymentService
     public Task<string> AdjustSeatsAsync(Organization organization, StaticStore.Plan plan, int additionalSeats) =>
         FinalizeSubscriptionChangeAsync(organization, new SeatSubscriptionUpdate(organization, plan, additionalSeats));
 
-    public Task<string> AdjustSeats(
-        Provider provider,
-        StaticStore.Plan plan,
-        int currentlySubscribedSeats,
-        int newlySubscribedSeats)
-        => FinalizeSubscriptionChangeAsync(
-            provider,
-            new ProviderSubscriptionUpdate(
-                plan,
-                currentlySubscribedSeats,
-                newlySubscribedSeats));
-
     public Task<string> AdjustSmSeatsAsync(Organization organization, StaticStore.Plan plan, int additionalSeats) =>
         FinalizeSubscriptionChangeAsync(
             organization,

From 0f0c3a4e5ad93708b634bac489dffff67e91d664 Mon Sep 17 00:00:00 2001
From: Vijay Oommen <voommen@livefront.com>
Date: Thu, 3 Apr 2025 08:35:29 -0500
Subject: [PATCH 156/184] [PM-19423] Update an existing org with license should
 set UseRiskInsights flag (#5539)

---
 src/Core/AdminConsole/Entities/Organization.cs                 | 1 +
 .../Models/Data/Organizations/SelfHostedOrganizationDetails.cs | 3 ++-
 src/Core/Billing/Licenses/LicenseConstants.cs                  | 1 +
 .../Implementations/OrganizationLicenseClaimsFactory.cs        | 1 +
 4 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/Core/AdminConsole/Entities/Organization.cs b/src/Core/AdminConsole/Entities/Organization.cs
index 54661e22a7..e91f1ede29 100644
--- a/src/Core/AdminConsole/Entities/Organization.cs
+++ b/src/Core/AdminConsole/Entities/Organization.cs
@@ -313,5 +313,6 @@ public class Organization : ITableObject<Guid>, IStorableSubscriber, IRevisable,
         UseSecretsManager = license.UseSecretsManager;
         SmSeats = license.SmSeats;
         SmServiceAccounts = license.SmServiceAccounts;
+        UseRiskInsights = license.UseRiskInsights;
     }
 }
diff --git a/src/Core/AdminConsole/Models/Data/Organizations/SelfHostedOrganizationDetails.cs b/src/Core/AdminConsole/Models/Data/Organizations/SelfHostedOrganizationDetails.cs
index c53ac8745c..ab2dfd7e0e 100644
--- a/src/Core/AdminConsole/Models/Data/Organizations/SelfHostedOrganizationDetails.cs
+++ b/src/Core/AdminConsole/Models/Data/Organizations/SelfHostedOrganizationDetails.cs
@@ -148,7 +148,8 @@ public class SelfHostedOrganizationDetails : Organization
             LimitCollectionDeletion = LimitCollectionDeletion,
             LimitItemDeletion = LimitItemDeletion,
             AllowAdminAccessToAllCollectionItems = AllowAdminAccessToAllCollectionItems,
-            Status = Status
+            Status = Status,
+            UseRiskInsights = UseRiskInsights,
         };
     }
 }
diff --git a/src/Core/Billing/Licenses/LicenseConstants.cs b/src/Core/Billing/Licenses/LicenseConstants.cs
index 564019affc..50510914a5 100644
--- a/src/Core/Billing/Licenses/LicenseConstants.cs
+++ b/src/Core/Billing/Licenses/LicenseConstants.cs
@@ -36,6 +36,7 @@ public static class OrganizationLicenseConstants
     public const string SmServiceAccounts = nameof(SmServiceAccounts);
     public const string LimitCollectionCreationDeletion = nameof(LimitCollectionCreationDeletion);
     public const string AllowAdminAccessToAllCollectionItems = nameof(AllowAdminAccessToAllCollectionItems);
+    public const string UseRiskInsights = nameof(UseRiskInsights);
     public const string Expires = nameof(Expires);
     public const string Refresh = nameof(Refresh);
     public const string ExpirationWithoutGracePeriod = nameof(ExpirationWithoutGracePeriod);
diff --git a/src/Core/Billing/Licenses/Services/Implementations/OrganizationLicenseClaimsFactory.cs b/src/Core/Billing/Licenses/Services/Implementations/OrganizationLicenseClaimsFactory.cs
index e436102012..62e1889564 100644
--- a/src/Core/Billing/Licenses/Services/Implementations/OrganizationLicenseClaimsFactory.cs
+++ b/src/Core/Billing/Licenses/Services/Implementations/OrganizationLicenseClaimsFactory.cs
@@ -47,6 +47,7 @@ public class OrganizationLicenseClaimsFactory : ILicenseClaimsFactory<Organizati
             new(nameof(OrganizationLicenseConstants.LimitCollectionCreationDeletion),
                 (entity.LimitCollectionCreation || entity.LimitCollectionDeletion).ToString()),
             new(nameof(OrganizationLicenseConstants.AllowAdminAccessToAllCollectionItems), entity.AllowAdminAccessToAllCollectionItems.ToString()),
+            new(nameof(OrganizationLicenseConstants.UseRiskInsights), entity.UseRiskInsights.ToString()),
             new(nameof(OrganizationLicenseConstants.Issued), DateTime.UtcNow.ToString(CultureInfo.InvariantCulture)),
             new(nameof(OrganizationLicenseConstants.Expires), expires.ToString(CultureInfo.InvariantCulture)),
             new(nameof(OrganizationLicenseConstants.Refresh), refresh.ToString(CultureInfo.InvariantCulture)),

From 60e9827196fd3a339ced28f30ee5980dacc9e994 Mon Sep 17 00:00:00 2001
From: Jared McCannon <jmccannon@bitwarden.com>
Date: Thu, 3 Apr 2025 10:03:31 -0500
Subject: [PATCH 157/184] Added more tests to catch more use cases and fix
 bugs. (#5598)

---
 .../v1/RestoreOrganizationUserCommand.cs      |  29 ++-
 .../RestoreOrganizationUserCommandTests.cs    | 212 +++++++++++++++++-
 2 files changed, 229 insertions(+), 12 deletions(-)

diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/RestoreOrganizationUserCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/RestoreOrganizationUserCommand.cs
index 3d4b0fba5c..f122463a98 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/RestoreOrganizationUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/RestoreOrganizationUserCommand.cs
@@ -87,7 +87,10 @@ public class RestoreOrganizationUserCommand(
                 .twoFactorIsEnabled;
         }
 
-        await CheckUserForOtherFreeOrganizationOwnershipAsync(organizationUser);
+        if (organization.PlanType == PlanType.Free)
+        {
+            await CheckUserForOtherFreeOrganizationOwnershipAsync(organizationUser);
+        }
 
         await CheckPoliciesBeforeRestoreAsync(organizationUser, userTwoFactorIsEnabled);
 
@@ -100,7 +103,7 @@ public class RestoreOrganizationUserCommand(
 
     private async Task CheckUserForOtherFreeOrganizationOwnershipAsync(OrganizationUser organizationUser)
     {
-        var relatedOrgUsersFromOtherOrgs = await organizationUserRepository.GetManyByUserAsync(organizationUser.UserId.Value);
+        var relatedOrgUsersFromOtherOrgs = await organizationUserRepository.GetManyByUserAsync(organizationUser.UserId!.Value);
         var otherOrgs = await organizationRepository.GetManyByUserIdAsync(organizationUser.UserId.Value);
 
         var orgOrgUserDict = relatedOrgUsersFromOtherOrgs
@@ -110,13 +113,16 @@ public class RestoreOrganizationUserCommand(
         CheckForOtherFreeOrganizationOwnership(organizationUser, orgOrgUserDict);
     }
 
-    private async Task<Dictionary<OrganizationUser, Organization>> GetRelatedOrganizationUsersAndOrganizations(
-        IEnumerable<OrganizationUser> organizationUsers)
+    private async Task<Dictionary<OrganizationUser, Organization>> GetRelatedOrganizationUsersAndOrganizationsAsync(
+        List<OrganizationUser> organizationUsers)
     {
-        var allUserIds = organizationUsers.Select(x => x.UserId.Value);
+        var allUserIds = organizationUsers
+            .Where(x => x.UserId.HasValue)
+            .Select(x => x.UserId.Value);
 
         var otherOrganizationUsers = (await organizationUserRepository.GetManyByManyUsersAsync(allUserIds))
-            .Where(x => organizationUsers.Any(y => y.Id == x.Id) == false);
+            .Where(x => organizationUsers.Any(y => y.Id == x.Id) == false)
+            .ToArray();
 
         var otherOrgs = await organizationRepository.GetManyByIdsAsync(otherOrganizationUsers
                 .Select(x => x.OrganizationId)
@@ -130,7 +136,9 @@ public class RestoreOrganizationUserCommand(
         Dictionary<OrganizationUser, Organization> otherOrgUsersAndOrgs)
     {
         var ownerOrAdminList = new[] { OrganizationUserType.Owner, OrganizationUserType.Admin };
-        if (otherOrgUsersAndOrgs.Any(x =>
+
+        if (ownerOrAdminList.Any(x => organizationUser.Type == x) &&
+            otherOrgUsersAndOrgs.Any(x =>
                 x.Key.UserId == organizationUser.UserId &&
                 ownerOrAdminList.Any(userType => userType == x.Key.Type) &&
                 x.Key.Status == OrganizationUserStatusType.Confirmed &&
@@ -170,7 +178,7 @@ public class RestoreOrganizationUserCommand(
         var organizationUsersTwoFactorEnabled = await twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(
             filteredUsers.Where(ou => ou.UserId.HasValue).Select(ou => ou.UserId.Value));
 
-        var orgUsersAndOrgs = await GetRelatedOrganizationUsersAndOrganizations(filteredUsers);
+        var orgUsersAndOrgs = await GetRelatedOrganizationUsersAndOrganizationsAsync(filteredUsers);
 
         var result = new List<Tuple<OrganizationUser, string>>();
 
@@ -201,7 +209,10 @@ public class RestoreOrganizationUserCommand(
 
                 await CheckPoliciesBeforeRestoreAsync(organizationUser, twoFactorIsEnabled);
 
-                CheckForOtherFreeOrganizationOwnership(organizationUser, orgUsersAndOrgs);
+                if (organization.PlanType == PlanType.Free)
+                {
+                    CheckForOtherFreeOrganizationOwnership(organizationUser, orgUsersAndOrgs);
+                }
 
                 var status = OrganizationService.GetPriorActiveOrganizationUserStatusType(organizationUser);
 
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/RestoreOrganizationUserCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/RestoreOrganizationUserCommandTests.cs
index 726664849d..f91ca779a8 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/RestoreOrganizationUserCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/RestoreOrganizationUserCommandTests.cs
@@ -471,10 +471,11 @@ public class RestoreOrganizationUserCommandTests
         Organization organization,
         Organization otherOrganization,
         [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
-        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
+        [OrganizationUser(OrganizationUserStatusType.Revoked, OrganizationUserType.Owner)] OrganizationUser organizationUser,
         [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser orgUserOwnerFromDifferentOrg,
         SutProvider<RestoreOrganizationUserCommand> sutProvider)
     {
+        organization.PlanType = PlanType.Free;
         organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
 
         orgUserOwnerFromDifferentOrg.UserId = organizationUser.UserId;
@@ -506,6 +507,107 @@ public class RestoreOrganizationUserCommandTests
         Assert.Equal("User is an owner/admin of another free organization. Please have them upgrade to a paid plan to restore their account.", exception.Message);
     }
 
+    [Theory, BitAutoData]
+    public async Task RestoreUser_WhenUserOwningAnotherFreeOrganizationAndIsOnlyAUserInCurrentOrg_ThenUserShouldBeRestored(
+        Organization organization,
+        Organization otherOrganization,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser orgUserOwnerFromDifferentOrg,
+        SutProvider<RestoreOrganizationUserCommand> sutProvider)
+    {
+        organization.PlanType = PlanType.Free;
+        organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
+
+        orgUserOwnerFromDifferentOrg.UserId = organizationUser.UserId;
+        otherOrganization.Id = orgUserOwnerFromDifferentOrg.OrganizationId;
+        otherOrganization.PlanType = PlanType.Free;
+
+        RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
+
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+        organizationUserRepository
+            .GetManyByUserAsync(organizationUser.UserId.Value)
+            .Returns([orgUserOwnerFromDifferentOrg]);
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetManyByUserIdAsync(organizationUser.UserId.Value)
+            .Returns([otherOrganization]);
+
+        sutProvider.GetDependency<IPolicyService>()
+            .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication,
+                Arg.Any<OrganizationUserStatusType>())
+            .Returns([
+                new OrganizationUserPolicyDetails
+                {
+                    OrganizationId = organizationUser.OrganizationId,
+                    PolicyType = PolicyType.TwoFactorAuthentication
+                }
+            ]);
+
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
+            .TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.UserId.Value)))
+            .Returns(new List<(Guid userId, bool twoFactorIsEnabled)> { (organizationUser.UserId.Value, true) });
+
+        await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id);
+
+        await organizationUserRepository
+            .Received(1)
+            .RestoreAsync(organizationUser.Id,
+                Arg.Is<OrganizationUserStatusType>(x => x != OrganizationUserStatusType.Revoked));
+    }
+
+    [Theory, BitAutoData]
+    public async Task RestoreUser_WhenUserOwningAnotherFreeOrganizationAndCurrentOrgIsNotFree_ThenUserShouldBeRestored(
+        Organization organization,
+        Organization otherOrganization,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
+        [OrganizationUser(OrganizationUserStatusType.Revoked, OrganizationUserType.Owner)] OrganizationUser organizationUser,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser orgUserOwnerFromDifferentOrg,
+        SutProvider<RestoreOrganizationUserCommand> sutProvider)
+    {
+        organization.PlanType = PlanType.EnterpriseAnnually2023;
+
+        organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
+
+        orgUserOwnerFromDifferentOrg.UserId = organizationUser.UserId;
+        otherOrganization.Id = orgUserOwnerFromDifferentOrg.OrganizationId;
+        otherOrganization.PlanType = PlanType.Free;
+
+        RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
+
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+        organizationUserRepository
+            .GetManyByUserAsync(organizationUser.UserId.Value)
+            .Returns([orgUserOwnerFromDifferentOrg]);
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetManyByUserIdAsync(organizationUser.UserId.Value)
+            .Returns([otherOrganization]);
+
+        sutProvider.GetDependency<IPolicyService>()
+            .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication,
+                Arg.Any<OrganizationUserStatusType>())
+            .Returns([
+                new OrganizationUserPolicyDetails
+                {
+                    OrganizationId = organizationUser.OrganizationId,
+                    PolicyType = PolicyType.TwoFactorAuthentication
+                }
+            ]);
+
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
+            .TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.UserId.Value)))
+            .Returns(new List<(Guid userId, bool twoFactorIsEnabled)> { (organizationUser.UserId.Value, true) });
+
+        await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id);
+
+        await organizationUserRepository
+            .Received(1)
+            .RestoreAsync(organizationUser.Id,
+                Arg.Is<OrganizationUserStatusType>(x => x != OrganizationUserStatusType.Revoked));
+    }
+
     [Theory, BitAutoData]
     public async Task RestoreUsers_Success(Organization organization,
     [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
@@ -612,7 +714,7 @@ public class RestoreOrganizationUserCommandTests
     [Theory, BitAutoData]
     public async Task RestoreUsers_UserOwnsAnotherFreeOrganization_BlocksOwnerUserFromBeingRestored(Organization organization,
         [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
-        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser1,
+        [OrganizationUser(OrganizationUserStatusType.Revoked, OrganizationUserType.Owner)] OrganizationUser orgUser1,
         [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser2,
         [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser3,
         [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser orgUserFromOtherOrg,
@@ -637,7 +739,7 @@ public class RestoreOrganizationUserCommandTests
 
         organizationUserRepository
             .GetManyAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUser1.Id) && ids.Contains(orgUser2.Id) && ids.Contains(orgUser3.Id)))
-            .Returns(new[] { orgUser1, orgUser2, orgUser3 });
+            .Returns([orgUser1, orgUser2, orgUser3]);
 
         userRepository.GetByIdAsync(orgUser2.UserId!.Value).Returns(new User { Email = "test@example.com" });
 
@@ -674,6 +776,110 @@ public class RestoreOrganizationUserCommandTests
             .RestoreAsync(orgUser1.Id, OrganizationUserStatusType.Confirmed);
     }
 
+    [Theory, BitAutoData]
+    public async Task RestoreUsers_UserOwnsAnotherFreeOrganizationButReactivatingOrgIsPaid_RestoresUser(Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
+        [OrganizationUser(OrganizationUserStatusType.Revoked, OrganizationUserType.Owner)] OrganizationUser orgUser1,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser orgUserFromOtherOrg,
+        Organization otherOrganization,
+        SutProvider<RestoreOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        organization.PlanType = PlanType.EnterpriseAnnually2023;
+
+        RestoreUser_Setup(organization, owner, orgUser1, sutProvider);
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+        var policyService = sutProvider.GetDependency<IPolicyService>();
+        var userService = Substitute.For<IUserService>();
+
+        orgUser1.OrganizationId = organization.Id;
+
+        orgUserFromOtherOrg.UserId = orgUser1.UserId;
+
+        otherOrganization.Id = orgUserFromOtherOrg.OrganizationId;
+        otherOrganization.PlanType = PlanType.Free;
+
+        organizationUserRepository
+            .GetManyAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUser1.Id)))
+            .Returns([orgUser1]);
+
+        organizationUserRepository
+            .GetManyByManyUsersAsync(Arg.Any<IEnumerable<Guid>>())
+            .Returns([orgUserFromOtherOrg]);
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetManyByIdsAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUserFromOtherOrg.OrganizationId)))
+            .Returns([otherOrganization]);
+
+
+        // Setup 2FA policy
+        policyService.GetPoliciesApplicableToUserAsync(Arg.Any<Guid>(), PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
+            .Returns([new OrganizationUserPolicyDetails { OrganizationId = organization.Id, PolicyType = PolicyType.TwoFactorAuthentication }]);
+
+        // User1 has 2FA, User2 doesn't
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
+            .TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUser1.UserId!.Value)))
+            .Returns(new List<(Guid userId, bool twoFactorIsEnabled)>
+            {
+                (orgUser1.UserId!.Value, true)
+            });
+
+        // Act
+        var result = await sutProvider.Sut.RestoreUsersAsync(organization.Id, [orgUser1.Id], owner.Id, userService);
+
+        // Assert
+        Assert.Single(result);
+        Assert.Equal(string.Empty, result[0].Item2);
+        await organizationUserRepository
+            .Received(1)
+            .RestoreAsync(orgUser1.Id, Arg.Is<OrganizationUserStatusType>(x => x != OrganizationUserStatusType.Revoked));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RestoreUsers_UserOwnsAnotherOrganizationButIsOnlyUserOfCurrentOrganization_UserShouldBeRestored(
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
+        [OrganizationUser(OrganizationUserStatusType.Revoked, OrganizationUserType.User)] OrganizationUser orgUser1,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser orgUserFromOtherOrg,
+        Organization otherOrganization,
+        SutProvider<RestoreOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        organization.PlanType = PlanType.Free;
+
+        RestoreUser_Setup(organization, owner, orgUser1, sutProvider);
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+        var userService = Substitute.For<IUserService>();
+
+        orgUser1.OrganizationId = organization.Id;
+
+        orgUserFromOtherOrg.UserId = orgUser1.UserId;
+
+        otherOrganization.Id = orgUserFromOtherOrg.OrganizationId;
+        otherOrganization.PlanType = PlanType.Free;
+
+        organizationUserRepository
+            .GetManyAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUser1.Id)))
+            .Returns([orgUser1]);
+
+        organizationUserRepository
+            .GetManyByManyUsersAsync(Arg.Any<IEnumerable<Guid>>())
+            .Returns([orgUserFromOtherOrg]);
+
+        sutProvider.GetDependency<IPolicyService>().GetPoliciesApplicableToUserAsync(Arg.Any<Guid>(), PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
+            .Returns([new OrganizationUserPolicyDetails { OrganizationId = organization.Id, PolicyType = PolicyType.TwoFactorAuthentication }]);
+
+        // Act
+        var result = await sutProvider.Sut.RestoreUsersAsync(organization.Id, [orgUser1.Id], owner.Id, userService);
+
+        Assert.Single(result);
+        Assert.Equal(string.Empty, result[0].Item2);
+        await organizationUserRepository
+            .Received(1)
+            .RestoreAsync(orgUser1.Id, Arg.Is<OrganizationUserStatusType>(x => x != OrganizationUserStatusType.Revoked));
+    }
+
     private static void RestoreUser_Setup(
         Organization organization,
         OrganizationUser? requestingOrganizationUser,

From 33f5a19b9981d2cbb189e60d992b86e78c4b6737 Mon Sep 17 00:00:00 2001
From: Brant DeBow <125889545+brant-livefront@users.noreply.github.com>
Date: Thu, 3 Apr 2025 11:23:00 -0400
Subject: [PATCH 158/184] [PM-17562] Add Dapper and EF Repositories For
 Ogranization Integrations and Configurations (#5589)

* [PM-17562] Add Dapper and EF Repositories For Ogranization Integrations and Configurations

* Updated with changes from PR comments
---
 ...nizationIntegrationConfigurationDetails.cs | 64 +++++++++++++++
 ...ationIntegrationConfigurationRepository.cs | 13 +++
 .../IOrganizationIntegrationRepository.cs     |  7 ++
 ...ationIntegrationConfigurationRepository.cs | 43 ++++++++++
 .../OrganizationIntegrationRepository.cs      | 16 ++++
 ...ationIntegrationConfigurationRepository.cs | 33 ++++++++
 .../OrganizationIntegrationRepository.cs      | 14 ++++
 ...tTypeOrganizationIdIntegrationTypeQuery.cs | 39 +++++++++
 ...ityFrameworkServiceCollectionExtensions.cs |  2 +
 .../Repositories/DatabaseContext.cs           |  2 +
 ...ionIntegrationConfigurationDetailsTests.cs | 82 +++++++++++++++++++
 11 files changed, 315 insertions(+)
 create mode 100644 src/Core/AdminConsole/Models/Data/Organizations/OrganizationIntegrationConfigurationDetails.cs
 create mode 100644 src/Core/AdminConsole/Repositories/IOrganizationIntegrationConfigurationRepository.cs
 create mode 100644 src/Core/AdminConsole/Repositories/IOrganizationIntegrationRepository.cs
 create mode 100644 src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationIntegrationConfigurationRepository.cs
 create mode 100644 src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationIntegrationRepository.cs
 create mode 100644 src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationIntegrationConfigurationRepository.cs
 create mode 100644 src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationIntegrationRepository.cs
 create mode 100644 src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/OrganizationIntegrationConfigurationDetailsReadManyByEventTypeOrganizationIdIntegrationTypeQuery.cs
 create mode 100644 test/Core.Test/AdminConsole/Models/Data/Organizations/OrganizationIntegrationConfigurationDetailsTests.cs

diff --git a/src/Core/AdminConsole/Models/Data/Organizations/OrganizationIntegrationConfigurationDetails.cs b/src/Core/AdminConsole/Models/Data/Organizations/OrganizationIntegrationConfigurationDetails.cs
new file mode 100644
index 0000000000..139a7aff25
--- /dev/null
+++ b/src/Core/AdminConsole/Models/Data/Organizations/OrganizationIntegrationConfigurationDetails.cs
@@ -0,0 +1,64 @@
+using System.Text.Json.Nodes;
+using Bit.Core.Enums;
+
+#nullable enable
+
+namespace Bit.Core.Models.Data.Organizations;
+
+public class OrganizationIntegrationConfigurationDetails
+{
+    public Guid Id { get; set; }
+    public Guid OrganizationIntegrationId { get; set; }
+    public IntegrationType IntegrationType { get; set; }
+    public EventType EventType { get; set; }
+    public string? Configuration { get; set; }
+    public string? IntegrationConfiguration { get; set; }
+    public string? Template { get; set; }
+
+    public JsonObject MergedConfiguration
+    {
+        get
+        {
+            var integrationJson = IntegrationConfigurationJson;
+
+            foreach (var kvp in ConfigurationJson)
+            {
+                integrationJson[kvp.Key] = kvp.Value?.DeepClone();
+            }
+
+            return integrationJson;
+        }
+    }
+
+    private JsonObject ConfigurationJson
+    {
+        get
+        {
+            try
+            {
+                var configuration = Configuration ?? string.Empty;
+                return JsonNode.Parse(configuration) as JsonObject ?? new JsonObject();
+            }
+            catch
+            {
+                return new JsonObject();
+            }
+        }
+    }
+
+    private JsonObject IntegrationConfigurationJson
+    {
+        get
+        {
+            try
+            {
+                var integration = IntegrationConfiguration ?? string.Empty;
+                return JsonNode.Parse(integration) as JsonObject ?? new JsonObject();
+            }
+            catch
+            {
+                return new JsonObject();
+            }
+        }
+    }
+}
diff --git a/src/Core/AdminConsole/Repositories/IOrganizationIntegrationConfigurationRepository.cs b/src/Core/AdminConsole/Repositories/IOrganizationIntegrationConfigurationRepository.cs
new file mode 100644
index 0000000000..516918fff9
--- /dev/null
+++ b/src/Core/AdminConsole/Repositories/IOrganizationIntegrationConfigurationRepository.cs
@@ -0,0 +1,13 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data.Organizations;
+
+namespace Bit.Core.Repositories;
+
+public interface IOrganizationIntegrationConfigurationRepository : IRepository<OrganizationIntegrationConfiguration, Guid>
+{
+    Task<List<OrganizationIntegrationConfigurationDetails>> GetConfigurationDetailsAsync(
+        Guid organizationId,
+        IntegrationType integrationType,
+        EventType eventType);
+}
diff --git a/src/Core/AdminConsole/Repositories/IOrganizationIntegrationRepository.cs b/src/Core/AdminConsole/Repositories/IOrganizationIntegrationRepository.cs
new file mode 100644
index 0000000000..cd7700c310
--- /dev/null
+++ b/src/Core/AdminConsole/Repositories/IOrganizationIntegrationRepository.cs
@@ -0,0 +1,7 @@
+using Bit.Core.AdminConsole.Entities;
+
+namespace Bit.Core.Repositories;
+
+public interface IOrganizationIntegrationRepository : IRepository<OrganizationIntegration, Guid>
+{
+}
diff --git a/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationIntegrationConfigurationRepository.cs b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationIntegrationConfigurationRepository.cs
new file mode 100644
index 0000000000..f3227dfd22
--- /dev/null
+++ b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationIntegrationConfigurationRepository.cs
@@ -0,0 +1,43 @@
+using System.Data;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data.Organizations;
+using Bit.Core.Repositories;
+using Bit.Core.Settings;
+using Bit.Infrastructure.Dapper.Repositories;
+using Dapper;
+using Microsoft.Data.SqlClient;
+
+namespace Bit.Infrastructure.Dapper.AdminConsole.Repositories;
+
+public class OrganizationIntegrationConfigurationRepository : Repository<OrganizationIntegrationConfiguration, Guid>, IOrganizationIntegrationConfigurationRepository
+{
+    public OrganizationIntegrationConfigurationRepository(GlobalSettings globalSettings)
+        : this(globalSettings.SqlServer.ConnectionString, globalSettings.SqlServer.ReadOnlyConnectionString)
+    { }
+
+    public OrganizationIntegrationConfigurationRepository(string connectionString, string readOnlyConnectionString)
+        : base(connectionString, readOnlyConnectionString)
+    { }
+
+    public async Task<List<OrganizationIntegrationConfigurationDetails>> GetConfigurationDetailsAsync(
+        Guid organizationId,
+        IntegrationType integrationType,
+        EventType eventType)
+    {
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            var results = await connection.QueryAsync<OrganizationIntegrationConfigurationDetails>(
+                "[dbo].[OrganizationIntegrationConfigurationDetails_ReadManyByEventTypeOrganizationIdIntegrationType]",
+                new
+                {
+                    EventType = eventType,
+                    OrganizationId = organizationId,
+                    IntegrationType = integrationType
+                },
+                commandType: CommandType.StoredProcedure);
+
+            return results.ToList();
+        }
+    }
+}
diff --git a/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationIntegrationRepository.cs b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationIntegrationRepository.cs
new file mode 100644
index 0000000000..99f0e35378
--- /dev/null
+++ b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationIntegrationRepository.cs
@@ -0,0 +1,16 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Repositories;
+using Bit.Core.Settings;
+
+namespace Bit.Infrastructure.Dapper.Repositories;
+
+public class OrganizationIntegrationRepository : Repository<OrganizationIntegration, Guid>, IOrganizationIntegrationRepository
+{
+    public OrganizationIntegrationRepository(GlobalSettings globalSettings)
+        : this(globalSettings.SqlServer.ConnectionString, globalSettings.SqlServer.ReadOnlyConnectionString)
+    { }
+
+    public OrganizationIntegrationRepository(string connectionString, string readOnlyConnectionString)
+        : base(connectionString, readOnlyConnectionString)
+    { }
+}
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationIntegrationConfigurationRepository.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationIntegrationConfigurationRepository.cs
new file mode 100644
index 0000000000..f051830035
--- /dev/null
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationIntegrationConfigurationRepository.cs
@@ -0,0 +1,33 @@
+using AutoMapper;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data.Organizations;
+using Bit.Core.Repositories;
+using Bit.Infrastructure.EntityFramework.AdminConsole.Models;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Bit.Infrastructure.EntityFramework.Repositories.Queries;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Bit.Infrastructure.EntityFramework.AdminConsole.Repositories;
+
+public class OrganizationIntegrationConfigurationRepository : Repository<Core.AdminConsole.Entities.OrganizationIntegrationConfiguration, OrganizationIntegrationConfiguration, Guid>, IOrganizationIntegrationConfigurationRepository
+{
+    public OrganizationIntegrationConfigurationRepository(IServiceScopeFactory serviceScopeFactory, IMapper mapper)
+        : base(serviceScopeFactory, mapper, context => context.OrganizationIntegrationConfigurations)
+    { }
+
+    public async Task<List<OrganizationIntegrationConfigurationDetails>> GetConfigurationDetailsAsync(
+        Guid organizationId,
+        IntegrationType integrationType,
+        EventType eventType)
+    {
+        using (var scope = ServiceScopeFactory.CreateScope())
+        {
+            var dbContext = GetDatabaseContext(scope);
+            var query = new OrganizationIntegrationConfigurationDetailsReadManyByEventTypeOrganizationIdIntegrationTypeQuery(
+                organizationId, eventType, integrationType
+                );
+            return await query.Run(dbContext).ToListAsync();
+        }
+    }
+}
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationIntegrationRepository.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationIntegrationRepository.cs
new file mode 100644
index 0000000000..816ad3b25f
--- /dev/null
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationIntegrationRepository.cs
@@ -0,0 +1,14 @@
+using AutoMapper;
+using Bit.Core.Repositories;
+using Bit.Infrastructure.EntityFramework.AdminConsole.Models;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Bit.Infrastructure.EntityFramework.AdminConsole.Repositories;
+
+public class OrganizationIntegrationRepository : Repository<Core.AdminConsole.Entities.OrganizationIntegration, OrganizationIntegration, Guid>, IOrganizationIntegrationRepository
+{
+    public OrganizationIntegrationRepository(IServiceScopeFactory serviceScopeFactory, IMapper mapper)
+        : base(serviceScopeFactory, mapper, (DatabaseContext context) => context.OrganizationIntegrations)
+    { }
+}
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/OrganizationIntegrationConfigurationDetailsReadManyByEventTypeOrganizationIdIntegrationTypeQuery.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/OrganizationIntegrationConfigurationDetailsReadManyByEventTypeOrganizationIdIntegrationTypeQuery.cs
new file mode 100644
index 0000000000..1a54d6588a
--- /dev/null
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/OrganizationIntegrationConfigurationDetailsReadManyByEventTypeOrganizationIdIntegrationTypeQuery.cs
@@ -0,0 +1,39 @@
+using Bit.Core.Enums;
+using Bit.Core.Models.Data.Organizations;
+
+namespace Bit.Infrastructure.EntityFramework.Repositories.Queries;
+
+public class OrganizationIntegrationConfigurationDetailsReadManyByEventTypeOrganizationIdIntegrationTypeQuery : IQuery<OrganizationIntegrationConfigurationDetails>
+{
+    private readonly Guid _organizationId;
+    private readonly EventType _eventType;
+    private readonly IntegrationType _integrationType;
+
+    public OrganizationIntegrationConfigurationDetailsReadManyByEventTypeOrganizationIdIntegrationTypeQuery(Guid organizationId, EventType eventType, IntegrationType integrationType)
+    {
+        _organizationId = organizationId;
+        _eventType = eventType;
+        _integrationType = integrationType;
+    }
+
+    public IQueryable<OrganizationIntegrationConfigurationDetails> Run(DatabaseContext dbContext)
+    {
+        var query = from oic in dbContext.OrganizationIntegrationConfigurations
+                    join oi in dbContext.OrganizationIntegrations on oic.OrganizationIntegrationId equals oi.Id into oioic
+                    from oi in dbContext.OrganizationIntegrations
+                    where oi.OrganizationId == _organizationId &&
+                          oi.Type == _integrationType &&
+                          oic.EventType == _eventType
+                    select new OrganizationIntegrationConfigurationDetails()
+                    {
+                        Id = oic.Id,
+                        OrganizationIntegrationId = oic.OrganizationIntegrationId,
+                        IntegrationType = oi.Type,
+                        EventType = oic.EventType,
+                        Configuration = oic.Configuration,
+                        IntegrationConfiguration = oi.Configuration,
+                        Template = oic.Template
+                    };
+        return query;
+    }
+}
diff --git a/src/Infrastructure.EntityFramework/EntityFrameworkServiceCollectionExtensions.cs b/src/Infrastructure.EntityFramework/EntityFrameworkServiceCollectionExtensions.cs
index 3f805bbe2c..ad6c7cf369 100644
--- a/src/Infrastructure.EntityFramework/EntityFrameworkServiceCollectionExtensions.cs
+++ b/src/Infrastructure.EntityFramework/EntityFrameworkServiceCollectionExtensions.cs
@@ -78,6 +78,8 @@ public static class EntityFrameworkServiceCollectionExtensions
         services.AddSingleton<IMaintenanceRepository, MaintenanceRepository>();
         services.AddSingleton<IOrganizationApiKeyRepository, OrganizationApiKeyRepository>();
         services.AddSingleton<IOrganizationConnectionRepository, OrganizationConnectionRepository>();
+        services.AddSingleton<IOrganizationIntegrationRepository, OrganizationIntegrationRepository>();
+        services.AddSingleton<IOrganizationIntegrationConfigurationRepository, OrganizationIntegrationConfigurationRepository>();
         services.AddSingleton<IOrganizationRepository, OrganizationRepository>();
         services.AddSingleton<IOrganizationSponsorshipRepository, OrganizationSponsorshipRepository>();
         services.AddSingleton<IOrganizationUserRepository, OrganizationUserRepository>();
diff --git a/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs b/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs
index dd1b97b4f2..5c1c1bc87f 100644
--- a/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs
+++ b/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs
@@ -55,6 +55,8 @@ public class DatabaseContext : DbContext
     public DbSet<OrganizationApiKey> OrganizationApiKeys { get; set; }
     public DbSet<OrganizationSponsorship> OrganizationSponsorships { get; set; }
     public DbSet<OrganizationConnection> OrganizationConnections { get; set; }
+    public DbSet<OrganizationIntegration> OrganizationIntegrations { get; set; }
+    public DbSet<OrganizationIntegrationConfiguration> OrganizationIntegrationConfigurations { get; set; }
     public DbSet<OrganizationUser> OrganizationUsers { get; set; }
     public DbSet<Policy> Policies { get; set; }
     public DbSet<Provider> Providers { get; set; }
diff --git a/test/Core.Test/AdminConsole/Models/Data/Organizations/OrganizationIntegrationConfigurationDetailsTests.cs b/test/Core.Test/AdminConsole/Models/Data/Organizations/OrganizationIntegrationConfigurationDetailsTests.cs
new file mode 100644
index 0000000000..99a11903b4
--- /dev/null
+++ b/test/Core.Test/AdminConsole/Models/Data/Organizations/OrganizationIntegrationConfigurationDetailsTests.cs
@@ -0,0 +1,82 @@
+using System.Text.Json;
+using Bit.Core.Models.Data.Organizations;
+using Xunit;
+
+namespace Bit.Core.Test.Models.Data.Organizations;
+
+public class OrganizationIntegrationConfigurationDetailsTests
+{
+    [Fact]
+    public void MergedConfiguration_WithValidConfigAndIntegration_ReturnsMergedJson()
+    {
+        var config = new { config = "A new config value" };
+        var integration = new { integration = "An integration value" };
+        var expectedObj = new { integration = "An integration value", config = "A new config value" };
+        var expected = JsonSerializer.Serialize(expectedObj);
+
+        var sut = new OrganizationIntegrationConfigurationDetails();
+        sut.Configuration = JsonSerializer.Serialize(config);
+        sut.IntegrationConfiguration = JsonSerializer.Serialize(integration);
+
+        var result = sut.MergedConfiguration;
+        Assert.Equal(expected, result.ToJsonString());
+    }
+
+    [Fact]
+    public void MergedConfiguration_WithInvalidJsonConfigAndIntegration_ReturnsEmptyJson()
+    {
+        var expectedObj = new { };
+        var expected = JsonSerializer.Serialize(expectedObj);
+
+        var sut = new OrganizationIntegrationConfigurationDetails();
+        sut.Configuration = "Not JSON";
+        sut.IntegrationConfiguration = "Not JSON";
+
+        var result = sut.MergedConfiguration;
+        Assert.Equal(expected, result.ToJsonString());
+    }
+
+    [Fact]
+    public void MergedConfiguration_WithNullConfigAndIntegration_ReturnsEmptyJson()
+    {
+        var expectedObj = new { };
+        var expected = JsonSerializer.Serialize(expectedObj);
+
+        var sut = new OrganizationIntegrationConfigurationDetails();
+        sut.Configuration = null;
+        sut.IntegrationConfiguration = null;
+
+        var result = sut.MergedConfiguration;
+        Assert.Equal(expected, result.ToJsonString());
+    }
+
+    [Fact]
+    public void MergedConfiguration_WithValidIntegrationAndNullConfig_ReturnsIntegrationJson()
+    {
+        var integration = new { integration = "An integration value" };
+        var expectedObj = new { integration = "An integration value" };
+        var expected = JsonSerializer.Serialize(expectedObj);
+
+        var sut = new OrganizationIntegrationConfigurationDetails();
+        sut.Configuration = null;
+        sut.IntegrationConfiguration = JsonSerializer.Serialize(integration);
+
+        var result = sut.MergedConfiguration;
+        Assert.Equal(expected, result.ToJsonString());
+    }
+
+    [Fact]
+    public void MergedConfiguration_WithValidConfigAndNullIntegration_ReturnsConfigJson()
+    {
+        var config = new { config = "A new config value" };
+        var expectedObj = new { config = "A new config value" };
+        var expected = JsonSerializer.Serialize(expectedObj);
+
+        var sut = new OrganizationIntegrationConfigurationDetails();
+        sut.Configuration = JsonSerializer.Serialize(config);
+        sut.IntegrationConfiguration = null;
+
+        var result = sut.MergedConfiguration;
+        Assert.Equal(expected, result.ToJsonString());
+    }
+}

From 38ae5ff885b2990f241e94b611934f2470766f5c Mon Sep 17 00:00:00 2001
From: Jimmy Vo <huynhmaivo82@gmail.com>
Date: Thu, 3 Apr 2025 11:35:09 -0400
Subject: [PATCH 159/184] [PM-19588] Ensure custom users cannot delete or
 remove admins. (#5590)

---
 ...teManagedOrganizationUserAccountCommand.cs |  6 ++++
 .../RemoveOrganizationUserCommand.cs          |  8 ++++-
 ...agedOrganizationUserAccountCommandTests.cs | 32 +++++++++++++++++++
 .../RemoveOrganizationUserCommandTests.cs     | 22 +++++++++++++
 4 files changed, 67 insertions(+), 1 deletion(-)

diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommand.cs
index 010f5de9bf..7b7d8003a3 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommand.cs
@@ -154,6 +154,12 @@ public class DeleteManagedOrganizationUserAccountCommand : IDeleteManagedOrganiz
             }
         }
 
+        if (orgUser.Type == OrganizationUserType.Admin && await _currentContext.OrganizationCustom(organizationId))
+        {
+            throw new BadRequestException("Custom users can not delete admins.");
+        }
+
+
         if (!managementStatus.TryGetValue(orgUser.Id, out var isManaged) || !isManaged)
         {
             throw new BadRequestException("Member is not managed by the organization.");
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommand.cs
index 9375a231ec..3568a2a2b9 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommand.cs
@@ -25,7 +25,8 @@ public class RemoveOrganizationUserCommand : IRemoveOrganizationUserCommand
     public const string UserNotFoundErrorMessage = "User not found.";
     public const string UsersInvalidErrorMessage = "Users invalid.";
     public const string RemoveYourselfErrorMessage = "You cannot remove yourself.";
-    public const string RemoveOwnerByNonOwnerErrorMessage = "Only owners can delete other owners.";
+    public const string RemoveOwnerByNonOwnerErrorMessage = "Only owners can remove other owners.";
+    public const string RemoveAdminByCustomUserErrorMessage = "Custom users can not remove admins.";
     public const string RemoveLastConfirmedOwnerErrorMessage = "Organization must have at least one confirmed owner.";
     public const string RemoveClaimedAccountErrorMessage = "Cannot remove member accounts claimed by the organization. To offboard a member, revoke or delete the account.";
 
@@ -153,6 +154,11 @@ public class RemoveOrganizationUserCommand : IRemoveOrganizationUserCommand
             }
         }
 
+        if (orgUser.Type == OrganizationUserType.Admin && await _currentContext.OrganizationCustom(orgUser.OrganizationId))
+        {
+            throw new BadRequestException(RemoveAdminByCustomUserErrorMessage);
+        }
+
         if (_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning) && deletingUserId.HasValue && eventSystemUser == null)
         {
             var managementStatus = await _getOrganizationUsersManagementStatusQuery.GetUsersOrganizationManagementStatusAsync(orgUser.OrganizationId, new[] { orgUser.Id });
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommandTests.cs
index b21ae5459f..f8f6bdb60d 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommandTests.cs
@@ -131,6 +131,38 @@ public class DeleteManagedOrganizationUserAccountCommandTests
             .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<DateTime?>());
     }
 
+    [Theory]
+    [BitAutoData]
+    public async Task DeleteUserAsync_WhenCustomUserDeletesAdmin_ThrowsException(
+        SutProvider<DeleteManagedOrganizationUserAccountCommand> sutProvider, User user,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Admin)] OrganizationUser organizationUser,
+        Guid deletingUserId)
+    {
+        // Arrange
+        organizationUser.UserId = user.Id;
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByIdAsync(organizationUser.Id)
+            .Returns(organizationUser);
+
+        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(user.Id)
+            .Returns(user);
+
+        sutProvider.GetDependency<ICurrentContext>()
+            .OrganizationCustom(organizationUser.OrganizationId)
+            .Returns(true);
+
+        // Act
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
+            sutProvider.Sut.DeleteUserAsync(organizationUser.OrganizationId, organizationUser.Id, deletingUserId));
+
+        // Assert
+        Assert.Equal("Custom users can not delete admins.", exception.Message);
+        await sutProvider.GetDependency<IUserService>().Received(0).DeleteAsync(Arg.Any<User>());
+        await sutProvider.GetDependency<IEventService>().Received(0)
+            .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<DateTime?>());
+    }
+
     [Theory]
     [BitAutoData]
     public async Task DeleteUserAsync_DeletingOwnerWhenNotOwner_ThrowsException(
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommandTests.cs
index 6ab8236b8e..a60850c5a9 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommandTests.cs
@@ -171,6 +171,28 @@ public class RemoveOrganizationUserCommandTests
         Assert.Contains(RemoveOrganizationUserCommand.RemoveOwnerByNonOwnerErrorMessage, exception.Message);
     }
 
+    [Theory, BitAutoData]
+    public async Task RemoveUser_WhenCustomUserRemovesAdmin_ThrowsException(
+    [OrganizationUser(type: OrganizationUserType.Admin)] OrganizationUser organizationUser,
+    [OrganizationUser(type: OrganizationUserType.Custom)] OrganizationUser deletingUser,
+    SutProvider<RemoveOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        organizationUser.OrganizationId = deletingUser.OrganizationId;
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByIdAsync(organizationUser.Id)
+            .Returns(organizationUser);
+        sutProvider.GetDependency<ICurrentContext>()
+            .OrganizationCustom(organizationUser.OrganizationId)
+            .Returns(true);
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.RemoveUserAsync(organizationUser.OrganizationId, organizationUser.Id, deletingUser.UserId));
+        Assert.Contains(RemoveOrganizationUserCommand.RemoveAdminByCustomUserErrorMessage, exception.Message);
+    }
+
     [Theory, BitAutoData]
     public async Task RemoveUser_WithDeletingUserId_RemovingLastOwner_ThrowsException(
         [OrganizationUser(type: OrganizationUserType.Owner)] OrganizationUser organizationUser,

From 83e06c924100f4384e746d9a793d1486e60f8130 Mon Sep 17 00:00:00 2001
From: Jake Fink <jfink@bitwarden.com>
Date: Thu, 3 Apr 2025 11:57:51 -0400
Subject: [PATCH 160/184] [PM-19523] Filter expected webauthn keys for
 rotations by prf enabled (#5566)

* filter expected webauthn keys for rotations by prf enabled

* fix and add tests

* format
---
 .../WebAuthnLoginKeyRotationValidator.cs      | 16 +++---
 .../WebauthnLoginKeyRotationValidatorTests.cs | 56 +++++++++++++++++++
 2 files changed, 64 insertions(+), 8 deletions(-)

diff --git a/src/Api/KeyManagement/Validators/WebAuthnLoginKeyRotationValidator.cs b/src/Api/KeyManagement/Validators/WebAuthnLoginKeyRotationValidator.cs
index 1706aebd78..9c7efe0fbe 100644
--- a/src/Api/KeyManagement/Validators/WebAuthnLoginKeyRotationValidator.cs
+++ b/src/Api/KeyManagement/Validators/WebAuthnLoginKeyRotationValidator.cs
@@ -17,20 +17,20 @@ public class WebAuthnLoginKeyRotationValidator : IRotationValidator<IEnumerable<
 
     public async Task<IEnumerable<WebAuthnLoginRotateKeyData>> ValidateAsync(User user, IEnumerable<WebAuthnLoginRotateKeyRequestModel> keysToRotate)
     {
-        // 2024-06: Remove after 3 releases, for backward compatibility
-        if (keysToRotate == null)
-        {
-            return new List<WebAuthnLoginRotateKeyData>();
-        }
-
         var result = new List<WebAuthnLoginRotateKeyData>();
         var existing = await _webAuthnCredentialRepository.GetManyByUserIdAsync(user.Id);
-        if (existing == null || !existing.Any())
+        if (existing == null)
         {
             return result;
         }
 
-        foreach (var ea in existing)
+        var validCredentials = existing.Where(credential => credential.SupportsPrf);
+        if (!validCredentials.Any())
+        {
+            return result;
+        }
+
+        foreach (var ea in validCredentials)
         {
             var keyToRotate = keysToRotate.FirstOrDefault(c => c.Id == ea.Id);
             if (keyToRotate == null)
diff --git a/test/Api.Test/KeyManagement/Validators/WebauthnLoginKeyRotationValidatorTests.cs b/test/Api.Test/KeyManagement/Validators/WebauthnLoginKeyRotationValidatorTests.cs
index de661497e4..93652735ef 100644
--- a/test/Api.Test/KeyManagement/Validators/WebauthnLoginKeyRotationValidatorTests.cs
+++ b/test/Api.Test/KeyManagement/Validators/WebauthnLoginKeyRotationValidatorTests.cs
@@ -14,6 +14,59 @@ namespace Bit.Api.Test.KeyManagement.Validators;
 [SutProviderCustomize]
 public class WebAuthnLoginKeyRotationValidatorTests
 {
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_Succeeds_ReturnsValidCredentials(
+        SutProvider<WebAuthnLoginKeyRotationValidator> sutProvider, User user,
+        IEnumerable<WebAuthnLoginRotateKeyRequestModel> webauthnRotateCredentialData)
+    {
+        var guid = Guid.NewGuid();
+
+        var webauthnKeysToRotate = webauthnRotateCredentialData.Select(e => new WebAuthnLoginRotateKeyRequestModel
+        {
+            Id = guid,
+            EncryptedPublicKey = e.EncryptedPublicKey,
+            EncryptedUserKey = e.EncryptedUserKey
+        }).ToList();
+
+        var data = new WebAuthnCredential
+        {
+            Id = guid,
+            SupportsPrf = true,
+            EncryptedPublicKey = "TestKey",
+            EncryptedUserKey = "Test"
+        };
+        sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id)
+            .Returns(new List<WebAuthnCredential> { data });
+
+        var result = await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate);
+        Assert.Single(result);
+        Assert.Equal(guid, result.First().Id);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_DoesNotSupportPRF_Ignores(
+        SutProvider<WebAuthnLoginKeyRotationValidator> sutProvider, User user,
+        IEnumerable<WebAuthnLoginRotateKeyRequestModel> webauthnRotateCredentialData)
+    {
+        var guid = Guid.NewGuid();
+        var webauthnKeysToRotate = webauthnRotateCredentialData.Select(e => new WebAuthnLoginRotateKeyRequestModel
+        {
+            Id = guid,
+            EncryptedUserKey = e.EncryptedUserKey,
+            EncryptedPublicKey = e.EncryptedPublicKey,
+        }).ToList();
+
+        var data = new WebAuthnCredential { Id = guid, EncryptedUserKey = "Test", EncryptedPublicKey = "TestKey" };
+
+        sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id)
+            .Returns(new List<WebAuthnCredential> { data });
+
+        var result = await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate);
+        Assert.Empty(result);
+    }
+
     [Theory]
     [BitAutoData]
     public async Task ValidateAsync_WrongWebAuthnKeys_Throws(
@@ -30,6 +83,7 @@ public class WebAuthnLoginKeyRotationValidatorTests
         var data = new WebAuthnCredential
         {
             Id = Guid.Parse("00000000-0000-0000-0000-000000000002"),
+            SupportsPrf = true,
             EncryptedPublicKey = "TestKey",
             EncryptedUserKey = "Test"
         };
@@ -55,6 +109,7 @@ public class WebAuthnLoginKeyRotationValidatorTests
         var data = new WebAuthnCredential
         {
             Id = guid,
+            SupportsPrf = true,
             EncryptedPublicKey = "TestKey",
             EncryptedUserKey = "Test"
         };
@@ -81,6 +136,7 @@ public class WebAuthnLoginKeyRotationValidatorTests
         var data = new WebAuthnCredential
         {
             Id = guid,
+            SupportsPrf = true,
             EncryptedPublicKey = "TestKey",
             EncryptedUserKey = "Test"
         };

From 559101d7e21c0ef44a3f147a8935b49f0d62e948 Mon Sep 17 00:00:00 2001
From: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Date: Thu, 3 Apr 2025 12:59:19 -0400
Subject: [PATCH 161/184] Add SMTP Mail Tests (#5597)

* Add SMTP Mail Tests

Co-authored-by: tangowithfoxtrot <5676771+tangowithfoxtrot@users.noreply.github.com>

* Update test/Core.IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs

* Add Skipped Tests for upcoming feature

* Safer TCS Completion

---------

Co-authored-by: tangowithfoxtrot <5676771+tangowithfoxtrot@users.noreply.github.com>
---
 bitwarden-server.sln                          |   7 +
 .../MailKitSmtpMailDeliveryService.cs         |  29 +-
 .../Core.IntegrationTest.csproj               |  29 ++
 .../MailKitSmtpMailDeliveryServiceTests.cs    | 410 ++++++++++++++++++
 4 files changed, 468 insertions(+), 7 deletions(-)
 create mode 100644 test/Core.IntegrationTest/Core.IntegrationTest.csproj
 create mode 100644 test/Core.IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs

diff --git a/bitwarden-server.sln b/bitwarden-server.sln
index e9aff53f8e..892d2f4255 100644
--- a/bitwarden-server.sln
+++ b/bitwarden-server.sln
@@ -127,6 +127,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Infrastructure.Dapper.Test"
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Events.IntegrationTest", "test\Events.IntegrationTest\Events.IntegrationTest.csproj", "{4F4C63A9-AEE2-48C4-AB86-A5BCD665E401}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Core.IntegrationTest", "test\Core.IntegrationTest\Core.IntegrationTest.csproj", "{3631BA42-6731-4118-A917-DAA43C5032B9}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -319,6 +321,10 @@ Global
 		{4F4C63A9-AEE2-48C4-AB86-A5BCD665E401}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{4F4C63A9-AEE2-48C4-AB86-A5BCD665E401}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{4F4C63A9-AEE2-48C4-AB86-A5BCD665E401}.Release|Any CPU.Build.0 = Release|Any CPU
+		{3631BA42-6731-4118-A917-DAA43C5032B9}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{3631BA42-6731-4118-A917-DAA43C5032B9}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{3631BA42-6731-4118-A917-DAA43C5032B9}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{3631BA42-6731-4118-A917-DAA43C5032B9}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -370,6 +376,7 @@ Global
 		{90D85D8F-5577-4570-A96E-5A2E185F0F6F} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84F}
 		{4A725DB3-BE4F-4C23-9087-82D0610D67AF} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84F}
 		{4F4C63A9-AEE2-48C4-AB86-A5BCD665E401} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84F}
+		{3631BA42-6731-4118-A917-DAA43C5032B9} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84F}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {E01CBF68-2E20-425F-9EDB-E0A6510CA92F}
diff --git a/src/Core/Services/Implementations/MailKitSmtpMailDeliveryService.cs b/src/Core/Services/Implementations/MailKitSmtpMailDeliveryService.cs
index 4e7b7ee105..dc4e89aa23 100644
--- a/src/Core/Services/Implementations/MailKitSmtpMailDeliveryService.cs
+++ b/src/Core/Services/Implementations/MailKitSmtpMailDeliveryService.cs
@@ -34,6 +34,9 @@ public class MailKitSmtpMailDeliveryService : IMailDeliveryService
     }
 
     public async Task SendEmailAsync(Models.Mail.MailMessage message)
+        => await SendEmailAsync(message, CancellationToken.None);
+
+    public async Task SendEmailAsync(Models.Mail.MailMessage message, CancellationToken cancellationToken)
     {
         var mimeMessage = new MimeMessage();
         mimeMessage.From.Add(new MailboxAddress(_globalSettings.SiteName, _replyEmail));
@@ -76,25 +79,37 @@ public class MailKitSmtpMailDeliveryService : IMailDeliveryService
             if (!_globalSettings.Mail.Smtp.StartTls && !_globalSettings.Mail.Smtp.Ssl &&
                 _globalSettings.Mail.Smtp.Port == 25)
             {
-                await client.ConnectAsync(_globalSettings.Mail.Smtp.Host, _globalSettings.Mail.Smtp.Port,
-                    MailKit.Security.SecureSocketOptions.None);
+                await client.ConnectAsync(
+                    _globalSettings.Mail.Smtp.Host,
+                    _globalSettings.Mail.Smtp.Port,
+                    MailKit.Security.SecureSocketOptions.None,
+                    cancellationToken
+                );
             }
             else
             {
                 var useSsl = _globalSettings.Mail.Smtp.Port == 587 && !_globalSettings.Mail.Smtp.SslOverride ?
                     false : _globalSettings.Mail.Smtp.Ssl;
-                await client.ConnectAsync(_globalSettings.Mail.Smtp.Host, _globalSettings.Mail.Smtp.Port, useSsl);
+                await client.ConnectAsync(
+                    _globalSettings.Mail.Smtp.Host,
+                    _globalSettings.Mail.Smtp.Port,
+                    useSsl,
+                    cancellationToken
+                );
             }
 
             if (CoreHelpers.SettingHasValue(_globalSettings.Mail.Smtp.Username) &&
                 CoreHelpers.SettingHasValue(_globalSettings.Mail.Smtp.Password))
             {
-                await client.AuthenticateAsync(_globalSettings.Mail.Smtp.Username,
-                    _globalSettings.Mail.Smtp.Password);
+                await client.AuthenticateAsync(
+                    _globalSettings.Mail.Smtp.Username,
+                    _globalSettings.Mail.Smtp.Password,
+                    cancellationToken
+                );
             }
 
-            await client.SendAsync(mimeMessage);
-            await client.DisconnectAsync(true);
+            await client.SendAsync(mimeMessage, cancellationToken);
+            await client.DisconnectAsync(true, cancellationToken);
         }
     }
 }
diff --git a/test/Core.IntegrationTest/Core.IntegrationTest.csproj b/test/Core.IntegrationTest/Core.IntegrationTest.csproj
new file mode 100644
index 0000000000..6094209f23
--- /dev/null
+++ b/test/Core.IntegrationTest/Core.IntegrationTest.csproj
@@ -0,0 +1,29 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+
+    <IsPackable>false</IsPackable>
+    <IsTestProject>true</IsTestProject>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="coverlet.collector" Version="6.0.0" />
+    <PackageReference Include="MartinCostello.Logging.XUnit" Version="0.5.1" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.8.0" />
+    <PackageReference Include="Rnwood.SmtpServer" Version="3.1.0-ci0868" />
+    <PackageReference Include="xunit" Version="2.5.3" />
+    <PackageReference Include="xunit.runner.visualstudio" Version="2.5.3" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <Using Include="Xunit" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\..\src\Core\Core.csproj" />
+  </ItemGroup>
+
+</Project>
diff --git a/test/Core.IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs b/test/Core.IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs
new file mode 100644
index 0000000000..db2b945fda
--- /dev/null
+++ b/test/Core.IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs
@@ -0,0 +1,410 @@
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using Bit.Core.Models.Mail;
+using Bit.Core.Services;
+using Bit.Core.Settings;
+using MailKit.Security;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Logging.Abstractions;
+using Rnwood.SmtpServer;
+using Rnwood.SmtpServer.Extensions.Auth;
+using Xunit.Abstractions;
+
+namespace Bit.Core.IntegrationTest;
+
+public class MailKitSmtpMailDeliveryServiceTests
+{
+    private readonly X509Certificate2 _selfSignedCert;
+
+    public MailKitSmtpMailDeliveryServiceTests(ITestOutputHelper testOutputHelper)
+    {
+        ConfigureSmtpServerLogging(testOutputHelper);
+
+        _selfSignedCert = CreateSelfSignedCert("localhost");
+    }
+
+    private static X509Certificate2 CreateSelfSignedCert(string commonName)
+    {
+        using var rsa = RSA.Create(2048);
+        var certRequest = new CertificateRequest($"CN={commonName}", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+        return certRequest.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(1));
+    }
+
+    private static async Task SaveCertAsync(string filePath, X509Certificate2 certificate)
+    {
+        await File.WriteAllBytesAsync(filePath, certificate.Export(X509ContentType.Cert));
+    }
+
+    private static void ConfigureSmtpServerLogging(ITestOutputHelper testOutputHelper)
+    {
+        // Unfortunately this package doesn't public expose its logging infrastructure
+        // so we use private reflection to try and access it. 
+        try
+        {
+            var loggingType = typeof(DefaultServerBehaviour).Assembly.GetType("Rnwood.SmtpServer.Logging")
+                ?? throw new Exception("No type found in RnWood.SmtpServer named 'Logging'");
+
+            var factoryProperty = loggingType.GetProperty("Factory")
+                ?? throw new Exception($"No property named 'Factory' found on class {loggingType.FullName}");
+
+            var factoryPropertyGet = factoryProperty.GetMethod
+                ?? throw new Exception($"{loggingType.FullName}.{factoryProperty.Name} does not have a get method.");
+
+            if (factoryPropertyGet.Invoke(null, null) is not ILoggerFactory loggerFactory)
+            {
+                throw new Exception($"{loggingType.FullName}.{factoryProperty.Name} is not of type 'ILoggerFactory'" +
+                    $"instead it's type '{factoryProperty.PropertyType.FullName}'");
+            }
+
+            loggerFactory.AddXUnit(testOutputHelper);
+        }
+        catch (Exception ex)
+        {
+            testOutputHelper.WriteLine($"Failed to configure logging for RnWood.SmtpServer (logging will not be configured):\n{ex.Message}");
+        }
+    }
+    private static int RandomPort()
+    {
+        return Random.Shared.Next(50000, 60000);
+    }
+
+    private static GlobalSettings GetSettings(Action<GlobalSettings> configure)
+    {
+        var globalSettings = new GlobalSettings();
+        globalSettings.SiteName = "TestSiteName";
+        globalSettings.Mail.ReplyToEmail = "test@example.com";
+        globalSettings.Mail.Smtp.Host = "localhost";
+        // Set common defaults
+        configure(globalSettings);
+        return globalSettings;
+    }
+
+    [Fact]
+    public async Task SendEmailAsync_SmtpServerUsingSelfSignedCert_CertNotInTrustedRootStore_ThrowsException()
+    {
+        // If an SMTP server is using a self signed cert we currently require
+        // that the certificate for their SMTP server is installed in the root CA
+        // we are building the ability to do so without installing it, when we add that
+        // this test can be copied, and changed to utilize that new feature and instead of
+        // failing it should successfully send the email.
+        var port = RandomPort();
+        var behavior = new DefaultServerBehaviour(false, port, _selfSignedCert);
+        using var smtpServer = new SmtpServer(behavior);
+        smtpServer.Start();
+
+        var globalSettings = GetSettings(gs =>
+        {
+            gs.Mail.Smtp.Port = port;
+            gs.Mail.Smtp.Ssl = true;
+        });
+
+        var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
+            globalSettings,
+            NullLogger<MailKitSmtpMailDeliveryService>.Instance
+        );
+
+        await Assert.ThrowsAsync<SslHandshakeException>(
+            async () => await mailKitDeliveryService.SendEmailAsync(new MailMessage
+            {
+                Subject = "Test",
+                ToEmails = ["test@example.com"],
+                TextContent = "Hi",
+            }, new CancellationTokenSource(TimeSpan.FromSeconds(5)).Token)
+        );
+    }
+
+    [Fact(Skip = "Upcoming feature")]
+    public async Task SendEmailAsync_SmtpServerUsingSelfSignedCert_CertInCustomLocation_Works()
+    {
+        // If an SMTP server is using a self signed cert we will in the future
+        // allow a custom location for certificates to be stored and the certitifactes 
+        // stored there will also be trusted.
+        var port = RandomPort();
+        var behavior = new DefaultServerBehaviour(false, port, _selfSignedCert);
+        using var smtpServer = new SmtpServer(behavior);
+        smtpServer.Start();
+
+        var globalSettings = GetSettings(gs =>
+        {
+            gs.Mail.Smtp.Port = port;
+            gs.Mail.Smtp.Ssl = true;
+        });
+
+        // TODO: Setup custom location and save self signed cert there.
+        // await SaveCertAsync("./my-location", _selfSignedCert);
+
+        var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
+            globalSettings,
+            NullLogger<MailKitSmtpMailDeliveryService>.Instance
+        );
+
+        var tcs = new TaskCompletionSource();
+        var cts = new CancellationTokenSource(TimeSpan.FromSeconds(5));
+        cts.Token.Register(() => _ = tcs.TrySetCanceled());
+
+        behavior.MessageReceivedEventHandler += (sender, args) =>
+        {
+            if (args.Message.Recipients.Contains("test1@example.com"))
+            {
+                tcs.SetResult();
+            }
+            return Task.CompletedTask;
+        };
+
+        await mailKitDeliveryService.SendEmailAsync(new MailMessage
+        {
+            Subject = "Test",
+            ToEmails = ["test1@example.com"],
+            TextContent = "Hi",
+        }, cts.Token);
+
+        // Wait for email
+        await tcs.Task;
+    }
+
+    [Fact(Skip = "Upcoming feature")]
+    public async Task SendEmailAsync_SmtpServerUsingSelfSignedCert_CertInCustomLocation_WithUnrelatedCerts_Works()
+    {
+        // If an SMTP server is using a self signed cert we will in the future
+        // allow a custom location for certificates to be stored and the certitifactes 
+        // stored there will also be trusted.
+        var port = RandomPort();
+        var behavior = new DefaultServerBehaviour(false, port, _selfSignedCert);
+        using var smtpServer = new SmtpServer(behavior);
+        smtpServer.Start();
+
+        var globalSettings = GetSettings(gs =>
+        {
+            gs.Mail.Smtp.Port = port;
+            gs.Mail.Smtp.Ssl = true;
+        });
+
+        // TODO: Setup custom location and save self signed cert there
+        // along with another self signed cert that is not related to 
+        // the SMTP server.
+        // await SaveCertAsync("./my-location", _selfSignedCert);
+        // await SaveCertAsync("./my-location", CreateSelfSignedCert("example.com"));
+
+        var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
+            globalSettings,
+            NullLogger<MailKitSmtpMailDeliveryService>.Instance
+        );
+
+        var tcs = new TaskCompletionSource();
+        var cts = new CancellationTokenSource(TimeSpan.FromSeconds(5));
+        cts.Token.Register(() => _ = tcs.TrySetCanceled());
+
+        behavior.MessageReceivedEventHandler += (sender, args) =>
+        {
+            if (args.Message.Recipients.Contains("test1@example.com"))
+            {
+                tcs.SetResult();
+            }
+            return Task.CompletedTask;
+        };
+
+        await mailKitDeliveryService.SendEmailAsync(new MailMessage
+        {
+            Subject = "Test",
+            ToEmails = ["test1@example.com"],
+            TextContent = "Hi",
+        }, cts.Token);
+
+        // Wait for email
+        await tcs.Task;
+    }
+
+    [Fact]
+    public async Task SendEmailAsync_Succeeds_WhenCertIsSelfSigned_ServerIsTrusted()
+    {
+        // When the setting `TrustServer = true` is set even if the cert is 
+        // self signed and the cert is not trusted in anyway the connection should
+        // still go through.
+        var port = RandomPort();
+        var behavior = new DefaultServerBehaviour(false, port, _selfSignedCert);
+        using var smtpServer = new SmtpServer(behavior);
+        smtpServer.Start();
+
+        var globalSettings = GetSettings(gs =>
+        {
+            gs.Mail.Smtp.Port = port;
+            gs.Mail.Smtp.Ssl = true;
+            gs.Mail.Smtp.TrustServer = true;
+        });
+
+        var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
+            globalSettings,
+            NullLogger<MailKitSmtpMailDeliveryService>.Instance
+        );
+
+        var tcs = new TaskCompletionSource();
+        var cts = new CancellationTokenSource(TimeSpan.FromSeconds(5));
+        cts.Token.Register(() => _ = tcs.TrySetCanceled());
+
+        behavior.MessageReceivedEventHandler += (sender, args) =>
+        {
+            if (args.Message.Recipients.Contains("test1@example.com"))
+            {
+                tcs.SetResult();
+            }
+            return Task.CompletedTask;
+        };
+
+        await mailKitDeliveryService.SendEmailAsync(new MailMessage
+        {
+            Subject = "Test",
+            ToEmails = ["test1@example.com"],
+            TextContent = "Hi",
+        }, cts.Token);
+
+        // Wait for email
+        await tcs.Task;
+    }
+
+    [Fact]
+    public async Task SendEmailAsync_FailsConnectingWithTls_ServerDoesNotSupportTls()
+    {
+        // If the SMTP server is not setup to use TLS but our server is expecting it
+        // to, we should fail.
+        var port = RandomPort();
+        var behavior = new DefaultServerBehaviour(false, port);
+        using var smtpServer = new SmtpServer(behavior);
+        smtpServer.Start();
+
+        var globalSettings = GetSettings(gs =>
+        {
+            gs.Mail.Smtp.Port = port;
+            gs.Mail.Smtp.Ssl = true;
+            gs.Mail.Smtp.TrustServer = true;
+        });
+
+        var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
+            globalSettings,
+            NullLogger<MailKitSmtpMailDeliveryService>.Instance
+        );
+
+        var cts = new CancellationTokenSource(TimeSpan.FromSeconds(5));
+
+        await Assert.ThrowsAsync<SslHandshakeException>(
+            async () => await mailKitDeliveryService.SendEmailAsync(new MailMessage
+            {
+                Subject = "Test",
+                ToEmails = ["test1@example.com"],
+                TextContent = "Hi",
+            }, cts.Token)
+        );
+    }
+
+    [Fact(Skip = "Requires permission to privileged port")]
+    public async Task SendEmailAsync_Works_NoSsl()
+    {
+        // If the SMTP server isn't set up with any SSL/TLS and we dont' expect
+        // any, then the email should go through just fine. Just without encryption.
+        // This test has to use port 25
+        var port = 25;
+        var behavior = new DefaultServerBehaviour(false, port);
+        using var smtpServer = new SmtpServer(behavior);
+        smtpServer.Start();
+
+        var globalSettings = GetSettings(gs =>
+        {
+            gs.Mail.Smtp.Port = port;
+            gs.Mail.Smtp.Ssl = false;
+            gs.Mail.Smtp.StartTls = false;
+        });
+
+        var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
+            globalSettings,
+            NullLogger<MailKitSmtpMailDeliveryService>.Instance
+        );
+
+        var tcs = new TaskCompletionSource();
+        var cts = new CancellationTokenSource(TimeSpan.FromSeconds(5));
+        cts.Token.Register(() => _ = tcs.TrySetCanceled());
+
+        behavior.MessageReceivedEventHandler += (sender, args) =>
+        {
+            if (args.Message.Recipients.Contains("test1@example.com"))
+            {
+                tcs.SetResult();
+            }
+            return Task.CompletedTask;
+        };
+
+        await mailKitDeliveryService.SendEmailAsync(new MailMessage
+        {
+            Subject = "Test",
+            ToEmails = ["test1@example.com"],
+            TextContent = "Hi",
+        }, cts.Token);
+
+        // Wait for email
+        await tcs.Task;
+    }
+
+    [Fact]
+    public async Task SendEmailAsync_Succeeds_WhenServerNeedsToAuthenticate()
+    {
+        // When the setting `TrustServer = true` is set even if the cert is 
+        // self signed and the cert is not trusted in anyway the connection should
+        // still go through.
+        var port = RandomPort();
+        var behavior = new DefaultServerBehaviour(false, port, _selfSignedCert);
+        behavior.AuthenticationCredentialsValidationRequiredEventHandler += (sender, args) =>
+        {
+            args.AuthenticationResult = AuthenticationResult.Failure;
+            if (args.Credentials is not UsernameAndPasswordAuthenticationCredentials usernameAndPasswordCreds)
+            {
+                return Task.CompletedTask;
+            }
+
+            if (usernameAndPasswordCreds.Username != "test" || usernameAndPasswordCreds.Password != "password")
+            {
+                return Task.CompletedTask;
+            }
+
+            args.AuthenticationResult = AuthenticationResult.Success;
+            return Task.CompletedTask;
+        };
+        using var smtpServer = new SmtpServer(behavior);
+        smtpServer.Start();
+
+        var globalSettings = GetSettings(gs =>
+        {
+            gs.Mail.Smtp.Port = port;
+            gs.Mail.Smtp.Ssl = true;
+            gs.Mail.Smtp.TrustServer = true;
+
+            gs.Mail.Smtp.Username = "test";
+            gs.Mail.Smtp.Password = "password";
+        });
+
+        var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
+            globalSettings,
+            NullLogger<MailKitSmtpMailDeliveryService>.Instance
+        );
+
+        var tcs = new TaskCompletionSource();
+        var cts = new CancellationTokenSource(TimeSpan.FromSeconds(5));
+        cts.Token.Register(() => _ = tcs.TrySetCanceled());
+
+        behavior.MessageReceivedEventHandler += (sender, args) =>
+        {
+            if (args.Message.Recipients.Contains("test1@example.com"))
+            {
+                tcs.SetResult();
+            }
+            return Task.CompletedTask;
+        };
+
+        await mailKitDeliveryService.SendEmailAsync(new MailMessage
+        {
+            Subject = "Test",
+            ToEmails = ["test1@example.com"],
+            TextContent = "Hi",
+        }, cts.Token);
+
+        // Wait for email
+        await tcs.Task;
+    }
+}

From 67d7d685a619a5fc413f8532dacb09681ee5c956 Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx <jhendrickx@bitwarden.com>
Date: Fri, 4 Apr 2025 09:11:00 +0200
Subject: [PATCH 162/184] [PM-19048] Replace AddMvc with AddControllers (#5481)

---
 src/Billing/Billing.csproj              |  1 -
 src/Billing/Startup.cs                  |  3 +-
 src/Billing/Views/Home/Index.cshtml     |  6 ----
 src/Billing/Views/Login/Index.cshtml    | 21 -------------
 src/Billing/Views/Shared/Error.cshtml   | 14 ---------
 src/Billing/Views/Shared/_Layout.cshtml | 41 -------------------------
 src/Billing/Views/_ViewImports.cshtml   |  3 --
 src/Billing/Views/_ViewStart.cshtml     |  3 --
 src/Billing/wwwroot/styles/billing.css  |  6 ----
 9 files changed, 1 insertion(+), 97 deletions(-)
 delete mode 100644 src/Billing/Views/Home/Index.cshtml
 delete mode 100644 src/Billing/Views/Login/Index.cshtml
 delete mode 100644 src/Billing/Views/Shared/Error.cshtml
 delete mode 100644 src/Billing/Views/Shared/_Layout.cshtml
 delete mode 100644 src/Billing/Views/_ViewImports.cshtml
 delete mode 100644 src/Billing/Views/_ViewStart.cshtml
 delete mode 100644 src/Billing/wwwroot/styles/billing.css

diff --git a/src/Billing/Billing.csproj b/src/Billing/Billing.csproj
index f32eccfe8c..01a8bbdd9b 100644
--- a/src/Billing/Billing.csproj
+++ b/src/Billing/Billing.csproj
@@ -2,7 +2,6 @@
 
   <PropertyGroup>
     <UserSecretsId>bitwarden-Billing</UserSecretsId>
-    <MvcRazorCompileOnPublish>false</MvcRazorCompileOnPublish>
   </PropertyGroup>
 
   <PropertyGroup Condition=" '$(RunConfiguration)' == 'Billing' " />
diff --git a/src/Billing/Startup.cs b/src/Billing/Startup.cs
index e9f2f53488..afb01f4801 100644
--- a/src/Billing/Startup.cs
+++ b/src/Billing/Startup.cs
@@ -87,8 +87,7 @@ public class Startup
         // TODO: no longer be required - see PM-1880
         services.AddScoped<IServiceAccountRepository, NoopServiceAccountRepository>();
 
-        // Mvc
-        services.AddMvc(config =>
+        services.AddControllers(config =>
         {
             config.Filters.Add(new LoggingExceptionHandlerFilterAttribute());
         });
diff --git a/src/Billing/Views/Home/Index.cshtml b/src/Billing/Views/Home/Index.cshtml
deleted file mode 100644
index b35636857c..0000000000
--- a/src/Billing/Views/Home/Index.cshtml
+++ /dev/null
@@ -1,6 +0,0 @@
-@{
-    ViewData["Title"] = "Index";
-}
-
-<h2>Index</h2>
-
diff --git a/src/Billing/Views/Login/Index.cshtml b/src/Billing/Views/Login/Index.cshtml
deleted file mode 100644
index 6761a185b8..0000000000
--- a/src/Billing/Views/Login/Index.cshtml
+++ /dev/null
@@ -1,21 +0,0 @@
-@model LoginModel
-@{
-    ViewData["Title"] = "Login";
-}
-
-<div class="row justify-content-md-center">
-    <div class="col-4">
-        <p>Please enter your email address below to log in.</p>
-        <form asp-action="" method="post">
-            <div asp-validation-summary="ModelOnly" class="text-danger"></div>
-            <div class="form-group">
-                <label asp-for="Email" class="sr-only">Email Address</label>
-                <input asp-for="Email" type="email" class="form-control" placeholder="ex. john@example.com"
-                       required autofocus>
-                <span asp-validation-for="Email" class="invalid-feedback"></span>
-                <small class="form-text text-body-secondary">We'll email you a secure login link.</small>
-            </div>
-            <button class="btn btn-primary btn-block" type="submit">Continue</button>
-        </form>
-    </div>
-</div>
diff --git a/src/Billing/Views/Shared/Error.cshtml b/src/Billing/Views/Shared/Error.cshtml
deleted file mode 100644
index e514139c45..0000000000
--- a/src/Billing/Views/Shared/Error.cshtml
+++ /dev/null
@@ -1,14 +0,0 @@
-@{
-    ViewData["Title"] = "Error";
-}
-
-<h1 class="text-danger">Error.</h1>
-<h2 class="text-danger">An error occurred while processing your request.</h2>
-
-<h3>Development Mode</h3>
-<p>
-    Swapping to <strong>Development</strong> environment will display more detailed information about the error that occurred.
-</p>
-<p>
-    <strong>Development environment should not be enabled in deployed applications</strong>, as it can result in sensitive information from exceptions being displayed to end users. For local debugging, development environment can be enabled by setting the <strong>ASPNETCORE_ENVIRONMENT</strong> environment variable to <strong>Development</strong>, and restarting the application.
-</p>
diff --git a/src/Billing/Views/Shared/_Layout.cshtml b/src/Billing/Views/Shared/_Layout.cshtml
deleted file mode 100644
index ff49126012..0000000000
--- a/src/Billing/Views/Shared/_Layout.cshtml
+++ /dev/null
@@ -1,41 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-    <meta charset="utf-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <title>@ViewData["Title"] | Bitwarden Billing Portal</title>
-
-    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css"
-          integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous">
-    <link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" rel="stylesheet"
-          integrity="sha384-wvfXpqpZZVQGK6TAh5PVlGOfQNHSoD2xbE+QkPxCAFlNEevoEH3Sl0sibVcOQVnN" crossorigin="anonymous">
-    <link rel="stylesheet" href="~/styles/billing.css">
-</head>
-<body>
-    <nav class="navbar navbar-expand-md navbar-dark bg-dark mb-4">
-        <div class="container">
-            <a class="navbar-brand" href="#"><i class="fa fa-lg fa-fw fa-shield"></i> Billing</a>
-            <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarCollapse"
-                    aria-controls="navbarCollapse" aria-expanded="false" aria-label="Toggle navigation">
-                <span class="navbar-toggler-icon"></span>
-            </button>
-            <div class="collapse navbar-collapse" id="navbarCollapse">
-                <ul class="navbar-nav mr-auto">
-                    <li class="nav-item active">
-                        <a class="nav-link" href="#">Home <span class="sr-only">(current)</span></a>
-                    </li>
-                    <li class="nav-item">
-                        <a class="nav-link" href="#">Link</a>
-                    </li>
-                </ul>
-            </div>
-        </div>
-    </nav>
-
-    <main role="main" class="container">
-        @RenderBody()
-    </main>
-
-    @RenderSection("Scripts", required: false)
-</body>
-</html>
diff --git a/src/Billing/Views/_ViewImports.cshtml b/src/Billing/Views/_ViewImports.cshtml
deleted file mode 100644
index 226c509d07..0000000000
--- a/src/Billing/Views/_ViewImports.cshtml
+++ /dev/null
@@ -1,3 +0,0 @@
-@using Bit.Billing
-@using Bit.Billing.Models
-@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers
diff --git a/src/Billing/Views/_ViewStart.cshtml b/src/Billing/Views/_ViewStart.cshtml
deleted file mode 100644
index a5f10045db..0000000000
--- a/src/Billing/Views/_ViewStart.cshtml
+++ /dev/null
@@ -1,3 +0,0 @@
-@{
-    Layout = "_Layout";
-}
diff --git a/src/Billing/wwwroot/styles/billing.css b/src/Billing/wwwroot/styles/billing.css
deleted file mode 100644
index 7624ec9285..0000000000
--- a/src/Billing/wwwroot/styles/billing.css
+++ /dev/null
@@ -1,6 +0,0 @@
-.custom-select.input-validation-error ~ .invalid-feedback,
-.custom-select.input-validation-error ~ .invalid-tooltip,
-.form-control.input-validation-error ~ .invalid-feedback,
-.form-control.input-validation-error ~ .invalid-tooltip {
-    display: block;
-}

From e176e6e06eead447f8fa8b2aa1427d471426841f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Fri, 4 Apr 2025 14:52:57 +0100
Subject: [PATCH 163/184] [PM-17615] Refactor OrganizationService to remove
 feature flag check for PushSyncOrgKeysOnRevokeRestore (#5547)

* Refactor OrganizationService to remove feature flag check for PushSyncOrgKeysOnRevokeRestore

* Remove redundant tests

* Remove unused IFeatureService dependency from RestoreOrganizationUserCommand class
---
 .../v1/RestoreOrganizationUserCommand.cs      | 10 ++---
 .../Implementations/OrganizationService.cs    |  6 +--
 .../RestoreOrganizationUserCommandTests.cs    | 39 -------------------
 .../Services/OrganizationServiceTests.cs      | 39 -------------------
 4 files changed, 6 insertions(+), 88 deletions(-)

diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/RestoreOrganizationUserCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/RestoreOrganizationUserCommand.cs
index f122463a98..74165a5a71 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/RestoreOrganizationUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/RestoreOrganizationUserCommand.cs
@@ -16,7 +16,6 @@ namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUs
 public class RestoreOrganizationUserCommand(
     ICurrentContext currentContext,
     IEventService eventService,
-    IFeatureService featureService,
     IPushNotificationService pushNotificationService,
     IOrganizationUserRepository organizationUserRepository,
     IOrganizationRepository organizationRepository,
@@ -41,8 +40,7 @@ public class RestoreOrganizationUserCommand(
         await RepositoryRestoreUserAsync(organizationUser);
         await eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
 
-        if (featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) &&
-            organizationUser.UserId.HasValue)
+        if (organizationUser.UserId.HasValue)
         {
             await pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
         }
@@ -54,8 +52,7 @@ public class RestoreOrganizationUserCommand(
         await eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored,
             systemUser);
 
-        if (featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) &&
-            organizationUser.UserId.HasValue)
+        if (organizationUser.UserId.HasValue)
         {
             await pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
         }
@@ -219,8 +216,7 @@ public class RestoreOrganizationUserCommand(
                 await organizationUserRepository.RestoreAsync(organizationUser.Id, status);
                 organizationUser.Status = status;
                 await eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
-                if (featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) &&
-                    organizationUser.UserId.HasValue)
+                if (organizationUser.UserId.HasValue)
                 {
                     await pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
                 }
diff --git a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
index 32fcbb0608..78f880b15c 100644
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@@ -1791,7 +1791,7 @@ public class OrganizationService : IOrganizationService
         await RepositoryRevokeUserAsync(organizationUser);
         await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Revoked);
 
-        if (_featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) && organizationUser.UserId.HasValue)
+        if (organizationUser.UserId.HasValue)
         {
             await _pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
         }
@@ -1803,7 +1803,7 @@ public class OrganizationService : IOrganizationService
         await RepositoryRevokeUserAsync(organizationUser);
         await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Revoked, systemUser);
 
-        if (_featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) && organizationUser.UserId.HasValue)
+        if (organizationUser.UserId.HasValue)
         {
             await _pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
         }
@@ -1872,7 +1872,7 @@ public class OrganizationService : IOrganizationService
                 await _organizationUserRepository.RevokeAsync(organizationUser.Id);
                 organizationUser.Status = OrganizationUserStatusType.Revoked;
                 await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Revoked);
-                if (_featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) && organizationUser.UserId.HasValue)
+                if (organizationUser.UserId.HasValue)
                 {
                     await _pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
                 }
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/RestoreOrganizationUserCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/RestoreOrganizationUserCommandTests.cs
index f91ca779a8..d6880a3a12 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/RestoreOrganizationUserCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/RestoreOrganizationUserCommandTests.cs
@@ -31,26 +31,6 @@ public class RestoreOrganizationUserCommandTests
 
         await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id);
 
-        await sutProvider.GetDependency<IOrganizationUserRepository>()
-            .Received(1)
-            .RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
-        await sutProvider.GetDependency<IEventService>()
-            .Received(1)
-            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
-    }
-
-    [Theory, BitAutoData]
-    public async Task RestoreUser_WithPushSyncOrgKeysOnRevokeRestoreEnabled_Success(Organization organization, [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
-        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser, SutProvider<RestoreOrganizationUserCommand> sutProvider)
-    {
-        RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
-
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore)
-            .Returns(true);
-
-        await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id);
-
         await sutProvider.GetDependency<IOrganizationUserRepository>()
             .Received(1)
             .RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
@@ -69,25 +49,6 @@ public class RestoreOrganizationUserCommandTests
 
         await sutProvider.Sut.RestoreUserAsync(organizationUser, eventSystemUser);
 
-        await sutProvider.GetDependency<IOrganizationUserRepository>()
-            .Received(1)
-            .RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
-        await sutProvider.GetDependency<IEventService>()
-            .Received(1)
-            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored, eventSystemUser);
-    }
-
-    [Theory, BitAutoData]
-    public async Task RestoreUser_WithEventSystemUser_WithPushSyncOrgKeysOnRevokeRestoreEnabled_Success(Organization organization, [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser, EventSystemUser eventSystemUser, SutProvider<RestoreOrganizationUserCommand> sutProvider)
-    {
-        RestoreUser_Setup(organization, null, organizationUser, sutProvider);
-
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore)
-            .Returns(true);
-
-        await sutProvider.Sut.RestoreUserAsync(organizationUser, eventSystemUser);
-
         await sutProvider.GetDependency<IOrganizationUserRepository>()
             .Received(1)
             .RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
diff --git a/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs b/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
index bd8ae1daaf..53101900e5 100644
--- a/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
+++ b/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
@@ -1162,26 +1162,6 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
 
         await sutProvider.Sut.RevokeUserAsync(organizationUser, owner.Id);
 
-        await sutProvider.GetDependency<IOrganizationUserRepository>()
-            .Received(1)
-            .RevokeAsync(organizationUser.Id);
-        await sutProvider.GetDependency<IEventService>()
-            .Received(1)
-            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Revoked);
-    }
-
-    [Theory, BitAutoData]
-    public async Task RevokeUser_WithPushSyncOrgKeysOnRevokeRestoreEnabled_Success(Organization organization, [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
-        [OrganizationUser] OrganizationUser organizationUser, SutProvider<OrganizationService> sutProvider)
-    {
-        RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
-
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore)
-            .Returns(true);
-
-        await sutProvider.Sut.RevokeUserAsync(organizationUser, owner.Id);
-
         await sutProvider.GetDependency<IOrganizationUserRepository>()
             .Received(1)
             .RevokeAsync(organizationUser.Id);
@@ -1200,25 +1180,6 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
 
         await sutProvider.Sut.RevokeUserAsync(organizationUser, eventSystemUser);
 
-        await sutProvider.GetDependency<IOrganizationUserRepository>()
-            .Received(1)
-            .RevokeAsync(organizationUser.Id);
-        await sutProvider.GetDependency<IEventService>()
-            .Received(1)
-            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Revoked, eventSystemUser);
-    }
-
-    [Theory, BitAutoData]
-    public async Task RevokeUser_WithEventSystemUser_WithPushSyncOrgKeysOnRevokeRestoreEnabled_Success(Organization organization, [OrganizationUser] OrganizationUser organizationUser, EventSystemUser eventSystemUser, SutProvider<OrganizationService> sutProvider)
-    {
-        RestoreRevokeUser_Setup(organization, null, organizationUser, sutProvider);
-
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore)
-            .Returns(true);
-
-        await sutProvider.Sut.RevokeUserAsync(organizationUser, eventSystemUser);
-
         await sutProvider.GetDependency<IOrganizationUserRepository>()
             .Received(1)
             .RevokeAsync(organizationUser.Id);

From 39ac93326db1622447f8305a776fffc8d91cef16 Mon Sep 17 00:00:00 2001
From: Andy Pixley <3723676+pixman20@users.noreply.github.com>
Date: Fri, 4 Apr 2025 09:53:12 -0400
Subject: [PATCH 164/184] [BRE-457] Updating CODEOWNERS for self-host ownership
 (#5593)

---
 .github/CODEOWNERS | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index aa868cd1b5..03dbb7aac4 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -20,12 +20,19 @@
 # Database Operations for database changes
 src/Sql/** @bitwarden/dept-dbops
 util/EfShared/** @bitwarden/dept-dbops
-util/Migrator/** @bitwarden/dept-dbops
+util/Migrator/** @bitwarden/team-platform-dev # The Platform team owns the Migrator project code
+util/Migrator/DbScripts/** @bitwarden/dept-dbops
+util/Migrator/DbScripts_finalization/** @bitwarden/dept-dbops
+util/Migrator/DbScripts_transition/** @bitwarden/dept-dbops
+util/Migrator/MySql/** @bitwarden/dept-dbops
 util/MySqlMigrations/** @bitwarden/dept-dbops
 util/PostgresMigrations/** @bitwarden/dept-dbops
 util/SqlServerEFScaffold/** @bitwarden/dept-dbops
 util/SqliteMigrations/** @bitwarden/dept-dbops
 
+# Shared util projects
+util/Setup/** @bitwarden/dept-bre @bitwarden/team-platform-dev
+
 # Auth team
 **/Auth @bitwarden/team-auth-dev
 bitwarden_license/src/Sso @bitwarden/team-auth-dev

From 190328c0cfaa5fe436f8fa4e5f555940aafd7a20 Mon Sep 17 00:00:00 2001
From: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Date: Fri, 4 Apr 2025 11:58:15 -0400
Subject: [PATCH 165/184] Introduce options for adding certificates to the
 X509ChainPolicy.CustomTrustStore

Co-authored-by: tangowithfoxtrot <tangowithfoxtrot@users.noreply.github.com>
---
 .../PostConfigureX509ChainOptions.cs          |  94 ++++++++++++
 ...ustomizationServiceCollectionExtensions.cs |  53 +++++++
 .../X509ChainOptions.cs                       |  72 +++++++++
 .../MailKitSmtpMailDeliveryService.cs         |  17 ++-
 .../MailKitSmtpMailDeliveryServiceTests.cs    |  49 +++++--
 ...izationServiceCollectionExtensionsTests.cs | 137 ++++++++++++++++++
 .../Services/HandlebarsMailServiceTests.cs    |   4 +-
 .../MailKitSmtpMailDeliveryServiceTests.cs    |   7 +-
 8 files changed, 412 insertions(+), 21 deletions(-)
 create mode 100644 src/Core/Platform/X509ChainCustomization/PostConfigureX509ChainOptions.cs
 create mode 100644 src/Core/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensions.cs
 create mode 100644 src/Core/Platform/X509ChainCustomization/X509ChainOptions.cs
 create mode 100644 test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs

diff --git a/src/Core/Platform/X509ChainCustomization/PostConfigureX509ChainOptions.cs b/src/Core/Platform/X509ChainCustomization/PostConfigureX509ChainOptions.cs
new file mode 100644
index 0000000000..3361201093
--- /dev/null
+++ b/src/Core/Platform/X509ChainCustomization/PostConfigureX509ChainOptions.cs
@@ -0,0 +1,94 @@
+#nullable enable
+
+using System.Security.Cryptography.X509Certificates;
+using Microsoft.Extensions.Options;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Hosting;
+using Bit.Core.Settings;
+
+namespace Bit.Core.Platform.X509ChainCustomization;
+
+internal sealed class PostConfigureX509ChainOptions : IPostConfigureOptions<X509ChainOptions>
+{
+    const string CertificateSearchPattern = "*.crt";
+
+    private readonly ILogger<PostConfigureX509ChainOptions> _logger;
+    private readonly IHostEnvironment _hostEnvironment;
+    private readonly GlobalSettings _globalSettings;
+
+    public PostConfigureX509ChainOptions(
+        ILogger<PostConfigureX509ChainOptions> logger,
+        IHostEnvironment hostEnvironment,
+        GlobalSettings globalSettings)
+    {
+        _logger = logger;
+        _hostEnvironment = hostEnvironment;
+        _globalSettings = globalSettings;
+    }
+
+    public void PostConfigure(string? name, X509ChainOptions options)
+    {
+        if (name != Options.DefaultName)
+        {
+            return;
+        }
+
+        // We only allow this setting to be configured on self host.
+        if (!_globalSettings.SelfHosted)
+        {
+            options.AdditionalCustomTrustCertificatesDirectory = null;
+            return;
+        }
+
+        if (options.AdditionalCustomTrustCertificates != null)
+        {
+            // Additional certificates were added directly, this overwrites the need to
+            // read them from the directory.
+            _logger.LogInformation(
+                "Additional custom trust certificates were added directly, skipping loading them from '{Directory}'",
+                options.AdditionalCustomTrustCertificatesDirectory
+            );
+            return;
+        }
+
+        if (string.IsNullOrEmpty(options.AdditionalCustomTrustCertificatesDirectory))
+        {
+            return;
+        }
+
+        if (!Directory.Exists(options.AdditionalCustomTrustCertificatesDirectory))
+        {
+            // The default directory is volume mounted via the default Bitwarden setup process.
+            // If the directory doesn't exist it could indicate a error in configuration but this
+            // directory is never expected in a normal development environment so lower the log
+            // level in that case.
+            var logLevel = _hostEnvironment.IsDevelopment()
+                ? LogLevel.Debug
+                : LogLevel.Warning;
+            _logger.Log(
+                logLevel,
+                "An additional custom trust certificate directory was given '{Directory}' but that directory does not exist.",
+                options.AdditionalCustomTrustCertificatesDirectory
+            );
+            return;
+        }
+
+        var certificates = new List<X509Certificate2>();
+
+        foreach (var certFile in Directory.EnumerateFiles(options.AdditionalCustomTrustCertificatesDirectory, CertificateSearchPattern))
+        {
+            certificates.Add(new X509Certificate2(certFile));
+        }
+
+        if (options.AdditionalCustomTrustCertificatesDirectory != X509ChainOptions.DefaultAdditionalCustomTrustCertificatesDirectory && certificates.Count == 0)
+        {
+            // They have intentionally given us a non-default directory but there weren't certificates, that is odd.
+            _logger.LogWarning(
+                "No additional custom trust certificates were found in '{Directory}'",
+                options.AdditionalCustomTrustCertificatesDirectory
+            );
+        }
+
+        options.AdditionalCustomTrustCertificates = certificates;
+    }
+}
diff --git a/src/Core/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensions.cs b/src/Core/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensions.cs
new file mode 100644
index 0000000000..45de2c5460
--- /dev/null
+++ b/src/Core/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensions.cs
@@ -0,0 +1,53 @@
+using Bit.Core.Platform.X509ChainCustomization;
+using Microsoft.Extensions.Options;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+
+namespace Microsoft.Extensions.DependencyInjection;
+
+/// <summary>
+/// Extension methods for setting up the ability to provide customization to how TLS works in an <see cref="IServiceCollection"/>.
+/// </summary>
+public static class X509ChainCustomizationServiceCollectionExtensions
+{
+    /// <summary>
+    /// Configures X509ChainPolicy customization through the root level <c>TlsOptions</c> configuration section
+    /// and configures the primary <see cref="HttpMessageHandler"/> to use custom certificate validation
+    /// when customized to do so.
+    /// </summary>
+    /// <param name="services">The <see cref="IServiceCollection"/>.</param>
+    /// <returns>The <see cref="IServiceCollection"/> for additional chaining.</returns>
+    public static IServiceCollection AddX509ChainCustomization(this IServiceCollection services)
+    {
+        ArgumentNullException.ThrowIfNull(services);
+
+        services.AddOptions<X509ChainOptions>()
+            .BindConfiguration(nameof(X509ChainOptions));
+
+        // Use TryAddEnumerable to make sure `PostConfigureTlsOptions` isn't added multiple
+        // times even if this method is called multiple times.
+        services.TryAddEnumerable(ServiceDescriptor.Singleton<IPostConfigureOptions<X509ChainOptions>, PostConfigureX509ChainOptions>());
+
+        services.AddHttpClient()
+            .ConfigureHttpClientDefaults(builder =>
+            {
+                builder.ConfigurePrimaryHttpMessageHandler(sp =>
+                {
+                    var tlsOptions = sp.GetRequiredService<IOptions<X509ChainOptions>>().Value;
+
+                    var handler = new HttpClientHandler();
+
+                    if (tlsOptions.TryGetCustomRemoteCertificateValidationCallback(out var callback))
+                    {
+                        handler.ServerCertificateCustomValidationCallback = (sender, certificate, chain, errors) =>
+                        {
+                            return callback(certificate, chain, errors);
+                        };
+                    }
+
+                    return handler;
+                });
+            });
+
+        return services;
+    }
+}
diff --git a/src/Core/Platform/X509ChainCustomization/X509ChainOptions.cs b/src/Core/Platform/X509ChainCustomization/X509ChainOptions.cs
new file mode 100644
index 0000000000..19cbd73ae3
--- /dev/null
+++ b/src/Core/Platform/X509ChainCustomization/X509ChainOptions.cs
@@ -0,0 +1,72 @@
+#nullable enable
+
+using System.Diagnostics.CodeAnalysis;
+using System.Net.Security;
+using System.Security.Cryptography.X509Certificates;
+
+namespace Bit.Core.Platform.X509ChainCustomization;
+
+/// <summary>
+/// Allows for customization of 
+/// </summary>
+public sealed class X509ChainOptions
+{
+    // This is the directory that we historically used to allow certificates be added inside our container
+    // and then on start of the container we would move them to `/usr/local/share/ca-certificates/` and call
+    // `update-ca-certificates` but since that operation requires root we can't do it in a rootless container.
+    // Ref: https://github.com/bitwarden/server/blob/67d7d685a619a5fc413f8532dacb09681ee5c956/src/Api/entrypoint.sh#L38-L41
+    public const string DefaultAdditionalCustomTrustCertificatesDirectory = "/etc/bitwarden/ca-certificates/";
+
+    /// <summary>
+    /// A directory where additional certificates should be read from and included in <see cref="X509ChainPolicy.CustomTrustStore"/>.
+    /// </summary>
+    /// <remarks>
+    /// Only certificates suffixed with <c>*.crt</c> will be read. If <see cref="AdditionalCustomTrustCertificates"/> is
+    /// set, then this directory will not be read from.
+    /// </remarks>
+    public string? AdditionalCustomTrustCertificatesDirectory { get; set; } = DefaultAdditionalCustomTrustCertificatesDirectory;
+
+    /// <summary>
+    /// A list of additional certificates that should be included in <see cref="X509ChainPolicy.CustomTrustStore"/>.
+    /// </summary>
+    /// <remarks>
+    /// If this value is set manually, then <see cref="AdditionalCustomTrustCertificatesDirectory"/> will be ignored.
+    /// </remarks>
+    public List<X509Certificate2>? AdditionalCustomTrustCertificates { get; set; }
+
+    /// <summary>
+    /// Attempts to retrieve a custom remote certificate validation callback.
+    /// </summary>
+    /// <param name="callback"></param>
+    /// <returns>Returns <see langword="true"/> when we have custom remote certification that should be added,
+    /// <see langword="false"/> when no custom validation is needed and the default validation callback should
+    /// be used instead.
+    /// </returns>
+    [MemberNotNullWhen(true, nameof(AdditionalCustomTrustCertificates))]
+    public bool TryGetCustomRemoteCertificateValidationCallback(
+        [MaybeNullWhen(false)]out Func<X509Certificate2?, X509Chain?, SslPolicyErrors, bool> callback)
+    {
+        callback = null;
+        if (AdditionalCustomTrustCertificates == null || AdditionalCustomTrustCertificates.Count == 0)
+        {
+            return false;
+        }
+
+        // Ref: https://github.com/dotnet/runtime/issues/39835#issuecomment-663020581
+        callback = (certificate, chain, errors) =>
+        {
+            if (chain == null || certificate == null)
+            {
+                return false;
+            }
+
+            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
+            foreach (var additionalCertificate in AdditionalCustomTrustCertificates)
+            {
+                chain.ChainPolicy.CustomTrustStore.Add(additionalCertificate);
+            }
+            return chain.Build(certificate);
+        };
+        return true;
+    }
+}
diff --git a/src/Core/Services/Implementations/MailKitSmtpMailDeliveryService.cs b/src/Core/Services/Implementations/MailKitSmtpMailDeliveryService.cs
index dc4e89aa23..f9a6762772 100644
--- a/src/Core/Services/Implementations/MailKitSmtpMailDeliveryService.cs
+++ b/src/Core/Services/Implementations/MailKitSmtpMailDeliveryService.cs
@@ -1,7 +1,10 @@
-using Bit.Core.Settings;
+using System.Security.Cryptography.X509Certificates;
+using Bit.Core.Platform.X509ChainCustomization;
+using Bit.Core.Settings;
 using Bit.Core.Utilities;
 using MailKit.Net.Smtp;
 using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
 using MimeKit;
 
 namespace Bit.Core.Services;
@@ -10,12 +13,14 @@ public class MailKitSmtpMailDeliveryService : IMailDeliveryService
 {
     private readonly GlobalSettings _globalSettings;
     private readonly ILogger<MailKitSmtpMailDeliveryService> _logger;
+    private readonly X509ChainOptions _x509CertificateCustomization;
     private readonly string _replyDomain;
     private readonly string _replyEmail;
 
     public MailKitSmtpMailDeliveryService(
         GlobalSettings globalSettings,
-        ILogger<MailKitSmtpMailDeliveryService> logger)
+        ILogger<MailKitSmtpMailDeliveryService> logger,
+        IOptions<X509ChainOptions> tlsOptions)
     {
         if (globalSettings.Mail?.Smtp?.Host == null)
         {
@@ -31,6 +36,7 @@ public class MailKitSmtpMailDeliveryService : IMailDeliveryService
 
         _globalSettings = globalSettings;
         _logger = logger;
+        _x509CertificateCustomization = tlsOptions.Value;
     }
 
     public async Task SendEmailAsync(Models.Mail.MailMessage message)
@@ -75,6 +81,13 @@ public class MailKitSmtpMailDeliveryService : IMailDeliveryService
             {
                 client.ServerCertificateValidationCallback = (s, c, h, e) => true;
             }
+            else if (_x509CertificateCustomization.TryGetCustomRemoteCertificateValidationCallback(out var callback))
+            {
+                client.ServerCertificateValidationCallback = (sender, cert, chain, errors) =>
+                {
+                    return callback(new X509Certificate2(cert), chain, errors);
+                };
+            }
 
             if (!_globalSettings.Mail.Smtp.StartTls && !_globalSettings.Mail.Smtp.Ssl &&
                 _globalSettings.Mail.Smtp.Port == 25)
diff --git a/test/Core.IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs b/test/Core.IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs
index db2b945fda..7914a6d147 100644
--- a/test/Core.IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs
+++ b/test/Core.IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs
@@ -3,9 +3,11 @@ using System.Security.Cryptography.X509Certificates;
 using Bit.Core.Models.Mail;
 using Bit.Core.Services;
 using Bit.Core.Settings;
+using Bit.Core.Platform.TlsCustomization;
 using MailKit.Security;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Extensions.Options;
 using Rnwood.SmtpServer;
 using Rnwood.SmtpServer.Extensions.Auth;
 using Xunit.Abstractions;
@@ -100,7 +102,8 @@ public class MailKitSmtpMailDeliveryServiceTests
 
         var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
             globalSettings,
-            NullLogger<MailKitSmtpMailDeliveryService>.Instance
+            NullLogger<MailKitSmtpMailDeliveryService>.Instance,
+            Options.Create(new X509CertificateCustomizationOptions())
         );
 
         await Assert.ThrowsAsync<SslHandshakeException>(
@@ -113,7 +116,7 @@ public class MailKitSmtpMailDeliveryServiceTests
         );
     }
 
-    [Fact(Skip = "Upcoming feature")]
+    [Fact]
     public async Task SendEmailAsync_SmtpServerUsingSelfSignedCert_CertInCustomLocation_Works()
     {
         // If an SMTP server is using a self signed cert we will in the future
@@ -130,12 +133,18 @@ public class MailKitSmtpMailDeliveryServiceTests
             gs.Mail.Smtp.Ssl = true;
         });
 
-        // TODO: Setup custom location and save self signed cert there.
-        // await SaveCertAsync("./my-location", _selfSignedCert);
+        var tlsOptions = new X509CertificateCustomizationOptions
+        {
+            AdditionalCustomTrustCertificates =
+            [
+                _selfSignedCert,
+            ],
+        };
 
         var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
             globalSettings,
-            NullLogger<MailKitSmtpMailDeliveryService>.Instance
+            NullLogger<MailKitSmtpMailDeliveryService>.Instance,
+            Options.Create(tlsOptions)
         );
 
         var tcs = new TaskCompletionSource();
@@ -162,7 +171,7 @@ public class MailKitSmtpMailDeliveryServiceTests
         await tcs.Task;
     }
 
-    [Fact(Skip = "Upcoming feature")]
+    [Fact]
     public async Task SendEmailAsync_SmtpServerUsingSelfSignedCert_CertInCustomLocation_WithUnrelatedCerts_Works()
     {
         // If an SMTP server is using a self signed cert we will in the future
@@ -179,15 +188,19 @@ public class MailKitSmtpMailDeliveryServiceTests
             gs.Mail.Smtp.Ssl = true;
         });
 
-        // TODO: Setup custom location and save self signed cert there
-        // along with another self signed cert that is not related to 
-        // the SMTP server.
-        // await SaveCertAsync("./my-location", _selfSignedCert);
-        // await SaveCertAsync("./my-location", CreateSelfSignedCert("example.com"));
+        var tlsOptions = new X509CertificateCustomizationOptions
+        {
+            AdditionalCustomTrustCertificates =
+            [
+                _selfSignedCert,
+                CreateSelfSignedCert("example.com"),
+            ],
+        };
 
         var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
             globalSettings,
-            NullLogger<MailKitSmtpMailDeliveryService>.Instance
+            NullLogger<MailKitSmtpMailDeliveryService>.Instance,
+            Options.Create(tlsOptions)
         );
 
         var tcs = new TaskCompletionSource();
@@ -234,7 +247,8 @@ public class MailKitSmtpMailDeliveryServiceTests
 
         var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
             globalSettings,
-            NullLogger<MailKitSmtpMailDeliveryService>.Instance
+            NullLogger<MailKitSmtpMailDeliveryService>.Instance,
+            Options.Create(new X509CertificateCustomizationOptions())
         );
 
         var tcs = new TaskCompletionSource();
@@ -280,7 +294,8 @@ public class MailKitSmtpMailDeliveryServiceTests
 
         var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
             globalSettings,
-            NullLogger<MailKitSmtpMailDeliveryService>.Instance
+            NullLogger<MailKitSmtpMailDeliveryService>.Instance,
+            Options.Create(new X509CertificateCustomizationOptions())
         );
 
         var cts = new CancellationTokenSource(TimeSpan.FromSeconds(5));
@@ -315,7 +330,8 @@ public class MailKitSmtpMailDeliveryServiceTests
 
         var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
             globalSettings,
-            NullLogger<MailKitSmtpMailDeliveryService>.Instance
+            NullLogger<MailKitSmtpMailDeliveryService>.Instance,
+            Options.Create(new X509CertificateCustomizationOptions())
         );
 
         var tcs = new TaskCompletionSource();
@@ -381,7 +397,8 @@ public class MailKitSmtpMailDeliveryServiceTests
 
         var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
             globalSettings,
-            NullLogger<MailKitSmtpMailDeliveryService>.Instance
+            NullLogger<MailKitSmtpMailDeliveryService>.Instance,
+            Options.Create(new X509CertificateCustomizationOptions())
         );
 
         var tcs = new TaskCompletionSource();
diff --git a/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs b/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
new file mode 100644
index 0000000000..2af9b7cc8a
--- /dev/null
+++ b/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
@@ -0,0 +1,137 @@
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using Bit.Core.Platform.X509ChainCustomization;
+using Bit.Core.Settings;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Options;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.Platform.TlsCustomization;
+
+public class X509ChainCustomizationServiceCollectionExtensionsTests
+{
+    private static X509Certificate2 CreateSelfSignedCert(string commonName)
+    {
+        using var rsa = RSA.Create(2048);
+        var certRequest = new CertificateRequest($"CN={commonName}", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+        return certRequest.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(1));
+    }
+
+    [Fact]
+    public async Task OptionsPatternReturnsCachedValue()
+    {
+        var tempDir = Directory.CreateTempSubdirectory("certs");
+        
+        var tempCert = Path.Combine(tempDir.FullName, "test.crt");
+        await File.WriteAllBytesAsync(tempCert, CreateSelfSignedCert("localhost").Export(X509ContentType.Cert));
+
+        var services = CreateServices((gs, environment, config) =>
+        {
+            gs.SelfHosted = true;
+
+            environment.EnvironmentName = "Development";
+
+            config["X509ChainOptions:AdditionalCustomTrustCertificatesDirectory"] = tempDir.FullName;
+        });
+        
+        // Create options once
+        var firstOptions = services.GetRequiredService<IOptions<X509ChainOptions>>().Value;
+
+        Assert.NotNull(firstOptions.AdditionalCustomTrustCertificates);
+        var cert = Assert.Single(firstOptions.AdditionalCustomTrustCertificates);
+        Assert.Equal("CN=localhost", cert.Subject);
+
+        // Since the second resolution should have cached values, deleting the file during operation
+        // should have no impact.
+        File.Delete(tempCert);
+
+        // This is expected to be a cached version and doesn't actually need to go and read the file system
+        var secondOptions = services.GetRequiredService<IOptions<X509ChainOptions>>().Value;
+        Assert.Same(firstOptions, secondOptions);
+
+        // This is the same reference as the first one so it shouldn't be different but just in case.
+        Assert.NotNull(secondOptions.AdditionalCustomTrustCertificates);
+        Assert.Single(secondOptions.AdditionalCustomTrustCertificates);
+    }
+
+    [Fact]
+    public async Task DoesNotProvideCustomCallbackOnCloud()
+    {
+        var tempDir = Directory.CreateTempSubdirectory("certs");
+        
+        var tempCert = Path.Combine(tempDir.FullName, "test.crt");
+        await File.WriteAllBytesAsync(tempCert, CreateSelfSignedCert("localhost").Export(X509ContentType.Cert));
+
+        var options = CreateOptions((gs, environment, config) =>
+        {
+            gs.SelfHosted = false;
+
+            environment.EnvironmentName = "Development";
+
+            config["X509ChainOptions:AdditionalCustomTrustCertificatesDirectory"] = tempDir.FullName;
+        });
+
+        Assert.False(options.TryGetCustomRemoteCertificateValidationCallback(out _));
+    }
+
+    [Fact]
+    public async Task ManuallyAddingOptionsTakesPrecedence()
+    {
+        var tempDir = Directory.CreateTempSubdirectory("certs");
+        
+        var tempCert = Path.Combine(tempDir.FullName, "test.crt");
+        await File.WriteAllBytesAsync(tempCert, CreateSelfSignedCert("localhost").Export(X509ContentType.Cert));
+
+        var options = CreateOptions((gs, environment, config) =>
+        {
+            gs.SelfHosted = false;
+
+            environment.EnvironmentName = "Development";
+
+            config["X509ChainOptions:AdditionalCustomTrustCertificatesDirectory"] = tempDir.FullName;
+        }, services =>
+        {
+            services.Configure<X509ChainOptions>(options =>
+            {
+                options.AdditionalCustomTrustCertificates = [CreateSelfSignedCert("example.com")];
+            });
+        });
+
+        Assert.True(options.TryGetCustomRemoteCertificateValidationCallback(out var callback));
+        var cert = Assert.Single(options.AdditionalCustomTrustCertificates);
+        Assert.Equal("CN=example.com", cert.Subject);
+    }
+
+    private static X509ChainOptions CreateOptions(Action<GlobalSettings, IHostEnvironment, Dictionary<string, string>> configure, Action<IServiceCollection>? after = null)
+    {
+        var services = CreateServices(configure, after);
+        return services.GetRequiredService<IOptions<X509ChainOptions>>().Value;
+    }
+
+    private static IServiceProvider CreateServices(Action<GlobalSettings, IHostEnvironment, Dictionary<string, string>> configure, Action<IServiceCollection>? after = null)
+    {
+        var globalSettings = new GlobalSettings();
+        var hostEnvironment = Substitute.For<IHostEnvironment>();
+        var config = new Dictionary<string, string>();
+
+        configure(globalSettings, hostEnvironment, config);
+
+        var services = new ServiceCollection();
+        services.AddSingleton(globalSettings);
+        services.AddSingleton(hostEnvironment);
+        services.AddSingleton<IConfiguration>(
+            new ConfigurationBuilder()
+                .AddInMemoryCollection(config)
+                .Build()
+        );
+
+        services.AddX509ChainCustomization();
+
+        after?.Invoke(services);
+
+        return services.BuildServiceProvider();
+    }
+}
diff --git a/test/Core.Test/Services/HandlebarsMailServiceTests.cs b/test/Core.Test/Services/HandlebarsMailServiceTests.cs
index 89d9a211e0..35c2f8fe3b 100644
--- a/test/Core.Test/Services/HandlebarsMailServiceTests.cs
+++ b/test/Core.Test/Services/HandlebarsMailServiceTests.cs
@@ -4,9 +4,11 @@ using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Models.Business;
 using Bit.Core.Entities;
+using Bit.Core.Platform.X509ChainCustomization;
 using Bit.Core.Services;
 using Bit.Core.Settings;
 using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
 using NSubstitute;
 using Xunit;
 
@@ -136,7 +138,7 @@ public class HandlebarsMailServiceTests
             SiteName = "Bitwarden",
         };
 
-        var mailDeliveryService = new MailKitSmtpMailDeliveryService(globalSettings, Substitute.For<ILogger<MailKitSmtpMailDeliveryService>>());
+        var mailDeliveryService = new MailKitSmtpMailDeliveryService(globalSettings, Substitute.For<ILogger<MailKitSmtpMailDeliveryService>>(), Options.Create(new X509ChainOptions()));
 
         var handlebarsService = new HandlebarsMailService(globalSettings, mailDeliveryService, new BlockingMailEnqueuingService());
 
diff --git a/test/Core.Test/Services/MailKitSmtpMailDeliveryServiceTests.cs b/test/Core.Test/Services/MailKitSmtpMailDeliveryServiceTests.cs
index 4e7e36fe02..06ee99dbef 100644
--- a/test/Core.Test/Services/MailKitSmtpMailDeliveryServiceTests.cs
+++ b/test/Core.Test/Services/MailKitSmtpMailDeliveryServiceTests.cs
@@ -1,6 +1,8 @@
-using Bit.Core.Services;
+using Bit.Core.Platform.X509ChainCustomization;
+using Bit.Core.Services;
 using Bit.Core.Settings;
 using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
 using NSubstitute;
 using Xunit;
 
@@ -23,7 +25,8 @@ public class MailKitSmtpMailDeliveryServiceTests
 
         _sut = new MailKitSmtpMailDeliveryService(
             _globalSettings,
-            _logger
+            _logger,
+            Options.Create(new X509ChainOptions())
         );
     }
 

From 56e82b1c15bf9f569edfefb21fa9cb485c9bdf59 Mon Sep 17 00:00:00 2001
From: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Date: Fri, 4 Apr 2025 12:04:10 -0400
Subject: [PATCH 166/184] Add comments

---
 .../X509ChainCustomization/PostConfigureX509ChainOptions.cs    | 2 ++
 src/Core/Platform/X509ChainCustomization/X509ChainOptions.cs   | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/Core/Platform/X509ChainCustomization/PostConfigureX509ChainOptions.cs b/src/Core/Platform/X509ChainCustomization/PostConfigureX509ChainOptions.cs
index 3361201093..583672f2f2 100644
--- a/src/Core/Platform/X509ChainCustomization/PostConfigureX509ChainOptions.cs
+++ b/src/Core/Platform/X509ChainCustomization/PostConfigureX509ChainOptions.cs
@@ -28,6 +28,8 @@ internal sealed class PostConfigureX509ChainOptions : IPostConfigureOptions<X509
 
     public void PostConfigure(string? name, X509ChainOptions options)
     {
+        // We don't register or request a named instance of these options,
+        // so don't customize it.
         if (name != Options.DefaultName)
         {
             return;
diff --git a/src/Core/Platform/X509ChainCustomization/X509ChainOptions.cs b/src/Core/Platform/X509ChainCustomization/X509ChainOptions.cs
index 19cbd73ae3..bcfed0d437 100644
--- a/src/Core/Platform/X509ChainCustomization/X509ChainOptions.cs
+++ b/src/Core/Platform/X509ChainCustomization/X509ChainOptions.cs
@@ -7,7 +7,8 @@ using System.Security.Cryptography.X509Certificates;
 namespace Bit.Core.Platform.X509ChainCustomization;
 
 /// <summary>
-/// Allows for customization of 
+/// Allows for customization of the <see cref="X509ChainPolicy"/> and access to a custom server certificate validator
+/// if customization has been made.
 /// </summary>
 public sealed class X509ChainOptions
 {

From 665ae0cf2464311061bedf30ad60680586ebefd9 Mon Sep 17 00:00:00 2001
From: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Date: Fri, 4 Apr 2025 12:08:52 -0400
Subject: [PATCH 167/184] Fix places I am still calling it TLS options

---
 ...ustomizationServiceCollectionExtensions.cs | 10 +++++-----
 .../MailKitSmtpMailDeliveryService.cs         |  8 ++++----
 .../MailKitSmtpMailDeliveryServiceTests.cs    | 20 +++++++++----------
 ...izationServiceCollectionExtensionsTests.cs |  2 +-
 4 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/src/Core/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensions.cs b/src/Core/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensions.cs
index 45de2c5460..780bf70f7f 100644
--- a/src/Core/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensions.cs
+++ b/src/Core/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensions.cs
@@ -5,12 +5,12 @@ using Microsoft.Extensions.DependencyInjection.Extensions;
 namespace Microsoft.Extensions.DependencyInjection;
 
 /// <summary>
-/// Extension methods for setting up the ability to provide customization to how TLS works in an <see cref="IServiceCollection"/>.
+/// Extension methods for setting up the ability to provide customization to how X509 chain validation works in an <see cref="IServiceCollection"/>.
 /// </summary>
 public static class X509ChainCustomizationServiceCollectionExtensions
 {
     /// <summary>
-    /// Configures X509ChainPolicy customization through the root level <c>TlsOptions</c> configuration section
+    /// Configures X509ChainPolicy customization through the root level <c>X509ChainOptions</c> configuration section
     /// and configures the primary <see cref="HttpMessageHandler"/> to use custom certificate validation
     /// when customized to do so.
     /// </summary>
@@ -23,7 +23,7 @@ public static class X509ChainCustomizationServiceCollectionExtensions
         services.AddOptions<X509ChainOptions>()
             .BindConfiguration(nameof(X509ChainOptions));
 
-        // Use TryAddEnumerable to make sure `PostConfigureTlsOptions` isn't added multiple
+        // Use TryAddEnumerable to make sure `PostConfigureX509ChainOptions` isn't added multiple
         // times even if this method is called multiple times.
         services.TryAddEnumerable(ServiceDescriptor.Singleton<IPostConfigureOptions<X509ChainOptions>, PostConfigureX509ChainOptions>());
 
@@ -32,11 +32,11 @@ public static class X509ChainCustomizationServiceCollectionExtensions
             {
                 builder.ConfigurePrimaryHttpMessageHandler(sp =>
                 {
-                    var tlsOptions = sp.GetRequiredService<IOptions<X509ChainOptions>>().Value;
+                    var x509ChainOptions = sp.GetRequiredService<IOptions<X509ChainOptions>>().Value;
 
                     var handler = new HttpClientHandler();
 
-                    if (tlsOptions.TryGetCustomRemoteCertificateValidationCallback(out var callback))
+                    if (x509ChainOptions.TryGetCustomRemoteCertificateValidationCallback(out var callback))
                     {
                         handler.ServerCertificateCustomValidationCallback = (sender, certificate, chain, errors) =>
                         {
diff --git a/src/Core/Services/Implementations/MailKitSmtpMailDeliveryService.cs b/src/Core/Services/Implementations/MailKitSmtpMailDeliveryService.cs
index f9a6762772..3a7cabd39e 100644
--- a/src/Core/Services/Implementations/MailKitSmtpMailDeliveryService.cs
+++ b/src/Core/Services/Implementations/MailKitSmtpMailDeliveryService.cs
@@ -13,14 +13,14 @@ public class MailKitSmtpMailDeliveryService : IMailDeliveryService
 {
     private readonly GlobalSettings _globalSettings;
     private readonly ILogger<MailKitSmtpMailDeliveryService> _logger;
-    private readonly X509ChainOptions _x509CertificateCustomization;
+    private readonly X509ChainOptions _x509ChainOptions;
     private readonly string _replyDomain;
     private readonly string _replyEmail;
 
     public MailKitSmtpMailDeliveryService(
         GlobalSettings globalSettings,
         ILogger<MailKitSmtpMailDeliveryService> logger,
-        IOptions<X509ChainOptions> tlsOptions)
+        IOptions<X509ChainOptions> x509ChainOptions)
     {
         if (globalSettings.Mail?.Smtp?.Host == null)
         {
@@ -36,7 +36,7 @@ public class MailKitSmtpMailDeliveryService : IMailDeliveryService
 
         _globalSettings = globalSettings;
         _logger = logger;
-        _x509CertificateCustomization = tlsOptions.Value;
+        _x509ChainOptions = x509ChainOptions.Value;
     }
 
     public async Task SendEmailAsync(Models.Mail.MailMessage message)
@@ -81,7 +81,7 @@ public class MailKitSmtpMailDeliveryService : IMailDeliveryService
             {
                 client.ServerCertificateValidationCallback = (s, c, h, e) => true;
             }
-            else if (_x509CertificateCustomization.TryGetCustomRemoteCertificateValidationCallback(out var callback))
+            else if (_x509ChainOptions.TryGetCustomRemoteCertificateValidationCallback(out var callback))
             {
                 client.ServerCertificateValidationCallback = (sender, cert, chain, errors) =>
                 {
diff --git a/test/Core.IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs b/test/Core.IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs
index 7914a6d147..8668263fa4 100644
--- a/test/Core.IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs
+++ b/test/Core.IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs
@@ -1,9 +1,9 @@
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using Bit.Core.Models.Mail;
+using Bit.Core.Platform.X509ChainCustomization;
 using Bit.Core.Services;
 using Bit.Core.Settings;
-using Bit.Core.Platform.TlsCustomization;
 using MailKit.Security;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Logging.Abstractions;
@@ -103,7 +103,7 @@ public class MailKitSmtpMailDeliveryServiceTests
         var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
             globalSettings,
             NullLogger<MailKitSmtpMailDeliveryService>.Instance,
-            Options.Create(new X509CertificateCustomizationOptions())
+            Options.Create(new X509ChainOptions())
         );
 
         await Assert.ThrowsAsync<SslHandshakeException>(
@@ -133,7 +133,7 @@ public class MailKitSmtpMailDeliveryServiceTests
             gs.Mail.Smtp.Ssl = true;
         });
 
-        var tlsOptions = new X509CertificateCustomizationOptions
+        var x509ChainOptions = new X509ChainOptions
         {
             AdditionalCustomTrustCertificates =
             [
@@ -144,7 +144,7 @@ public class MailKitSmtpMailDeliveryServiceTests
         var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
             globalSettings,
             NullLogger<MailKitSmtpMailDeliveryService>.Instance,
-            Options.Create(tlsOptions)
+            Options.Create(x509ChainOptions)
         );
 
         var tcs = new TaskCompletionSource();
@@ -188,7 +188,7 @@ public class MailKitSmtpMailDeliveryServiceTests
             gs.Mail.Smtp.Ssl = true;
         });
 
-        var tlsOptions = new X509CertificateCustomizationOptions
+        var x509ChainOptions = new X509ChainOptions
         {
             AdditionalCustomTrustCertificates =
             [
@@ -200,7 +200,7 @@ public class MailKitSmtpMailDeliveryServiceTests
         var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
             globalSettings,
             NullLogger<MailKitSmtpMailDeliveryService>.Instance,
-            Options.Create(tlsOptions)
+            Options.Create(x509ChainOptions)
         );
 
         var tcs = new TaskCompletionSource();
@@ -248,7 +248,7 @@ public class MailKitSmtpMailDeliveryServiceTests
         var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
             globalSettings,
             NullLogger<MailKitSmtpMailDeliveryService>.Instance,
-            Options.Create(new X509CertificateCustomizationOptions())
+            Options.Create(new X509ChainOptions())
         );
 
         var tcs = new TaskCompletionSource();
@@ -295,7 +295,7 @@ public class MailKitSmtpMailDeliveryServiceTests
         var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
             globalSettings,
             NullLogger<MailKitSmtpMailDeliveryService>.Instance,
-            Options.Create(new X509CertificateCustomizationOptions())
+            Options.Create(new X509ChainOptions())
         );
 
         var cts = new CancellationTokenSource(TimeSpan.FromSeconds(5));
@@ -331,7 +331,7 @@ public class MailKitSmtpMailDeliveryServiceTests
         var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
             globalSettings,
             NullLogger<MailKitSmtpMailDeliveryService>.Instance,
-            Options.Create(new X509CertificateCustomizationOptions())
+            Options.Create(new X509ChainOptions())
         );
 
         var tcs = new TaskCompletionSource();
@@ -398,7 +398,7 @@ public class MailKitSmtpMailDeliveryServiceTests
         var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
             globalSettings,
             NullLogger<MailKitSmtpMailDeliveryService>.Instance,
-            Options.Create(new X509CertificateCustomizationOptions())
+            Options.Create(new X509ChainOptions())
         );
 
         var tcs = new TaskCompletionSource();
diff --git a/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs b/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
index 2af9b7cc8a..30eb19d8c0 100644
--- a/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
+++ b/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
@@ -9,7 +9,7 @@ using Microsoft.Extensions.Options;
 using NSubstitute;
 using Xunit;
 
-namespace Bit.Core.Test.Platform.TlsCustomization;
+namespace Bit.Core.Test.Platform.X509ChainCustomization;
 
 public class X509ChainCustomizationServiceCollectionExtensionsTests
 {

From 32567f0fecf341835e9701c36b65f66b505fab8a Mon Sep 17 00:00:00 2001
From: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Date: Fri, 4 Apr 2025 12:22:43 -0400
Subject: [PATCH 168/184] Format

---
 ...ainCustomizationServiceCollectionExtensionsTests.cs | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs b/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
index 30eb19d8c0..d4f927f4a1 100644
--- a/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
+++ b/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
@@ -1,4 +1,4 @@
-using System.Security.Cryptography;
+using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using Bit.Core.Platform.X509ChainCustomization;
 using Bit.Core.Settings;
@@ -24,7 +24,7 @@ public class X509ChainCustomizationServiceCollectionExtensionsTests
     public async Task OptionsPatternReturnsCachedValue()
     {
         var tempDir = Directory.CreateTempSubdirectory("certs");
-        
+
         var tempCert = Path.Combine(tempDir.FullName, "test.crt");
         await File.WriteAllBytesAsync(tempCert, CreateSelfSignedCert("localhost").Export(X509ContentType.Cert));
 
@@ -36,7 +36,7 @@ public class X509ChainCustomizationServiceCollectionExtensionsTests
 
             config["X509ChainOptions:AdditionalCustomTrustCertificatesDirectory"] = tempDir.FullName;
         });
-        
+
         // Create options once
         var firstOptions = services.GetRequiredService<IOptions<X509ChainOptions>>().Value;
 
@@ -61,7 +61,7 @@ public class X509ChainCustomizationServiceCollectionExtensionsTests
     public async Task DoesNotProvideCustomCallbackOnCloud()
     {
         var tempDir = Directory.CreateTempSubdirectory("certs");
-        
+
         var tempCert = Path.Combine(tempDir.FullName, "test.crt");
         await File.WriteAllBytesAsync(tempCert, CreateSelfSignedCert("localhost").Export(X509ContentType.Cert));
 
@@ -81,7 +81,7 @@ public class X509ChainCustomizationServiceCollectionExtensionsTests
     public async Task ManuallyAddingOptionsTakesPrecedence()
     {
         var tempDir = Directory.CreateTempSubdirectory("certs");
-        
+
         var tempCert = Path.Combine(tempDir.FullName, "test.crt");
         await File.WriteAllBytesAsync(tempCert, CreateSelfSignedCert("localhost").Export(X509ContentType.Cert));
 

From c34c31aaa195935a92e5538615f5eacb3fd0de0c Mon Sep 17 00:00:00 2001
From: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Date: Fri, 4 Apr 2025 12:31:07 -0400
Subject: [PATCH 169/184] Format from root

---
 .../PostConfigureX509ChainOptions.cs                      | 8 ++++----
 .../X509ChainCustomizationServiceCollectionExtensions.cs  | 4 ++--
 .../Platform/X509ChainCustomization/X509ChainOptions.cs   | 4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/Core/Platform/X509ChainCustomization/PostConfigureX509ChainOptions.cs b/src/Core/Platform/X509ChainCustomization/PostConfigureX509ChainOptions.cs
index 583672f2f2..963294e85f 100644
--- a/src/Core/Platform/X509ChainCustomization/PostConfigureX509ChainOptions.cs
+++ b/src/Core/Platform/X509ChainCustomization/PostConfigureX509ChainOptions.cs
@@ -1,10 +1,10 @@
-#nullable enable
+#nullable enable
 
 using System.Security.Cryptography.X509Certificates;
-using Microsoft.Extensions.Options;
-using Microsoft.Extensions.Logging;
-using Microsoft.Extensions.Hosting;
 using Bit.Core.Settings;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
 
 namespace Bit.Core.Platform.X509ChainCustomization;
 
diff --git a/src/Core/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensions.cs b/src/Core/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensions.cs
index 780bf70f7f..46bd5b37e6 100644
--- a/src/Core/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensions.cs
+++ b/src/Core/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensions.cs
@@ -1,6 +1,6 @@
-using Bit.Core.Platform.X509ChainCustomization;
-using Microsoft.Extensions.Options;
+using Bit.Core.Platform.X509ChainCustomization;
 using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.Extensions.Options;
 
 namespace Microsoft.Extensions.DependencyInjection;
 
diff --git a/src/Core/Platform/X509ChainCustomization/X509ChainOptions.cs b/src/Core/Platform/X509ChainCustomization/X509ChainOptions.cs
index bcfed0d437..189a1087f5 100644
--- a/src/Core/Platform/X509ChainCustomization/X509ChainOptions.cs
+++ b/src/Core/Platform/X509ChainCustomization/X509ChainOptions.cs
@@ -1,4 +1,4 @@
-#nullable enable
+#nullable enable
 
 using System.Diagnostics.CodeAnalysis;
 using System.Net.Security;
@@ -45,7 +45,7 @@ public sealed class X509ChainOptions
     /// </returns>
     [MemberNotNullWhen(true, nameof(AdditionalCustomTrustCertificates))]
     public bool TryGetCustomRemoteCertificateValidationCallback(
-        [MaybeNullWhen(false)]out Func<X509Certificate2?, X509Chain?, SslPolicyErrors, bool> callback)
+        [MaybeNullWhen(false)] out Func<X509Certificate2?, X509Chain?, SslPolicyErrors, bool> callback)
     {
         callback = null;
         if (AdditionalCustomTrustCertificates == null || AdditionalCustomTrustCertificates.Count == 0)

From f5e10d606281b328b5a14f3fc80a03ffaddbede7 Mon Sep 17 00:00:00 2001
From: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Date: Fri, 4 Apr 2025 13:56:51 -0400
Subject: [PATCH 170/184] Add more tests

---
 test/Core.Test/Core.Test.csproj               |   1 +
 ...izationServiceCollectionExtensionsTests.cs | 111 ++++++++++++++++--
 2 files changed, 100 insertions(+), 12 deletions(-)

diff --git a/test/Core.Test/Core.Test.csproj b/test/Core.Test/Core.Test.csproj
index baace97710..cc19c50c35 100644
--- a/test/Core.Test/Core.Test.csproj
+++ b/test/Core.Test/Core.Test.csproj
@@ -10,6 +10,7 @@
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>
+    <PackageReference Include="Microsoft.Extensions.Diagnostics.Testing" Version="9.3.0" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNetTestSdkVersion)" />
     <PackageReference Include="NSubstitute" Version="$(NSubstituteVersion)" />
     <PackageReference Include="xunit" Version="$(XUnitVersion)" />
diff --git a/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs b/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
index d4f927f4a1..703a37cc30 100644
--- a/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
+++ b/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
@@ -5,6 +5,7 @@ using Bit.Core.Settings;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using NSubstitute;
 using Xunit;
@@ -30,10 +31,6 @@ public class X509ChainCustomizationServiceCollectionExtensionsTests
 
         var services = CreateServices((gs, environment, config) =>
         {
-            gs.SelfHosted = true;
-
-            environment.EnvironmentName = "Development";
-
             config["X509ChainOptions:AdditionalCustomTrustCertificatesDirectory"] = tempDir.FullName;
         });
 
@@ -69,8 +66,6 @@ public class X509ChainCustomizationServiceCollectionExtensionsTests
         {
             gs.SelfHosted = false;
 
-            environment.EnvironmentName = "Development";
-
             config["X509ChainOptions:AdditionalCustomTrustCertificatesDirectory"] = tempDir.FullName;
         });
 
@@ -85,12 +80,8 @@ public class X509ChainCustomizationServiceCollectionExtensionsTests
         var tempCert = Path.Combine(tempDir.FullName, "test.crt");
         await File.WriteAllBytesAsync(tempCert, CreateSelfSignedCert("localhost").Export(X509ContentType.Cert));
 
-        var options = CreateOptions((gs, environment, config) =>
+        var services = CreateServices((gs, environment, config) =>
         {
-            gs.SelfHosted = false;
-
-            environment.EnvironmentName = "Development";
-
             config["X509ChainOptions:AdditionalCustomTrustCertificatesDirectory"] = tempDir.FullName;
         }, services =>
         {
@@ -100,9 +91,95 @@ public class X509ChainCustomizationServiceCollectionExtensionsTests
             });
         });
 
+        var options = services.GetRequiredService<IOptions<X509ChainOptions>>().Value;
+
         Assert.True(options.TryGetCustomRemoteCertificateValidationCallback(out var callback));
         var cert = Assert.Single(options.AdditionalCustomTrustCertificates);
         Assert.Equal("CN=example.com", cert.Subject);
+
+        var fakeLogCollector = services.GetFakeLogCollector();
+
+        Assert.Contains(fakeLogCollector.GetSnapshot(),
+            r => r.Message == $"Additional custom trust certificates were added directly, skipping loading them from '{tempDir}'");
+    }
+
+    [Fact]
+    public void NullCustomDirectory_SkipsTryingToLoad()
+    {
+        var services = CreateServices((gs, environment, config) =>
+        {
+            config["X509ChainOptions:AdditionalCustomTrustCertificatesDirectory"] = null;
+        });
+
+        var options = services.GetRequiredService<IOptions<X509ChainOptions>>().Value;
+
+        Assert.False(options.TryGetCustomRemoteCertificateValidationCallback(out _));
+    }
+
+    [Theory]
+    [InlineData("Development", LogLevel.Debug)]
+    [InlineData("Production", LogLevel.Warning)]
+    public void CustomDirectoryDoesNotExist_Logs(string environment, LogLevel logLevel)
+    {
+        var fakeDir = "/fake/dir/that/does/not/exist";
+        var services = CreateServices((gs, hostEnvironment, config) =>
+        {
+            hostEnvironment.EnvironmentName = environment;
+
+            config["X509ChainOptions:AdditionalCustomTrustCertificatesDirectory"] = fakeDir;
+        });
+
+        var options = services.GetRequiredService<IOptions<X509ChainOptions>>().Value;
+
+        Assert.False(options.TryGetCustomRemoteCertificateValidationCallback(out _));
+
+        var fakeLogCollector = services.GetFakeLogCollector();
+
+        Assert.Contains(fakeLogCollector.GetSnapshot(),
+            r => r.Message == $"An additional custom trust certificate directory was given '{fakeDir}' but that directory does not exist."
+                && r.Level == logLevel
+        );
+    }
+
+    [Fact]
+    public async Task NamedOptions_NotConfiguredAsync()
+    {
+        // To help make sure this fails for the right reason we should add certs to the directory
+        var tempDir = Directory.CreateTempSubdirectory("certs");
+
+        var tempCert = Path.Combine(tempDir.FullName, "test.crt");
+        await File.WriteAllBytesAsync(tempCert, CreateSelfSignedCert("localhost").Export(X509ContentType.Cert));
+
+        var services = CreateServices((gs, environment, config) =>
+        {
+            config["X509ChainOptions:AdditionalCustomTrustCertificatesDirectory"] = tempDir.FullName;
+        });
+
+        var options = services.GetRequiredService<IOptionsMonitor<X509ChainOptions>>();
+
+        var namedOptions = options.Get("SomeName");
+
+        Assert.Null(namedOptions.AdditionalCustomTrustCertificates);
+    }
+
+    [Fact]
+    public void CustomLocation_NoCertificates_Logs()
+    {
+        var tempDir = Directory.CreateTempSubdirectory("certs");
+        var services = CreateServices((gs, hostEnvironment, config) =>
+        {
+            config["X509ChainOptions:AdditionalCustomTrustCertificatesDirectory"] = tempDir.FullName;
+        });
+
+        var options = services.GetRequiredService<IOptions<X509ChainOptions>>().Value;
+
+        Assert.False(options.TryGetCustomRemoteCertificateValidationCallback(out _));
+
+        var fakeLogCollector = services.GetFakeLogCollector();
+
+        Assert.Contains(fakeLogCollector.GetSnapshot(),
+            r => r.Message == $"No additional custom trust certificates were found in '{tempDir.FullName}'"
+        );
     }
 
     private static X509ChainOptions CreateOptions(Action<GlobalSettings, IHostEnvironment, Dictionary<string, string>> configure, Action<IServiceCollection>? after = null)
@@ -113,13 +190,23 @@ public class X509ChainCustomizationServiceCollectionExtensionsTests
 
     private static IServiceProvider CreateServices(Action<GlobalSettings, IHostEnvironment, Dictionary<string, string>> configure, Action<IServiceCollection>? after = null)
     {
-        var globalSettings = new GlobalSettings();
+        var globalSettings = new GlobalSettings
+        {
+            // A solid default for these tests as these settings aren't allowed to work in cloud.
+            SelfHosted = true,
+        };
         var hostEnvironment = Substitute.For<IHostEnvironment>();
+        hostEnvironment.EnvironmentName = "Development";
         var config = new Dictionary<string, string>();
 
         configure(globalSettings, hostEnvironment, config);
 
         var services = new ServiceCollection();
+        services.AddLogging(logging =>
+        {
+            logging.SetMinimumLevel(LogLevel.Debug);
+            logging.AddFakeLogging();
+        });
         services.AddSingleton(globalSettings);
         services.AddSingleton(hostEnvironment);
         services.AddSingleton<IConfiguration>(

From 62bdd91cf3095b1cb170cdd1007e1aa3d3145127 Mon Sep 17 00:00:00 2001
From: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Date: Fri, 4 Apr 2025 15:02:21 -0400
Subject: [PATCH 171/184] Add HTTP Tests

---
 ...izationServiceCollectionExtensionsTests.cs | 104 +++++++++++++++++-
 1 file changed, 103 insertions(+), 1 deletion(-)

diff --git a/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs b/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
index 703a37cc30..06ce513b51 100644
--- a/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
+++ b/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
@@ -1,7 +1,11 @@
-using System.Security.Cryptography;
+using System.Security.Authentication;
+using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using Bit.Core.Platform.X509ChainCustomization;
 using Bit.Core.Settings;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Server.Kestrel.Https;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
@@ -182,6 +186,104 @@ public class X509ChainCustomizationServiceCollectionExtensionsTests
         );
     }
 
+    [Fact]
+    public async Task CallHttpWithSelfSignedCert_SelfSignedCertificateConfigured_Works()
+    {
+        var selfSignedCertificate = CreateSelfSignedCert("localhost");
+        await using var app = await CreateServerAsync(55555, options =>
+        {
+            options.ServerCertificate = selfSignedCertificate;
+        });
+
+        var services = CreateServices((gs, environment, config) => {}, services =>
+        {
+            services.Configure<X509ChainOptions>(options =>
+            {
+                options.AdditionalCustomTrustCertificates = [selfSignedCertificate];
+            });
+        });
+
+        var httpClient = services.GetRequiredService<IHttpClientFactory>().CreateClient();
+
+        var response = await httpClient.GetStringAsync("https://localhost:55555");
+        Assert.Equal("Hi", response);
+    }
+
+    [Fact]
+    public async Task CallHttpWithSelfSignedCert_SelfSignedCertificateNotConfigured_Throws()
+    {
+        var selfSignedCertificate = CreateSelfSignedCert("localhost");
+        await using var app = await CreateServerAsync(55556, options =>
+        {
+            options.ServerCertificate = selfSignedCertificate;
+        });
+
+        var services = CreateServices((gs, environment, config) => {}, services =>
+        {
+            services.Configure<X509ChainOptions>(options =>
+            {
+                options.AdditionalCustomTrustCertificates = [CreateSelfSignedCert("example.com")];
+            });
+        });
+
+        var httpClient = services.GetRequiredService<IHttpClientFactory>().CreateClient();
+
+        var requestException = await Assert.ThrowsAsync<HttpRequestException>(async () => await httpClient.GetStringAsync("https://localhost:55556"));
+        Assert.NotNull(requestException.InnerException);
+        var authenticationException = Assert.IsAssignableFrom<AuthenticationException>(requestException.InnerException);
+        Assert.Equal("The remote certificate was rejected by the provided RemoteCertificateValidationCallback.", authenticationException.Message);
+    }
+
+    [Fact]
+    public async Task CallHttpWithSelfSignedCert_SelfSignedCertificateConfigured_WithExtraCert_Works()
+    {
+        var selfSignedCertificate = CreateSelfSignedCert("localhost");
+        await using var app = await CreateServerAsync(55557, options =>
+        {
+            options.ServerCertificate = selfSignedCertificate;
+        });
+
+        var services = CreateServices((gs, environment, config) => {}, services =>
+        {
+            services.Configure<X509ChainOptions>(options =>
+            {
+                options.AdditionalCustomTrustCertificates = [selfSignedCertificate, CreateSelfSignedCert("example.com")];
+            });
+        });
+
+        var httpClient = services.GetRequiredService<IHttpClientFactory>().CreateClient();
+
+        var response = await httpClient.GetStringAsync("https://localhost:55557");
+        Assert.Equal("Hi", response);
+    }
+
+    private static async Task<IAsyncDisposable> CreateServerAsync(int port, Action<HttpsConnectionAdapterOptions> configure)
+    {
+        // Start HTTP Server with self signed cert
+        var builder = WebApplication.CreateSlimBuilder();
+        builder.Logging.AddFakeLogging();
+        builder.Services.AddRoutingCore();
+        builder.WebHost.UseKestrelCore()
+            .ConfigureKestrel(options =>
+            {
+                options.ListenLocalhost(port, listenOptions =>
+                {
+                    listenOptions.UseHttps(httpsOptions =>
+                    {
+                        configure(httpsOptions);
+                    });
+                });
+            });
+
+        var app = builder.Build();
+
+        app.MapGet("/", () => "Hi");
+
+        await app.StartAsync();
+
+        return app;
+    }
+
     private static X509ChainOptions CreateOptions(Action<GlobalSettings, IHostEnvironment, Dictionary<string, string>> configure, Action<IServiceCollection>? after = null)
     {
         var services = CreateServices(configure, after);

From 0400ae187af10c93a5d4ce3336b59a4e9b46b0d3 Mon Sep 17 00:00:00 2001
From: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Date: Fri, 4 Apr 2025 15:03:59 -0400
Subject: [PATCH 172/184] Format

---
 ...509ChainCustomizationServiceCollectionExtensionsTests.cs | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs b/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
index 06ce513b51..a9762e3a65 100644
--- a/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
+++ b/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
@@ -195,7 +195,7 @@ public class X509ChainCustomizationServiceCollectionExtensionsTests
             options.ServerCertificate = selfSignedCertificate;
         });
 
-        var services = CreateServices((gs, environment, config) => {}, services =>
+        var services = CreateServices((gs, environment, config) => { }, services =>
         {
             services.Configure<X509ChainOptions>(options =>
             {
@@ -218,7 +218,7 @@ public class X509ChainCustomizationServiceCollectionExtensionsTests
             options.ServerCertificate = selfSignedCertificate;
         });
 
-        var services = CreateServices((gs, environment, config) => {}, services =>
+        var services = CreateServices((gs, environment, config) => { }, services =>
         {
             services.Configure<X509ChainOptions>(options =>
             {
@@ -243,7 +243,7 @@ public class X509ChainCustomizationServiceCollectionExtensionsTests
             options.ServerCertificate = selfSignedCertificate;
         });
 
-        var services = CreateServices((gs, environment, config) => {}, services =>
+        var services = CreateServices((gs, environment, config) => { }, services =>
         {
             services.Configure<X509ChainOptions>(options =>
             {

From 0bad7a6e5f265b5bcfeacd77b489e9f0cc21739c Mon Sep 17 00:00:00 2001
From: Shane Melton <smelton@bitwarden.com>
Date: Fri, 4 Apr 2025 13:43:11 -0700
Subject: [PATCH 173/184] [PM-10611] Add missing TaskId to push notification
 payloads (#5604)

* [PM-10611] Add missing TaskId to push notification payloads

* [PM-10611] Fix test
---
 src/Core/Models/PushNotification.cs                             | 1 +
 .../NotificationHub/NotificationHubPushNotificationService.cs   | 2 ++
 .../Platform/Push/Services/AzureQueuePushNotificationService.cs | 2 ++
 .../Push/Services/NotificationsApiPushNotificationService.cs    | 2 ++
 src/Core/Platform/Push/Services/RelayPushNotificationService.cs | 2 ++
 .../NotificationHubPushNotificationServiceTests.cs              | 1 +
 6 files changed, 10 insertions(+)

diff --git a/src/Core/Models/PushNotification.cs b/src/Core/Models/PushNotification.cs
index 63058be692..83c6f577d4 100644
--- a/src/Core/Models/PushNotification.cs
+++ b/src/Core/Models/PushNotification.cs
@@ -56,6 +56,7 @@ public class NotificationPushNotification
     public Guid? UserId { get; set; }
     public Guid? OrganizationId { get; set; }
     public Guid? InstallationId { get; set; }
+    public Guid? TaskId { get; set; }
     public string? Title { get; set; }
     public string? Body { get; set; }
     public DateTime CreationDate { get; set; }
diff --git a/src/Core/NotificationHub/NotificationHubPushNotificationService.cs b/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
index a28b21f465..55badf80e4 100644
--- a/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
+++ b/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
@@ -212,6 +212,7 @@ public class NotificationHubPushNotificationService : IPushNotificationService
             UserId = notification.UserId,
             OrganizationId = notification.OrganizationId,
             InstallationId = installationId,
+            TaskId = notification.TaskId,
             Title = notification.Title,
             Body = notification.Body,
             CreationDate = notification.CreationDate,
@@ -263,6 +264,7 @@ public class NotificationHubPushNotificationService : IPushNotificationService
             UserId = notification.UserId,
             OrganizationId = notification.OrganizationId,
             InstallationId = installationId,
+            TaskId = notification.TaskId,
             Title = notification.Title,
             Body = notification.Body,
             CreationDate = notification.CreationDate,
diff --git a/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs b/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
index e61dd15f0d..a9140796f2 100644
--- a/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
@@ -188,6 +188,7 @@ public class AzureQueuePushNotificationService : IPushNotificationService
             UserId = notification.UserId,
             OrganizationId = notification.OrganizationId,
             InstallationId = notification.Global ? _globalSettings.Installation.Id : null,
+            TaskId = notification.TaskId,
             Title = notification.Title,
             Body = notification.Body,
             CreationDate = notification.CreationDate,
@@ -208,6 +209,7 @@ public class AzureQueuePushNotificationService : IPushNotificationService
             UserId = notification.UserId,
             OrganizationId = notification.OrganizationId,
             InstallationId = notification.Global ? _globalSettings.Installation.Id : null,
+            TaskId = notification.TaskId,
             Title = notification.Title,
             Body = notification.Body,
             CreationDate = notification.CreationDate,
diff --git a/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs b/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
index 53a0de9a27..d5cc0819cd 100644
--- a/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
@@ -201,6 +201,7 @@ public class NotificationsApiPushNotificationService : BaseIdentityClientService
             UserId = notification.UserId,
             OrganizationId = notification.OrganizationId,
             InstallationId = notification.Global ? _globalSettings.Installation.Id : null,
+            TaskId = notification.TaskId,
             Title = notification.Title,
             Body = notification.Body,
             CreationDate = notification.CreationDate,
@@ -221,6 +222,7 @@ public class NotificationsApiPushNotificationService : BaseIdentityClientService
             UserId = notification.UserId,
             OrganizationId = notification.OrganizationId,
             InstallationId = notification.Global ? _globalSettings.Installation.Id : null,
+            TaskId = notification.TaskId,
             Title = notification.Title,
             Body = notification.Body,
             CreationDate = notification.CreationDate,
diff --git a/src/Core/Platform/Push/Services/RelayPushNotificationService.cs b/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
index 53f5835322..c9e77bf17f 100644
--- a/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
@@ -210,6 +210,7 @@ public class RelayPushNotificationService : BaseIdentityClientService, IPushNoti
             UserId = notification.UserId,
             OrganizationId = notification.OrganizationId,
             InstallationId = notification.Global ? _globalSettings.Installation.Id : null,
+            TaskId = notification.TaskId,
             Title = notification.Title,
             Body = notification.Body,
             CreationDate = notification.CreationDate,
@@ -247,6 +248,7 @@ public class RelayPushNotificationService : BaseIdentityClientService, IPushNoti
             UserId = notification.UserId,
             OrganizationId = notification.OrganizationId,
             InstallationId = notification.Global ? _globalSettings.Installation.Id : null,
+            TaskId = notification.TaskId,
             Title = notification.Title,
             Body = notification.Body,
             CreationDate = notification.CreationDate,
diff --git a/test/Core.Test/NotificationHub/NotificationHubPushNotificationServiceTests.cs b/test/Core.Test/NotificationHub/NotificationHubPushNotificationServiceTests.cs
index 831d048224..2ae3d739a8 100644
--- a/test/Core.Test/NotificationHub/NotificationHubPushNotificationServiceTests.cs
+++ b/test/Core.Test/NotificationHub/NotificationHubPushNotificationServiceTests.cs
@@ -507,6 +507,7 @@ public class NotificationHubPushNotificationServiceTests
             UserId = notification.UserId,
             OrganizationId = notification.OrganizationId,
             InstallationId = installationId,
+            TaskId = notification.TaskId,
             Title = notification.Title,
             Body = notification.Body,
             CreationDate = notification.CreationDate,

From ee4678453bc96d137c2f7be372f44f0d283ce67a Mon Sep 17 00:00:00 2001
From: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Date: Sun, 6 Apr 2025 10:06:42 -0400
Subject: [PATCH 174/184] Switch to empty builder

---
 .../X509ChainCustomizationServiceCollectionExtensionsTests.cs | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs b/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
index a9762e3a65..2a4ed55489 100644
--- a/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
+++ b/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
@@ -259,9 +259,7 @@ public class X509ChainCustomizationServiceCollectionExtensionsTests
 
     private static async Task<IAsyncDisposable> CreateServerAsync(int port, Action<HttpsConnectionAdapterOptions> configure)
     {
-        // Start HTTP Server with self signed cert
-        var builder = WebApplication.CreateSlimBuilder();
-        builder.Logging.AddFakeLogging();
+        var builder = WebApplication.CreateEmptyBuilder(new WebApplicationOptions());
         builder.Services.AddRoutingCore();
         builder.WebHost.UseKestrelCore()
             .ConfigureKestrel(options =>

From 2c27c8447d885f9893f2bc713af90ba00489f724 Mon Sep 17 00:00:00 2001
From: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Date: Sun, 6 Apr 2025 10:28:07 -0400
Subject: [PATCH 175/184] Remove unneeded helper

---
 .../MailKitSmtpMailDeliveryServiceTests.cs                 | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/test/Core.IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs b/test/Core.IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs
index 8668263fa4..24c477cf05 100644
--- a/test/Core.IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs
+++ b/test/Core.IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs
@@ -1,4 +1,4 @@
-using System.Security.Cryptography;
+using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using Bit.Core.Models.Mail;
 using Bit.Core.Platform.X509ChainCustomization;
@@ -32,11 +32,6 @@ public class MailKitSmtpMailDeliveryServiceTests
         return certRequest.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(1));
     }
 
-    private static async Task SaveCertAsync(string filePath, X509Certificate2 certificate)
-    {
-        await File.WriteAllBytesAsync(filePath, certificate.Export(X509ContentType.Cert));
-    }
-
     private static void ConfigureSmtpServerLogging(ITestOutputHelper testOutputHelper)
     {
         // Unfortunately this package doesn't public expose its logging infrastructure

From a94e7047e79e29d29e279adb45d75d1c3b657eef Mon Sep 17 00:00:00 2001
From: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Date: Sun, 6 Apr 2025 10:29:57 -0400
Subject: [PATCH 176/184] Configure logging only once

---
 .../MailKitSmtpMailDeliveryServiceTests.cs               | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/test/Core.IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs b/test/Core.IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs
index 24c477cf05..38c18f26f9 100644
--- a/test/Core.IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs
+++ b/test/Core.IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs
@@ -1,4 +1,4 @@
-using System.Security.Cryptography;
+using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using Bit.Core.Models.Mail;
 using Bit.Core.Platform.X509ChainCustomization;
@@ -16,6 +16,7 @@ namespace Bit.Core.IntegrationTest;
 
 public class MailKitSmtpMailDeliveryServiceTests
 {
+    private static int _loggingConfigured;
     private readonly X509Certificate2 _selfSignedCert;
 
     public MailKitSmtpMailDeliveryServiceTests(ITestOutputHelper testOutputHelper)
@@ -34,6 +35,12 @@ public class MailKitSmtpMailDeliveryServiceTests
 
     private static void ConfigureSmtpServerLogging(ITestOutputHelper testOutputHelper)
     {
+        // The logging in SmtpServer is configured statically so if we add it for each test it duplicates
+        // but we cant add the logger statically either because we need ITestOutputHelper
+        if (Interlocked.CompareExchange(ref _loggingConfigured, 1, 0) == 0)
+        {
+            return;
+        }
         // Unfortunately this package doesn't public expose its logging infrastructure
         // so we use private reflection to try and access it. 
         try

From e53e701097ad28854f2aa8f3ccdb6e69fd87db8b Mon Sep 17 00:00:00 2001
From: cyprain-okeke <108260115+cyprain-okeke@users.noreply.github.com>
Date: Mon, 7 Apr 2025 11:32:38 +0100
Subject: [PATCH 177/184] Initial commit (#5612)

---
 .../SubscriptionDeletedHandlerTests.cs        | 176 +++++++++
 .../SubscriptionUpdatedHandlerTests.cs        | 361 ++++++++++++++++++
 2 files changed, 537 insertions(+)
 create mode 100644 test/Billing.Test/Services/SubscriptionDeletedHandlerTests.cs
 create mode 100644 test/Billing.Test/Services/SubscriptionUpdatedHandlerTests.cs

diff --git a/test/Billing.Test/Services/SubscriptionDeletedHandlerTests.cs b/test/Billing.Test/Services/SubscriptionDeletedHandlerTests.cs
new file mode 100644
index 0000000000..2797b2e589
--- /dev/null
+++ b/test/Billing.Test/Services/SubscriptionDeletedHandlerTests.cs
@@ -0,0 +1,176 @@
+using Bit.Billing.Constants;
+using Bit.Billing.Services;
+using Bit.Billing.Services.Implementations;
+using Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
+using Bit.Core.Services;
+using NSubstitute;
+using Stripe;
+using Xunit;
+
+namespace Bit.Billing.Test.Services;
+
+public class SubscriptionDeletedHandlerTests
+{
+    private readonly IStripeEventService _stripeEventService;
+    private readonly IUserService _userService;
+    private readonly IStripeEventUtilityService _stripeEventUtilityService;
+    private readonly IOrganizationDisableCommand _organizationDisableCommand;
+    private readonly SubscriptionDeletedHandler _sut;
+
+    public SubscriptionDeletedHandlerTests()
+    {
+        _stripeEventService = Substitute.For<IStripeEventService>();
+        _userService = Substitute.For<IUserService>();
+        _stripeEventUtilityService = Substitute.For<IStripeEventUtilityService>();
+        _organizationDisableCommand = Substitute.For<IOrganizationDisableCommand>();
+        _sut = new SubscriptionDeletedHandler(
+            _stripeEventService,
+            _userService,
+            _stripeEventUtilityService,
+            _organizationDisableCommand);
+    }
+
+    [Fact]
+    public async Task HandleAsync_SubscriptionNotCanceled_DoesNothing()
+    {
+        // Arrange
+        var stripeEvent = new Event();
+        var subscription = new Subscription
+        {
+            Status = "active",
+            CurrentPeriodEnd = DateTime.UtcNow.AddDays(30),
+            Metadata = new Dictionary<string, string>()
+        };
+
+        _stripeEventService.GetSubscription(stripeEvent, true).Returns(subscription);
+        _stripeEventUtilityService.GetIdsFromMetadata(subscription.Metadata)
+            .Returns(Tuple.Create<Guid?, Guid?, Guid?>(null, null, null));
+
+        // Act
+        await _sut.HandleAsync(stripeEvent);
+
+        // Assert
+        await _organizationDisableCommand.DidNotReceiveWithAnyArgs().DisableAsync(default, default);
+        await _userService.DidNotReceiveWithAnyArgs().DisablePremiumAsync(default, default);
+    }
+
+    [Fact]
+    public async Task HandleAsync_OrganizationSubscriptionCanceled_DisablesOrganization()
+    {
+        // Arrange
+        var stripeEvent = new Event();
+        var organizationId = Guid.NewGuid();
+        var subscription = new Subscription
+        {
+            Status = StripeSubscriptionStatus.Canceled,
+            CurrentPeriodEnd = DateTime.UtcNow.AddDays(30),
+            Metadata = new Dictionary<string, string>
+            {
+                { "organizationId", organizationId.ToString() }
+            }
+        };
+
+        _stripeEventService.GetSubscription(stripeEvent, true).Returns(subscription);
+        _stripeEventUtilityService.GetIdsFromMetadata(subscription.Metadata)
+            .Returns(Tuple.Create<Guid?, Guid?, Guid?>(organizationId, null, null));
+
+        // Act
+        await _sut.HandleAsync(stripeEvent);
+
+        // Assert
+        await _organizationDisableCommand.Received(1)
+            .DisableAsync(organizationId, subscription.CurrentPeriodEnd);
+    }
+
+    [Fact]
+    public async Task HandleAsync_UserSubscriptionCanceled_DisablesUserPremium()
+    {
+        // Arrange
+        var stripeEvent = new Event();
+        var userId = Guid.NewGuid();
+        var subscription = new Subscription
+        {
+            Status = StripeSubscriptionStatus.Canceled,
+            CurrentPeriodEnd = DateTime.UtcNow.AddDays(30),
+            Metadata = new Dictionary<string, string>
+            {
+                { "userId", userId.ToString() }
+            }
+        };
+
+        _stripeEventService.GetSubscription(stripeEvent, true).Returns(subscription);
+        _stripeEventUtilityService.GetIdsFromMetadata(subscription.Metadata)
+            .Returns(Tuple.Create<Guid?, Guid?, Guid?>(null, userId, null));
+
+        // Act
+        await _sut.HandleAsync(stripeEvent);
+
+        // Assert
+        await _userService.Received(1)
+            .DisablePremiumAsync(userId, subscription.CurrentPeriodEnd);
+    }
+
+    [Fact]
+    public async Task HandleAsync_ProviderMigrationCancellation_DoesNotDisableOrganization()
+    {
+        // Arrange
+        var stripeEvent = new Event();
+        var organizationId = Guid.NewGuid();
+        var subscription = new Subscription
+        {
+            Status = StripeSubscriptionStatus.Canceled,
+            CurrentPeriodEnd = DateTime.UtcNow.AddDays(30),
+            Metadata = new Dictionary<string, string>
+            {
+                { "organizationId", organizationId.ToString() }
+            },
+            CancellationDetails = new SubscriptionCancellationDetails
+            {
+                Comment = "Cancelled as part of provider migration to Consolidated Billing"
+            }
+        };
+
+        _stripeEventService.GetSubscription(stripeEvent, true).Returns(subscription);
+        _stripeEventUtilityService.GetIdsFromMetadata(subscription.Metadata)
+            .Returns(Tuple.Create<Guid?, Guid?, Guid?>(organizationId, null, null));
+
+        // Act
+        await _sut.HandleAsync(stripeEvent);
+
+        // Assert
+        await _organizationDisableCommand.DidNotReceiveWithAnyArgs()
+            .DisableAsync(default, default);
+    }
+
+    [Fact]
+    public async Task HandleAsync_AddedToProviderCancellation_DoesNotDisableOrganization()
+    {
+        // Arrange
+        var stripeEvent = new Event();
+        var organizationId = Guid.NewGuid();
+        var subscription = new Subscription
+        {
+            Status = StripeSubscriptionStatus.Canceled,
+            CurrentPeriodEnd = DateTime.UtcNow.AddDays(30),
+            Metadata = new Dictionary<string, string>
+            {
+                { "organizationId", organizationId.ToString() }
+            },
+            CancellationDetails = new SubscriptionCancellationDetails
+            {
+                Comment = "Organization was added to Provider"
+            }
+        };
+
+        _stripeEventService.GetSubscription(stripeEvent, true).Returns(subscription);
+        _stripeEventUtilityService.GetIdsFromMetadata(subscription.Metadata)
+            .Returns(Tuple.Create<Guid?, Guid?, Guid?>(organizationId, null, null));
+
+        // Act
+        await _sut.HandleAsync(stripeEvent);
+
+        // Assert
+        await _organizationDisableCommand.DidNotReceiveWithAnyArgs()
+            .DisableAsync(default, default);
+    }
+}
diff --git a/test/Billing.Test/Services/SubscriptionUpdatedHandlerTests.cs b/test/Billing.Test/Services/SubscriptionUpdatedHandlerTests.cs
new file mode 100644
index 0000000000..a6ac7e9512
--- /dev/null
+++ b/test/Billing.Test/Services/SubscriptionUpdatedHandlerTests.cs
@@ -0,0 +1,361 @@
+using Bit.Billing.Constants;
+using Bit.Billing.Services;
+using Bit.Billing.Services.Implementations;
+using Bit.Core;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Models.StaticStore.Plans;
+using Bit.Core.Billing.Pricing;
+using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
+using Bit.Core.Platform.Push;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Newtonsoft.Json.Linq;
+using NSubstitute;
+using Quartz;
+using Stripe;
+using Xunit;
+using Event = Stripe.Event;
+
+namespace Bit.Billing.Test.Services;
+
+public class SubscriptionUpdatedHandlerTests
+{
+    private readonly IStripeEventService _stripeEventService;
+    private readonly IStripeEventUtilityService _stripeEventUtilityService;
+    private readonly IOrganizationService _organizationService;
+    private readonly IStripeFacade _stripeFacade;
+    private readonly IOrganizationSponsorshipRenewCommand _organizationSponsorshipRenewCommand;
+    private readonly IUserService _userService;
+    private readonly IPushNotificationService _pushNotificationService;
+    private readonly IOrganizationRepository _organizationRepository;
+    private readonly ISchedulerFactory _schedulerFactory;
+    private readonly IFeatureService _featureService;
+    private readonly IOrganizationEnableCommand _organizationEnableCommand;
+    private readonly IOrganizationDisableCommand _organizationDisableCommand;
+    private readonly IPricingClient _pricingClient;
+    private readonly IScheduler _scheduler;
+    private readonly SubscriptionUpdatedHandler _sut;
+
+    public SubscriptionUpdatedHandlerTests()
+    {
+        _stripeEventService = Substitute.For<IStripeEventService>();
+        _stripeEventUtilityService = Substitute.For<IStripeEventUtilityService>();
+        _organizationService = Substitute.For<IOrganizationService>();
+        _stripeFacade = Substitute.For<IStripeFacade>();
+        _organizationSponsorshipRenewCommand = Substitute.For<IOrganizationSponsorshipRenewCommand>();
+        _userService = Substitute.For<IUserService>();
+        _pushNotificationService = Substitute.For<IPushNotificationService>();
+        _organizationRepository = Substitute.For<IOrganizationRepository>();
+        _schedulerFactory = Substitute.For<ISchedulerFactory>();
+        _featureService = Substitute.For<IFeatureService>();
+        _organizationEnableCommand = Substitute.For<IOrganizationEnableCommand>();
+        _organizationDisableCommand = Substitute.For<IOrganizationDisableCommand>();
+        _pricingClient = Substitute.For<IPricingClient>();
+        _scheduler = Substitute.For<IScheduler>();
+
+        _schedulerFactory.GetScheduler().Returns(_scheduler);
+
+        _sut = new SubscriptionUpdatedHandler(
+            _stripeEventService,
+            _stripeEventUtilityService,
+            _organizationService,
+            _stripeFacade,
+            _organizationSponsorshipRenewCommand,
+            _userService,
+            _pushNotificationService,
+            _organizationRepository,
+            _schedulerFactory,
+            _featureService,
+            _organizationEnableCommand,
+            _organizationDisableCommand,
+            _pricingClient);
+    }
+
+    [Fact]
+    public async Task HandleAsync_UnpaidOrganizationSubscription_DisablesOrganizationAndSchedulesCancellation()
+    {
+        // Arrange
+        var organizationId = Guid.NewGuid();
+        var subscriptionId = "sub_123";
+        var currentPeriodEnd = DateTime.UtcNow.AddDays(30);
+        var subscription = new Subscription
+        {
+            Id = subscriptionId,
+            Status = StripeSubscriptionStatus.Unpaid,
+            CurrentPeriodEnd = currentPeriodEnd,
+            Metadata = new Dictionary<string, string> { { "organizationId", organizationId.ToString() } },
+            LatestInvoice = new Invoice { BillingReason = "subscription_cycle" }
+        };
+
+        var parsedEvent = new Event { Data = new EventData() };
+
+        _stripeEventService.GetSubscription(Arg.Any<Event>(), Arg.Any<bool>(), Arg.Any<List<string>>())
+            .Returns(subscription);
+
+        _stripeEventUtilityService.GetIdsFromMetadata(Arg.Any<Dictionary<string, string>>())
+            .Returns(Tuple.Create<Guid?, Guid?, Guid?>(organizationId, null, null));
+
+        _featureService.IsEnabled(FeatureFlagKeys.ResellerManagedOrgAlert)
+            .Returns(true);
+
+        // Act
+        await _sut.HandleAsync(parsedEvent);
+
+        // Assert
+        await _organizationDisableCommand.Received(1)
+            .DisableAsync(organizationId, currentPeriodEnd);
+        await _scheduler.Received(1).ScheduleJob(
+            Arg.Is<IJobDetail>(j => j.Key.Name == $"cancel-sub-{subscriptionId}"),
+            Arg.Is<ITrigger>(t => t.Key.Name == $"cancel-trigger-{subscriptionId}"));
+    }
+
+    [Fact]
+    public async Task HandleAsync_UnpaidUserSubscription_DisablesPremiumAndCancelsSubscription()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var subscriptionId = "sub_123";
+        var currentPeriodEnd = DateTime.UtcNow.AddDays(30);
+        var subscription = new Subscription
+        {
+            Id = subscriptionId,
+            Status = StripeSubscriptionStatus.Unpaid,
+            CurrentPeriodEnd = currentPeriodEnd,
+            Metadata = new Dictionary<string, string> { { "userId", userId.ToString() } },
+            Items = new StripeList<SubscriptionItem>
+            {
+                Data = new List<SubscriptionItem>
+                {
+                    new() { Price = new Price { Id = IStripeEventUtilityService.PremiumPlanId } }
+                }
+            }
+        };
+
+        var parsedEvent = new Event { Data = new EventData() };
+
+        _stripeEventService.GetSubscription(Arg.Any<Event>(), Arg.Any<bool>(), Arg.Any<List<string>>())
+            .Returns(subscription);
+
+        _stripeEventUtilityService.GetIdsFromMetadata(Arg.Any<Dictionary<string, string>>())
+            .Returns(Tuple.Create<Guid?, Guid?, Guid?>(null, userId, null));
+
+        _stripeFacade.ListInvoices(Arg.Any<InvoiceListOptions>())
+            .Returns(new StripeList<Invoice> { Data = new List<Invoice>() });
+
+        // Act
+        await _sut.HandleAsync(parsedEvent);
+
+        // Assert
+        await _userService.Received(1)
+            .DisablePremiumAsync(userId, currentPeriodEnd);
+        await _stripeFacade.Received(1)
+            .CancelSubscription(subscriptionId, Arg.Any<SubscriptionCancelOptions>());
+        await _stripeFacade.Received(1)
+            .ListInvoices(Arg.Is<InvoiceListOptions>(o =>
+                o.Status == StripeInvoiceStatus.Open && o.Subscription == subscriptionId));
+    }
+
+    [Fact]
+    public async Task HandleAsync_ActiveOrganizationSubscription_EnablesOrganizationAndUpdatesExpiration()
+    {
+        // Arrange
+        var organizationId = Guid.NewGuid();
+        var currentPeriodEnd = DateTime.UtcNow.AddDays(30);
+        var subscription = new Subscription
+        {
+            Status = StripeSubscriptionStatus.Active,
+            CurrentPeriodEnd = currentPeriodEnd,
+            Metadata = new Dictionary<string, string> { { "organizationId", organizationId.ToString() } }
+        };
+
+        var organization = new Organization
+        {
+            Id = organizationId,
+            PlanType = PlanType.EnterpriseAnnually2023
+        };
+        var parsedEvent = new Event { Data = new EventData() };
+
+        _stripeEventService.GetSubscription(Arg.Any<Event>(), Arg.Any<bool>(), Arg.Any<List<string>>())
+            .Returns(subscription);
+
+        _stripeEventUtilityService.GetIdsFromMetadata(Arg.Any<Dictionary<string, string>>())
+            .Returns(Tuple.Create<Guid?, Guid?, Guid?>(organizationId, null, null));
+
+        _organizationRepository.GetByIdAsync(organizationId)
+            .Returns(organization);
+
+        _stripeFacade.ListInvoices(Arg.Any<InvoiceListOptions>())
+            .Returns(new StripeList<Invoice> { Data = new List<Invoice> { new Invoice { Id = "inv_123" } } });
+
+        var plan = new Enterprise2023Plan(true);
+        _pricingClient.GetPlanOrThrow(organization.PlanType)
+            .Returns(plan);
+
+        // Act
+        await _sut.HandleAsync(parsedEvent);
+
+        // Assert
+        await _organizationEnableCommand.Received(1)
+            .EnableAsync(organizationId);
+        await _organizationService.Received(1)
+            .UpdateExpirationDateAsync(organizationId, currentPeriodEnd);
+        await _pushNotificationService.Received(1)
+            .PushSyncOrganizationStatusAsync(organization);
+    }
+
+    [Fact]
+    public async Task HandleAsync_ActiveUserSubscription_EnablesPremiumAndUpdatesExpiration()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var currentPeriodEnd = DateTime.UtcNow.AddDays(30);
+        var subscription = new Subscription
+        {
+            Status = StripeSubscriptionStatus.Active,
+            CurrentPeriodEnd = currentPeriodEnd,
+            Metadata = new Dictionary<string, string> { { "userId", userId.ToString() } }
+        };
+
+        var parsedEvent = new Event { Data = new EventData() };
+
+        _stripeEventService.GetSubscription(Arg.Any<Event>(), Arg.Any<bool>(), Arg.Any<List<string>>())
+            .Returns(subscription);
+
+        _stripeEventUtilityService.GetIdsFromMetadata(Arg.Any<Dictionary<string, string>>())
+            .Returns(Tuple.Create<Guid?, Guid?, Guid?>(null, userId, null));
+
+        // Act
+        await _sut.HandleAsync(parsedEvent);
+
+        // Assert
+        await _userService.Received(1)
+            .EnablePremiumAsync(userId, currentPeriodEnd);
+        await _userService.Received(1)
+            .UpdatePremiumExpirationAsync(userId, currentPeriodEnd);
+    }
+
+    [Fact]
+    public async Task HandleAsync_SponsoredSubscription_RenewsSponsorship()
+    {
+        // Arrange
+        var organizationId = Guid.NewGuid();
+        var currentPeriodEnd = DateTime.UtcNow.AddDays(30);
+        var subscription = new Subscription
+        {
+            Status = StripeSubscriptionStatus.Active,
+            CurrentPeriodEnd = currentPeriodEnd,
+            Metadata = new Dictionary<string, string> { { "organizationId", organizationId.ToString() } }
+        };
+
+        var parsedEvent = new Event { Data = new EventData() };
+
+        _stripeEventService.GetSubscription(Arg.Any<Event>(), Arg.Any<bool>(), Arg.Any<List<string>>())
+            .Returns(subscription);
+
+        _stripeEventUtilityService.GetIdsFromMetadata(Arg.Any<Dictionary<string, string>>())
+            .Returns(Tuple.Create<Guid?, Guid?, Guid?>(organizationId, null, null));
+
+        _stripeEventUtilityService.IsSponsoredSubscription(subscription)
+            .Returns(true);
+
+        // Act
+        await _sut.HandleAsync(parsedEvent);
+
+        // Assert
+        await _organizationSponsorshipRenewCommand.Received(1)
+            .UpdateExpirationDateAsync(organizationId, currentPeriodEnd);
+    }
+
+    [Fact]
+    public async Task HandleAsync_WhenSubscriptionIsActive_AndOrganizationHasSecretsManagerTrial_AndRemovingSecretsManagerTrial_RemovesPasswordManagerCoupon()
+    {
+        // Arrange
+        var organizationId = Guid.NewGuid();
+        var subscription = new Subscription
+        {
+            Id = "sub_123",
+            Status = StripeSubscriptionStatus.Active,
+            CurrentPeriodEnd = DateTime.UtcNow.AddDays(10),
+            CustomerId = "cus_123",
+            Items = new StripeList<SubscriptionItem>
+            {
+                Data = new List<SubscriptionItem>
+                {
+                    new() { Plan = new Stripe.Plan { Id = "2023-enterprise-org-seat-annually" } }
+                }
+            },
+            Customer = new Customer
+            {
+                Balance = 0,
+                Discount = new Discount
+                {
+                    Coupon = new Coupon { Id = "sm-standalone" }
+                }
+            },
+            Discount = new Discount
+            {
+                Coupon = new Coupon { Id = "sm-standalone" }
+            },
+            Metadata = new Dictionary<string, string>
+            {
+                { "organizationId", organizationId.ToString() }
+            }
+        };
+
+        var organization = new Organization
+        {
+            Id = organizationId,
+            PlanType = PlanType.EnterpriseAnnually2023
+        };
+
+        var plan = new Enterprise2023Plan(true);
+        _pricingClient.GetPlanOrThrow(organization.PlanType)
+            .Returns(plan);
+
+        var parsedEvent = new Event
+        {
+            Data = new EventData
+            {
+                Object = subscription,
+                PreviousAttributes = JObject.FromObject(new
+                {
+                    items = new
+                    {
+                        data = new[]
+                        {
+                            new { plan = new { id = "secrets-manager-enterprise-seat-annually" } }
+                        }
+                    },
+                    Items = new StripeList<SubscriptionItem>
+                    {
+                        Data = new List<SubscriptionItem>
+                        {
+                            new SubscriptionItem
+                            {
+                                Plan = new Stripe.Plan { Id = "secrets-manager-enterprise-seat-annually" }
+                            }
+                        }
+                    }
+                })
+            }
+        };
+
+        _stripeEventService.GetSubscription(Arg.Any<Event>(), Arg.Any<bool>(), Arg.Any<List<string>>())
+            .Returns(subscription);
+
+        _stripeEventUtilityService.GetIdsFromMetadata(Arg.Any<Dictionary<string, string>>())
+            .Returns(Tuple.Create<Guid?, Guid?, Guid?>(organizationId, null, null));
+
+        _organizationRepository.GetByIdAsync(organizationId)
+            .Returns(organization);
+
+        // Act
+        await _sut.HandleAsync(parsedEvent);
+
+        // Assert
+        await _stripeFacade.Received(1).DeleteCustomerDiscount(subscription.CustomerId);
+        await _stripeFacade.Received(1).DeleteSubscriptionDiscount(subscription.Id);
+    }
+}

From 1c6bac9dd56482abe995b486e72665c88df620d2 Mon Sep 17 00:00:00 2001
From: Github Actions <actions@github.com>
Date: Mon, 7 Apr 2025 10:59:53 +0000
Subject: [PATCH 178/184] Bumped version to 2025.4.1

---
 Directory.Build.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index 858abb2bc8..e4712937ca 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.4.0</Version>
+    <Version>2025.4.1</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>

From 7c76eddee5f8aff54e1a73b3cf9b4f6273941462 Mon Sep 17 00:00:00 2001
From: Bernd Schoolmann <mail@quexten.com>
Date: Mon, 7 Apr 2025 14:35:27 +0200
Subject: [PATCH 179/184] [PM-19801] Clear device keys on deactivate (#5592)

* Clear device keys on deactivate

* Fix migration

* Add newline

* Remove inactive device migration
---
 src/Core/Services/Implementations/DeviceService.cs | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/Core/Services/Implementations/DeviceService.cs b/src/Core/Services/Implementations/DeviceService.cs
index 99523d8e5e..165fab0237 100644
--- a/src/Core/Services/Implementations/DeviceService.cs
+++ b/src/Core/Services/Implementations/DeviceService.cs
@@ -77,6 +77,9 @@ public class DeviceService : IDeviceService
 
         device.Active = false;
         device.RevisionDate = DateTime.UtcNow;
+        device.EncryptedPrivateKey = null;
+        device.EncryptedPublicKey = null;
+        device.EncryptedUserKey = null;
         await _deviceRepository.UpsertAsync(device);
 
         await _pushRegistrationService.DeleteRegistrationAsync(device.Id.ToString());

From 3c56866a764357face8d8c0e7d7bf533b6065156 Mon Sep 17 00:00:00 2001
From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com>
Date: Mon, 7 Apr 2025 10:05:49 -0400
Subject: [PATCH 180/184] Expand tax_ids to avoid thrown tax exception (#5617)

---
 .../Services/Implementations/OrganizationBillingService.cs      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs b/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
index a4d22cfa3e..ae9ed15e72 100644
--- a/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
+++ b/src/Core/Billing/Services/Implementations/OrganizationBillingService.cs
@@ -42,7 +42,7 @@ public class OrganizationBillingService(
 
         var customer = string.IsNullOrEmpty(organization.GatewayCustomerId) && customerSetup != null
             ? await CreateCustomerAsync(organization, customerSetup)
-            : await subscriberService.GetCustomerOrThrow(organization, new CustomerGetOptions { Expand = ["tax"] });
+            : await subscriberService.GetCustomerOrThrow(organization, new CustomerGetOptions { Expand = ["tax", "tax_ids"] });
 
         var subscription = await CreateSubscriptionAsync(organization.Id, customer, subscriptionSetup);
 

From 0d7363c6af2e8df38cc766a5e097648c3b1606dc Mon Sep 17 00:00:00 2001
From: Jared McCannon <jmccannon@bitwarden.com>
Date: Mon, 7 Apr 2025 09:14:10 -0500
Subject: [PATCH 181/184] [PM-16811] - SCIM Invite Users Optimizations (#5398)

* WIP changes for Invite User optimization from Scim

* feature flag string

* Added plan validation to PasswordManagerInviteUserValidation. Cleaned up a few things.

* Added Secrets Manager Validations and Tests.

* Added bulk procedure for saving users, collections and groups from inviting. Added test to validate Ef and Sproc

* Created SendOrganizationInvitesCommand and moved some tests from OrgServiceTests. Fixed some tests in org service in relation to moving out SendOrgInviteCommand code.

Added side effects to InviteOrganizationUsersCommand

* First test of new command.

* Added test to verify valid request with a user calls db method and sends the invite

* Added more tests for the updates

* Added integration test around enabling feature and sending invite via scim. Did a bit of refactoring on the SM validation. Fixed couple bugs found.

* Switching over to a local factory.

* created response model and split interface out.

* switched to initialization block

* Moved to private method. Made ScimInvite inherit the single invite base model. Moved create methods to constructors. A few more CR changes included.

* Moved `FromOrganization` mapper method to a constructor

* Updated to use new pricing client. Supressed null dereference errors.

* Fixing bad merge.

* Rename of OrgDto

* undoing this

* Moved into class

* turned into a switch statement

* Separated into separate files.

* Renamed dto and added ctor

* Dto rename. Moved from static methods to ctors

* Removed unused request model

* changes from main

* missed value

* Fixed some compilation errors.

* Fixed some changes.

* Removed comment

* fixed compiler warning.

* Refactored to use new ValidationResult pattern. added mapping method.

* Added throwing of Failure as the previous implementation would have.

* Cleaned up return.

* fixing test.

* Made HasSecretsManagerStandalone return if org doesn't have sm. Added overload for lighter weight model and moved common code to private method.

* Fixed tests.

* Made public method private. added some comments.

* Refactor validation parameter to improve clarity and consistency. Added XML doc

* fixed test

* Removed test only constructor from InviteOrganization

* Separated old and new code explicitly. Moved old code checks down into new code as well. Added error and mapper to Failure<T>

* Variable/Field/Property renames

* Renamed InviteUsersValidation to InviteUsersValidator

* Rename for InvitingUserOrganizationValidation to InvitingUserOrganizationValidator

* PasswordManagerInviteUserValidation to PasswordManagerInviteUserValidator

* Moved XML comment. Added check to see if additional seats are needed.

* Fixing name.

* Updated names.

* Corrected double negation.

* Added groups and collection and users checks.

* Fixed comment. Fixed multiple enumeration. Changed variable name.

* Cleaned up DTO models. Moved some validation steps around. A few quick fixes to address CR concerns. Still need to move a few things yet.

* Fixed naming in subscription update models.

* put back in the request for now.

* Quick rename

* Added provider email addresses as well.

* Removed valid wrapper to pass in to validation methods.

* fix tests

* Code Review changes.

* Removed unused classes

* Using GetPlanOrThrow instead.

* Switches to extension method

* Made Revert and Adjust Sm methods consistent. Corrected string comparer. Added comment for revert sm.

* Fixing compiler complaint.

* Adding XML docs

* Calculated seat addition for SM.

* Fixing compiler complaints.

* Renames for organization.

* Fixing comparison issue.

* Adding error and aligning message.

* fixing name of method.

* Made extension method.

* Rearranged some things. Fixed the tests.

* Added test around validating the revert.

* Added test to validate the provider email is sent if org is managed by a provider.

* Created new errors and removed references in business code to ErrorMessages property. This aligns Invite User code to use Errors instead of ErrorMessages

* Delayed the hasSecretsManagerStandalone call as long as possible.

* Corrected model name. Corrected SM seat calculation. Added test for it.

* Corrected logic and added more tests.
---
 .../src/Scim/Models/ScimUserRequestModel.cs   |  33 +-
 .../src/Scim/Users/PostUserCommand.cs         | 122 +++-
 .../Controllers/v2/UsersControllerTests.cs    |  20 +-
 .../Scim.Test/Users/PostUserCommandTests.cs   |   9 +-
 src/Core/AdminConsole/Errors/Error.cs         |   5 +
 .../Errors/InvalidResultTypeError.cs          |   6 +
 .../Models/Business/InviteOrganization.cs     |  35 +
 .../InviteUsers/Errors/ErrorMapper.cs         |  37 ++
 .../Errors/FailedToInviteUsersError.cs        |   9 +
 .../Errors/NoUsersToInviteError.cs            |   9 +
 .../Errors/UserAlreadyExistsError.cs          |   9 +
 .../IInviteOrganizationUsersCommand.cs        |  22 +
 .../ISendOrganizationInvitesCommand.cs        |  16 +
 .../InviteOrganizationUsersCommand.cs         | 282 ++++++++
 .../Models/CreateOrganizationUser.cs          |  15 +
 .../CreateOrganizationUserExtensions.cs       |  30 +
 .../InviteOrganizationUserErrorMessages.cs    |   7 +
 .../Models/InviteOrganizationUsersRequest.cs  |  22 +
 .../Models/InviteOrganizationUsersResponse.cs |  42 ++
 ...nviteOrganizationUsersValidationRequest.cs |  40 ++
 .../Models/OrganizationUserInvite.cs          |  77 +++
 .../InviteUsers/Models/SendInvitesRequest.cs  |  33 +
 .../SendOrganizationInvitesCommand.cs         |  80 +++
 .../CollectionAccessSelectionExtensions.cs    |  12 +
 .../CannotAutoScaleOnSelfHostError.cs         |   8 +
 .../GlobalSettings/EnvironmentRequest.cs      |  18 +
 .../InviteUsersEnvironmentValidator.cs        |  14 +
 .../InviteOrganizationUserValidator.cs        | 108 +++
 .../Validation/Organization/Errors.cs         |  16 +
 .../InviteUsersOrganizationValidator.cs       |  32 +
 .../Validation/PasswordManager/Errors.cs      |  30 +
 .../InviteUsersPasswordManagerValidator.cs    | 117 ++++
 .../PasswordManagerSubscriptionUpdate.cs      |  89 +++
 .../InviteUsers/Validation/Payments/Errors.cs |  10 +
 .../Payments/InviteUserPaymentValidation.cs   |  25 +
 .../Payments/PaymentsSubscription.cs          |  19 +
 .../InviteUsers/Validation/Provider/Errors.cs |  13 +
 .../Provider/InviteOrganizationProvider.cs    |  19 +
 ...vitingUserOrganizationProviderValidator.cs |  28 +
 .../IOrganizationUserRepository.cs            |   3 +
 .../Implementations/OrganizationService.cs    |  95 +--
 .../Shared/Validation/ValidationResult.cs     |  31 +-
 .../Billing/Extensions/BillingExtensions.cs   |   8 +
 src/Core/Constants.cs                         |   1 +
 src/Core/Models/Commands/CommandResult.cs     |  31 +-
 ...OrganizationServiceCollectionExtensions.cs |  13 +
 ...UpdateSecretsManagerSubscriptionCommand.cs |   1 +
 ...UpdateSecretsManagerSubscriptionCommand.cs |   2 +-
 src/Core/Services/IPaymentService.cs          |  24 +-
 .../Implementations/StripePaymentService.cs   |  20 +-
 src/Core/Utilities/EmailValidation.cs         |  44 ++
 .../Utilities/StrictEmailAddressAttribute.cs  |  37 +-
 .../OrganizationUserRepository.cs             |  29 +
 .../OrganizationUserRepository.cs             |  25 +
 ...onUser_CreateManyWithCollectionsGroups.sql |  97 +++
 .../InviteOrganizationUsersRequestTests.cs    |  67 ++
 ...serOrganizationValidationRequestHelpers.cs |  51 ++
 .../InviteOrganizationUserCommandTests.cs     | 613 ++++++++++++++++++
 .../SendOrganizationInvitesCommandTests.cs    | 108 +++
 .../InviteOrganizationUsersValidatorTests.cs  | 161 +++++
 .../InviteUserOrganizationValidationTests.cs  |  58 ++
 .../InviteUserPaymentValidationTests.cs       |  56 ++
 ...PasswordManagerInviteUserValidatorTests.cs |  93 +++
 .../Services/OrganizationServiceTests.cs      | 244 ++-----
 .../OrganizationUserRepositoryTests.cs        | 172 +++++
 ...Users_CreateManyUsersCollectionsGroups.sql |  97 +++
 66 files changed, 3337 insertions(+), 362 deletions(-)
 create mode 100644 src/Core/AdminConsole/Errors/InvalidResultTypeError.cs
 create mode 100644 src/Core/AdminConsole/Models/Business/InviteOrganization.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/ErrorMapper.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/FailedToInviteUsersError.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/NoUsersToInviteError.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/UserAlreadyExistsError.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/IInviteOrganizationUsersCommand.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/ISendOrganizationInvitesCommand.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/InviteOrganizationUsersCommand.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/CreateOrganizationUser.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/CreateOrganizationUserExtensions.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUserErrorMessages.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUsersRequest.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUsersResponse.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUsersValidationRequest.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/OrganizationUserInvite.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/SendInvitesRequest.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/SendOrganizationInvitesCommand.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/CollectionAccessSelectionExtensions.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/GlobalSettings/CannotAutoScaleOnSelfHostError.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/GlobalSettings/EnvironmentRequest.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/GlobalSettings/InviteUsersEnvironmentValidator.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/InviteOrganizationUserValidator.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Organization/Errors.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Organization/InviteUsersOrganizationValidator.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/PasswordManager/Errors.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/PasswordManager/InviteUsersPasswordManagerValidator.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/PasswordManager/PasswordManagerSubscriptionUpdate.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Payments/Errors.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Payments/InviteUserPaymentValidation.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Payments/PaymentsSubscription.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Provider/Errors.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Provider/InviteOrganizationProvider.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Provider/InvitingUserOrganizationProviderValidator.cs
 create mode 100644 src/Core/Utilities/EmailValidation.cs
 create mode 100644 src/Sql/dbo/Stored Procedures/OrganizationUser_CreateManyWithCollectionsGroups.sql
 create mode 100644 test/Core.Test/AdminConsole/Models/InviteOrganizationUsersRequestTests.cs
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Helpers/InviteUserOrganizationValidationRequestHelpers.cs
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/InviteOrganizationUserCommandTests.cs
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/SendOrganizationInvitesCommandTests.cs
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/InviteOrganizationUsersValidatorTests.cs
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/InviteUserOrganizationValidationTests.cs
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/InviteUserPaymentValidationTests.cs
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/PasswordManagerInviteUserValidatorTests.cs
 create mode 100644 util/Migrator/DbScripts/2025-02-17_00_OrgUsers_CreateManyUsersCollectionsGroups.sql

diff --git a/bitwarden_license/src/Scim/Models/ScimUserRequestModel.cs b/bitwarden_license/src/Scim/Models/ScimUserRequestModel.cs
index 990ac27ec2..295db790e3 100644
--- a/bitwarden_license/src/Scim/Models/ScimUserRequestModel.cs
+++ b/bitwarden_license/src/Scim/Models/ScimUserRequestModel.cs
@@ -1,8 +1,11 @@
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
 using Bit.Core.Enums;
-using Bit.Core.Models.Business;
+using Bit.Core.Exceptions;
 using Bit.Core.Models.Data;
 using Bit.Core.Utilities;
+using OrganizationUserInvite = Bit.Core.Models.Business.OrganizationUserInvite;
 
 namespace Bit.Scim.Models;
 
@@ -10,7 +13,8 @@ public class ScimUserRequestModel : BaseScimUserModel
 {
     public ScimUserRequestModel()
         : base(false)
-    { }
+    {
+    }
 
     public OrganizationUserInvite ToOrganizationUserInvite(ScimProviderType scimProvider)
     {
@@ -25,6 +29,31 @@ public class ScimUserRequestModel : BaseScimUserModel
         };
     }
 
+    public InviteOrganizationUsersRequest ToRequest(
+        ScimProviderType scimProvider,
+        InviteOrganization inviteOrganization,
+        DateTimeOffset performedAt)
+    {
+        var email = EmailForInvite(scimProvider);
+
+        if (string.IsNullOrWhiteSpace(email) || !Active)
+        {
+            throw new BadRequestException();
+        }
+
+        return new InviteOrganizationUsersRequest(
+            invites:
+            [
+                new Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models.OrganizationUserInvite(
+                        email: email,
+                        externalId: ExternalIdForInvite()
+                    )
+            ],
+            inviteOrganization: inviteOrganization,
+            performedBy: Guid.Empty, // SCIM does not have a user id
+            performedAt: performedAt);
+    }
+
     private string EmailForInvite(ScimProviderType scimProvider)
     {
         var email = PrimaryEmail?.ToLowerInvariant();
diff --git a/bitwarden_license/src/Scim/Users/PostUserCommand.cs b/bitwarden_license/src/Scim/Users/PostUserCommand.cs
index 26ddd20512..46116a46ae 100644
--- a/bitwarden_license/src/Scim/Users/PostUserCommand.cs
+++ b/bitwarden_license/src/Scim/Users/PostUserCommand.cs
@@ -1,39 +1,99 @@
-using Bit.Core.Enums;
+#nullable enable
+
+using Bit.Core;
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Errors;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+using Bit.Core.Billing.Pricing;
+using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Commands;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Scim.Context;
 using Bit.Scim.Models;
 using Bit.Scim.Users.Interfaces;
+using static Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Errors.ErrorMapper;
 
 namespace Bit.Scim.Users;
 
-public class PostUserCommand : IPostUserCommand
+public class PostUserCommand(
+    IOrganizationRepository organizationRepository,
+    IOrganizationUserRepository organizationUserRepository,
+    IOrganizationService organizationService,
+    IPaymentService paymentService,
+    IScimContext scimContext,
+    IFeatureService featureService,
+    IInviteOrganizationUsersCommand inviteOrganizationUsersCommand,
+    TimeProvider timeProvider,
+    IPricingClient pricingClient)
+    : IPostUserCommand
 {
-    private readonly IOrganizationRepository _organizationRepository;
-    private readonly IOrganizationUserRepository _organizationUserRepository;
-    private readonly IOrganizationService _organizationService;
-    private readonly IPaymentService _paymentService;
-    private readonly IScimContext _scimContext;
-
-    public PostUserCommand(
-        IOrganizationRepository organizationRepository,
-        IOrganizationUserRepository organizationUserRepository,
-        IOrganizationService organizationService,
-        IPaymentService paymentService,
-        IScimContext scimContext)
+    public async Task<OrganizationUserUserDetails?> PostUserAsync(Guid organizationId, ScimUserRequestModel model)
     {
-        _organizationRepository = organizationRepository;
-        _organizationUserRepository = organizationUserRepository;
-        _organizationService = organizationService;
-        _paymentService = paymentService;
-        _scimContext = scimContext;
+        if (featureService.IsEnabled(FeatureFlagKeys.ScimInviteUserOptimization) is false)
+        {
+            return await InviteScimOrganizationUserAsync(model, organizationId, scimContext.RequestScimProvider);
+        }
+
+        return await InviteScimOrganizationUserAsync_vNext(model, organizationId, scimContext.RequestScimProvider);
     }
 
-    public async Task<OrganizationUserUserDetails> PostUserAsync(Guid organizationId, ScimUserRequestModel model)
+    private async Task<OrganizationUserUserDetails?> InviteScimOrganizationUserAsync_vNext(
+        ScimUserRequestModel model,
+        Guid organizationId,
+        ScimProviderType scimProvider)
+    {
+        var organization = await organizationRepository.GetByIdAsync(organizationId);
+
+        if (organization is null)
+        {
+            throw new NotFoundException();
+        }
+
+        var plan = await pricingClient.GetPlanOrThrow(organization.PlanType);
+
+        var request = model.ToRequest(
+            scimProvider: scimProvider,
+            inviteOrganization: new InviteOrganization(organization, plan),
+            performedAt: timeProvider.GetUtcNow());
+
+        var orgUsers = await organizationUserRepository
+            .GetManyDetailsByOrganizationAsync(request.InviteOrganization.OrganizationId);
+
+        if (orgUsers.Any(existingUser =>
+                request.Invites.First().Email.Equals(existingUser.Email, StringComparison.OrdinalIgnoreCase) ||
+                request.Invites.First().ExternalId.Equals(existingUser.ExternalId, StringComparison.OrdinalIgnoreCase)))
+        {
+            throw new ConflictException("User already exists.");
+        }
+
+        var result = await inviteOrganizationUsersCommand.InviteScimOrganizationUserAsync(request);
+
+        var invitedOrganizationUserId = result switch
+        {
+            Success<ScimInviteOrganizationUsersResponse> success => success.Value.InvitedUser.Id,
+            Failure<ScimInviteOrganizationUsersResponse> failure when failure.Errors
+                    .Any(x => x.Message == NoUsersToInviteError.Code) => (Guid?)null,
+            Failure<ScimInviteOrganizationUsersResponse> failure when failure.Errors.Length != 0 => throw MapToBitException(failure.Errors),
+            _ => throw new InvalidOperationException()
+        };
+
+        var organizationUser = invitedOrganizationUserId.HasValue
+            ? await organizationUserRepository.GetDetailsByIdAsync(invitedOrganizationUserId.Value)
+            : null;
+
+        return organizationUser;
+    }
+
+    private async Task<OrganizationUserUserDetails?> InviteScimOrganizationUserAsync(
+        ScimUserRequestModel model,
+        Guid organizationId,
+        ScimProviderType scimProvider)
     {
-        var scimProvider = _scimContext.RequestScimProvider;
         var invite = model.ToOrganizationUserInvite(scimProvider);
 
         var email = invite.Emails.Single();
@@ -44,7 +104,7 @@ public class PostUserCommand : IPostUserCommand
             throw new BadRequestException();
         }
 
-        var orgUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(organizationId);
+        var orgUsers = await organizationUserRepository.GetManyDetailsByOrganizationAsync(organizationId);
         var orgUserByEmail = orgUsers.FirstOrDefault(ou => ou.Email?.ToLowerInvariant() == email);
         if (orgUserByEmail != null)
         {
@@ -57,13 +117,21 @@ public class PostUserCommand : IPostUserCommand
             throw new ConflictException();
         }
 
-        var organization = await _organizationRepository.GetByIdAsync(organizationId);
-        var hasStandaloneSecretsManager = await _paymentService.HasSecretsManagerStandalone(organization);
+        var organization = await organizationRepository.GetByIdAsync(organizationId);
+
+        if (organization == null)
+        {
+            throw new NotFoundException();
+        }
+
+        var hasStandaloneSecretsManager = await paymentService.HasSecretsManagerStandalone(organization);
         invite.AccessSecretsManager = hasStandaloneSecretsManager;
 
-        var invitedOrgUser = await _organizationService.InviteUserAsync(organizationId, invitingUserId: null, EventSystemUser.SCIM,
-            invite, externalId);
-        var orgUser = await _organizationUserRepository.GetDetailsByIdAsync(invitedOrgUser.Id);
+        var invitedOrgUser = await organizationService.InviteUserAsync(organizationId, invitingUserId: null,
+            EventSystemUser.SCIM,
+            invite,
+            externalId);
+        var orgUser = await organizationUserRepository.GetDetailsByIdAsync(invitedOrgUser.Id);
 
         return orgUser;
     }
diff --git a/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/UsersControllerTests.cs b/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/UsersControllerTests.cs
index 4c4fda952a..1f86d99b63 100644
--- a/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/UsersControllerTests.cs
+++ b/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/UsersControllerTests.cs
@@ -1,9 +1,12 @@
 using System.Text.Json;
+using Bit.Core;
 using Bit.Core.Enums;
+using Bit.Core.Services;
 using Bit.Scim.IntegrationTest.Factories;
 using Bit.Scim.Models;
 using Bit.Scim.Utilities;
 using Bit.Test.Common.Helpers;
+using NSubstitute;
 using Xunit;
 
 namespace Bit.Scim.IntegrationTest.Controllers.v2;
@@ -276,9 +279,18 @@ public class UsersControllerTests : IClassFixture<ScimApplicationFactory>, IAsyn
         AssertHelper.AssertPropertyEqual(expectedResponse, responseModel);
     }
 
-    [Fact]
-    public async Task Post_Success()
+    [Theory]
+    [InlineData(true)]
+    [InlineData(false)]
+    public async Task Post_Success(bool isScimInviteUserOptimizationEnabled)
     {
+        var localFactory = new ScimApplicationFactory();
+        localFactory.SubstituteService((IFeatureService featureService)
+            => featureService.IsEnabled(FeatureFlagKeys.ScimInviteUserOptimization)
+                .Returns(isScimInviteUserOptimizationEnabled));
+
+        localFactory.ReinitializeDbForTests(localFactory.GetDatabaseContext());
+
         var email = "user5@example.com";
         var displayName = "Test User 5";
         var externalId = "UE";
@@ -306,7 +318,7 @@ public class UsersControllerTests : IClassFixture<ScimApplicationFactory>, IAsyn
             Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
         };
 
-        var context = await _factory.UsersPostAsync(ScimApplicationFactory.TestOrganizationId1, inputModel);
+        var context = await localFactory.UsersPostAsync(ScimApplicationFactory.TestOrganizationId1, inputModel);
 
         Assert.Equal(StatusCodes.Status201Created, context.Response.StatusCode);
 
@@ -316,7 +328,7 @@ public class UsersControllerTests : IClassFixture<ScimApplicationFactory>, IAsyn
         var responseModel = JsonSerializer.Deserialize<ScimUserResponseModel>(context.Response.Body, new JsonSerializerOptions { PropertyNamingPolicy = JsonNamingPolicy.CamelCase });
         AssertHelper.AssertPropertyEqual(expectedResponse, responseModel, "Id");
 
-        var databaseContext = _factory.GetDatabaseContext();
+        var databaseContext = localFactory.GetDatabaseContext();
         Assert.Equal(_initialUserCount + 1, databaseContext.OrganizationUsers.Count());
     }
 
diff --git a/bitwarden_license/test/Scim.Test/Users/PostUserCommandTests.cs b/bitwarden_license/test/Scim.Test/Users/PostUserCommandTests.cs
index 71ad6361bd..ac23e7ecc1 100644
--- a/bitwarden_license/test/Scim.Test/Users/PostUserCommandTests.cs
+++ b/bitwarden_license/test/Scim.Test/Users/PostUserCommandTests.cs
@@ -27,7 +27,7 @@ public class PostUserCommandTests
             ExternalId = externalId,
             Emails = emails,
             Active = true,
-            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
+            Schemas = [ScimConstants.Scim2SchemaUser]
         };
 
         sutProvider.GetDependency<IOrganizationUserRepository>()
@@ -39,13 +39,16 @@ public class PostUserCommandTests
         sutProvider.GetDependency<IPaymentService>().HasSecretsManagerStandalone(organization).Returns(true);
 
         sutProvider.GetDependency<IOrganizationService>()
-            .InviteUserAsync(organizationId, invitingUserId: null, EventSystemUser.SCIM,
+            .InviteUserAsync(organizationId,
+                invitingUserId: null,
+                EventSystemUser.SCIM,
                 Arg.Is<OrganizationUserInvite>(i =>
                     i.Emails.Single().Equals(scimUserRequestModel.PrimaryEmail.ToLowerInvariant()) &&
                     i.Type == OrganizationUserType.User &&
                     !i.Collections.Any() &&
                     !i.Groups.Any() &&
-                    i.AccessSecretsManager), externalId)
+                    i.AccessSecretsManager),
+                externalId)
             .Returns(newUser);
 
         var user = await sutProvider.Sut.PostUserAsync(organizationId, scimUserRequestModel);
diff --git a/src/Core/AdminConsole/Errors/Error.cs b/src/Core/AdminConsole/Errors/Error.cs
index 6c8eed41a4..7ad057d6ed 100644
--- a/src/Core/AdminConsole/Errors/Error.cs
+++ b/src/Core/AdminConsole/Errors/Error.cs
@@ -1,3 +1,8 @@
 namespace Bit.Core.AdminConsole.Errors;
 
 public record Error<T>(string Message, T ErroredValue);
+
+public static class ErrorMappers
+{
+    public static Error<B> ToError<A, B>(this Error<A> errorA, B erroredValue) => new(errorA.Message, erroredValue);
+}
diff --git a/src/Core/AdminConsole/Errors/InvalidResultTypeError.cs b/src/Core/AdminConsole/Errors/InvalidResultTypeError.cs
new file mode 100644
index 0000000000..67b5b634fb
--- /dev/null
+++ b/src/Core/AdminConsole/Errors/InvalidResultTypeError.cs
@@ -0,0 +1,6 @@
+namespace Bit.Core.AdminConsole.Errors;
+
+public record InvalidResultTypeError<T>(T Value) : Error<T>(Code, Value)
+{
+    public const string Code = "Invalid result type.";
+};
diff --git a/src/Core/AdminConsole/Models/Business/InviteOrganization.cs b/src/Core/AdminConsole/Models/Business/InviteOrganization.cs
new file mode 100644
index 0000000000..175ee07a9f
--- /dev/null
+++ b/src/Core/AdminConsole/Models/Business/InviteOrganization.cs
@@ -0,0 +1,35 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Models.StaticStore;
+
+namespace Bit.Core.AdminConsole.Models.Business;
+
+public record InviteOrganization
+{
+    public Guid OrganizationId { get; init; }
+    public int? Seats { get; init; }
+    public int? MaxAutoScaleSeats { get; init; }
+    public int? SmSeats { get; init; }
+    public int? SmMaxAutoScaleSeats { get; init; }
+    public Plan Plan { get; init; }
+    public string GatewayCustomerId { get; init; }
+    public string GatewaySubscriptionId { get; init; }
+    public bool UseSecretsManager { get; init; }
+
+    public InviteOrganization()
+    {
+
+    }
+
+    public InviteOrganization(Organization organization, Plan plan)
+    {
+        OrganizationId = organization.Id;
+        Seats = organization.Seats;
+        MaxAutoScaleSeats = organization.MaxAutoscaleSeats;
+        SmSeats = organization.SmSeats;
+        SmMaxAutoScaleSeats = organization.MaxAutoscaleSmSeats;
+        Plan = plan;
+        GatewayCustomerId = organization.GatewayCustomerId;
+        GatewaySubscriptionId = organization.GatewaySubscriptionId;
+        UseSecretsManager = organization.UseSecretsManager;
+    }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/ErrorMapper.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/ErrorMapper.cs
new file mode 100644
index 0000000000..c66d366de5
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/ErrorMapper.cs
@@ -0,0 +1,37 @@
+using Bit.Core.AdminConsole.Errors;
+using Bit.Core.Exceptions;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Errors;
+
+public static class ErrorMapper
+{
+
+    /// <summary>
+    /// Maps the ErrorT to a Bit.Exception class.
+    /// </summary>
+    /// <param name="error"></param>
+    /// <typeparam name="T"></typeparam>
+    /// <returns></returns>
+    public static Exception MapToBitException<T>(Error<T> error) =>
+        error switch
+        {
+            UserAlreadyExistsError alreadyExistsError => new ConflictException(alreadyExistsError.Message),
+            _ => new BadRequestException(error.Message)
+        };
+
+    /// <summary>
+    /// This maps the ErrorT object to the Bit.Exception class.
+    ///
+    /// This should be replaced by an IActionResult mapper when possible.
+    /// </summary>
+    /// <param name="errors"></param>
+    /// <typeparam name="T"></typeparam>
+    /// <returns></returns>
+    public static Exception MapToBitException<T>(ICollection<Error<T>> errors) =>
+        errors switch
+        {
+            not null when errors.Count == 1 => MapToBitException(errors.First()),
+            not null when errors.Count > 1 => new BadRequestException(string.Join(' ', errors.Select(e => e.Message))),
+            _ => new BadRequestException()
+        };
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/FailedToInviteUsersError.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/FailedToInviteUsersError.cs
new file mode 100644
index 0000000000..810ef744c9
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/FailedToInviteUsersError.cs
@@ -0,0 +1,9 @@
+using Bit.Core.AdminConsole.Errors;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Errors;
+
+public record FailedToInviteUsersError(InviteOrganizationUsersResponse Response) : Error<InviteOrganizationUsersResponse>(Code, Response)
+{
+    public const string Code = "Failed to invite users";
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/NoUsersToInviteError.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/NoUsersToInviteError.cs
new file mode 100644
index 0000000000..52697572e6
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/NoUsersToInviteError.cs
@@ -0,0 +1,9 @@
+using Bit.Core.AdminConsole.Errors;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Errors;
+
+public record NoUsersToInviteError(InviteOrganizationUsersResponse Response) : Error<InviteOrganizationUsersResponse>(Code, Response)
+{
+    public const string Code = "No users to invite";
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/UserAlreadyExistsError.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/UserAlreadyExistsError.cs
new file mode 100644
index 0000000000..475ad4a886
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/UserAlreadyExistsError.cs
@@ -0,0 +1,9 @@
+using Bit.Core.AdminConsole.Errors;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Errors;
+
+public record UserAlreadyExistsError(ScimInviteOrganizationUsersResponse Response) : Error<ScimInviteOrganizationUsersResponse>(Code, Response)
+{
+    public const string Code = "User already exists";
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/IInviteOrganizationUsersCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/IInviteOrganizationUsersCommand.cs
new file mode 100644
index 0000000000..3e4c7652a5
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/IInviteOrganizationUsersCommand.cs
@@ -0,0 +1,22 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+using Bit.Core.Models.Commands;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+
+/// <summary>
+/// Defines the contract for inviting organization users via SCIM (System for Cross-domain Identity Management).
+/// Provides functionality for handling single email invitation requests within an organization context.
+/// </summary>
+public interface IInviteOrganizationUsersCommand
+{
+    /// <summary>
+    /// Sends an invitation to add an organization user via SCIM (System for Cross-domain Identity Management) system.
+    /// This can be a Success or a Failure. Failure will contain the Error along with a representation of the errored value.
+    /// Success will be the successful return object.
+    /// </summary>
+    /// <param name="request">
+    /// Contains the details for inviting a single organization user via email.
+    /// </param>
+    /// <returns>Response from InviteScimOrganiation<see cref="ScimInviteOrganizationUsersResponse"/></returns>
+    Task<CommandResult<ScimInviteOrganizationUsersResponse>> InviteScimOrganizationUserAsync(InviteOrganizationUsersRequest request);
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/ISendOrganizationInvitesCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/ISendOrganizationInvitesCommand.cs
new file mode 100644
index 0000000000..090317640f
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/ISendOrganizationInvitesCommand.cs
@@ -0,0 +1,16 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+
+/// <summary>
+/// This is for sending the invite to an organization user.
+/// </summary>
+public interface ISendOrganizationInvitesCommand
+{
+    /// <summary>
+    /// This sends emails out to organization users for a given organization.
+    /// </summary>
+    /// <param name="request"><see cref="SendInvitesRequest"/></param>
+    /// <returns></returns>
+    Task SendInvitesAsync(SendInvitesRequest request);
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/InviteOrganizationUsersCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/InviteOrganizationUsersCommand.cs
new file mode 100644
index 0000000000..4eacb9386a
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/InviteOrganizationUsersCommand.cs
@@ -0,0 +1,282 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Enums.Provider;
+using Bit.Core.AdminConsole.Errors;
+using Bit.Core.AdminConsole.Interfaces;
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Errors;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.AdminConsole.Shared.Validation;
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Models.Business;
+using Bit.Core.Models.Commands;
+using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Tools.Enums;
+using Bit.Core.Tools.Models.Business;
+using Bit.Core.Tools.Services;
+using Microsoft.Extensions.Logging;
+using OrganizationUserInvite = Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models.OrganizationUserInvite;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+
+public class InviteOrganizationUsersCommand(IEventService eventService,
+    IOrganizationUserRepository organizationUserRepository,
+    IInviteUsersValidator inviteUsersValidator,
+    IPaymentService paymentService,
+    IOrganizationRepository organizationRepository,
+    IReferenceEventService referenceEventService,
+    ICurrentContext currentContext,
+    IApplicationCacheService applicationCacheService,
+    IMailService mailService,
+    ILogger<InviteOrganizationUsersCommand> logger,
+    IUpdateSecretsManagerSubscriptionCommand updateSecretsManagerSubscriptionCommand,
+    ISendOrganizationInvitesCommand sendOrganizationInvitesCommand,
+    IProviderOrganizationRepository providerOrganizationRepository,
+    IProviderUserRepository providerUserRepository
+    ) : IInviteOrganizationUsersCommand
+{
+
+    public const string IssueNotifyingOwnersOfSeatLimitReached = "Error encountered notifying organization owners of seat limit reached.";
+
+    public async Task<CommandResult<ScimInviteOrganizationUsersResponse>> InviteScimOrganizationUserAsync(InviteOrganizationUsersRequest request)
+    {
+        var result = await InviteOrganizationUsersAsync(request);
+
+        switch (result)
+        {
+            case Failure<InviteOrganizationUsersResponse> failure:
+                return new Failure<ScimInviteOrganizationUsersResponse>(
+                    failure.Errors.Select(error => new Error<ScimInviteOrganizationUsersResponse>(error.Message,
+                        new ScimInviteOrganizationUsersResponse
+                        {
+                            InvitedUser = error.ErroredValue.InvitedUsers.FirstOrDefault()
+                        })));
+
+            case Success<InviteOrganizationUsersResponse> success when success.Value.InvitedUsers.Any():
+                var user = success.Value.InvitedUsers.First();
+
+                await eventService.LogOrganizationUserEventAsync<IOrganizationUser>(
+                    organizationUser: user,
+                    type: EventType.OrganizationUser_Invited,
+                    systemUser: EventSystemUser.SCIM,
+                    date: request.PerformedAt.UtcDateTime);
+
+                return new Success<ScimInviteOrganizationUsersResponse>(new ScimInviteOrganizationUsersResponse
+                {
+                    InvitedUser = user
+                });
+
+            default:
+                return new Failure<ScimInviteOrganizationUsersResponse>(
+                    new InvalidResultTypeError<ScimInviteOrganizationUsersResponse>(
+                        new ScimInviteOrganizationUsersResponse()));
+        }
+    }
+
+    private async Task<CommandResult<InviteOrganizationUsersResponse>> InviteOrganizationUsersAsync(InviteOrganizationUsersRequest request)
+    {
+        var invitesToSend = (await FilterExistingUsersAsync(request)).ToArray();
+
+        if (invitesToSend.Length == 0)
+        {
+            return new Failure<InviteOrganizationUsersResponse>(new NoUsersToInviteError(
+                new InviteOrganizationUsersResponse(request.InviteOrganization.OrganizationId)));
+        }
+
+        var validationResult = await inviteUsersValidator.ValidateAsync(new InviteOrganizationUsersValidationRequest
+        {
+            Invites = invitesToSend.ToArray(),
+            InviteOrganization = request.InviteOrganization,
+            PerformedBy = request.PerformedBy,
+            PerformedAt = request.PerformedAt,
+            OccupiedPmSeats = await organizationUserRepository.GetOccupiedSeatCountByOrganizationIdAsync(request.InviteOrganization.OrganizationId),
+            OccupiedSmSeats = await organizationUserRepository.GetOccupiedSmSeatCountByOrganizationIdAsync(request.InviteOrganization.OrganizationId)
+        });
+
+        if (validationResult is Invalid<InviteOrganizationUsersValidationRequest> invalid)
+        {
+            return invalid.MapToFailure(r => new InviteOrganizationUsersResponse(r));
+        }
+
+        var validatedRequest = validationResult as Valid<InviteOrganizationUsersValidationRequest>;
+
+        var organizationUserToInviteEntities = invitesToSend
+            .Select(x => x.MapToDataModel(request.PerformedAt, validatedRequest!.Value.InviteOrganization))
+            .ToArray();
+
+        var organization = await organizationRepository.GetByIdAsync(validatedRequest!.Value.InviteOrganization.OrganizationId);
+
+        try
+        {
+            await organizationUserRepository.CreateManyAsync(organizationUserToInviteEntities);
+
+            await AdjustPasswordManagerSeatsAsync(validatedRequest, organization);
+
+            await AdjustSecretsManagerSeatsAsync(validatedRequest);
+
+            await SendAdditionalEmailsAsync(validatedRequest, organization);
+
+            await SendInvitesAsync(organizationUserToInviteEntities, organization);
+
+            await PublishReferenceEventAsync(validatedRequest, organization);
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, FailedToInviteUsersError.Code);
+
+            await organizationUserRepository.DeleteManyAsync(organizationUserToInviteEntities.Select(x => x.OrganizationUser.Id));
+
+            // Do this first so that SmSeats never exceed PM seats (due to current billing requirements)
+            await RevertSecretsManagerChangesAsync(validatedRequest, organization, validatedRequest.Value.InviteOrganization.SmSeats);
+
+            await RevertPasswordManagerChangesAsync(validatedRequest, organization);
+
+            return new Failure<InviteOrganizationUsersResponse>(
+                new FailedToInviteUsersError(
+                    new InviteOrganizationUsersResponse(validatedRequest.Value)));
+        }
+
+        return new Success<InviteOrganizationUsersResponse>(
+            new InviteOrganizationUsersResponse(
+                invitedOrganizationUsers: organizationUserToInviteEntities.Select(x => x.OrganizationUser).ToArray(),
+                organizationId: organization!.Id));
+    }
+
+    private async Task<IEnumerable<OrganizationUserInvite>> FilterExistingUsersAsync(InviteOrganizationUsersRequest request)
+    {
+        var existingEmails = new HashSet<string>(await organizationUserRepository.SelectKnownEmailsAsync(
+                request.InviteOrganization.OrganizationId, request.Invites.Select(i => i.Email), false),
+            StringComparer.OrdinalIgnoreCase);
+
+        return request.Invites
+            .Where(invite => !existingEmails.Contains(invite.Email))
+            .ToArray();
+    }
+
+    private async Task RevertPasswordManagerChangesAsync(Valid<InviteOrganizationUsersValidationRequest> validatedResult, Organization organization)
+    {
+        if (validatedResult.Value.PasswordManagerSubscriptionUpdate.SeatsRequiredToAdd > 0)
+        {
+            // When reverting seats, we have to tell payments service that the seats are going back down by what we attempted to add.
+            // However, this might lead to a problem if we don't actually update stripe but throw any ways.
+            // stripe could not be updated, and then we would decrement the number of seats in stripe accidentally.
+            var seatsToRemove = validatedResult.Value.PasswordManagerSubscriptionUpdate.SeatsRequiredToAdd;
+            await paymentService.AdjustSeatsAsync(organization, validatedResult.Value.InviteOrganization.Plan, -seatsToRemove);
+
+            organization.Seats = (short?)validatedResult.Value.PasswordManagerSubscriptionUpdate.Seats;
+
+            await organizationRepository.ReplaceAsync(organization);
+            await applicationCacheService.UpsertOrganizationAbilityAsync(organization);
+        }
+    }
+
+    private async Task RevertSecretsManagerChangesAsync(Valid<InviteOrganizationUsersValidationRequest> validatedResult, Organization organization, int? initialSmSeats)
+    {
+        if (validatedResult.Value.SecretsManagerSubscriptionUpdate?.SmSeatsChanged is true)
+        {
+            var smSubscriptionUpdateRevert = new SecretsManagerSubscriptionUpdate(
+                organization: organization,
+                plan: validatedResult.Value.InviteOrganization.Plan,
+                autoscaling: false)
+            {
+                SmSeats = initialSmSeats
+            };
+
+            await updateSecretsManagerSubscriptionCommand.UpdateSubscriptionAsync(smSubscriptionUpdateRevert);
+        }
+    }
+
+    private async Task PublishReferenceEventAsync(Valid<InviteOrganizationUsersValidationRequest> validatedResult,
+        Organization organization) =>
+        await referenceEventService.RaiseEventAsync(
+            new ReferenceEvent(ReferenceEventType.InvitedUsers, organization, currentContext)
+            {
+                Users = validatedResult.Value.Invites.Length
+            });
+
+    private async Task SendInvitesAsync(IEnumerable<CreateOrganizationUser> users, Organization organization) =>
+        await sendOrganizationInvitesCommand.SendInvitesAsync(
+            new SendInvitesRequest(
+                users.Select(x => x.OrganizationUser),
+                organization));
+
+    private async Task SendAdditionalEmailsAsync(Valid<InviteOrganizationUsersValidationRequest> validatedResult, Organization organization)
+    {
+        await SendPasswordManagerMaxSeatLimitEmailsAsync(validatedResult, organization);
+    }
+
+    private async Task SendPasswordManagerMaxSeatLimitEmailsAsync(Valid<InviteOrganizationUsersValidationRequest> validatedResult, Organization organization)
+    {
+        if (!validatedResult.Value.PasswordManagerSubscriptionUpdate.MaxSeatsReached)
+        {
+            return;
+        }
+
+        try
+        {
+            var ownerEmails = await GetOwnerEmailAddressesAsync(validatedResult.Value.InviteOrganization);
+
+            await mailService.SendOrganizationMaxSeatLimitReachedEmailAsync(organization,
+                validatedResult.Value.PasswordManagerSubscriptionUpdate.MaxAutoScaleSeats!.Value, ownerEmails);
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, IssueNotifyingOwnersOfSeatLimitReached);
+        }
+    }
+
+    private async Task<IEnumerable<string>> GetOwnerEmailAddressesAsync(InviteOrganization organization)
+    {
+        var providerOrganization = await providerOrganizationRepository
+            .GetByOrganizationId(organization.OrganizationId);
+
+        if (providerOrganization == null)
+        {
+            return (await organizationUserRepository
+                    .GetManyByMinimumRoleAsync(organization.OrganizationId, OrganizationUserType.Owner))
+                .Select(x => x.Email)
+                .Distinct();
+        }
+
+        return (await providerUserRepository
+                .GetManyDetailsByProviderAsync(providerOrganization.ProviderId, ProviderUserStatusType.Confirmed))
+            .Select(u => u.Email).Distinct();
+    }
+
+    private async Task AdjustSecretsManagerSeatsAsync(Valid<InviteOrganizationUsersValidationRequest> validatedResult)
+    {
+        if (validatedResult.Value.SecretsManagerSubscriptionUpdate?.SmSeatsChanged is true)
+        {
+            await updateSecretsManagerSubscriptionCommand.UpdateSubscriptionAsync(validatedResult.Value.SecretsManagerSubscriptionUpdate);
+        }
+
+    }
+
+    private async Task AdjustPasswordManagerSeatsAsync(Valid<InviteOrganizationUsersValidationRequest> validatedResult, Organization organization)
+    {
+        if (validatedResult.Value.PasswordManagerSubscriptionUpdate.SeatsRequiredToAdd <= 0)
+        {
+            return;
+        }
+
+        await paymentService.AdjustSeatsAsync(organization, validatedResult.Value.InviteOrganization.Plan, validatedResult.Value.PasswordManagerSubscriptionUpdate.SeatsRequiredToAdd);
+
+        organization.Seats = (short?)validatedResult.Value.PasswordManagerSubscriptionUpdate.UpdatedSeatTotal;
+
+        await organizationRepository.ReplaceAsync(organization); // could optimize this with only a property update
+        await applicationCacheService.UpsertOrganizationAbilityAsync(organization);
+
+        await referenceEventService.RaiseEventAsync(
+            new ReferenceEvent(ReferenceEventType.AdjustSeats, organization, currentContext)
+            {
+                PlanName = validatedResult.Value.InviteOrganization.Plan.Name,
+                PlanType = validatedResult.Value.InviteOrganization.Plan.Type,
+                Seats = validatedResult.Value.PasswordManagerSubscriptionUpdate.UpdatedSeatTotal,
+                PreviousSeats = validatedResult.Value.PasswordManagerSubscriptionUpdate.Seats
+            });
+    }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/CreateOrganizationUser.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/CreateOrganizationUser.cs
new file mode 100644
index 0000000000..a55db3958a
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/CreateOrganizationUser.cs
@@ -0,0 +1,15 @@
+using Bit.Core.Entities;
+using Bit.Core.Models.Data;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+/// <summary>
+/// Object for associating the <see cref="OrganizationUser"/> with their assigned collections
+/// <see cref="CollectionAccessSelection"/> and Group Ids.
+/// </summary>
+public class CreateOrganizationUser
+{
+    public OrganizationUser OrganizationUser { get; set; }
+    public CollectionAccessSelection[] Collections { get; set; } = [];
+    public Guid[] Groups { get; set; } = [];
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/CreateOrganizationUserExtensions.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/CreateOrganizationUserExtensions.cs
new file mode 100644
index 0000000000..23c38a51cb
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/CreateOrganizationUserExtensions.cs
@@ -0,0 +1,30 @@
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Utilities;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+public static class CreateOrganizationUserExtensions
+{
+    public static CreateOrganizationUser MapToDataModel(this OrganizationUserInvite organizationUserInvite,
+        DateTimeOffset performedAt,
+        InviteOrganization organization) =>
+        new()
+        {
+            OrganizationUser = new OrganizationUser
+            {
+                Id = CoreHelpers.GenerateComb(),
+                OrganizationId = organization.OrganizationId,
+                Email = organizationUserInvite.Email.ToLowerInvariant(),
+                Type = organizationUserInvite.Type,
+                Status = OrganizationUserStatusType.Invited,
+                AccessSecretsManager = organizationUserInvite.AccessSecretsManager,
+                ExternalId = string.IsNullOrWhiteSpace(organizationUserInvite.ExternalId) ? null : organizationUserInvite.ExternalId,
+                CreationDate = performedAt.UtcDateTime,
+                RevisionDate = performedAt.UtcDateTime
+            },
+            Collections = organizationUserInvite.AssignedCollections,
+            Groups = organizationUserInvite.Groups
+        };
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUserErrorMessages.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUserErrorMessages.cs
new file mode 100644
index 0000000000..bc75e244fc
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUserErrorMessages.cs
@@ -0,0 +1,7 @@
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+public static class InviteOrganizationUserErrorMessages
+{
+    public const string InvalidEmailErrorMessage = "The email address is not valid.";
+    public const string InvalidCollectionConfigurationErrorMessage = "The Manage property is mutually exclusive and cannot be true while the ReadOnly or HidePasswords properties are also true.";
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUsersRequest.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUsersRequest.cs
new file mode 100644
index 0000000000..84b350c551
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUsersRequest.cs
@@ -0,0 +1,22 @@
+using Bit.Core.AdminConsole.Models.Business;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+public class InviteOrganizationUsersRequest
+{
+    public OrganizationUserInvite[] Invites { get; } = [];
+    public InviteOrganization InviteOrganization { get; }
+    public Guid PerformedBy { get; }
+    public DateTimeOffset PerformedAt { get; }
+
+    public InviteOrganizationUsersRequest(OrganizationUserInvite[] invites,
+        InviteOrganization inviteOrganization,
+        Guid performedBy,
+        DateTimeOffset performedAt)
+    {
+        Invites = invites;
+        InviteOrganization = inviteOrganization;
+        PerformedBy = performedBy;
+        PerformedAt = performedAt;
+    }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUsersResponse.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUsersResponse.cs
new file mode 100644
index 0000000000..ac7d864dd4
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUsersResponse.cs
@@ -0,0 +1,42 @@
+using Bit.Core.Entities;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+public class InviteOrganizationUsersResponse(Guid organizationId)
+{
+    public IEnumerable<OrganizationUser> InvitedUsers { get; } = [];
+    public Guid OrganizationId { get; } = organizationId;
+
+    public InviteOrganizationUsersResponse(InviteOrganizationUsersValidationRequest usersValidationRequest)
+        : this(usersValidationRequest.InviteOrganization.OrganizationId)
+    {
+        InvitedUsers = usersValidationRequest.Invites.Select(x => new OrganizationUser { Email = x.Email });
+    }
+
+    public InviteOrganizationUsersResponse(IEnumerable<OrganizationUser> invitedOrganizationUsers, Guid organizationId)
+        : this(organizationId)
+    {
+        InvitedUsers = invitedOrganizationUsers;
+    }
+}
+
+public class ScimInviteOrganizationUsersResponse
+{
+    public OrganizationUser InvitedUser { get; init; }
+
+    public ScimInviteOrganizationUsersResponse()
+    {
+
+    }
+
+    public ScimInviteOrganizationUsersResponse(InviteOrganizationUsersRequest request)
+    {
+        var userToInvite = request.Invites.First();
+
+        InvitedUser = new OrganizationUser
+        {
+            Email = userToInvite.Email,
+            ExternalId = userToInvite.ExternalId
+        };
+    }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUsersValidationRequest.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUsersValidationRequest.cs
new file mode 100644
index 0000000000..f45c705cab
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUsersValidationRequest.cs
@@ -0,0 +1,40 @@
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.PasswordManager;
+using Bit.Core.Models.Business;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+public class InviteOrganizationUsersValidationRequest
+{
+    public InviteOrganizationUsersValidationRequest()
+    {
+    }
+
+    public InviteOrganizationUsersValidationRequest(InviteOrganizationUsersValidationRequest request)
+    {
+        Invites = request.Invites;
+        InviteOrganization = request.InviteOrganization;
+        PerformedBy = request.PerformedBy;
+        PerformedAt = request.PerformedAt;
+        OccupiedPmSeats = request.OccupiedPmSeats;
+        OccupiedSmSeats = request.OccupiedSmSeats;
+    }
+
+    public InviteOrganizationUsersValidationRequest(InviteOrganizationUsersValidationRequest request,
+        PasswordManagerSubscriptionUpdate subscriptionUpdate,
+        SecretsManagerSubscriptionUpdate smSubscriptionUpdate)
+        : this(request)
+    {
+        PasswordManagerSubscriptionUpdate = subscriptionUpdate;
+        SecretsManagerSubscriptionUpdate = smSubscriptionUpdate;
+    }
+
+    public OrganizationUserInvite[] Invites { get; init; } = [];
+    public InviteOrganization InviteOrganization { get; init; }
+    public Guid PerformedBy { get; init; }
+    public DateTimeOffset PerformedAt { get; init; }
+    public int OccupiedPmSeats { get; init; }
+    public int OccupiedSmSeats { get; init; }
+    public PasswordManagerSubscriptionUpdate PasswordManagerSubscriptionUpdate { get; set; }
+    public SecretsManagerSubscriptionUpdate SecretsManagerSubscriptionUpdate { get; set; }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/OrganizationUserInvite.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/OrganizationUserInvite.cs
new file mode 100644
index 0000000000..0b83680aa5
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/OrganizationUserInvite.cs
@@ -0,0 +1,77 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Data;
+using Bit.Core.Utilities;
+using static Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models.InviteOrganizationUserErrorMessages;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+public class OrganizationUserInvite
+{
+    public string Email { get; private init; }
+    public CollectionAccessSelection[] AssignedCollections { get; private init; }
+    public OrganizationUserType Type { get; private init; }
+    public Permissions Permissions { get; private init; }
+    public string ExternalId { get; private init; }
+    public bool AccessSecretsManager { get; private init; }
+    public Guid[] Groups { get; private init; }
+
+    public OrganizationUserInvite(string email, string externalId) :
+        this(
+            email: email,
+            assignedCollections: [],
+            groups: [],
+            type: OrganizationUserType.User,
+            permissions: new Permissions(),
+            externalId: externalId,
+            false)
+    {
+    }
+
+    public OrganizationUserInvite(OrganizationUserInvite invite, bool accessSecretsManager) :
+        this(invite.Email,
+            invite.AssignedCollections,
+            invite.Groups,
+            invite.Type,
+            invite.Permissions,
+            invite.ExternalId,
+            accessSecretsManager)
+    {
+
+    }
+
+    public OrganizationUserInvite(string email,
+        IEnumerable<CollectionAccessSelection> assignedCollections,
+        IEnumerable<Guid> groups,
+        OrganizationUserType type,
+        Permissions permissions,
+        string externalId,
+        bool accessSecretsManager)
+    {
+        ValidateEmailAddress(email);
+
+        var collections = assignedCollections?.ToArray() ?? [];
+
+        if (collections.Any(x => x.IsValidCollectionAccessConfiguration()))
+        {
+            throw new BadRequestException(InvalidCollectionConfigurationErrorMessage);
+        }
+
+        Email = email;
+        AssignedCollections = collections;
+        Groups = groups.ToArray();
+        Type = type;
+        Permissions = permissions ?? new Permissions();
+        ExternalId = externalId;
+        AccessSecretsManager = accessSecretsManager;
+    }
+
+    private static void ValidateEmailAddress(string email)
+    {
+        if (!email.IsValidEmail())
+        {
+            throw new BadRequestException($"{email} {InvalidEmailErrorMessage}");
+        }
+    }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/SendInvitesRequest.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/SendInvitesRequest.cs
new file mode 100644
index 0000000000..2be6430512
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/SendInvitesRequest.cs
@@ -0,0 +1,33 @@
+#nullable enable
+
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Entities;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+/// <summary>
+/// Represents a request to send invitations to a group of organization users.
+/// </summary>
+public class SendInvitesRequest
+{
+    public SendInvitesRequest(IEnumerable<OrganizationUser> users, Organization organization) =>
+        (Users, Organization) = (users.ToArray(), organization);
+
+    public SendInvitesRequest(IEnumerable<OrganizationUser> users, Organization organization, bool initOrganization) =>
+        (Users, Organization, InitOrganization) = (users.ToArray(), organization, initOrganization);
+
+    /// <summary>
+    /// Organization Users to send emails to.
+    /// </summary>
+    public OrganizationUser[] Users { get; set; } = [];
+
+    /// <summary>
+    /// The organization to invite the users to.
+    /// </summary>
+    public Organization Organization { get; init; }
+
+    /// <summary>
+    /// This is for when the organization is being created and this is the owners initial invite
+    /// </summary>
+    public bool InitOrganization { get; init; }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/SendOrganizationInvitesCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/SendOrganizationInvitesCommand.cs
new file mode 100644
index 0000000000..ba85ce1d8a
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/SendOrganizationInvitesCommand.cs
@@ -0,0 +1,80 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Auth.Models.Business;
+using Bit.Core.Auth.Models.Business.Tokenables;
+using Bit.Core.Auth.Repositories;
+using Bit.Core.Entities;
+using Bit.Core.Models.Mail;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Tokens;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+
+public class SendOrganizationInvitesCommand(
+    IUserRepository userRepository,
+    ISsoConfigRepository ssoConfigurationRepository,
+    IPolicyRepository policyRepository,
+    IOrgUserInviteTokenableFactory orgUserInviteTokenableFactory,
+    IDataProtectorTokenFactory<OrgUserInviteTokenable> dataProtectorTokenFactory,
+    IMailService mailService) : ISendOrganizationInvitesCommand
+{
+    public async Task SendInvitesAsync(SendInvitesRequest request)
+    {
+        var orgInvitesInfo = await BuildOrganizationInvitesInfoAsync(request.Users, request.Organization, request.InitOrganization);
+
+        await mailService.SendOrganizationInviteEmailsAsync(orgInvitesInfo);
+    }
+
+    private async Task<OrganizationInvitesInfo> BuildOrganizationInvitesInfoAsync(IEnumerable<OrganizationUser> orgUsers,
+        Organization organization, bool initOrganization = false)
+    {
+        // Materialize the sequence into a list to avoid multiple enumeration warnings
+        var orgUsersList = orgUsers.ToList();
+
+        // Email links must include information about the org and user for us to make routing decisions client side
+        // Given an org user, determine if existing BW user exists
+        var orgUserEmails = orgUsersList.Select(ou => ou.Email).ToList();
+        var existingUsers = await userRepository.GetManyByEmailsAsync(orgUserEmails);
+
+        // hash existing users emails list for O(1) lookups
+        var existingUserEmailsHashSet = new HashSet<string>(existingUsers.Select(u => u.Email));
+
+        // Create a dictionary of org user guids and bools for whether or not they have an existing BW user
+        var orgUserHasExistingUserDict = orgUsersList.ToDictionary(
+            ou => ou.Id,
+            ou => existingUserEmailsHashSet.Contains(ou.Email)
+        );
+
+        // Determine if org has SSO enabled and if user is required to login with SSO
+        // Note: we only want to call the DB after checking if the org can use SSO per plan and if they have any policies enabled.
+        var orgSsoEnabled = organization.UseSso && (await ssoConfigurationRepository.GetByOrganizationIdAsync(organization.Id))?.Enabled == true;
+        // Even though the require SSO policy can be turned on regardless of SSO being enabled, for this logic, we only
+        // need to check the policy if the org has SSO enabled.
+        var orgSsoLoginRequiredPolicyEnabled = orgSsoEnabled &&
+                                               organization.UsePolicies &&
+                                               (await policyRepository.GetByOrganizationIdTypeAsync(organization.Id, PolicyType.RequireSso))?.Enabled == true;
+
+        // Generate the list of org users and expiring tokens
+        // create helper function to create expiring tokens
+        (OrganizationUser, ExpiringToken) MakeOrgUserExpiringTokenPair(OrganizationUser orgUser)
+        {
+            var orgUserInviteTokenable = orgUserInviteTokenableFactory.CreateToken(orgUser);
+            var protectedToken = dataProtectorTokenFactory.Protect(orgUserInviteTokenable);
+            return (orgUser, new ExpiringToken(protectedToken, orgUserInviteTokenable.ExpirationDate));
+        }
+
+        var orgUsersWithExpTokens = orgUsers.Select(MakeOrgUserExpiringTokenPair);
+
+        return new OrganizationInvitesInfo(
+            organization,
+            orgSsoEnabled,
+            orgSsoLoginRequiredPolicyEnabled,
+            orgUsersWithExpTokens,
+            orgUserHasExistingUserDict,
+            initOrganization
+        );
+    }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/CollectionAccessSelectionExtensions.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/CollectionAccessSelectionExtensions.cs
new file mode 100644
index 0000000000..7500ade672
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/CollectionAccessSelectionExtensions.cs
@@ -0,0 +1,12 @@
+using Bit.Core.Models.Data;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation;
+
+public static class CollectionAccessSelectionExtensions
+{
+    /// <summary>
+    /// This validates the permissions on the given assigned collection
+    /// </summary>
+    public static bool IsValidCollectionAccessConfiguration(this CollectionAccessSelection collectionAccessSelection) =>
+        collectionAccessSelection.Manage && (collectionAccessSelection.ReadOnly || collectionAccessSelection.HidePasswords);
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/GlobalSettings/CannotAutoScaleOnSelfHostError.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/GlobalSettings/CannotAutoScaleOnSelfHostError.cs
new file mode 100644
index 0000000000..0624ffe027
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/GlobalSettings/CannotAutoScaleOnSelfHostError.cs
@@ -0,0 +1,8 @@
+using Bit.Core.AdminConsole.Errors;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.GlobalSettings;
+
+public record CannotAutoScaleOnSelfHostError(EnvironmentRequest Invalid) : Error<EnvironmentRequest>(Code, Invalid)
+{
+    public const string Code = "Cannot auto scale self-host.";
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/GlobalSettings/EnvironmentRequest.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/GlobalSettings/EnvironmentRequest.cs
new file mode 100644
index 0000000000..9c1ff43d17
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/GlobalSettings/EnvironmentRequest.cs
@@ -0,0 +1,18 @@
+#nullable enable
+
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.PasswordManager;
+using Bit.Core.Settings;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.GlobalSettings;
+
+public class EnvironmentRequest
+{
+    public bool IsSelfHosted { get; init; }
+    public PasswordManagerSubscriptionUpdate PasswordManagerSubscriptionUpdate { get; init; }
+
+    public EnvironmentRequest(IGlobalSettings globalSettings, PasswordManagerSubscriptionUpdate passwordManagerSubscriptionUpdate)
+    {
+        IsSelfHosted = globalSettings.SelfHosted;
+        PasswordManagerSubscriptionUpdate = passwordManagerSubscriptionUpdate;
+    }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/GlobalSettings/InviteUsersEnvironmentValidator.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/GlobalSettings/InviteUsersEnvironmentValidator.cs
new file mode 100644
index 0000000000..fd0441753a
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/GlobalSettings/InviteUsersEnvironmentValidator.cs
@@ -0,0 +1,14 @@
+using Bit.Core.AdminConsole.Shared.Validation;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.GlobalSettings;
+
+public interface IInviteUsersEnvironmentValidator : IValidator<EnvironmentRequest>;
+
+public class InviteUsersEnvironmentValidator : IInviteUsersEnvironmentValidator
+{
+    public Task<ValidationResult<EnvironmentRequest>> ValidateAsync(EnvironmentRequest value) =>
+        Task.FromResult<ValidationResult<EnvironmentRequest>>(
+            value.IsSelfHosted && value.PasswordManagerSubscriptionUpdate.SeatsRequiredToAdd > 0 ?
+                new Invalid<EnvironmentRequest>(new CannotAutoScaleOnSelfHostError(value)) :
+                new Valid<EnvironmentRequest>(value));
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/InviteOrganizationUserValidator.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/InviteOrganizationUserValidator.cs
new file mode 100644
index 0000000000..79a3487d19
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/InviteOrganizationUserValidator.cs
@@ -0,0 +1,108 @@
+using Bit.Core.AdminConsole.Errors;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.PasswordManager;
+using Bit.Core.AdminConsole.Shared.Validation;
+using Bit.Core.Models.Business;
+using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using OrganizationUserInvite = Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models.OrganizationUserInvite;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation;
+
+public interface IInviteUsersValidator : IValidator<InviteOrganizationUsersValidationRequest>;
+
+public class InviteOrganizationUsersValidator(
+    IOrganizationRepository organizationRepository,
+    IInviteUsersPasswordManagerValidator inviteUsersPasswordManagerValidator,
+    IUpdateSecretsManagerSubscriptionCommand secretsManagerSubscriptionCommand,
+    IPaymentService paymentService) : IInviteUsersValidator
+{
+    public async Task<ValidationResult<InviteOrganizationUsersValidationRequest>> ValidateAsync(
+        InviteOrganizationUsersValidationRequest request)
+    {
+        var subscriptionUpdate = new PasswordManagerSubscriptionUpdate(request);
+
+        var passwordManagerValidationResult =
+            await inviteUsersPasswordManagerValidator.ValidateAsync(subscriptionUpdate);
+
+        if (passwordManagerValidationResult is Invalid<PasswordManagerSubscriptionUpdate> invalidSubscriptionUpdate)
+        {
+            return invalidSubscriptionUpdate.Map(request);
+        }
+
+        // If the organization has the Secrets Manager Standalone Discount, all users are added to secrets manager.
+        // This is an expensive call, so we're doing it now to delay the check as long as possible.
+        if (await paymentService.HasSecretsManagerStandalone(request.InviteOrganization))
+        {
+            request = new InviteOrganizationUsersValidationRequest(request)
+            {
+                Invites = request.Invites
+                    .Select(x => new OrganizationUserInvite(x, accessSecretsManager: true))
+                    .ToArray()
+            };
+        }
+
+        if (request.InviteOrganization.UseSecretsManager && request.Invites.Any(x => x.AccessSecretsManager))
+        {
+            return await ValidateSecretsManagerSubscriptionUpdateAsync(request, subscriptionUpdate);
+        }
+
+        return new Valid<InviteOrganizationUsersValidationRequest>(new InviteOrganizationUsersValidationRequest(
+            request,
+            subscriptionUpdate,
+            null));
+    }
+
+    private async Task<ValidationResult<InviteOrganizationUsersValidationRequest>> ValidateSecretsManagerSubscriptionUpdateAsync(
+            InviteOrganizationUsersValidationRequest request,
+            PasswordManagerSubscriptionUpdate subscriptionUpdate)
+    {
+        try
+        {
+
+            var smSubscriptionUpdate = new SecretsManagerSubscriptionUpdate(
+                organization: await organizationRepository.GetByIdAsync(request.InviteOrganization.OrganizationId),
+                plan: request.InviteOrganization.Plan,
+                autoscaling: true);
+
+            var seatsToAdd = GetSecretManagerSeatAdjustment(request);
+
+            if (seatsToAdd > 0)
+            {
+                smSubscriptionUpdate.AdjustSeats(seatsToAdd);
+
+                await secretsManagerSubscriptionCommand.ValidateUpdateAsync(smSubscriptionUpdate);
+            }
+
+            return new Valid<InviteOrganizationUsersValidationRequest>(new InviteOrganizationUsersValidationRequest(
+                request,
+                subscriptionUpdate,
+                smSubscriptionUpdate));
+        }
+        catch (Exception ex)
+        {
+            return new Invalid<InviteOrganizationUsersValidationRequest>(
+                new Error<InviteOrganizationUsersValidationRequest>(ex.Message, request));
+        }
+    }
+
+    /// <summary>
+    /// This calculates the number of SM seats to add to the organization seat total.
+    ///
+    /// If they have a current seat limit (it can be null), we want to figure out how many are available (seats -
+    /// occupied seats). Then, we'll subtract the available seats from the number of users we're trying to invite.
+    ///
+    /// If it's negative, we have available seats and do not need to increase, so we go with 0.
+    /// </summary>
+    /// <param name="request"></param>
+    /// <returns></returns>
+    private static int GetSecretManagerSeatAdjustment(InviteOrganizationUsersValidationRequest request) =>
+        request.InviteOrganization.SmSeats.HasValue
+            ? Math.Max(
+                request.Invites.Count(x => x.AccessSecretsManager) -
+                (request.InviteOrganization.SmSeats.Value -
+                 request.OccupiedSmSeats),
+                0)
+            : 0;
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Organization/Errors.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Organization/Errors.cs
new file mode 100644
index 0000000000..5d072ca17d
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Organization/Errors.cs
@@ -0,0 +1,16 @@
+using Bit.Core.AdminConsole.Errors;
+using Bit.Core.AdminConsole.Models.Business;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Organization;
+
+public record OrganizationNoPaymentMethodFoundError(InviteOrganization InvalidRequest)
+    : Error<InviteOrganization>(Code, InvalidRequest)
+{
+    public const string Code = "No payment method found.";
+}
+
+public record OrganizationNoSubscriptionFoundError(InviteOrganization InvalidRequest)
+    : Error<InviteOrganization>(Code, InvalidRequest)
+{
+    public const string Code = "No subscription found.";
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Organization/InviteUsersOrganizationValidator.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Organization/InviteUsersOrganizationValidator.cs
new file mode 100644
index 0000000000..9e2ca8d9a6
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Organization/InviteUsersOrganizationValidator.cs
@@ -0,0 +1,32 @@
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.AdminConsole.Shared.Validation;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Organization;
+
+public interface IInviteUsersOrganizationValidator : IValidator<InviteOrganization>;
+
+public class InviteUsersOrganizationValidator : IInviteUsersOrganizationValidator
+{
+    public Task<ValidationResult<InviteOrganization>> ValidateAsync(InviteOrganization inviteOrganization)
+    {
+        if (inviteOrganization.Seats is null)
+        {
+            return Task.FromResult<ValidationResult<InviteOrganization>>(
+                new Valid<InviteOrganization>(inviteOrganization));
+        }
+
+        if (string.IsNullOrWhiteSpace(inviteOrganization.GatewayCustomerId))
+        {
+            return Task.FromResult<ValidationResult<InviteOrganization>>(
+                new Invalid<InviteOrganization>(new OrganizationNoPaymentMethodFoundError(inviteOrganization)));
+        }
+
+        if (string.IsNullOrWhiteSpace(inviteOrganization.GatewaySubscriptionId))
+        {
+            return Task.FromResult<ValidationResult<InviteOrganization>>(
+                new Invalid<InviteOrganization>(new OrganizationNoSubscriptionFoundError(inviteOrganization)));
+        }
+
+        return Task.FromResult<ValidationResult<InviteOrganization>>(new Valid<InviteOrganization>(inviteOrganization));
+    }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/PasswordManager/Errors.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/PasswordManager/Errors.cs
new file mode 100644
index 0000000000..6ff7181456
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/PasswordManager/Errors.cs
@@ -0,0 +1,30 @@
+using Bit.Core.AdminConsole.Errors;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.PasswordManager;
+
+public record PasswordManagerSeatLimitHasBeenReachedError(PasswordManagerSubscriptionUpdate InvalidRequest)
+    : Error<PasswordManagerSubscriptionUpdate>(Code, InvalidRequest)
+{
+    public const string Code = "Seat limit has been reached.";
+}
+
+public record PasswordManagerPlanDoesNotAllowAdditionalSeatsError(PasswordManagerSubscriptionUpdate InvalidRequest)
+    : Error<PasswordManagerSubscriptionUpdate>(Code, InvalidRequest)
+{
+    public const string Code = "Plan does not allow additional seats.";
+}
+
+public record PasswordManagerPlanOnlyAllowsMaxAdditionalSeatsError(PasswordManagerSubscriptionUpdate InvalidRequest)
+    : Error<PasswordManagerSubscriptionUpdate>(GetErrorMessage(InvalidRequest), InvalidRequest)
+{
+    private static string GetErrorMessage(PasswordManagerSubscriptionUpdate invalidRequest) =>
+        string.Format(Code, invalidRequest.PasswordManagerPlan.MaxAdditionalSeats);
+
+    public const string Code = "Organization plan allows a maximum of {0} additional seats.";
+}
+
+public record PasswordManagerMustHaveSeatsError(PasswordManagerSubscriptionUpdate InvalidRequest)
+    : Error<PasswordManagerSubscriptionUpdate>(Code, InvalidRequest)
+{
+    public const string Code = "You do not have any Password Manager seats!";
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/PasswordManager/InviteUsersPasswordManagerValidator.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/PasswordManager/InviteUsersPasswordManagerValidator.cs
new file mode 100644
index 0000000000..1867a2808e
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/PasswordManager/InviteUsersPasswordManagerValidator.cs
@@ -0,0 +1,117 @@
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.GlobalSettings;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Models;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Organization;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Provider;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.AdminConsole.Shared.Validation;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Settings;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.PasswordManager;
+
+public interface IInviteUsersPasswordManagerValidator : IValidator<PasswordManagerSubscriptionUpdate>;
+
+public class InviteUsersPasswordManagerValidator(
+    IGlobalSettings globalSettings,
+    IInviteUsersEnvironmentValidator inviteUsersEnvironmentValidator,
+    IInviteUsersOrganizationValidator inviteUsersOrganizationValidator,
+    IProviderRepository providerRepository,
+    IPaymentService paymentService,
+    IOrganizationRepository organizationRepository
+    ) : IInviteUsersPasswordManagerValidator
+{
+    /// <summary>
+    /// This is for validating if the organization can add additional users.
+    /// </summary>
+    /// <param name="subscriptionUpdate"></param>
+    /// <returns></returns>
+    public static ValidationResult<PasswordManagerSubscriptionUpdate> ValidatePasswordManager(PasswordManagerSubscriptionUpdate subscriptionUpdate)
+    {
+        if (subscriptionUpdate.Seats is null)
+        {
+            return new Valid<PasswordManagerSubscriptionUpdate>(subscriptionUpdate);
+        }
+
+        if (subscriptionUpdate.SeatsRequiredToAdd == 0)
+        {
+            return new Valid<PasswordManagerSubscriptionUpdate>(subscriptionUpdate);
+        }
+
+        if (subscriptionUpdate.PasswordManagerPlan.BaseSeats + subscriptionUpdate.SeatsRequiredToAdd <= 0)
+        {
+            return new Invalid<PasswordManagerSubscriptionUpdate>(new PasswordManagerMustHaveSeatsError(subscriptionUpdate));
+        }
+
+        if (subscriptionUpdate.MaxSeatsReached)
+        {
+            return new Invalid<PasswordManagerSubscriptionUpdate>(
+                new PasswordManagerSeatLimitHasBeenReachedError(subscriptionUpdate));
+        }
+
+        if (subscriptionUpdate.PasswordManagerPlan.HasAdditionalSeatsOption is false)
+        {
+            return new Invalid<PasswordManagerSubscriptionUpdate>(
+                new PasswordManagerPlanDoesNotAllowAdditionalSeatsError(subscriptionUpdate));
+        }
+
+        // Apparently MaxAdditionalSeats is never set. Can probably be removed.
+        if (subscriptionUpdate.UpdatedSeatTotal - subscriptionUpdate.PasswordManagerPlan.BaseSeats > subscriptionUpdate.PasswordManagerPlan.MaxAdditionalSeats)
+        {
+            return new Invalid<PasswordManagerSubscriptionUpdate>(
+                new PasswordManagerPlanOnlyAllowsMaxAdditionalSeatsError(subscriptionUpdate));
+        }
+
+        return new Valid<PasswordManagerSubscriptionUpdate>(subscriptionUpdate);
+    }
+
+    public async Task<ValidationResult<PasswordManagerSubscriptionUpdate>> ValidateAsync(PasswordManagerSubscriptionUpdate request)
+    {
+        switch (ValidatePasswordManager(request))
+        {
+            case Valid<PasswordManagerSubscriptionUpdate> valid
+                when valid.Value.SeatsRequiredToAdd is 0:
+                return new Valid<PasswordManagerSubscriptionUpdate>(request);
+
+            case Invalid<PasswordManagerSubscriptionUpdate> invalid:
+                return invalid;
+        }
+
+        if (await inviteUsersEnvironmentValidator.ValidateAsync(new EnvironmentRequest(globalSettings, request)) is Invalid<EnvironmentRequest> invalidEnvironment)
+        {
+            return invalidEnvironment.Map(request);
+        }
+
+        var organizationValidationResult = await inviteUsersOrganizationValidator.ValidateAsync(request.InviteOrganization);
+
+        if (organizationValidationResult is Invalid<InviteOrganization> organizationValidation)
+        {
+            return organizationValidation.Map(request);
+        }
+
+        var provider = await providerRepository.GetByOrganizationIdAsync(request.InviteOrganization.OrganizationId);
+        if (provider is not null)
+        {
+            var providerValidationResult = InvitingUserOrganizationProviderValidator.Validate(new InviteOrganizationProvider(provider));
+
+            if (providerValidationResult is Invalid<InviteOrganizationProvider> invalidProviderValidation)
+            {
+                return invalidProviderValidation.Map(request);
+            }
+        }
+
+        var paymentSubscription = await paymentService.GetSubscriptionAsync(
+            await organizationRepository.GetByIdAsync(request.InviteOrganization.OrganizationId));
+
+        var paymentValidationResult = InviteUserPaymentValidation.Validate(
+            new PaymentsSubscription(paymentSubscription, request.InviteOrganization));
+
+        if (paymentValidationResult is Invalid<PaymentsSubscription> invalidPaymentValidation)
+        {
+            return invalidPaymentValidation.Map(request);
+        }
+
+        return new Valid<PasswordManagerSubscriptionUpdate>(request);
+    }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/PasswordManager/PasswordManagerSubscriptionUpdate.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/PasswordManager/PasswordManagerSubscriptionUpdate.cs
new file mode 100644
index 0000000000..f6126fd8f5
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/PasswordManager/PasswordManagerSubscriptionUpdate.cs
@@ -0,0 +1,89 @@
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+using Bit.Core.Models.StaticStore;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.PasswordManager;
+
+public class PasswordManagerSubscriptionUpdate
+{
+    /// <summary>
+    /// Seats the organization has
+    /// </summary>
+    public int? Seats { get; }
+
+    /// <summary>
+    /// Max number of seats that the organization can have
+    /// </summary>
+    public int? MaxAutoScaleSeats { get; }
+
+    /// <summary>
+    /// Seats currently occupied by current users
+    /// </summary>
+    public int OccupiedSeats { get; }
+
+    /// <summary>
+    /// Users to add to the organization seats
+    /// </summary>
+    public int NewUsersToAdd { get; }
+
+    /// <summary>
+    /// Number of seats available for users
+    /// </summary>
+    public int? AvailableSeats => Seats - OccupiedSeats;
+
+    /// <summary>
+    /// Number of seats to scale the organization by.
+    ///
+    /// If Organization has no seat limit (Seats is null), then there are no new seats to add.
+    /// </summary>
+    public int SeatsRequiredToAdd => AvailableSeats.HasValue ? Math.Max(NewUsersToAdd - AvailableSeats.Value, 0) : 0;
+
+    /// <summary>
+    /// New total of seats for the organization
+    /// </summary>
+    public int? UpdatedSeatTotal => Seats + SeatsRequiredToAdd;
+
+    /// <summary>
+    /// If the new seat total is equal to the organization's auto-scale seat count
+    /// </summary>
+    public bool MaxSeatsReached => UpdatedSeatTotal.HasValue && MaxAutoScaleSeats.HasValue && UpdatedSeatTotal.Value >= MaxAutoScaleSeats.Value;
+
+    public Plan.PasswordManagerPlanFeatures PasswordManagerPlan { get; }
+
+    public InviteOrganization InviteOrganization { get; }
+
+    private PasswordManagerSubscriptionUpdate(int? organizationSeats,
+        int? organizationAutoScaleSeatLimit,
+        int currentSeats,
+        int newUsersToAdd,
+        Plan.PasswordManagerPlanFeatures plan,
+        InviteOrganization inviteOrganization)
+    {
+        Seats = organizationSeats;
+        MaxAutoScaleSeats = organizationAutoScaleSeatLimit;
+        OccupiedSeats = currentSeats;
+        NewUsersToAdd = newUsersToAdd;
+        PasswordManagerPlan = plan;
+        InviteOrganization = inviteOrganization;
+    }
+
+    public PasswordManagerSubscriptionUpdate(InviteOrganization inviteOrganization, int occupiedSeats, int newUsersToAdd) :
+        this(
+            organizationSeats: inviteOrganization.Seats,
+            organizationAutoScaleSeatLimit: inviteOrganization.MaxAutoScaleSeats,
+            currentSeats: occupiedSeats,
+            newUsersToAdd: newUsersToAdd,
+            plan: inviteOrganization.Plan.PasswordManager,
+            inviteOrganization: inviteOrganization)
+    { }
+
+    public PasswordManagerSubscriptionUpdate(InviteOrganizationUsersValidationRequest usersValidationRequest) :
+        this(
+            organizationSeats: usersValidationRequest.InviteOrganization.Seats,
+            organizationAutoScaleSeatLimit: usersValidationRequest.InviteOrganization.MaxAutoScaleSeats,
+            currentSeats: usersValidationRequest.OccupiedPmSeats,
+            newUsersToAdd: usersValidationRequest.Invites.Length,
+            plan: usersValidationRequest.InviteOrganization.Plan.PasswordManager,
+            inviteOrganization: usersValidationRequest.InviteOrganization)
+    { }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Payments/Errors.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Payments/Errors.cs
new file mode 100644
index 0000000000..c74d1048ad
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Payments/Errors.cs
@@ -0,0 +1,10 @@
+using Bit.Core.AdminConsole.Errors;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Models;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Payments;
+
+public record PaymentCancelledSubscriptionError(PaymentsSubscription InvalidRequest)
+    : Error<PaymentsSubscription>(Code, InvalidRequest)
+{
+    public const string Code = "You do not have an active subscription. Reinstate your subscription to make changes.";
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Payments/InviteUserPaymentValidation.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Payments/InviteUserPaymentValidation.cs
new file mode 100644
index 0000000000..cc17a673f9
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Payments/InviteUserPaymentValidation.cs
@@ -0,0 +1,25 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Models;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Payments;
+using Bit.Core.AdminConsole.Shared.Validation;
+using Bit.Core.Billing.Constants;
+using Bit.Core.Billing.Enums;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation;
+
+public static class InviteUserPaymentValidation
+{
+    public static ValidationResult<PaymentsSubscription> Validate(PaymentsSubscription subscription)
+    {
+        if (subscription.ProductTierType is ProductTierType.Free)
+        {
+            return new Valid<PaymentsSubscription>(subscription);
+        }
+
+        if (subscription.SubscriptionStatus == StripeConstants.SubscriptionStatus.Canceled)
+        {
+            return new Invalid<PaymentsSubscription>(new PaymentCancelledSubscriptionError(subscription));
+        }
+
+        return new Valid<PaymentsSubscription>(subscription);
+    }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Payments/PaymentsSubscription.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Payments/PaymentsSubscription.cs
new file mode 100644
index 0000000000..dea35c4ddd
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Payments/PaymentsSubscription.cs
@@ -0,0 +1,19 @@
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Models.Business;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Models;
+
+public class PaymentsSubscription
+{
+    public ProductTierType ProductTierType { get; init; }
+    public string SubscriptionStatus { get; init; }
+
+    public PaymentsSubscription() { }
+
+    public PaymentsSubscription(SubscriptionInfo subscriptionInfo, InviteOrganization inviteOrganization)
+    {
+        SubscriptionStatus = subscriptionInfo?.Subscription?.Status ?? string.Empty;
+        ProductTierType = inviteOrganization.Plan.ProductTier;
+    }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Provider/Errors.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Provider/Errors.cs
new file mode 100644
index 0000000000..104ce5cc7e
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Provider/Errors.cs
@@ -0,0 +1,13 @@
+using Bit.Core.AdminConsole.Errors;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Provider;
+
+public record ProviderBillableSeatLimitError(InviteOrganizationProvider InvalidRequest) : Error<InviteOrganizationProvider>(Code, InvalidRequest)
+{
+    public const string Code = "Seat limit has been reached. Please contact your provider to add more seats.";
+}
+
+public record ProviderResellerSeatLimitError(InviteOrganizationProvider InvalidRequest) : Error<InviteOrganizationProvider>(Code, InvalidRequest)
+{
+    public const string Code = "Seat limit has been reached. Contact your provider to purchase additional seats.";
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Provider/InviteOrganizationProvider.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Provider/InviteOrganizationProvider.cs
new file mode 100644
index 0000000000..b52218307d
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Provider/InviteOrganizationProvider.cs
@@ -0,0 +1,19 @@
+using Bit.Core.AdminConsole.Enums.Provider;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Provider;
+
+public class InviteOrganizationProvider
+{
+    public Guid ProviderId { get; init; }
+    public ProviderType Type { get; init; }
+    public ProviderStatusType Status { get; init; }
+    public bool Enabled { get; init; }
+
+    public InviteOrganizationProvider(Entities.Provider.Provider provider)
+    {
+        ProviderId = provider.Id;
+        Type = provider.Type;
+        Status = provider.Status;
+        Enabled = provider.Enabled;
+    }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Provider/InvitingUserOrganizationProviderValidator.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Provider/InvitingUserOrganizationProviderValidator.cs
new file mode 100644
index 0000000000..f84b25f76f
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Provider/InvitingUserOrganizationProviderValidator.cs
@@ -0,0 +1,28 @@
+using Bit.Core.AdminConsole.Enums.Provider;
+using Bit.Core.AdminConsole.Shared.Validation;
+using Bit.Core.Billing.Extensions;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Provider;
+
+public static class InvitingUserOrganizationProviderValidator
+{
+    public static ValidationResult<InviteOrganizationProvider> Validate(InviteOrganizationProvider inviteOrganizationProvider)
+    {
+        if (inviteOrganizationProvider is not { Enabled: true })
+        {
+            return new Valid<InviteOrganizationProvider>(inviteOrganizationProvider);
+        }
+
+        if (inviteOrganizationProvider.IsBillable())
+        {
+            return new Invalid<InviteOrganizationProvider>(new ProviderBillableSeatLimitError(inviteOrganizationProvider));
+        }
+
+        if (inviteOrganizationProvider.Type == ProviderType.Reseller)
+        {
+            return new Invalid<InviteOrganizationProvider>(new ProviderResellerSeatLimitError(inviteOrganizationProvider));
+        }
+
+        return new Valid<InviteOrganizationProvider>(inviteOrganizationProvider);
+    }
+}
diff --git a/src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs b/src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs
index 8825f9722a..108641b5e6 100644
--- a/src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs
+++ b/src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs
@@ -1,4 +1,5 @@
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.KeyManagement.UserKey;
@@ -68,4 +69,6 @@ public interface IOrganizationUserRepository : IRepository<OrganizationUser, Gui
     /// <param name="role">The role to search for</param>
     /// <returns>A list of OrganizationUsersUserDetails with the specified role</returns>
     Task<IEnumerable<OrganizationUserUserDetails>> GetManyDetailsByRoleAsync(Guid organizationId, OrganizationUserType role);
+
+    Task CreateManyAsync(IEnumerable<CreateOrganizationUser> organizationUserCollection);
 }
diff --git a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
index 78f880b15c..c9027b8030 100644
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@@ -6,13 +6,13 @@ using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Models.Business;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Auth.Enums;
-using Bit.Core.Auth.Models.Business;
-using Bit.Core.Auth.Models.Business.Tokenables;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
 using Bit.Core.Billing.Constants;
@@ -26,18 +26,17 @@ using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
 using Bit.Core.Models.Data;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
-using Bit.Core.Models.Mail;
 using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
-using Bit.Core.Tokens;
 using Bit.Core.Tools.Enums;
 using Bit.Core.Tools.Models.Business;
 using Bit.Core.Tools.Services;
 using Bit.Core.Utilities;
 using Microsoft.Extensions.Logging;
 using Stripe;
+using OrganizationUserInvite = Bit.Core.Models.Business.OrganizationUserInvite;
 
 namespace Bit.Core.Services;
 
@@ -58,7 +57,6 @@ public class OrganizationService : IOrganizationService
     private readonly IPaymentService _paymentService;
     private readonly IPolicyRepository _policyRepository;
     private readonly IPolicyService _policyService;
-    private readonly ISsoConfigRepository _ssoConfigRepository;
     private readonly ISsoUserRepository _ssoUserRepository;
     private readonly IReferenceEventService _referenceEventService;
     private readonly IGlobalSettings _globalSettings;
@@ -70,13 +68,12 @@ public class OrganizationService : IOrganizationService
     private readonly ICountNewSmSeatsRequiredQuery _countNewSmSeatsRequiredQuery;
     private readonly IUpdateSecretsManagerSubscriptionCommand _updateSecretsManagerSubscriptionCommand;
     private readonly IProviderRepository _providerRepository;
-    private readonly IOrgUserInviteTokenableFactory _orgUserInviteTokenableFactory;
-    private readonly IDataProtectorTokenFactory<OrgUserInviteTokenable> _orgUserInviteTokenDataFactory;
     private readonly IFeatureService _featureService;
     private readonly ITwoFactorIsEnabledQuery _twoFactorIsEnabledQuery;
     private readonly IHasConfirmedOwnersExceptQuery _hasConfirmedOwnersExceptQuery;
     private readonly IPricingClient _pricingClient;
     private readonly IPolicyRequirementQuery _policyRequirementQuery;
+    private readonly ISendOrganizationInvitesCommand _sendOrganizationInvitesCommand;
 
     public OrganizationService(
         IOrganizationRepository organizationRepository,
@@ -94,7 +91,6 @@ public class OrganizationService : IOrganizationService
         IPaymentService paymentService,
         IPolicyRepository policyRepository,
         IPolicyService policyService,
-        ISsoConfigRepository ssoConfigRepository,
         ISsoUserRepository ssoUserRepository,
         IReferenceEventService referenceEventService,
         IGlobalSettings globalSettings,
@@ -104,15 +100,14 @@ public class OrganizationService : IOrganizationService
         IProviderOrganizationRepository providerOrganizationRepository,
         IProviderUserRepository providerUserRepository,
         ICountNewSmSeatsRequiredQuery countNewSmSeatsRequiredQuery,
-        IOrgUserInviteTokenableFactory orgUserInviteTokenableFactory,
-        IDataProtectorTokenFactory<OrgUserInviteTokenable> orgUserInviteTokenDataFactory,
         IUpdateSecretsManagerSubscriptionCommand updateSecretsManagerSubscriptionCommand,
         IProviderRepository providerRepository,
         IFeatureService featureService,
         ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
         IHasConfirmedOwnersExceptQuery hasConfirmedOwnersExceptQuery,
         IPricingClient pricingClient,
-        IPolicyRequirementQuery policyRequirementQuery)
+        IPolicyRequirementQuery policyRequirementQuery,
+        ISendOrganizationInvitesCommand sendOrganizationInvitesCommand)
     {
         _organizationRepository = organizationRepository;
         _organizationUserRepository = organizationUserRepository;
@@ -129,7 +124,6 @@ public class OrganizationService : IOrganizationService
         _paymentService = paymentService;
         _policyRepository = policyRepository;
         _policyService = policyService;
-        _ssoConfigRepository = ssoConfigRepository;
         _ssoUserRepository = ssoUserRepository;
         _referenceEventService = referenceEventService;
         _globalSettings = globalSettings;
@@ -141,13 +135,12 @@ public class OrganizationService : IOrganizationService
         _countNewSmSeatsRequiredQuery = countNewSmSeatsRequiredQuery;
         _updateSecretsManagerSubscriptionCommand = updateSecretsManagerSubscriptionCommand;
         _providerRepository = providerRepository;
-        _orgUserInviteTokenableFactory = orgUserInviteTokenableFactory;
-        _orgUserInviteTokenDataFactory = orgUserInviteTokenDataFactory;
         _featureService = featureService;
         _twoFactorIsEnabledQuery = twoFactorIsEnabledQuery;
         _hasConfirmedOwnersExceptQuery = hasConfirmedOwnersExceptQuery;
         _pricingClient = pricingClient;
         _policyRequirementQuery = policyRequirementQuery;
+        _sendOrganizationInvitesCommand = sendOrganizationInvitesCommand;
     }
 
     public async Task ReplacePaymentMethodAsync(Guid organizationId, string paymentToken,
@@ -1055,74 +1048,14 @@ public class OrganizationService : IOrganizationService
         await SendInviteAsync(orgUser, org, initOrganization);
     }
 
-    private async Task SendInvitesAsync(IEnumerable<OrganizationUser> orgUsers, Organization organization)
-    {
-        var orgInvitesInfo = await BuildOrganizationInvitesInfoAsync(orgUsers, organization);
+    private async Task SendInvitesAsync(IEnumerable<OrganizationUser> orgUsers, Organization organization) =>
+        await _sendOrganizationInvitesCommand.SendInvitesAsync(new SendInvitesRequest(orgUsers, organization));
 
-        await _mailService.SendOrganizationInviteEmailsAsync(orgInvitesInfo);
-    }
-
-    private async Task SendInviteAsync(OrganizationUser orgUser, Organization organization, bool initOrganization)
-    {
-        // convert single org user into array of 1 org user
-        var orgUsers = new[] { orgUser };
-
-        var orgInvitesInfo = await BuildOrganizationInvitesInfoAsync(orgUsers, organization, initOrganization);
-
-        await _mailService.SendOrganizationInviteEmailsAsync(orgInvitesInfo);
-    }
-
-    private async Task<OrganizationInvitesInfo> BuildOrganizationInvitesInfoAsync(
-        IEnumerable<OrganizationUser> orgUsers,
-        Organization organization,
-        bool initOrganization = false)
-    {
-        // Materialize the sequence into a list to avoid multiple enumeration warnings
-        var orgUsersList = orgUsers.ToList();
-
-        // Email links must include information about the org and user for us to make routing decisions client side
-        // Given an org user, determine if existing BW user exists
-        var orgUserEmails = orgUsersList.Select(ou => ou.Email).ToList();
-        var existingUsers = await _userRepository.GetManyByEmailsAsync(orgUserEmails);
-
-        // hash existing users emails list for O(1) lookups
-        var existingUserEmailsHashSet = new HashSet<string>(existingUsers.Select(u => u.Email));
-
-        // Create a dictionary of org user guids and bools for whether or not they have an existing BW user
-        var orgUserHasExistingUserDict = orgUsersList.ToDictionary(
-            ou => ou.Id,
-            ou => existingUserEmailsHashSet.Contains(ou.Email)
-        );
-
-        // Determine if org has SSO enabled and if user is required to login with SSO
-        // Note: we only want to call the DB after checking if the org can use SSO per plan and if they have any policies enabled.
-        var orgSsoEnabled = organization.UseSso && (await _ssoConfigRepository.GetByOrganizationIdAsync(organization.Id))?.Enabled == true;
-        // Even though the require SSO policy can be turned on regardless of SSO being enabled, for this logic, we only
-        // need to check the policy if the org has SSO enabled.
-        var orgSsoLoginRequiredPolicyEnabled = orgSsoEnabled &&
-                                               organization.UsePolicies &&
-                                               (await _policyRepository.GetByOrganizationIdTypeAsync(organization.Id, PolicyType.RequireSso))?.Enabled == true;
-
-        // Generate the list of org users and expiring tokens
-        // create helper function to create expiring tokens
-        (OrganizationUser, ExpiringToken) MakeOrgUserExpiringTokenPair(OrganizationUser orgUser)
-        {
-            var orgUserInviteTokenable = _orgUserInviteTokenableFactory.CreateToken(orgUser);
-            var protectedToken = _orgUserInviteTokenDataFactory.Protect(orgUserInviteTokenable);
-            return (orgUser, new ExpiringToken(protectedToken, orgUserInviteTokenable.ExpirationDate));
-        }
-
-        var orgUsersWithExpTokens = orgUsers.Select(MakeOrgUserExpiringTokenPair);
-
-        return new OrganizationInvitesInfo(
-            organization,
-            orgSsoEnabled,
-            orgSsoLoginRequiredPolicyEnabled,
-            orgUsersWithExpTokens,
-            orgUserHasExistingUserDict,
-            initOrganization
-        );
-    }
+    private async Task SendInviteAsync(OrganizationUser orgUser, Organization organization, bool initOrganization) =>
+        await _sendOrganizationInvitesCommand.SendInvitesAsync(new SendInvitesRequest(
+            users: [orgUser],
+            organization: organization,
+            initOrganization: initOrganization));
 
     internal async Task<(bool canScale, string failureReason)> CanScaleAsync(
         Organization organization,
diff --git a/src/Core/AdminConsole/Shared/Validation/ValidationResult.cs b/src/Core/AdminConsole/Shared/Validation/ValidationResult.cs
index e25103e701..ba78601637 100644
--- a/src/Core/AdminConsole/Shared/Validation/ValidationResult.cs
+++ b/src/Core/AdminConsole/Shared/Validation/ValidationResult.cs
@@ -6,10 +6,39 @@ public abstract record ValidationResult<T>;
 
 public record Valid<T> : ValidationResult<T>
 {
+    public Valid() { }
+
+    public Valid(T Value)
+    {
+        this.Value = Value;
+    }
+
     public T Value { get; init; }
 }
 
 public record Invalid<T> : ValidationResult<T>
 {
-    public IEnumerable<Error<T>> Errors { get; init; }
+    public IEnumerable<Error<T>> Errors { get; init; } = [];
+
+    public string ErrorMessageString => string.Join(" ", Errors.Select(e => e.Message));
+
+    public Invalid() { }
+
+    public Invalid(Error<T> error) : this([error]) { }
+
+    public Invalid(IEnumerable<Error<T>> errors)
+    {
+        Errors = errors;
+    }
+}
+
+public static class ValidationResultMappers
+{
+    public static ValidationResult<B> Map<A, B>(this ValidationResult<A> validationResult, B invalidValue) =>
+        validationResult switch
+        {
+            Valid<A> => new Valid<B>(invalidValue),
+            Invalid<A> invalid => new Invalid<B>(invalid.Errors.Select(x => x.ToError(invalidValue))),
+            _ => throw new ArgumentOutOfRangeException(nameof(validationResult), "Unhandled validation result type")
+        };
 }
diff --git a/src/Core/Billing/Extensions/BillingExtensions.cs b/src/Core/Billing/Extensions/BillingExtensions.cs
index f6e65861cd..4fb97e1db7 100644
--- a/src/Core/Billing/Extensions/BillingExtensions.cs
+++ b/src/Core/Billing/Extensions/BillingExtensions.cs
@@ -1,6 +1,7 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.AdminConsole.Enums.Provider;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Provider;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@@ -28,6 +29,13 @@ public static class BillingExtensions
             Status: ProviderStatusType.Billable
         };
 
+    public static bool IsBillable(this InviteOrganizationProvider inviteOrganizationProvider) =>
+        inviteOrganizationProvider is
+        {
+            Type: ProviderType.Msp or ProviderType.MultiOrganizationEnterprise,
+            Status: ProviderStatusType.Billable
+        };
+
     public static bool SupportsConsolidatedBilling(this ProviderType providerType)
         => providerType is ProviderType.Msp or ProviderType.MultiOrganizationEnterprise;
 
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 310b917bf7..57d695c105 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -109,6 +109,7 @@ public static class FeatureFlagKeys
     public const string PushSyncOrgKeysOnRevokeRestore = "pm-17168-push-sync-org-keys-on-revoke-restore";
     public const string PolicyRequirements = "pm-14439-policy-requirements";
     public const string SsoExternalIdVisibility = "pm-18630-sso-external-id-visibility";
+    public const string ScimInviteUserOptimization = "pm-16811-optimize-invite-user-flow-to-fail-fast";
 
     /* Auth Team */
     public const string PM9112DeviceApprovalPersistence = "pm-9112-device-approval-persistence";
diff --git a/src/Core/Models/Commands/CommandResult.cs b/src/Core/Models/Commands/CommandResult.cs
index a8ec772fc1..4a9477067e 100644
--- a/src/Core/Models/Commands/CommandResult.cs
+++ b/src/Core/Models/Commands/CommandResult.cs
@@ -1,6 +1,7 @@
 #nullable enable
 
 using Bit.Core.AdminConsole.Errors;
+using Bit.Core.AdminConsole.Shared.Validation;
 
 namespace Bit.Core.Models.Commands;
 
@@ -40,10 +41,23 @@ public class Success<T>(T value) : CommandResult<T>
 public class Failure<T>(IEnumerable<string> errorMessages) : CommandResult<T>
 {
     public List<string> ErrorMessages { get; } = errorMessages.ToList();
+    public Error<T>[] Errors { get; set; } = [];
 
     public string ErrorMessage => string.Join(" ", ErrorMessages);
 
-    public Failure(string error) : this([error]) { }
+    public Failure(string error) : this([error])
+    {
+    }
+
+    public Failure(IEnumerable<Error<T>> errors) : this(errors.Select(e => e.Message))
+    {
+        Errors = errors.ToArray();
+    }
+
+    public Failure(Error<T> error) : this([error.Message])
+    {
+        Errors = [error];
+    }
 }
 
 public class Partial<T> : CommandResult<T>
@@ -57,3 +71,18 @@ public class Partial<T> : CommandResult<T>
         Failures = failedItems.ToArray();
     }
 }
+
+public static class CommandResultExtensions
+{
+    /// <summary>
+    /// This is to help map between the InvalidT ValidationResult and the FailureT CommandResult types.
+    ///
+    /// </summary>
+    /// <param name="invalidResult">This is the invalid type from validating the object.</param>
+    /// <param name="mappingFunction">This function will map between the two types for the inner ErrorT</param>
+    /// <typeparam name="A">Invalid object's type</typeparam>
+    /// <typeparam name="B">Failure object's type</typeparam>
+    /// <returns></returns>
+    public static CommandResult<B> MapToFailure<A, B>(this Invalid<A> invalidResult, Func<A, B> mappingFunction) =>
+        new Failure<B>(invalidResult.Errors.Select(errorA => errorA.ToError(mappingFunction(errorA.ErroredValue))));
+}
diff --git a/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs b/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
index 59cfdace65..c76345972a 100644
--- a/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
+++ b/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
@@ -13,6 +13,11 @@ using Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.GlobalSettings;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Organization;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.PasswordManager;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
 using Bit.Core.Models.Business.Tokenables;
 using Bit.Core.OrganizationFeatures.OrganizationCollections;
@@ -174,6 +179,14 @@ public static class OrganizationServiceCollectionExtensions
         services.AddScoped<IAuthorizationHandler, OrganizationUserUserMiniDetailsAuthorizationHandler>();
         services.AddScoped<IAuthorizationHandler, OrganizationUserUserDetailsAuthorizationHandler>();
         services.AddScoped<IHasConfirmedOwnersExceptQuery, HasConfirmedOwnersExceptQuery>();
+
+        services.AddScoped<IInviteOrganizationUsersCommand, InviteOrganizationUsersCommand>();
+        services.AddScoped<ISendOrganizationInvitesCommand, SendOrganizationInvitesCommand>();
+
+        services.AddScoped<IInviteUsersValidator, InviteOrganizationUsersValidator>();
+        services.AddScoped<IInviteUsersOrganizationValidator, InviteUsersOrganizationValidator>();
+        services.AddScoped<IInviteUsersPasswordManagerValidator, InviteUsersPasswordManagerValidator>();
+        services.AddScoped<IInviteUsersEnvironmentValidator, InviteUsersEnvironmentValidator>();
     }
 
     // TODO: move to OrganizationSubscriptionServiceCollectionExtensions when OrganizationUser methods are moved out of
diff --git a/src/Core/OrganizationFeatures/OrganizationSubscriptions/Interface/IUpdateSecretsManagerSubscriptionCommand.cs b/src/Core/OrganizationFeatures/OrganizationSubscriptions/Interface/IUpdateSecretsManagerSubscriptionCommand.cs
index 5c6758fd17..947f66a821 100644
--- a/src/Core/OrganizationFeatures/OrganizationSubscriptions/Interface/IUpdateSecretsManagerSubscriptionCommand.cs
+++ b/src/Core/OrganizationFeatures/OrganizationSubscriptions/Interface/IUpdateSecretsManagerSubscriptionCommand.cs
@@ -5,4 +5,5 @@ namespace Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
 public interface IUpdateSecretsManagerSubscriptionCommand
 {
     Task UpdateSubscriptionAsync(SecretsManagerSubscriptionUpdate update);
+    Task ValidateUpdateAsync(SecretsManagerSubscriptionUpdate update);
 }
diff --git a/src/Core/OrganizationFeatures/OrganizationSubscriptions/UpdateSecretsManagerSubscriptionCommand.cs b/src/Core/OrganizationFeatures/OrganizationSubscriptions/UpdateSecretsManagerSubscriptionCommand.cs
index 78ab35c38c..91f6516501 100644
--- a/src/Core/OrganizationFeatures/OrganizationSubscriptions/UpdateSecretsManagerSubscriptionCommand.cs
+++ b/src/Core/OrganizationFeatures/OrganizationSubscriptions/UpdateSecretsManagerSubscriptionCommand.cs
@@ -124,7 +124,7 @@ public class UpdateSecretsManagerSubscriptionCommand : IUpdateSecretsManagerSubs
 
     }
 
-    private async Task ValidateUpdateAsync(SecretsManagerSubscriptionUpdate update)
+    public async Task ValidateUpdateAsync(SecretsManagerSubscriptionUpdate update)
     {
         if (_globalSettings.SelfHosted)
         {
diff --git a/src/Core/Services/IPaymentService.cs b/src/Core/Services/IPaymentService.cs
index bd7efdbad4..ded9f4cfd3 100644
--- a/src/Core/Services/IPaymentService.cs
+++ b/src/Core/Services/IPaymentService.cs
@@ -1,4 +1,5 @@
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Models.Business;
 using Bit.Core.Billing.Models;
 using Bit.Core.Billing.Models.Api.Requests.Accounts;
 using Bit.Core.Billing.Models.Api.Requests.Organizations;
@@ -38,9 +39,28 @@ public interface IPaymentService
     Task<SubscriptionInfo> GetSubscriptionAsync(ISubscriber subscriber);
     Task<TaxInfo> GetTaxInfoAsync(ISubscriber subscriber);
     Task SaveTaxInfoAsync(ISubscriber subscriber, TaxInfo taxInfo);
-    Task<string> AddSecretsManagerToSubscription(Organization org, Plan plan, int additionalSmSeats,
-        int additionalServiceAccount);
+    Task<string> AddSecretsManagerToSubscription(Organization org, Plan plan, int additionalSmSeats, int additionalServiceAccount);
+    /// <summary>
+    /// Secrets Manager Standalone is a discount in Stripe that is used to give an organization access to Secrets Manager.
+    /// Usually, this also implies that when they invite a user to their organization, they are doing so for both Password
+    /// Manager and Secrets Manger.
+    ///
+    /// This will not call out to Stripe if they don't have a GatewayId or if they don't have Secrets Manager.
+    /// </summary>
+    /// <param name="organization">Organization Entity</param>
+    /// <returns>If the organization has Secrets Manager and has the Standalone Stripe Discount</returns>
     Task<bool> HasSecretsManagerStandalone(Organization organization);
+
+    /// <summary>
+    /// Secrets Manager Standalone is a discount in Stripe that is used to give an organization access to Secrets Manager.
+    /// Usually, this also implies that when they invite a user to their organization, they are doing so for both Password
+    /// Manager and Secrets Manger.
+    ///
+    /// This will not call out to Stripe if they don't have a GatewayId or if they don't have Secrets Manager.
+    /// </summary>
+    /// <param name="organization">Organization Representation used for Inviting Organization Users</param>
+    /// <returns>If the organization has Secrets Manager and has the Standalone Stripe Discount</returns>
+    Task<bool> HasSecretsManagerStandalone(InviteOrganization organization);
     Task<PreviewInvoiceResponseModel> PreviewInvoiceAsync(PreviewIndividualInvoiceRequestBody parameters, string gatewayCustomerId, string gatewaySubscriptionId);
     Task<PreviewInvoiceResponseModel> PreviewInvoiceAsync(PreviewOrganizationInvoiceRequestBody parameters, string gatewayCustomerId, string gatewaySubscriptionId);
 
diff --git a/src/Core/Services/Implementations/StripePaymentService.cs b/src/Core/Services/Implementations/StripePaymentService.cs
index d8889bca26..d82a4d60a7 100644
--- a/src/Core/Services/Implementations/StripePaymentService.cs
+++ b/src/Core/Services/Implementations/StripePaymentService.cs
@@ -1,4 +1,5 @@
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Models.Business;
 using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Extensions;
 using Bit.Core.Billing.Models;
@@ -1110,14 +1111,27 @@ public class StripePaymentService : IPaymentService
             new SecretsManagerSubscribeUpdate(org, plan, additionalSmSeats, additionalServiceAccount),
             true);
 
-    public async Task<bool> HasSecretsManagerStandalone(Organization organization)
+    public async Task<bool> HasSecretsManagerStandalone(Organization organization) =>
+        await HasSecretsManagerStandaloneAsync(gatewayCustomerId: organization.GatewayCustomerId,
+            organizationHasSecretsManager: organization.UseSecretsManager);
+
+    public async Task<bool> HasSecretsManagerStandalone(InviteOrganization organization) =>
+        await HasSecretsManagerStandaloneAsync(gatewayCustomerId: organization.GatewayCustomerId,
+            organizationHasSecretsManager: organization.UseSecretsManager);
+
+    private async Task<bool> HasSecretsManagerStandaloneAsync(string gatewayCustomerId, bool organizationHasSecretsManager)
     {
-        if (string.IsNullOrEmpty(organization.GatewayCustomerId))
+        if (string.IsNullOrEmpty(gatewayCustomerId))
         {
             return false;
         }
 
-        var customer = await _stripeAdapter.CustomerGetAsync(organization.GatewayCustomerId);
+        if (organizationHasSecretsManager is false)
+        {
+            return false;
+        }
+
+        var customer = await _stripeAdapter.CustomerGetAsync(gatewayCustomerId);
 
         return customer?.Discount?.Coupon?.Id == SecretsManagerStandaloneDiscountId;
     }
diff --git a/src/Core/Utilities/EmailValidation.cs b/src/Core/Utilities/EmailValidation.cs
new file mode 100644
index 0000000000..f6832945af
--- /dev/null
+++ b/src/Core/Utilities/EmailValidation.cs
@@ -0,0 +1,44 @@
+using System.Text.RegularExpressions;
+using MimeKit;
+
+namespace Bit.Core.Utilities;
+
+public static class EmailValidation
+{
+    public static bool IsValidEmail(this string emailAddress)
+    {
+        if (string.IsNullOrWhiteSpace(emailAddress))
+        {
+            return false;
+        }
+
+        try
+        {
+            var parsedEmailAddress = MailboxAddress.Parse(emailAddress).Address;
+            if (parsedEmailAddress != emailAddress)
+            {
+                return false;
+            }
+        }
+        catch (ParseException)
+        {
+            return false;
+        }
+
+        // The regex below is intended to catch edge cases that are not handled by the general parsing check above.
+        // This enforces the following rules:
+        // * Requires ASCII only in the local-part (code points 0-127)
+        // * Requires an @ symbol
+        // * Allows any char in second-level domain name, including unicode and symbols
+        // * Requires at least one period (.) separating SLD from TLD
+        // * Must end in a letter (including unicode)
+        // See the unit tests for examples of what is allowed.
+        var emailFormat = @"^[\x00-\x7F]+@.+\.\p{L}+$";
+        if (!Regex.IsMatch(emailAddress, emailFormat))
+        {
+            return false;
+        }
+
+        return true;
+    }
+}
diff --git a/src/Core/Utilities/StrictEmailAddressAttribute.cs b/src/Core/Utilities/StrictEmailAddressAttribute.cs
index eeb95093d0..fce732ec9e 100644
--- a/src/Core/Utilities/StrictEmailAddressAttribute.cs
+++ b/src/Core/Utilities/StrictEmailAddressAttribute.cs
@@ -1,6 +1,4 @@
 using System.ComponentModel.DataAnnotations;
-using System.Text.RegularExpressions;
-using MimeKit;
 
 namespace Bit.Core.Utilities;
 
@@ -12,39 +10,8 @@ public class StrictEmailAddressAttribute : ValidationAttribute
 
     public override bool IsValid(object value)
     {
-        var emailAddress = value?.ToString();
-        if (emailAddress == null)
-        {
-            return false;
-        }
+        var emailAddress = value?.ToString() ?? string.Empty;
 
-        try
-        {
-            var parsedEmailAddress = MailboxAddress.Parse(emailAddress).Address;
-            if (parsedEmailAddress != emailAddress)
-            {
-                return false;
-            }
-        }
-        catch (ParseException)
-        {
-            return false;
-        }
-
-        // The regex below is intended to catch edge cases that are not handled by the general parsing check above.
-        // This enforces the following rules:
-        // * Requires ASCII only in the local-part (code points 0-127)
-        // * Requires an @ symbol
-        // * Allows any char in second-level domain name, including unicode and symbols
-        // * Requires at least one period (.) separating SLD from TLD
-        // * Must end in a letter (including unicode)
-        // See the unit tests for examples of what is allowed.
-        var emailFormat = @"^[\x00-\x7F]+@.+\.\p{L}+$";
-        if (!Regex.IsMatch(emailAddress, emailFormat))
-        {
-            return false;
-        }
-
-        return new EmailAddressAttribute().IsValid(emailAddress);
+        return emailAddress.IsValidEmail() && new EmailAddressAttribute().IsValid(emailAddress);
     }
 }
diff --git a/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationUserRepository.cs b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationUserRepository.cs
index 07b55aa44a..8968d1d243 100644
--- a/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationUserRepository.cs
+++ b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationUserRepository.cs
@@ -2,6 +2,7 @@
 using System.Text.Json;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.KeyManagement.UserKey;
@@ -580,4 +581,32 @@ public class OrganizationUserRepository : Repository<OrganizationUser, Guid>, IO
             return results.ToList();
         }
     }
+
+    public async Task CreateManyAsync(IEnumerable<CreateOrganizationUser> organizationUserCollection)
+    {
+        await using var connection = new SqlConnection(_marsConnectionString);
+
+        await connection.ExecuteAsync(
+            $"[{Schema}].[OrganizationUser_CreateManyWithCollectionsAndGroups]",
+            new
+            {
+                OrganizationUserData = JsonSerializer.Serialize(organizationUserCollection.Select(x => x.OrganizationUser)),
+                CollectionData = JsonSerializer.Serialize(organizationUserCollection
+                    .SelectMany(x => x.Collections, (user, collection) => new CollectionUser
+                    {
+                        CollectionId = collection.Id,
+                        OrganizationUserId = user.OrganizationUser.Id,
+                        ReadOnly = collection.ReadOnly,
+                        HidePasswords = collection.HidePasswords,
+                        Manage = collection.Manage
+                    })),
+                GroupData = JsonSerializer.Serialize(organizationUserCollection
+                    .SelectMany(x => x.Groups, (user, group) => new GroupUser
+                    {
+                        GroupId = group,
+                        OrganizationUserId = user.OrganizationUser.Id
+                    }))
+            },
+            commandType: CommandType.StoredProcedure);
+    }
 }
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs
index 28e2f1a9e4..10d92357fe 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs
@@ -1,5 +1,6 @@
 using AutoMapper;
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
 using Bit.Core.Enums;
 using Bit.Core.KeyManagement.UserKey;
 using Bit.Core.Models.Data;
@@ -757,4 +758,28 @@ public class OrganizationUserRepository : Repository<Core.Entities.OrganizationU
             return await query.ToListAsync();
         }
     }
+
+    public async Task CreateManyAsync(IEnumerable<CreateOrganizationUser> organizationUserCollection)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+
+        await using var dbContext = GetDatabaseContext(scope);
+
+        dbContext.OrganizationUsers.AddRange(Mapper.Map<List<OrganizationUser>>(organizationUserCollection.Select(x => x.OrganizationUser)));
+        dbContext.CollectionUsers.AddRange(organizationUserCollection.SelectMany(x => x.Collections, (user, collection) => new CollectionUser
+        {
+            CollectionId = collection.Id,
+            HidePasswords = collection.HidePasswords,
+            OrganizationUserId = user.OrganizationUser.Id,
+            Manage = collection.Manage,
+            ReadOnly = collection.ReadOnly
+        }));
+        dbContext.GroupUsers.AddRange(organizationUserCollection.SelectMany(x => x.Groups, (user, group) => new GroupUser
+        {
+            GroupId = group,
+            OrganizationUserId = user.OrganizationUser.Id
+        }));
+
+        await dbContext.SaveChangesAsync();
+    }
 }
diff --git a/src/Sql/dbo/Stored Procedures/OrganizationUser_CreateManyWithCollectionsGroups.sql b/src/Sql/dbo/Stored Procedures/OrganizationUser_CreateManyWithCollectionsGroups.sql
new file mode 100644
index 0000000000..78ff2933f6
--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/OrganizationUser_CreateManyWithCollectionsGroups.sql	
@@ -0,0 +1,97 @@
+CREATE PROCEDURE [dbo].[OrganizationUser_CreateManyWithCollectionsAndGroups]
+    @organizationUserData NVARCHAR(MAX),
+    @collectionData NVARCHAR(MAX),
+    @groupData NVARCHAR(MAX)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    INSERT INTO [dbo].[OrganizationUser]
+    (
+        [Id],
+        [OrganizationId],
+        [UserId],
+        [Email],
+        [Key],
+        [Status],
+        [Type],
+        [ExternalId],
+        [CreationDate],
+        [RevisionDate],
+        [Permissions],
+        [ResetPasswordKey],
+        [AccessSecretsManager]
+    )
+    SELECT
+        OUI.[Id],
+        OUI.[OrganizationId],
+        OUI.[UserId],
+        OUI.[Email],
+        OUI.[Key],
+        OUI.[Status],
+        OUI.[Type],
+        OUI.[ExternalId],
+        OUI.[CreationDate],
+        OUI.[RevisionDate],
+        OUI.[Permissions],
+        OUI.[ResetPasswordKey],
+        OUI.[AccessSecretsManager]
+    FROM
+        OPENJSON(@organizationUserData)
+                 WITH (
+                     [Id] UNIQUEIDENTIFIER '$.Id',
+                     [OrganizationId] UNIQUEIDENTIFIER '$.OrganizationId',
+                     [UserId] UNIQUEIDENTIFIER '$.UserId',
+                     [Email] NVARCHAR(256) '$.Email',
+                     [Key] VARCHAR(MAX) '$.Key',
+                     [Status] SMALLINT '$.Status',
+                     [Type] TINYINT '$.Type',
+                     [ExternalId] NVARCHAR(300) '$.ExternalId',
+                     [CreationDate] DATETIME2(7) '$.CreationDate',
+                     [RevisionDate] DATETIME2(7) '$.RevisionDate',
+                     [Permissions] NVARCHAR (MAX) '$.Permissions',
+                     [ResetPasswordKey] VARCHAR (MAX) '$.ResetPasswordKey',
+                     [AccessSecretsManager] BIT '$.AccessSecretsManager'
+                     ) OUI
+
+    INSERT INTO [dbo].[GroupUser]
+    (
+        [OrganizationUserId],
+        [GroupId]
+    )
+    SELECT
+        OUG.OrganizationUserId,
+        OUG.GroupId
+    FROM
+        OPENJSON(@groupData)
+            WITH(
+                [OrganizationUserId] UNIQUEIDENTIFIER '$.OrganizationUserId',
+                [GroupId] UNIQUEIDENTIFIER '$.GroupId'
+            ) OUG
+
+    INSERT INTO [dbo].[CollectionUser]
+    (
+        [CollectionId],
+        [OrganizationUserId],
+        [ReadOnly],
+        [HidePasswords],
+        [Manage]
+    )
+    SELECT
+        OUC.[CollectionId],
+        OUC.[OrganizationUserId],
+        OUC.[ReadOnly],
+        OUC.[HidePasswords],
+        OUC.[Manage]
+    FROM
+        OPENJSON(@collectionData)
+            WITH(
+                [CollectionId] UNIQUEIDENTIFIER '$.CollectionId',
+                [OrganizationUserId] UNIQUEIDENTIFIER '$.OrganizationUserId',
+                [ReadOnly] BIT '$.ReadOnly',
+                [HidePasswords] BIT '$.HidePasswords',
+                [Manage] BIT '$.Manage'
+            ) OUC
+END
+go
+
diff --git a/test/Core.Test/AdminConsole/Models/InviteOrganizationUsersRequestTests.cs b/test/Core.Test/AdminConsole/Models/InviteOrganizationUsersRequestTests.cs
new file mode 100644
index 0000000000..71b2b9766c
--- /dev/null
+++ b/test/Core.Test/AdminConsole/Models/InviteOrganizationUsersRequestTests.cs
@@ -0,0 +1,67 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Data;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Xunit;
+
+using static Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models.InviteOrganizationUserErrorMessages;
+
+namespace Bit.Core.Test.AdminConsole.Models;
+
+public class InviteOrganizationUsersRequestTests
+{
+    [Theory]
+    [BitAutoData]
+    public void Constructor_WhenPassedInvalidEmail_ThrowsException(string email, OrganizationUserType type, Permissions permissions, string externalId)
+    {
+        var exception = Assert.Throws<BadRequestException>(() =>
+            new OrganizationUserInvite(email, [], [], type, permissions, externalId, false));
+
+        Assert.Contains(InvalidEmailErrorMessage, exception.Message);
+    }
+
+    [Fact]
+    public void Constructor_WhenPassedInvalidCollectionAccessConfiguration_ThrowsException()
+    {
+        const string validEmail = "test@email.com";
+
+        var invalidCollectionConfiguration = new CollectionAccessSelection
+        {
+            Manage = true,
+            HidePasswords = true
+        };
+
+        var exception = Assert.Throws<BadRequestException>(() =>
+            new OrganizationUserInvite(
+                email: validEmail,
+                assignedCollections: [invalidCollectionConfiguration],
+                groups: [],
+                type: default,
+                permissions: new Permissions(),
+                externalId: string.Empty,
+                accessSecretsManager: false));
+
+        Assert.Equal(InvalidCollectionConfigurationErrorMessage, exception.Message);
+    }
+
+    [Fact]
+    public void Constructor_WhenPassedValidArguments_ReturnsInvite()
+    {
+        const string validEmail = "test@email.com";
+        var validCollectionConfiguration = new CollectionAccessSelection { Id = Guid.NewGuid(), Manage = true };
+
+        var invite = new OrganizationUserInvite(
+            email: validEmail,
+            assignedCollections: [validCollectionConfiguration],
+            groups: [],
+            type: default,
+            permissions: null,
+            externalId: null,
+            accessSecretsManager: false);
+
+        Assert.NotNull(invite);
+        Assert.Contains(validEmail, invite.Email);
+        Assert.Contains(validCollectionConfiguration, invite.AssignedCollections);
+    }
+}
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Helpers/InviteUserOrganizationValidationRequestHelpers.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Helpers/InviteUserOrganizationValidationRequestHelpers.cs
new file mode 100644
index 0000000000..f4f7cd5662
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Helpers/InviteUserOrganizationValidationRequestHelpers.cs
@@ -0,0 +1,51 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.PasswordManager;
+using Bit.Core.Models.Business;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Helpers;
+
+public static class InviteUserOrganizationValidationRequestHelpers
+{
+    public static InviteOrganizationUsersValidationRequest GetInviteValidationRequestMock(InviteOrganizationUsersRequest request,
+        InviteOrganization inviteOrganization, Organization organization) =>
+        new()
+        {
+            Invites = request.Invites,
+            InviteOrganization = inviteOrganization,
+            PerformedBy = Guid.Empty,
+            PerformedAt = request.PerformedAt,
+            OccupiedPmSeats = 0,
+            OccupiedSmSeats = 0,
+            PasswordManagerSubscriptionUpdate = new PasswordManagerSubscriptionUpdate(inviteOrganization, 0, 0),
+            SecretsManagerSubscriptionUpdate = new SecretsManagerSubscriptionUpdate(organization, inviteOrganization.Plan, true)
+                .AdjustSeats(request.Invites.Count(x => x.AccessSecretsManager))
+        };
+
+    public static InviteOrganizationUsersValidationRequest WithPasswordManagerUpdate(this InviteOrganizationUsersValidationRequest request, PasswordManagerSubscriptionUpdate passwordManagerSubscriptionUpdate) =>
+        new()
+        {
+            Invites = request.Invites,
+            InviteOrganization = request.InviteOrganization,
+            PerformedBy = request.PerformedBy,
+            PerformedAt = request.PerformedAt,
+            OccupiedPmSeats = request.OccupiedPmSeats,
+            OccupiedSmSeats = request.OccupiedSmSeats,
+            PasswordManagerSubscriptionUpdate = passwordManagerSubscriptionUpdate,
+            SecretsManagerSubscriptionUpdate = request.SecretsManagerSubscriptionUpdate
+        };
+
+    public static InviteOrganizationUsersValidationRequest WithSecretsManagerUpdate(this InviteOrganizationUsersValidationRequest request, SecretsManagerSubscriptionUpdate secretsManagerSubscriptionUpdate) =>
+        new()
+        {
+            Invites = request.Invites,
+            InviteOrganization = request.InviteOrganization,
+            PerformedBy = request.PerformedBy,
+            PerformedAt = request.PerformedAt,
+            OccupiedPmSeats = request.OccupiedPmSeats,
+            OccupiedSmSeats = request.OccupiedSmSeats,
+            PasswordManagerSubscriptionUpdate = request.PasswordManagerSubscriptionUpdate,
+            SecretsManagerSubscriptionUpdate = secretsManagerSubscriptionUpdate
+        };
+}
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/InviteOrganizationUserCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/InviteOrganizationUserCommandTests.cs
new file mode 100644
index 0000000000..ba7605d682
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/InviteOrganizationUserCommandTests.cs
@@ -0,0 +1,613 @@
+using System.Net.Mail;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Entities.Provider;
+using Bit.Core.AdminConsole.Enums.Provider;
+using Bit.Core.AdminConsole.Errors;
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.AdminConsole.Models.Data.Provider;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Errors;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.PasswordManager;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.AdminConsole.Shared.Validation;
+using Bit.Core.Billing.Models.StaticStore.Plans;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Models.Business;
+using Bit.Core.Models.Commands;
+using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
+using Bit.Core.Models.StaticStore;
+using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.Extensions.Time.Testing;
+using NSubstitute;
+using NSubstitute.ExceptionExtensions;
+using Xunit;
+using static Bit.Core.Test.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Helpers.InviteUserOrganizationValidationRequestHelpers;
+using OrganizationUserInvite = Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models.OrganizationUserInvite;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+
+[SutProviderCustomize]
+public class InviteOrganizationUserCommandTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task InviteScimOrganizationUserAsync_WhenEmailAlreadyExists_ThenNoInviteIsSentAndNoSeatsAreAdjusted(
+        MailAddress address,
+        Organization organization,
+        OrganizationUser user,
+        FakeTimeProvider timeProvider,
+        string externalId,
+        SutProvider<InviteOrganizationUsersCommand> sutProvider)
+    {
+        // Arrange
+        user.Email = address.Address;
+
+        var inviteOrganization = new InviteOrganization(organization, new FreePlan());
+
+        var request = new InviteOrganizationUsersRequest(
+            invites: [
+                new OrganizationUserInvite(
+                    email: user.Email,
+                    assignedCollections: [],
+                    groups: [],
+                    type: OrganizationUserType.User,
+                    permissions: new Permissions(),
+                    externalId: externalId,
+                    accessSecretsManager: true)
+            ],
+            inviteOrganization: inviteOrganization,
+            performedBy: Guid.Empty,
+            timeProvider.GetUtcNow());
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .SelectKnownEmailsAsync(organization.Id, Arg.Any<IEnumerable<string>>(), false)
+            .Returns([user.Email]);
+
+        sutProvider.GetDependency<IInviteUsersValidator>()
+            .ValidateAsync(Arg.Any<InviteOrganizationUsersValidationRequest>())
+            .Returns(new Valid<InviteOrganizationUsersValidationRequest>(GetInviteValidationRequestMock(request, inviteOrganization, organization)));
+
+        // Act
+        var result = await sutProvider.Sut.InviteScimOrganizationUserAsync(request);
+
+        // Assert
+        Assert.IsType<Failure<ScimInviteOrganizationUsersResponse>>(result);
+        Assert.Equal(NoUsersToInviteError.Code, (result as Failure<ScimInviteOrganizationUsersResponse>).ErrorMessage);
+
+        await sutProvider.GetDependency<IPaymentService>()
+            .DidNotReceiveWithAnyArgs()
+            .AdjustSeatsAsync(Arg.Any<Organization>(), Arg.Any<Plan>(), Arg.Any<int>());
+
+        await sutProvider.GetDependency<ISendOrganizationInvitesCommand>()
+            .DidNotReceiveWithAnyArgs()
+            .SendInvitesAsync(Arg.Any<SendInvitesRequest>());
+
+        await sutProvider.GetDependency<IUpdateSecretsManagerSubscriptionCommand>()
+            .DidNotReceiveWithAnyArgs()
+            .UpdateSubscriptionAsync(Arg.Any<Core.Models.Business.SecretsManagerSubscriptionUpdate>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task InviteScimOrganizationUserAsync_WhenEmailDoesNotExistAndRequestIsValid_ThenUserIsSavedAndInviteIsSent(
+            MailAddress address,
+            Organization organization,
+            OrganizationUser orgUser,
+            FakeTimeProvider timeProvider,
+            string externalId,
+            SutProvider<InviteOrganizationUsersCommand> sutProvider)
+    {
+        // Arrange
+        orgUser.Email = address.Address;
+
+        var inviteOrganization = new InviteOrganization(organization, new FreePlan());
+
+        var request = new InviteOrganizationUsersRequest(
+            invites: [
+                new OrganizationUserInvite(
+                    email: orgUser.Email,
+                    assignedCollections: [],
+                    groups: [],
+                    type: OrganizationUserType.User,
+                    permissions: new Permissions(),
+                    externalId: externalId,
+                    accessSecretsManager: true)
+            ],
+            inviteOrganization: inviteOrganization,
+            performedBy: Guid.Empty,
+            timeProvider.GetUtcNow());
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .SelectKnownEmailsAsync(organization.Id, Arg.Any<IEnumerable<string>>(), false)
+            .Returns([]);
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        sutProvider.GetDependency<IInviteUsersValidator>()
+            .ValidateAsync(Arg.Any<InviteOrganizationUsersValidationRequest>())
+            .Returns(new Valid<InviteOrganizationUsersValidationRequest>(GetInviteValidationRequestMock(request, inviteOrganization, organization)));
+
+        // Act
+        var result = await sutProvider.Sut.InviteScimOrganizationUserAsync(request);
+
+        // Assert
+        Assert.IsType<Success<ScimInviteOrganizationUsersResponse>>(result);
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .CreateManyAsync(Arg.Is<IEnumerable<CreateOrganizationUser>>(users =>
+                users.Any(user => user.OrganizationUser.Email == request.Invites.First().Email)));
+
+        await sutProvider.GetDependency<ISendOrganizationInvitesCommand>()
+            .Received(1)
+            .SendInvitesAsync(Arg.Is<SendInvitesRequest>(invite =>
+                invite.Organization == organization &&
+                invite.Users.Count(x => x.Email == orgUser.Email) == 1));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task InviteScimOrganizationUserAsync_WhenEmailIsNewAndRequestIsInvalid_ThenFailureIsReturnedWithValidationFailureReason(
+            MailAddress address,
+            Organization organization,
+            OrganizationUser user,
+            FakeTimeProvider timeProvider,
+            string externalId,
+            SutProvider<InviteOrganizationUsersCommand> sutProvider)
+    {
+        // Arrange
+        const string errorMessage = "Org cannot add user for some given reason";
+
+        user.Email = address.Address;
+
+        var inviteOrganization = new InviteOrganization(organization, new FreePlan());
+
+        var request = new InviteOrganizationUsersRequest(
+            invites: [
+                new OrganizationUserInvite(
+                    email: user.Email,
+                    assignedCollections: [],
+                    groups: [],
+                    type: OrganizationUserType.User,
+                    permissions: new Permissions(),
+                    externalId: externalId,
+                    accessSecretsManager: true)
+            ],
+            inviteOrganization: inviteOrganization,
+            performedBy: Guid.Empty,
+            timeProvider.GetUtcNow());
+
+        var validationRequest = GetInviteValidationRequestMock(request, inviteOrganization, organization);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .SelectKnownEmailsAsync(organization.Id, Arg.Any<IEnumerable<string>>(), false)
+            .Returns([]);
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        sutProvider.GetDependency<IInviteUsersValidator>()
+            .ValidateAsync(Arg.Any<InviteOrganizationUsersValidationRequest>())
+            .Returns(new Invalid<InviteOrganizationUsersValidationRequest>(
+                new Error<InviteOrganizationUsersValidationRequest>(errorMessage, validationRequest)));
+
+        // Act
+        var result = await sutProvider.Sut.InviteScimOrganizationUserAsync(request);
+
+        // Assert
+        Assert.IsType<Failure<ScimInviteOrganizationUsersResponse>>(result);
+        var failure = result as Failure<ScimInviteOrganizationUsersResponse>;
+
+        Assert.Equal(errorMessage, failure!.ErrorMessage);
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceive()
+            .CreateManyAsync(Arg.Any<IEnumerable<CreateOrganizationUser>>());
+
+        await sutProvider.GetDependency<ISendOrganizationInvitesCommand>()
+            .DidNotReceive()
+            .SendInvitesAsync(Arg.Any<SendInvitesRequest>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task InviteScimOrganizationUserAsync_WhenValidInviteCausesOrganizationToReachMaxSeats_ThenOrganizationOwnersShouldBeNotified(
+        MailAddress address,
+        Organization organization,
+        OrganizationUser user,
+        FakeTimeProvider timeProvider,
+        string externalId,
+        OrganizationUserUserDetails ownerDetails,
+        SutProvider<InviteOrganizationUsersCommand> sutProvider)
+    {
+        // Arrange
+        user.Email = address.Address;
+        organization.Seats = 1;
+        organization.MaxAutoscaleSeats = 2;
+        ownerDetails.Type = OrganizationUserType.Owner;
+
+        var inviteOrganization = new InviteOrganization(organization, new FreePlan());
+
+        var request = new InviteOrganizationUsersRequest(
+            invites: [
+                new OrganizationUserInvite(
+                    email: user.Email,
+                    assignedCollections: [],
+                    groups: [],
+                    type: OrganizationUserType.User,
+                    permissions: new Permissions(),
+                    externalId: externalId,
+                    accessSecretsManager: true)
+            ],
+            inviteOrganization: inviteOrganization,
+            performedBy: Guid.Empty,
+            timeProvider.GetUtcNow());
+
+        var orgUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+
+        orgUserRepository
+            .SelectKnownEmailsAsync(inviteOrganization.OrganizationId, Arg.Any<IEnumerable<string>>(), false)
+            .Returns([]);
+        orgUserRepository
+            .GetManyByMinimumRoleAsync(inviteOrganization.OrganizationId, OrganizationUserType.Owner)
+            .Returns([ownerDetails]);
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        sutProvider.GetDependency<IInviteUsersValidator>()
+            .ValidateAsync(Arg.Any<InviteOrganizationUsersValidationRequest>())
+            .Returns(new Valid<InviteOrganizationUsersValidationRequest>(GetInviteValidationRequestMock(request, inviteOrganization, organization)
+                .WithPasswordManagerUpdate(new PasswordManagerSubscriptionUpdate(inviteOrganization, organization.Seats.Value, 1))));
+
+        // Act
+        var result = await sutProvider.Sut.InviteScimOrganizationUserAsync(request);
+
+        // Assert
+        Assert.IsType<Success<ScimInviteOrganizationUsersResponse>>(result);
+
+        Assert.NotNull(inviteOrganization.MaxAutoScaleSeats);
+
+        await sutProvider.GetDependency<IMailService>()
+            .Received(1)
+            .SendOrganizationMaxSeatLimitReachedEmailAsync(organization,
+                inviteOrganization.MaxAutoScaleSeats.Value,
+                Arg.Is<IEnumerable<string>>(emails => emails.Any(email => email == ownerDetails.Email)));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task InviteScimOrganizationUserAsync_WhenValidInviteIncreasesSeats_ThenSeatTotalShouldBeUpdated(
+        MailAddress address,
+        Organization organization,
+        OrganizationUser user,
+        FakeTimeProvider timeProvider,
+        string externalId,
+        OrganizationUserUserDetails ownerDetails,
+        SutProvider<InviteOrganizationUsersCommand> sutProvider)
+    {
+        // Arrange
+        user.Email = address.Address;
+        organization.Seats = 1;
+        organization.MaxAutoscaleSeats = 2;
+        ownerDetails.Type = OrganizationUserType.Owner;
+
+        var inviteOrganization = new InviteOrganization(organization, new FreePlan());
+
+        var request = new InviteOrganizationUsersRequest(
+            invites: [
+                new OrganizationUserInvite(
+                    email: user.Email,
+                    assignedCollections: [],
+                    groups: [],
+                    type: OrganizationUserType.User,
+                    permissions: new Permissions(),
+                    externalId: externalId,
+                    accessSecretsManager: true)
+            ],
+            inviteOrganization: inviteOrganization,
+            performedBy: Guid.Empty,
+            timeProvider.GetUtcNow());
+
+        var passwordManagerUpdate = new PasswordManagerSubscriptionUpdate(inviteOrganization, organization.Seats.Value, 1);
+
+        var orgUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+
+        orgUserRepository
+            .SelectKnownEmailsAsync(inviteOrganization.OrganizationId, Arg.Any<IEnumerable<string>>(), false)
+            .Returns([]);
+        orgUserRepository
+            .GetManyByMinimumRoleAsync(inviteOrganization.OrganizationId, OrganizationUserType.Owner)
+            .Returns([ownerDetails]);
+
+        var orgRepository = sutProvider.GetDependency<IOrganizationRepository>();
+
+        orgRepository.GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        sutProvider.GetDependency<IInviteUsersValidator>()
+            .ValidateAsync(Arg.Any<InviteOrganizationUsersValidationRequest>())
+            .Returns(new Valid<InviteOrganizationUsersValidationRequest>(GetInviteValidationRequestMock(request, inviteOrganization, organization)
+                .WithPasswordManagerUpdate(passwordManagerUpdate)));
+
+        // Act
+        var result = await sutProvider.Sut.InviteScimOrganizationUserAsync(request);
+
+        // Assert
+        Assert.IsType<Success<ScimInviteOrganizationUsersResponse>>(result);
+
+        await sutProvider.GetDependency<IPaymentService>()
+            .AdjustSeatsAsync(organization, inviteOrganization.Plan, passwordManagerUpdate.SeatsRequiredToAdd);
+
+        await orgRepository.Received(1).ReplaceAsync(Arg.Is<Organization>(x => x.Seats == passwordManagerUpdate.UpdatedSeatTotal));
+
+        await sutProvider.GetDependency<IApplicationCacheService>()
+            .Received(1)
+            .UpsertOrganizationAbilityAsync(Arg.Is<Organization>(x => x.Seats == passwordManagerUpdate.UpdatedSeatTotal));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task InviteScimOrganizationUserAsync_WhenValidInviteIncreasesSecretsManagerSeats_ThenSecretsManagerShouldBeUpdated(
+    MailAddress address,
+    Organization organization,
+    OrganizationUser user,
+    FakeTimeProvider timeProvider,
+    string externalId,
+    OrganizationUserUserDetails ownerDetails,
+    SutProvider<InviteOrganizationUsersCommand> sutProvider)
+    {
+        // Arrange
+        user.Email = address.Address;
+        organization.Seats = 1;
+        organization.SmSeats = 1;
+        organization.MaxAutoscaleSeats = 2;
+        organization.MaxAutoscaleSmSeats = 2;
+        ownerDetails.Type = OrganizationUserType.Owner;
+
+        var inviteOrganization = new InviteOrganization(organization, new FreePlan());
+
+        var request = new InviteOrganizationUsersRequest(
+            invites: [
+                new OrganizationUserInvite(
+                    email: user.Email,
+                    assignedCollections: [],
+                    groups: [],
+                    type: OrganizationUserType.User,
+                    permissions: new Permissions(),
+                    externalId: externalId,
+                    accessSecretsManager: true)
+            ],
+            inviteOrganization: inviteOrganization,
+            performedBy: Guid.Empty,
+            timeProvider.GetUtcNow());
+
+        var secretsManagerSubscriptionUpdate = new SecretsManagerSubscriptionUpdate(organization, inviteOrganization.Plan, true)
+            .AdjustSeats(request.Invites.Count(x => x.AccessSecretsManager));
+
+        var orgUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+
+        orgUserRepository
+            .SelectKnownEmailsAsync(inviteOrganization.OrganizationId, Arg.Any<IEnumerable<string>>(), false)
+            .Returns([]);
+        orgUserRepository
+            .GetManyByMinimumRoleAsync(inviteOrganization.OrganizationId, OrganizationUserType.Owner)
+            .Returns([ownerDetails]);
+        orgUserRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id).Returns(1);
+        orgUserRepository.GetOccupiedSmSeatCountByOrganizationIdAsync(organization.Id).Returns(1);
+
+        var orgRepository = sutProvider.GetDependency<IOrganizationRepository>();
+
+        orgRepository.GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        sutProvider.GetDependency<IInviteUsersValidator>()
+            .ValidateAsync(Arg.Any<InviteOrganizationUsersValidationRequest>())
+            .Returns(new Valid<InviteOrganizationUsersValidationRequest>(GetInviteValidationRequestMock(request, inviteOrganization, organization)
+                .WithSecretsManagerUpdate(secretsManagerSubscriptionUpdate)));
+
+        // Act
+        var result = await sutProvider.Sut.InviteScimOrganizationUserAsync(request);
+
+        // Assert;
+        Assert.IsType<Success<ScimInviteOrganizationUsersResponse>>(result);
+
+        await sutProvider.GetDependency<IUpdateSecretsManagerSubscriptionCommand>()
+            .Received(1)
+            .UpdateSubscriptionAsync(secretsManagerSubscriptionUpdate);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task InviteScimOrganizationUserAsync_WhenAnErrorOccursWhileInvitingUsers_ThenAnySeatChangesShouldBeReverted(
+        MailAddress address,
+        Organization organization,
+        OrganizationUser user,
+        FakeTimeProvider timeProvider,
+        string externalId,
+        OrganizationUserUserDetails ownerDetails,
+        SutProvider<InviteOrganizationUsersCommand> sutProvider)
+    {
+        // Arrange
+        user.Email = address.Address;
+        organization.Seats = 1;
+        organization.SmSeats = 1;
+        organization.MaxAutoscaleSeats = 2;
+        organization.MaxAutoscaleSmSeats = 2;
+        ownerDetails.Type = OrganizationUserType.Owner;
+
+        var inviteOrganization = new InviteOrganization(organization, new FreePlan());
+
+        var request = new InviteOrganizationUsersRequest(
+            invites: [
+                new OrganizationUserInvite(
+                    email: user.Email,
+                    assignedCollections: [],
+                    groups: [],
+                    type: OrganizationUserType.User,
+                    permissions: new Permissions(),
+                    externalId: externalId,
+                    accessSecretsManager: true)
+            ],
+            inviteOrganization: inviteOrganization,
+            performedBy: Guid.Empty,
+            timeProvider.GetUtcNow());
+
+        var secretsManagerSubscriptionUpdate = new SecretsManagerSubscriptionUpdate(organization, inviteOrganization.Plan, true)
+            .AdjustSeats(request.Invites.Count(x => x.AccessSecretsManager));
+
+        var passwordManagerSubscriptionUpdate =
+            new PasswordManagerSubscriptionUpdate(inviteOrganization, 1, request.Invites.Length);
+
+        var orgUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+
+        orgUserRepository
+            .SelectKnownEmailsAsync(inviteOrganization.OrganizationId, Arg.Any<IEnumerable<string>>(), false)
+            .Returns([]);
+        orgUserRepository
+            .GetManyByMinimumRoleAsync(inviteOrganization.OrganizationId, OrganizationUserType.Owner)
+            .Returns([ownerDetails]);
+
+        var orgRepository = sutProvider.GetDependency<IOrganizationRepository>();
+
+        orgRepository.GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        sutProvider.GetDependency<IInviteUsersValidator>()
+            .ValidateAsync(Arg.Any<InviteOrganizationUsersValidationRequest>())
+            .Returns(new Valid<InviteOrganizationUsersValidationRequest>(GetInviteValidationRequestMock(request, inviteOrganization, organization)
+                .WithPasswordManagerUpdate(passwordManagerSubscriptionUpdate)
+                .WithSecretsManagerUpdate(secretsManagerSubscriptionUpdate)));
+
+        sutProvider.GetDependency<ISendOrganizationInvitesCommand>()
+            .SendInvitesAsync(Arg.Any<SendInvitesRequest>())
+            .Throws(new Exception("Something went wrong"));
+
+        // Act
+        var result = await sutProvider.Sut.InviteScimOrganizationUserAsync(request);
+
+        // Assert
+        Assert.IsType<Failure<ScimInviteOrganizationUsersResponse>>(result);
+        Assert.Equal(FailedToInviteUsersError.Code, (result as Failure<ScimInviteOrganizationUsersResponse>)!.ErrorMessage);
+
+        // org user revert
+        await orgUserRepository.Received(1).DeleteManyAsync(Arg.Is<IEnumerable<Guid>>(x => x.Count() == 1));
+
+        // SM revert
+        await sutProvider.GetDependency<IUpdateSecretsManagerSubscriptionCommand>()
+            .Received(2)
+            .UpdateSubscriptionAsync(Arg.Any<SecretsManagerSubscriptionUpdate>());
+
+        // PM revert
+        await sutProvider.GetDependency<IPaymentService>()
+            .Received(2)
+            .AdjustSeatsAsync(Arg.Any<Organization>(), Arg.Any<Plan>(), Arg.Any<int>());
+
+        await orgRepository.Received(2).ReplaceAsync(Arg.Any<Organization>());
+
+        await sutProvider.GetDependency<IApplicationCacheService>().Received(2)
+            .UpsertOrganizationAbilityAsync(Arg.Any<Organization>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task InviteScimOrganizationUserAsync_WhenAnOrganizationIsManagedByAProvider_ThenAnEmailShouldBeSentToTheProvider(
+        MailAddress address,
+        Organization organization,
+        OrganizationUser user,
+        FakeTimeProvider timeProvider,
+        string externalId,
+        OrganizationUserUserDetails ownerDetails,
+        ProviderOrganization providerOrganization,
+        SutProvider<InviteOrganizationUsersCommand> sutProvider)
+    {
+        // Arrange
+        user.Email = address.Address;
+        organization.Seats = 1;
+        organization.SmSeats = 1;
+        organization.MaxAutoscaleSeats = 2;
+        organization.MaxAutoscaleSmSeats = 2;
+        ownerDetails.Type = OrganizationUserType.Owner;
+
+        providerOrganization.OrganizationId = organization.Id;
+
+        var inviteOrganization = new InviteOrganization(organization, new FreePlan());
+
+        var request = new InviteOrganizationUsersRequest(
+            invites: [
+                new OrganizationUserInvite(
+                    email: user.Email,
+                    assignedCollections: [],
+                    groups: [],
+                    type: OrganizationUserType.User,
+                    permissions: new Permissions(),
+                    externalId: externalId,
+                    accessSecretsManager: true)
+            ],
+            inviteOrganization: inviteOrganization,
+            performedBy: Guid.Empty,
+            timeProvider.GetUtcNow());
+
+        var secretsManagerSubscriptionUpdate = new SecretsManagerSubscriptionUpdate(organization, inviteOrganization.Plan, true)
+            .AdjustSeats(request.Invites.Count(x => x.AccessSecretsManager));
+
+        var passwordManagerSubscriptionUpdate =
+            new PasswordManagerSubscriptionUpdate(inviteOrganization, 1, request.Invites.Length);
+
+        var orgUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+
+        orgUserRepository
+            .SelectKnownEmailsAsync(inviteOrganization.OrganizationId, Arg.Any<IEnumerable<string>>(), false)
+            .Returns([]);
+        orgUserRepository
+            .GetManyByMinimumRoleAsync(inviteOrganization.OrganizationId, OrganizationUserType.Owner)
+            .Returns([ownerDetails]);
+
+        var orgRepository = sutProvider.GetDependency<IOrganizationRepository>();
+
+        orgRepository.GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        sutProvider.GetDependency<IInviteUsersValidator>()
+            .ValidateAsync(Arg.Any<InviteOrganizationUsersValidationRequest>())
+            .Returns(new Valid<InviteOrganizationUsersValidationRequest>(GetInviteValidationRequestMock(request, inviteOrganization, organization)
+                .WithPasswordManagerUpdate(passwordManagerSubscriptionUpdate)
+                .WithSecretsManagerUpdate(secretsManagerSubscriptionUpdate)));
+
+        sutProvider.GetDependency<IProviderOrganizationRepository>()
+            .GetByOrganizationId(organization.Id)
+            .Returns(providerOrganization);
+
+        sutProvider.GetDependency<IProviderUserRepository>()
+            .GetManyDetailsByProviderAsync(providerOrganization.ProviderId, ProviderUserStatusType.Confirmed)
+            .Returns(new List<ProviderUserUserDetails>
+            {
+                new()
+                {
+                    Email = "provider@email.com"
+                }
+            });
+
+        // Act
+        var result = await sutProvider.Sut.InviteScimOrganizationUserAsync(request);
+
+        // Assert
+        Assert.IsType<Success<ScimInviteOrganizationUsersResponse>>(result);
+
+        sutProvider.GetDependency<IMailService>().Received(1)
+            .SendOrganizationMaxSeatLimitReachedEmailAsync(organization, 2,
+                Arg.Is<IEnumerable<string>>(emails => emails.Any(email => email == "provider@email.com")));
+    }
+}
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/SendOrganizationInvitesCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/SendOrganizationInvitesCommandTests.cs
new file mode 100644
index 0000000000..23c1a32c03
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/SendOrganizationInvitesCommandTests.cs
@@ -0,0 +1,108 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Models.Business.Tokenables;
+using Bit.Core.Auth.Repositories;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Entities;
+using Bit.Core.Models.Mail;
+using Bit.Core.Services;
+using Bit.Core.Test.AutoFixture.OrganizationFixtures;
+using Bit.Core.Tokens;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Bit.Test.Common.Fakes;
+using NSubstitute;
+using NSubstitute.ReturnsExtensions;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+
+[SutProviderCustomize]
+public class SendOrganizationInvitesCommandTests
+{
+    private readonly IDataProtectorTokenFactory<OrgUserInviteTokenable> _orgUserInviteTokenDataFactory = new FakeDataProtectorTokenFactory<OrgUserInviteTokenable>();
+
+    [Theory]
+    [OrganizationInviteCustomize, OrganizationCustomize, BitAutoData]
+    public async Task SendInvitesAsync_SsoOrgWithNeverEnabledRequireSsoPolicy_SendsEmailWithoutRequiringSso(
+        Organization organization,
+        SsoConfig ssoConfig,
+        OrganizationUser invite,
+        SutProvider<SendOrganizationInvitesCommand> sutProvider)
+    {
+        // Setup FakeDataProtectorTokenFactory for creating new tokens - this must come first in order to avoid resetting mocks
+        sutProvider.SetDependency(_orgUserInviteTokenDataFactory, "orgUserInviteTokenDataFactory");
+        sutProvider.Create();
+
+        // Org must be able to use SSO and policies to trigger this test case
+        organization.UseSso = true;
+        organization.UsePolicies = true;
+
+        ssoConfig.Enabled = true;
+        sutProvider.GetDependency<ISsoConfigRepository>().GetByOrganizationIdAsync(organization.Id).Returns(ssoConfig);
+
+        // Return null policy to mimic new org that's never turned on the require sso policy
+        sutProvider.GetDependency<IPolicyRepository>().GetManyByOrganizationIdAsync(organization.Id).ReturnsNull();
+
+        // Mock tokenable factory to return a token that expires in 5 days
+        sutProvider.GetDependency<IOrgUserInviteTokenableFactory>()
+            .CreateToken(Arg.Any<OrganizationUser>())
+            .Returns(
+                info => new OrgUserInviteTokenable(info.Arg<OrganizationUser>())
+                {
+                    ExpirationDate = DateTime.UtcNow.Add(TimeSpan.FromDays(5))
+                });
+
+        // Act
+        await sutProvider.Sut.SendInvitesAsync(new SendInvitesRequest([invite], organization));
+
+        // Assert
+        await sutProvider.GetDependency<IMailService>().Received(1)
+            .SendOrganizationInviteEmailsAsync(Arg.Is<OrganizationInvitesInfo>(info =>
+                info.OrgUserTokenPairs.Count() == 1 &&
+                info.OrgUserTokenPairs.FirstOrDefault(x => x.OrgUser.Email == invite.Email).OrgUser == invite &&
+                info.IsFreeOrg == (organization.PlanType == PlanType.Free) &&
+                info.OrganizationName == organization.Name &&
+                info.OrgSsoLoginRequiredPolicyEnabled == false));
+    }
+
+    [Theory]
+    [OrganizationInviteCustomize, OrganizationCustomize, BitAutoData]
+    public async Task InviteUsers_SsoOrgWithNullSsoConfig_SendsInvite(
+        Organization organization,
+        OrganizationUser invite,
+        SutProvider<SendOrganizationInvitesCommand> sutProvider)
+    {
+        // Setup FakeDataProtectorTokenFactory for creating new tokens - this must come first in order to avoid resetting mocks
+        sutProvider.SetDependency(_orgUserInviteTokenDataFactory, "orgUserInviteTokenDataFactory");
+        sutProvider.Create();
+
+        // Org must be able to use SSO to trigger this proper test case as we currently only call to retrieve
+        // an org's SSO config if the org can use SSO
+        organization.UseSso = true;
+
+        // Return null for sso config
+        sutProvider.GetDependency<ISsoConfigRepository>().GetByOrganizationIdAsync(organization.Id).ReturnsNull();
+
+        // Mock tokenable factory to return a token that expires in 5 days
+        sutProvider.GetDependency<IOrgUserInviteTokenableFactory>()
+            .CreateToken(Arg.Any<OrganizationUser>())
+            .Returns(
+                info => new OrgUserInviteTokenable(info.Arg<OrganizationUser>())
+                {
+                    ExpirationDate = DateTime.UtcNow.Add(TimeSpan.FromDays(5))
+                });
+
+        await sutProvider.Sut.SendInvitesAsync(new SendInvitesRequest([invite], organization));
+
+        await sutProvider.GetDependency<IMailService>().Received(1)
+            .SendOrganizationInviteEmailsAsync(Arg.Is<OrganizationInvitesInfo>(info =>
+                info.OrgUserTokenPairs.Count() == 1 &&
+                info.OrgUserTokenPairs.FirstOrDefault(x => x.OrgUser.Email == invite.Email).OrgUser == invite &&
+                info.IsFreeOrg == (organization.PlanType == PlanType.Free) &&
+                info.OrganizationName == organization.Name));
+    }
+}
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/InviteOrganizationUsersValidatorTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/InviteOrganizationUsersValidatorTests.cs
new file mode 100644
index 0000000000..191ef05603
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/InviteOrganizationUsersValidatorTests.cs
@@ -0,0 +1,161 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation;
+using Bit.Core.AdminConsole.Shared.Validation;
+using Bit.Core.Billing.Models.StaticStore.Plans;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Business;
+using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using NSubstitute.ExceptionExtensions;
+using Xunit;
+using OrganizationUserInvite = Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models.OrganizationUserInvite;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation;
+
+[SutProviderCustomize]
+public class InviteOrganizationUsersValidatorTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_WhenOrganizationHasSecretsManagerInvitesAndDoesNotHaveEnoughSeatsAvailable_ThenShouldCorrectlyCalculateSeatsToAdd(
+        Organization organization,
+        SutProvider<InviteOrganizationUsersValidator> sutProvider
+    )
+    {
+        organization.Seats = null;
+        organization.SmSeats = 10;
+        organization.UseSecretsManager = true;
+
+        var request = new InviteOrganizationUsersValidationRequest
+        {
+            Invites =
+            [
+                new OrganizationUserInvite(
+                    email: "test@email.com",
+                    externalId: "test-external-id"),
+                new OrganizationUserInvite(
+                    email: "test2@email.com",
+                    externalId: "test-external-id2"),
+                new OrganizationUserInvite(
+                    email: "test3@email.com",
+                    externalId: "test-external-id3")
+            ],
+            InviteOrganization = new InviteOrganization(organization, new Enterprise2023Plan(true)),
+            OccupiedPmSeats = 0,
+            OccupiedSmSeats = 9
+        };
+
+        sutProvider.GetDependency<IPaymentService>()
+            .HasSecretsManagerStandalone(request.InviteOrganization)
+            .Returns(true);
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        _ = await sutProvider.Sut.ValidateAsync(request);
+
+        sutProvider.GetDependency<IUpdateSecretsManagerSubscriptionCommand>()
+            .Received(1)
+            .ValidateUpdateAsync(Arg.Is<SecretsManagerSubscriptionUpdate>(x =>
+                x.SmSeatsChanged == true && x.SmSeats == 12));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_WhenOrganizationHasSecretsManagerInvitesAndHasSeatsAvailable_ThenShouldReturnValid(
+        Organization organization,
+        SutProvider<InviteOrganizationUsersValidator> sutProvider
+    )
+    {
+        organization.Seats = null;
+        organization.SmSeats = 12;
+        organization.UseSecretsManager = true;
+
+        var request = new InviteOrganizationUsersValidationRequest
+        {
+            Invites =
+            [
+                new OrganizationUserInvite(
+                    email: "test@email.com",
+                    externalId: "test-external-id"),
+                new OrganizationUserInvite(
+                    email: "test2@email.com",
+                    externalId: "test-external-id2"),
+                new OrganizationUserInvite(
+                    email: "test3@email.com",
+                    externalId: "test-external-id3")
+            ],
+            InviteOrganization = new InviteOrganization(organization, new Enterprise2023Plan(true)),
+            OccupiedPmSeats = 0,
+            OccupiedSmSeats = 9
+        };
+
+        sutProvider.GetDependency<IPaymentService>()
+            .HasSecretsManagerStandalone(request.InviteOrganization)
+            .Returns(true);
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        var result = await sutProvider.Sut.ValidateAsync(request);
+
+        Assert.IsType<Valid<InviteOrganizationUsersValidationRequest>>(result);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_WhenOrganizationHasSecretsManagerInvitesAndSmSeatUpdateFailsValidation_ThenShouldReturnInvalid(
+        Organization organization,
+        SutProvider<InviteOrganizationUsersValidator> sutProvider
+    )
+    {
+        organization.Seats = null;
+        organization.SmSeats = 5;
+        organization.MaxAutoscaleSmSeats = 5;
+        organization.UseSecretsManager = true;
+
+        var request = new InviteOrganizationUsersValidationRequest
+        {
+            Invites =
+            [
+                new OrganizationUserInvite(
+                    email: "test@email.com",
+                    externalId: "test-external-id"),
+                new OrganizationUserInvite(
+                    email: "test2@email.com",
+                    externalId: "test-external-id2"),
+                new OrganizationUserInvite(
+                    email: "test3@email.com",
+                    externalId: "test-external-id3")
+            ],
+            InviteOrganization = new InviteOrganization(organization, new Enterprise2023Plan(true)),
+            OccupiedPmSeats = 0,
+            OccupiedSmSeats = 4
+        };
+
+        sutProvider.GetDependency<IPaymentService>()
+            .HasSecretsManagerStandalone(request.InviteOrganization)
+            .Returns(true);
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        sutProvider.GetDependency<IUpdateSecretsManagerSubscriptionCommand>()
+            .ValidateUpdateAsync(Arg.Any<SecretsManagerSubscriptionUpdate>())
+            .Throws(new BadRequestException("Some Secrets Manager Failure"));
+
+        var result = await sutProvider.Sut.ValidateAsync(request);
+
+        Assert.IsType<Invalid<InviteOrganizationUsersValidationRequest>>(result);
+        Assert.Equal("Some Secrets Manager Failure", (result as Invalid<InviteOrganizationUsersValidationRequest>)!.ErrorMessageString);
+    }
+}
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/InviteUserOrganizationValidationTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/InviteUserOrganizationValidationTests.cs
new file mode 100644
index 0000000000..508b9f3cb0
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/InviteUserOrganizationValidationTests.cs
@@ -0,0 +1,58 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Organization;
+using Bit.Core.AdminConsole.Shared.Validation;
+using Bit.Core.Billing.Models.StaticStore.Plans;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation;
+
+[SutProviderCustomize]
+public class InviteUserOrganizationValidationTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task Validate_WhenOrganizationIsFreeTier_ShouldReturnValidResponse(Organization organization, SutProvider<InviteUsersOrganizationValidator> sutProvider)
+    {
+        var inviteOrganization = new InviteOrganization(organization, new FreePlan());
+
+        var result = await sutProvider.Sut.ValidateAsync(inviteOrganization);
+
+        Assert.IsType<Valid<InviteOrganization>>(result);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task Validate_WhenOrganizationDoesNotHavePaymentMethod_ShouldReturnInvalidResponseWithPaymentMethodMessage(
+        Organization organization, SutProvider<InviteUsersOrganizationValidator> sutProvider)
+    {
+        organization.GatewayCustomerId = string.Empty;
+        organization.Seats = 3;
+
+        var inviteOrganization = new InviteOrganization(organization, new FreePlan());
+
+        var result = await sutProvider.Sut.ValidateAsync(inviteOrganization);
+
+        Assert.IsType<Invalid<InviteOrganization>>(result);
+        Assert.Equal(OrganizationNoPaymentMethodFoundError.Code, (result as Invalid<InviteOrganization>)!.ErrorMessageString);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task Validate_WhenOrganizationDoesNotHaveSubscription_ShouldReturnInvalidResponseWithSubscriptionMessage(
+        Organization organization, SutProvider<InviteUsersOrganizationValidator> sutProvider)
+    {
+        organization.GatewaySubscriptionId = string.Empty;
+        organization.Seats = 3;
+        organization.MaxAutoscaleSeats = 4;
+
+        var inviteOrganization = new InviteOrganization(organization, new FreePlan());
+
+        var result = await sutProvider.Sut.ValidateAsync(inviteOrganization);
+
+        Assert.IsType<Invalid<InviteOrganization>>(result);
+        Assert.Equal(OrganizationNoSubscriptionFoundError.Code, (result as Invalid<InviteOrganization>)!.ErrorMessageString);
+    }
+}
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/InviteUserPaymentValidationTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/InviteUserPaymentValidationTests.cs
new file mode 100644
index 0000000000..bcca89e1d2
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/InviteUserPaymentValidationTests.cs
@@ -0,0 +1,56 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Models;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Payments;
+using Bit.Core.AdminConsole.Shared.Validation;
+using Bit.Core.Billing.Constants;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Models.StaticStore.Plans;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation;
+
+public class InviteUserPaymentValidationTests
+{
+    [Theory]
+    [BitAutoData]
+    public void Validate_WhenPlanIsFree_ReturnsValidResponse(Organization organization)
+    {
+        organization.PlanType = PlanType.Free;
+
+        var result = InviteUserPaymentValidation.Validate(new PaymentsSubscription
+        {
+            SubscriptionStatus = StripeConstants.SubscriptionStatus.Active,
+            ProductTierType = new InviteOrganization(organization, new FreePlan()).Plan.ProductTier
+        });
+
+        Assert.IsType<Valid<PaymentsSubscription>>(result);
+    }
+
+    [Fact]
+    public void Validate_WhenSubscriptionIsCanceled_ReturnsInvalidResponse()
+    {
+        var result = InviteUserPaymentValidation.Validate(new PaymentsSubscription
+        {
+            SubscriptionStatus = StripeConstants.SubscriptionStatus.Canceled,
+            ProductTierType = ProductTierType.Enterprise
+        });
+
+        Assert.IsType<Invalid<PaymentsSubscription>>(result);
+        Assert.Equal(PaymentCancelledSubscriptionError.Code, (result as Invalid<PaymentsSubscription>)!.ErrorMessageString);
+    }
+
+    [Fact]
+    public void Validate_WhenSubscriptionIsActive_ReturnsValidResponse()
+    {
+        var result = InviteUserPaymentValidation.Validate(new PaymentsSubscription
+        {
+            SubscriptionStatus = StripeConstants.SubscriptionStatus.Active,
+            ProductTierType = ProductTierType.Enterprise
+        });
+
+        Assert.IsType<Valid<PaymentsSubscription>>(result);
+    }
+}
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/PasswordManagerInviteUserValidatorTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/PasswordManagerInviteUserValidatorTests.cs
new file mode 100644
index 0000000000..c320ada8cb
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/PasswordManagerInviteUserValidatorTests.cs
@@ -0,0 +1,93 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.PasswordManager;
+using Bit.Core.AdminConsole.Shared.Validation;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Models.StaticStore.Plans;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation;
+
+
+[SutProviderCustomize]
+public class InviteUsersPasswordManagerValidatorTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task Validate_OrganizationDoesNotHaveSeatsLimit_ShouldReturnValidResult(Organization organization,
+        SutProvider<InviteUsersPasswordManagerValidator> sutProvider)
+    {
+        organization.Seats = null;
+
+        var organizationDto = new InviteOrganization(organization, new FreePlan());
+
+        var subscriptionUpdate = new PasswordManagerSubscriptionUpdate(organizationDto, 0, 0);
+
+        var result = await sutProvider.Sut.ValidateAsync(subscriptionUpdate);
+
+        Assert.IsType<Valid<PasswordManagerSubscriptionUpdate>>(result);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task Validate_NumberOfSeatsToAddMatchesSeatsAvailable_ShouldReturnValidResult(Organization organization,
+        SutProvider<InviteUsersPasswordManagerValidator> sutProvider)
+    {
+        organization.Seats = 8;
+        organization.PlanType = PlanType.EnterpriseAnnually;
+        var seatsOccupiedByUsers = 4;
+        var additionalSeats = 4;
+
+        var organizationDto = new InviteOrganization(organization, new Enterprise2023Plan(isAnnual: true));
+
+        var subscriptionUpdate = new PasswordManagerSubscriptionUpdate(organizationDto, seatsOccupiedByUsers, additionalSeats);
+
+        var result = await sutProvider.Sut.ValidateAsync(subscriptionUpdate);
+
+        Assert.IsType<Valid<PasswordManagerSubscriptionUpdate>>(result);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task Validate_NumberOfSeatsToAddIsGreaterThanMaxSeatsAllowed_ShouldBeInvalidWithSeatLimitMessage(Organization organization,
+        SutProvider<InviteUsersPasswordManagerValidator> sutProvider)
+    {
+        organization.Seats = 4;
+        organization.MaxAutoscaleSeats = 4;
+        organization.PlanType = PlanType.EnterpriseAnnually;
+        var seatsOccupiedByUsers = 4;
+        var additionalSeats = 1;
+
+        var organizationDto = new InviteOrganization(organization, new Enterprise2023Plan(isAnnual: true));
+
+        var subscriptionUpdate = new PasswordManagerSubscriptionUpdate(organizationDto, seatsOccupiedByUsers, additionalSeats);
+
+        var result = await sutProvider.Sut.ValidateAsync(subscriptionUpdate);
+
+        Assert.IsType<Invalid<PasswordManagerSubscriptionUpdate>>(result);
+        Assert.Equal(PasswordManagerSeatLimitHasBeenReachedError.Code, (result as Invalid<PasswordManagerSubscriptionUpdate>)!.ErrorMessageString);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task Validate_GivenThePlanDoesNotAllowAdditionalSeats_ShouldBeInvalidMessageOfPlanNotAllowingSeats(Organization organization,
+        SutProvider<InviteUsersPasswordManagerValidator> sutProvider)
+    {
+        organization.Seats = 4;
+        organization.MaxAutoscaleSeats = 9;
+        var seatsOccupiedByUsers = 4;
+        var additionalSeats = 4;
+        organization.PlanType = PlanType.Free;
+
+        var organizationDto = new InviteOrganization(organization, new FreePlan());
+
+        var subscriptionUpdate = new PasswordManagerSubscriptionUpdate(organizationDto, seatsOccupiedByUsers, additionalSeats);
+
+        var result = await sutProvider.Sut.ValidateAsync(subscriptionUpdate);
+
+        Assert.IsType<Invalid<PasswordManagerSubscriptionUpdate>>(result);
+        Assert.Equal(PasswordManagerPlanDoesNotAllowAdditionalSeatsError.Code, (result as Invalid<PasswordManagerSubscriptionUpdate>)!.ErrorMessageString);
+    }
+}
diff --git a/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs b/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
index 53101900e5..e45643435d 100644
--- a/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
+++ b/test/Core.Test/AdminConsole/Services/OrganizationServiceTests.cs
@@ -2,10 +2,10 @@
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
 using Bit.Core.AdminConsole.Repositories;
-using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Models.Business.Tokenables;
-using Bit.Core.Auth.Repositories;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Pricing;
 using Bit.Core.Context;
@@ -15,7 +15,6 @@ using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
 using Bit.Core.Models.Data;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
-using Bit.Core.Models.Mail;
 using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
@@ -37,6 +36,7 @@ using NSubstitute.ReturnsExtensions;
 using Xunit;
 using Organization = Bit.Core.AdminConsole.Entities.Organization;
 using OrganizationUser = Bit.Core.Entities.OrganizationUser;
+using OrganizationUserInvite = Bit.Core.Models.Business.OrganizationUserInvite;
 
 namespace Bit.Core.Test.Services;
 
@@ -77,15 +77,6 @@ public class OrganizationServiceTests
             .Returns(true);
         sutProvider.GetDependency<ICurrentContext>().ManageUsers(org.Id).Returns(true);
 
-        // Mock tokenable factory to return a token that expires in 5 days
-        sutProvider.GetDependency<IOrgUserInviteTokenableFactory>()
-            .CreateToken(Arg.Any<OrganizationUser>())
-            .Returns(
-                info => new OrgUserInviteTokenable(info.Arg<OrganizationUser>())
-                {
-                    ExpirationDate = DateTime.UtcNow.Add(TimeSpan.FromDays(5))
-                }
-            );
 
         await sutProvider.Sut.ImportAsync(org.Id, null, newUsers, null, false, EventSystemUser.PublicApi);
 
@@ -100,9 +91,11 @@ public class OrganizationServiceTests
         await sutProvider.GetDependency<IOrganizationUserRepository>().Received(1)
             .CreateManyAsync(Arg.Is<IEnumerable<OrganizationUser>>(users => users.Count() == expectedNewUsersCount));
 
-        await sutProvider.GetDependency<IMailService>().Received(1)
-            .SendOrganizationInviteEmailsAsync(
-                Arg.Is<OrganizationInvitesInfo>(info => info.OrgUserTokenPairs.Count() == expectedNewUsersCount && info.IsFreeOrg == (org.PlanType == PlanType.Free) && info.OrganizationName == org.Name));
+        await sutProvider.GetDependency<ISendOrganizationInvitesCommand>().Received(1)
+            .SendInvitesAsync(
+                Arg.Is<SendInvitesRequest>(
+                    info => info.Users.Length == expectedNewUsersCount &&
+                            info.Organization == org));
 
         // Send events
         await sutProvider.GetDependency<IEventService>().Received(1)
@@ -152,16 +145,6 @@ public class OrganizationServiceTests
         var currentContext = sutProvider.GetDependency<ICurrentContext>();
         currentContext.ManageUsers(org.Id).Returns(true);
 
-        // Mock tokenable factory to return a token that expires in 5 days
-        sutProvider.GetDependency<IOrgUserInviteTokenableFactory>()
-            .CreateToken(Arg.Any<OrganizationUser>())
-            .Returns(
-                info => new OrgUserInviteTokenable(info.Arg<OrganizationUser>())
-                {
-                    ExpirationDate = DateTime.UtcNow.Add(TimeSpan.FromDays(5))
-                }
-            );
-
         await sutProvider.Sut.ImportAsync(org.Id, null, newUsers, null, false, EventSystemUser.PublicApi);
 
         await sutProvider.GetDependency<IOrganizationUserRepository>().DidNotReceiveWithAnyArgs()
@@ -179,14 +162,15 @@ public class OrganizationServiceTests
         await sutProvider.GetDependency<IOrganizationUserRepository>().Received(1)
             .CreateManyAsync(Arg.Is<IEnumerable<OrganizationUser>>(users => users.Count() == expectedNewUsersCount));
 
-        await sutProvider.GetDependency<IMailService>().Received(1)
-            .SendOrganizationInviteEmailsAsync(Arg.Is<OrganizationInvitesInfo>(info =>
-                info.OrgUserTokenPairs.Count() == expectedNewUsersCount && info.IsFreeOrg == (org.PlanType == PlanType.Free) && info.OrganizationName == org.Name));
+        await sutProvider.GetDependency<ISendOrganizationInvitesCommand>().Received(1)
+            .SendInvitesAsync(Arg.Is<SendInvitesRequest>(request =>
+                request.Users.Length == expectedNewUsersCount &&
+                request.Organization == org));
 
         // Sent events
         await sutProvider.GetDependency<IEventService>().Received(1)
             .LogOrganizationUserEventsAsync(Arg.Is<IEnumerable<(OrganizationUser, EventType, EventSystemUser, DateTime?)>>(events =>
-            events.Where(e => e.Item2 == EventType.OrganizationUser_Invited).Count() == expectedNewUsersCount));
+            events.Count(e => e.Item2 == EventType.OrganizationUser_Invited) == expectedNewUsersCount));
         await sutProvider.GetDependency<IReferenceEventService>().Received(1)
             .RaiseEventAsync(Arg.Is<ReferenceEvent>(referenceEvent =>
             referenceEvent.Type == ReferenceEventType.InvitedUsers && referenceEvent.Id == org.Id &&
@@ -270,125 +254,15 @@ public class OrganizationServiceTests
         // Must set guids in order for dictionary of guids to not throw aggregate exceptions
         SetupOrgUserRepositoryCreateManyAsyncMock(organizationUserRepository);
 
-        // Mock tokenable factory to return a token that expires in 5 days
-        sutProvider.GetDependency<IOrgUserInviteTokenableFactory>()
-            .CreateToken(Arg.Any<OrganizationUser>())
-            .Returns(
-                info => new OrgUserInviteTokenable(info.Arg<OrganizationUser>())
-                {
-                    ExpirationDate = DateTime.UtcNow.Add(TimeSpan.FromDays(5))
-                }
-                );
-
-
         await sutProvider.Sut.InviteUsersAsync(organization.Id, invitor.UserId, systemUser: null, new (OrganizationUserInvite, string)[] { (invite, null) });
 
-        await sutProvider.GetDependency<IMailService>().Received(1)
-            .SendOrganizationInviteEmailsAsync(Arg.Is<OrganizationInvitesInfo>(info =>
-                info.OrgUserTokenPairs.Count() == invite.Emails.Distinct().Count() &&
-                info.IsFreeOrg == (organization.PlanType == PlanType.Free) &&
-                info.OrganizationName == organization.Name));
+        await sutProvider.GetDependency<ISendOrganizationInvitesCommand>().Received(1)
+            .SendInvitesAsync(Arg.Is<SendInvitesRequest>(request =>
+                request.Users.DistinctBy(x => x.Email).Count() == invite.Emails.Distinct().Count() &&
+                request.Organization == organization));
 
     }
 
-    [Theory]
-    [OrganizationInviteCustomize, OrganizationCustomize, BitAutoData]
-    public async Task InviteUsers_SsoOrgWithNullSsoConfig_Passes(Organization organization, OrganizationUser invitor,
-                [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
-        OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
-    {
-        // Setup FakeDataProtectorTokenFactory for creating new tokens - this must come first in order to avoid resetting mocks
-        sutProvider.SetDependency(_orgUserInviteTokenDataFactory, "orgUserInviteTokenDataFactory");
-        sutProvider.Create();
-
-        // Org must be able to use SSO to trigger this proper test case as we currently only call to retrieve
-        // an org's SSO config if the org can use SSO
-        organization.UseSso = true;
-
-        // Return null for sso config
-        sutProvider.GetDependency<ISsoConfigRepository>().GetByOrganizationIdAsync(organization.Id).ReturnsNull();
-
-        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICurrentContext>().OrganizationOwner(organization.Id).Returns(true);
-        sutProvider.GetDependency<ICurrentContext>().ManageUsers(organization.Id).Returns(true);
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        organizationUserRepository.GetManyByOrganizationAsync(organization.Id, OrganizationUserType.Owner)
-            .Returns(new[] { owner });
-
-        // Must set guids in order for dictionary of guids to not throw aggregate exceptions
-        SetupOrgUserRepositoryCreateManyAsyncMock(organizationUserRepository);
-
-        // Mock tokenable factory to return a token that expires in 5 days
-        sutProvider.GetDependency<IOrgUserInviteTokenableFactory>()
-            .CreateToken(Arg.Any<OrganizationUser>())
-            .Returns(
-                info => new OrgUserInviteTokenable(info.Arg<OrganizationUser>())
-                {
-                    ExpirationDate = DateTime.UtcNow.Add(TimeSpan.FromDays(5))
-                }
-                );
-
-
-
-        await sutProvider.Sut.InviteUsersAsync(organization.Id, invitor.UserId, systemUser: null, new (OrganizationUserInvite, string)[] { (invite, null) });
-
-        await sutProvider.GetDependency<IMailService>().Received(1)
-            .SendOrganizationInviteEmailsAsync(Arg.Is<OrganizationInvitesInfo>(info =>
-                info.OrgUserTokenPairs.Count() == invite.Emails.Distinct().Count() &&
-                info.IsFreeOrg == (organization.PlanType == PlanType.Free) &&
-                info.OrganizationName == organization.Name));
-    }
-
-    [Theory]
-    [OrganizationInviteCustomize, OrganizationCustomize, BitAutoData]
-    public async Task InviteUsers_SsoOrgWithNeverEnabledRequireSsoPolicy_Passes(Organization organization, SsoConfig ssoConfig, OrganizationUser invitor,
-        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
-OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
-    {
-        // Setup FakeDataProtectorTokenFactory for creating new tokens - this must come first in order to avoid resetting mocks
-        sutProvider.SetDependency(_orgUserInviteTokenDataFactory, "orgUserInviteTokenDataFactory");
-        sutProvider.Create();
-
-        // Org must be able to use SSO and policies to trigger this test case
-        organization.UseSso = true;
-        organization.UsePolicies = true;
-
-        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICurrentContext>().OrganizationOwner(organization.Id).Returns(true);
-        sutProvider.GetDependency<ICurrentContext>().ManageUsers(organization.Id).Returns(true);
-        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
-        organizationUserRepository.GetManyByOrganizationAsync(organization.Id, OrganizationUserType.Owner)
-            .Returns(new[] { owner });
-
-        ssoConfig.Enabled = true;
-        sutProvider.GetDependency<ISsoConfigRepository>().GetByOrganizationIdAsync(organization.Id).Returns(ssoConfig);
-
-
-        // Return null policy to mimic new org that's never turned on the require sso policy
-        sutProvider.GetDependency<IPolicyRepository>().GetManyByOrganizationIdAsync(organization.Id).ReturnsNull();
-
-        // Must set guids in order for dictionary of guids to not throw aggregate exceptions
-        SetupOrgUserRepositoryCreateManyAsyncMock(organizationUserRepository);
-
-        // Mock tokenable factory to return a token that expires in 5 days
-        sutProvider.GetDependency<IOrgUserInviteTokenableFactory>()
-            .CreateToken(Arg.Any<OrganizationUser>())
-            .Returns(
-                info => new OrgUserInviteTokenable(info.Arg<OrganizationUser>())
-                {
-                    ExpirationDate = DateTime.UtcNow.Add(TimeSpan.FromDays(5))
-                }
-                );
-
-        await sutProvider.Sut.InviteUsersAsync(organization.Id, invitor.UserId, systemUser: null, new (OrganizationUserInvite, string)[] { (invite, null) });
-
-        await sutProvider.GetDependency<IMailService>().Received(1)
-            .SendOrganizationInviteEmailsAsync(Arg.Is<OrganizationInvitesInfo>(info =>
-                info.OrgUserTokenPairs.Count() == invite.Emails.Distinct().Count() &&
-                info.IsFreeOrg == (organization.PlanType == PlanType.Free) &&
-                info.OrganizationName == organization.Name));
-    }
-
     [Theory]
     [OrganizationInviteCustomize(
         InviteeUserType = OrganizationUserType.Admin,
@@ -637,14 +511,14 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
         organizationRepository.GetByIdAsync(organization.Id).Returns(organization);
 
         // Mock tokenable factory to return a token that expires in 5 days
-        sutProvider.GetDependency<IOrgUserInviteTokenableFactory>()
-            .CreateToken(Arg.Any<OrganizationUser>())
-            .Returns(
-                info => new OrgUserInviteTokenable(info.Arg<OrganizationUser>())
-                {
-                    ExpirationDate = DateTime.UtcNow.Add(TimeSpan.FromDays(5))
-                }
-            );
+        // sutProvider.GetDependency<IOrgUserInviteTokenableFactory>()
+        //     .CreateToken(Arg.Any<OrganizationUser>())
+        //     .Returns(
+        //         info => new OrgUserInviteTokenable(info.Arg<OrganizationUser>())
+        //         {
+        //             ExpirationDate = DateTime.UtcNow.Add(TimeSpan.FromDays(5))
+        //         }
+        //     );
 
         sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
             .HasConfirmedOwnersExceptAsync(organization.Id, Arg.Any<IEnumerable<Guid>>())
@@ -655,11 +529,10 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
 
         await sutProvider.Sut.InviteUserAsync(organization.Id, invitor.UserId, systemUser: null, invite, externalId);
 
-        await sutProvider.GetDependency<IMailService>().Received(1)
-            .SendOrganizationInviteEmailsAsync(Arg.Is<OrganizationInvitesInfo>(info =>
-                info.OrgUserTokenPairs.Count() == 1 &&
-                info.IsFreeOrg == (organization.PlanType == PlanType.Free) &&
-                info.OrganizationName == organization.Name));
+        await sutProvider.GetDependency<ISendOrganizationInvitesCommand>().Received(1)
+            .SendInvitesAsync(Arg.Is<SendInvitesRequest>(request =>
+                request.Users.Length == 1 &&
+                request.Organization == organization));
 
         await sutProvider.GetDependency<IEventService>().Received(1).LogOrganizationUserEventsAsync(Arg.Any<IEnumerable<(OrganizationUser, EventType, DateTime?)>>());
     }
@@ -712,16 +585,6 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
 
         organizationRepository.GetByIdAsync(organization.Id).Returns(organization);
 
-        // Mock tokenable factory to return a token that expires in 5 days
-        sutProvider.GetDependency<IOrgUserInviteTokenableFactory>()
-            .CreateToken(Arg.Any<OrganizationUser>())
-            .Returns(
-                info => new OrgUserInviteTokenable(info.Arg<OrganizationUser>())
-                {
-                    ExpirationDate = DateTime.UtcNow.Add(TimeSpan.FromDays(5))
-                }
-            );
-
         sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
             .HasConfirmedOwnersExceptAsync(organization.Id, Arg.Any<IEnumerable<Guid>>())
             .Returns(true);
@@ -733,12 +596,11 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
             .InviteUserAsync(organization.Id, invitor.UserId, systemUser: null, invite, externalId));
         Assert.Contains("This user has already been invited", exception.Message);
 
-        // MailService and EventService are still called, but with no OrgUsers
-        await sutProvider.GetDependency<IMailService>().Received(1)
-            .SendOrganizationInviteEmailsAsync(Arg.Is<OrganizationInvitesInfo>(info =>
-                !info.OrgUserTokenPairs.Any() &&
-                info.IsFreeOrg == (organization.PlanType == PlanType.Free) &&
-                info.OrganizationName == organization.Name));
+        // SendOrganizationInvitesCommand and EventService are still called, but with no OrgUsers
+        await sutProvider.GetDependency<ISendOrganizationInvitesCommand>().Received(1)
+            .SendInvitesAsync(Arg.Is<SendInvitesRequest>(info =>
+                info.Organization == organization &&
+                info.Users.Length == 0));
         await sutProvider.GetDependency<IEventService>().Received(1)
             .LogOrganizationUserEventsAsync(Arg.Is<IEnumerable<(OrganizationUser, EventType, DateTime?)>>(events => !events.Any()));
     }
@@ -787,16 +649,6 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
 
         organizationRepository.GetByIdAsync(organization.Id).Returns(organization);
 
-        // Mock tokenable factory to return a token that expires in 5 days
-        sutProvider.GetDependency<IOrgUserInviteTokenableFactory>()
-            .CreateToken(Arg.Any<OrganizationUser>())
-            .Returns(
-                info => new OrgUserInviteTokenable(info.Arg<OrganizationUser>())
-                {
-                    ExpirationDate = DateTime.UtcNow.Add(TimeSpan.FromDays(5))
-                }
-            );
-
         sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
             .HasConfirmedOwnersExceptAsync(organization.Id, Arg.Any<IEnumerable<Guid>>())
             .Returns(true);
@@ -806,11 +658,10 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
 
         await sutProvider.Sut.InviteUsersAsync(organization.Id, invitor.UserId, systemUser: null, invites);
 
-        await sutProvider.GetDependency<IMailService>().Received(1)
-            .SendOrganizationInviteEmailsAsync(Arg.Is<OrganizationInvitesInfo>(info =>
-                info.OrgUserTokenPairs.Count() == invites.SelectMany(i => i.invite.Emails).Count() &&
-                info.IsFreeOrg == (organization.PlanType == PlanType.Free) &&
-                info.OrganizationName == organization.Name));
+        await sutProvider.GetDependency<ISendOrganizationInvitesCommand>().Received(1)
+            .SendInvitesAsync(Arg.Is<SendInvitesRequest>(info =>
+                info.Organization == organization &&
+                info.Users.Length == invites.SelectMany(x => x.invite.Emails).Distinct().Count()));
 
         await sutProvider.GetDependency<IEventService>().Received(1).LogOrganizationUserEventsAsync(Arg.Any<IEnumerable<(OrganizationUser, EventType, DateTime?)>>());
     }
@@ -848,23 +699,12 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
 
         currentContext.ManageUsers(organization.Id).Returns(true);
 
-        // Mock tokenable factory to return a token that expires in 5 days
-        sutProvider.GetDependency<IOrgUserInviteTokenableFactory>()
-            .CreateToken(Arg.Any<OrganizationUser>())
-            .Returns(
-                info => new OrgUserInviteTokenable(info.Arg<OrganizationUser>())
-                {
-                    ExpirationDate = DateTime.UtcNow.Add(TimeSpan.FromDays(5))
-                }
-            );
-
         await sutProvider.Sut.InviteUsersAsync(organization.Id, invitingUserId: null, eventSystemUser, invites);
 
-        await sutProvider.GetDependency<IMailService>().Received(1)
-            .SendOrganizationInviteEmailsAsync(Arg.Is<OrganizationInvitesInfo>(info =>
-                info.OrgUserTokenPairs.Count() == invites.SelectMany(i => i.invite.Emails).Count() &&
-                info.IsFreeOrg == (organization.PlanType == PlanType.Free) &&
-                info.OrganizationName == organization.Name));
+        await sutProvider.GetDependency<ISendOrganizationInvitesCommand>().Received(1)
+            .SendInvitesAsync(Arg.Is<SendInvitesRequest>(info =>
+                info.Users.Length == invites.SelectMany(i => i.invite.Emails).Count() &&
+                info.Organization == organization));
 
         await sutProvider.GetDependency<IEventService>().Received(1).LogOrganizationUserEventsAsync(Arg.Any<IEnumerable<(OrganizationUser, EventType, EventSystemUser, DateTime?)>>());
     }
diff --git a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepositoryTests.cs b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepositoryTests.cs
index 092ab95a14..14b6f50415 100644
--- a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepositoryTests.cs
+++ b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepositoryTests.cs
@@ -1,6 +1,9 @@
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
+using Bit.Core.Models.Data;
 using Bit.Core.Repositories;
 using Bit.Core.Utilities;
 using Xunit;
@@ -424,4 +427,173 @@ public class OrganizationUserRepositoryTests
 
         Assert.Equal(createdOrgUserIds.ToHashSet(), readOrgUserIds.ToHashSet());
     }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task CreateManyAsync_WithCollectionAndGroup_SaveSuccessfully(
+        IOrganizationUserRepository organizationUserRepository,
+        IOrganizationRepository organizationRepository,
+        ICollectionRepository collectionRepository,
+        IGroupRepository groupRepository)
+    {
+        var requestTime = DateTime.UtcNow;
+
+        var organization = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = "Test Org",
+            BillingEmail = "billing@test.com", // TODO: EF does not enfore this being NOT NULL
+            Plan = "Test", // TODO: EF does not enforce this being NOT NULl,
+            CreationDate = requestTime
+        });
+
+        var collection1 = await collectionRepository.CreateAsync(new Collection
+        {
+            Id = CoreHelpers.GenerateComb(),
+            OrganizationId = organization.Id,
+            Name = "Test Collection",
+            ExternalId = "external-collection-1",
+            CreationDate = requestTime,
+            RevisionDate = requestTime
+        });
+        var collection2 = await collectionRepository.CreateAsync(new Collection
+        {
+            Id = CoreHelpers.GenerateComb(),
+            OrganizationId = organization.Id,
+            Name = "Test Collection",
+            ExternalId = "external-collection-1",
+            CreationDate = requestTime,
+            RevisionDate = requestTime
+        });
+        var collection3 = await collectionRepository.CreateAsync(new Collection
+        {
+            Id = CoreHelpers.GenerateComb(),
+            OrganizationId = organization.Id,
+            Name = "Test Collection",
+            ExternalId = "external-collection-1",
+            CreationDate = requestTime,
+            RevisionDate = requestTime
+        });
+
+        var group1 = await groupRepository.CreateAsync(new Group
+        {
+            Id = CoreHelpers.GenerateComb(),
+            OrganizationId = organization.Id,
+            Name = "Test Group",
+            ExternalId = "external-group-1"
+        });
+        var group2 = await groupRepository.CreateAsync(new Group
+        {
+            Id = CoreHelpers.GenerateComb(),
+            OrganizationId = organization.Id,
+            Name = "Test Group",
+            ExternalId = "external-group-1"
+        });
+        var group3 = await groupRepository.CreateAsync(new Group
+        {
+            Id = CoreHelpers.GenerateComb(),
+            OrganizationId = organization.Id,
+            Name = "Test Group",
+            ExternalId = "external-group-1"
+        });
+
+
+        var orgUserCollection = new List<CreateOrganizationUser>
+        {
+            new()
+            {
+                OrganizationUser = new OrganizationUser
+                {
+                    Id = CoreHelpers.GenerateComb(),
+                    OrganizationId = organization.Id,
+                    Email = "test-user@test.com",
+                    Status = OrganizationUserStatusType.Invited,
+                    Type = OrganizationUserType.Owner,
+                    ExternalId = "externalid-1",
+                    Permissions = CoreHelpers.ClassToJsonData(new Permissions()),
+                    AccessSecretsManager = false
+                },
+                Collections =
+                [
+                    new CollectionAccessSelection
+                    {
+                        Id = collection1.Id,
+                        ReadOnly = true,
+                        HidePasswords = false,
+                        Manage = false
+                    }
+                ],
+                Groups = [group1.Id]
+            },
+            new()
+            {
+                OrganizationUser = new OrganizationUser
+                {
+                    Id = CoreHelpers.GenerateComb(),
+                    OrganizationId = organization.Id,
+                    Email = "test-user@test.com",
+                    Status = OrganizationUserStatusType.Invited,
+                    Type = OrganizationUserType.Owner,
+                    ExternalId = "externalid-1",
+                    Permissions = CoreHelpers.ClassToJsonData(new Permissions()),
+                    AccessSecretsManager = false
+                },
+                Collections =
+                [
+                    new CollectionAccessSelection
+                    {
+                        Id = collection2.Id,
+                        ReadOnly = true,
+                        HidePasswords = false,
+                        Manage = false
+                    }
+                ],
+                Groups = [group2.Id]
+            },
+            new()
+            {
+                OrganizationUser = new OrganizationUser
+                {
+                    Id = CoreHelpers.GenerateComb(),
+                    OrganizationId = organization.Id,
+                    Email = "test-user@test.com",
+                    Status = OrganizationUserStatusType.Invited,
+                    Type = OrganizationUserType.Owner,
+                    ExternalId = "externalid-1",
+                    Permissions = CoreHelpers.ClassToJsonData(new Permissions()),
+                    AccessSecretsManager = false
+                },
+                Collections =
+                [
+                    new CollectionAccessSelection
+                    {
+                        Id = collection3.Id,
+                        ReadOnly = true,
+                        HidePasswords = false,
+                        Manage = false
+                    }
+                ],
+                Groups = [group3.Id]
+            }
+        };
+
+        await organizationUserRepository.CreateManyAsync(orgUserCollection);
+
+        var orgUser1 = await organizationUserRepository.GetDetailsByIdWithCollectionsAsync(orgUserCollection[0].OrganizationUser.Id);
+        var group1Database = await groupRepository.GetManyIdsByUserIdAsync(orgUserCollection[0].OrganizationUser.Id);
+        Assert.Equal(orgUserCollection[0].OrganizationUser.Id, orgUser1.OrganizationUser.Id);
+        Assert.Equal(collection1.Id, orgUser1.Collections.First().Id);
+        Assert.Equal(group1.Id, group1Database.First());
+
+
+        var orgUser2 = await organizationUserRepository.GetDetailsByIdWithCollectionsAsync(orgUserCollection[1].OrganizationUser.Id);
+        var group2Database = await groupRepository.GetManyIdsByUserIdAsync(orgUserCollection[1].OrganizationUser.Id);
+        Assert.Equal(orgUserCollection[1].OrganizationUser.Id, orgUser2.OrganizationUser.Id);
+        Assert.Equal(collection2.Id, orgUser2.Collections.First().Id);
+        Assert.Equal(group2.Id, group2Database.First());
+
+        var orgUser3 = await organizationUserRepository.GetDetailsByIdWithCollectionsAsync(orgUserCollection[2].OrganizationUser.Id);
+        var group3Database = await groupRepository.GetManyIdsByUserIdAsync(orgUserCollection[2].OrganizationUser.Id);
+        Assert.Equal(orgUserCollection[2].OrganizationUser.Id, orgUser3.OrganizationUser.Id);
+        Assert.Equal(collection3.Id, orgUser3.Collections.First().Id);
+        Assert.Equal(group3.Id, group3Database.First());
+    }
 }
diff --git a/util/Migrator/DbScripts/2025-02-17_00_OrgUsers_CreateManyUsersCollectionsGroups.sql b/util/Migrator/DbScripts/2025-02-17_00_OrgUsers_CreateManyUsersCollectionsGroups.sql
new file mode 100644
index 0000000000..ab7ab9cc88
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-02-17_00_OrgUsers_CreateManyUsersCollectionsGroups.sql
@@ -0,0 +1,97 @@
+CREATE OR ALTER PROCEDURE [dbo].[OrganizationUser_CreateManyWithCollectionsAndGroups]
+    @organizationUserData NVARCHAR(MAX),
+    @collectionData NVARCHAR(MAX),
+    @groupData NVARCHAR(MAX)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    INSERT INTO [dbo].[OrganizationUser]
+    (
+        [Id],
+        [OrganizationId],
+        [UserId],
+        [Email],
+        [Key],
+        [Status],
+        [Type],
+        [ExternalId],
+        [CreationDate],
+        [RevisionDate],
+        [Permissions],
+        [ResetPasswordKey],
+        [AccessSecretsManager]
+    )
+    SELECT
+        OUI.[Id],
+        OUI.[OrganizationId],
+        OUI.[UserId],
+        OUI.[Email],
+        OUI.[Key],
+        OUI.[Status],
+        OUI.[Type],
+        OUI.[ExternalId],
+        OUI.[CreationDate],
+        OUI.[RevisionDate],
+        OUI.[Permissions],
+        OUI.[ResetPasswordKey],
+        OUI.[AccessSecretsManager]
+    FROM
+        OPENJSON(@organizationUserData)
+                 WITH (
+                     [Id] UNIQUEIDENTIFIER '$.Id',
+                     [OrganizationId] UNIQUEIDENTIFIER '$.OrganizationId',
+                     [UserId] UNIQUEIDENTIFIER '$.UserId',
+                     [Email] NVARCHAR(256) '$.Email',
+                     [Key] VARCHAR(MAX) '$.Key',
+                     [Status] SMALLINT '$.Status',
+                     [Type] TINYINT '$.Type',
+                     [ExternalId] NVARCHAR(300) '$.ExternalId',
+                     [CreationDate] DATETIME2(7) '$.CreationDate',
+                     [RevisionDate] DATETIME2(7) '$.RevisionDate',
+                     [Permissions] NVARCHAR (MAX) '$.Permissions',
+                     [ResetPasswordKey] VARCHAR (MAX) '$.ResetPasswordKey',
+                     [AccessSecretsManager] BIT '$.AccessSecretsManager'
+                     ) OUI
+
+    INSERT INTO [dbo].[GroupUser]
+    (
+        [OrganizationUserId],
+        [GroupId]
+    )
+    SELECT
+        OUG.OrganizationUserId,
+        OUG.GroupId
+    FROM
+        OPENJSON(@groupData)
+            WITH(
+                [OrganizationUserId] UNIQUEIDENTIFIER '$.OrganizationUserId',
+                [GroupId] UNIQUEIDENTIFIER '$.GroupId'
+            ) OUG
+
+    INSERT INTO [dbo].[CollectionUser]
+    (
+        [CollectionId],
+        [OrganizationUserId],
+        [ReadOnly],
+        [HidePasswords],
+        [Manage]
+    )
+    SELECT
+        OUC.[CollectionId],
+        OUC.[OrganizationUserId],
+        OUC.[ReadOnly],
+        OUC.[HidePasswords],
+        OUC.[Manage]
+    FROM
+        OPENJSON(@collectionData)
+            WITH(
+                [CollectionId] UNIQUEIDENTIFIER '$.CollectionId',
+                [OrganizationUserId] UNIQUEIDENTIFIER '$.OrganizationUserId',
+                [ReadOnly] BIT '$.ReadOnly',
+                [HidePasswords] BIT '$.HidePasswords',
+                [Manage] BIT '$.Manage'
+            ) OUC
+END
+go
+

From 7139effa945421b2c41e7a6f9877e31d3264895e Mon Sep 17 00:00:00 2001
From: Matt Bishop <mbishop@bitwarden.com>
Date: Mon, 7 Apr 2025 07:20:18 -0700
Subject: [PATCH 182/184] Organization integration database / repository logic
 (#5602)

* Organization integration creation, update, and deletion database logic

* Additional procs and entity tweaks

* Use check

* Couple newlines

* Forgot to script the two org procs
---
 .../Entities/OrganizationIntegration.cs       |   2 +-
 .../OrganizationIntegrationConfiguration.cs   |   2 +-
 ...ionConfigurationEntityTypeConfiguration.cs |   2 +-
 ...ationIntegrationEntityTypeConfiguration.cs |   6 +-
 .../Repositories/OrganizationRepository.cs    |   2 +
 ...izationIntegrationConfiguration_Create.sql |  33 ++
 ...ionIntegrationConfiguration_DeleteById.sql |  12 +
 ...ationIntegrationConfiguration_ReadById.sql |  13 +
 ...izationIntegrationConfiguration_Update.sql |  24 ++
 .../OrganizationIntegration_Create.sql        |  30 ++
 .../OrganizationIntegration_DeleteById.sql    |  12 +
 ...izationIntegration_OrganizationDeleted.sql |  12 +
 .../OrganizationIntegration_ReadById.sql      |  13 +
 .../OrganizationIntegration_Update.sql        |  22 ++
 .../Organization_DeleteById.sql               |  15 +-
 .../OrganizationIntegrationConfiguration.sql  |   2 +-
 ...25-04-03_00_OrganizationIntegrationCUD.sql | 351 ++++++++++++++++++
 17 files changed, 539 insertions(+), 14 deletions(-)
 create mode 100644 src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfiguration_Create.sql
 create mode 100644 src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfiguration_DeleteById.sql
 create mode 100644 src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfiguration_ReadById.sql
 create mode 100644 src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfiguration_Update.sql
 create mode 100644 src/Sql/dbo/Stored Procedures/OrganizationIntegration_Create.sql
 create mode 100644 src/Sql/dbo/Stored Procedures/OrganizationIntegration_DeleteById.sql
 create mode 100644 src/Sql/dbo/Stored Procedures/OrganizationIntegration_OrganizationDeleted.sql
 create mode 100644 src/Sql/dbo/Stored Procedures/OrganizationIntegration_ReadById.sql
 create mode 100644 src/Sql/dbo/Stored Procedures/OrganizationIntegration_Update.sql
 create mode 100644 util/Migrator/DbScripts/2025-04-03_00_OrganizationIntegrationCUD.sql

diff --git a/src/Core/AdminConsole/Entities/OrganizationIntegration.cs b/src/Core/AdminConsole/Entities/OrganizationIntegration.cs
index 18f8be8667..86de25ce9a 100644
--- a/src/Core/AdminConsole/Entities/OrganizationIntegration.cs
+++ b/src/Core/AdminConsole/Entities/OrganizationIntegration.cs
@@ -12,7 +12,7 @@ public class OrganizationIntegration : ITableObject<Guid>
     public Guid OrganizationId { get; set; }
     public IntegrationType Type { get; set; }
     public string? Configuration { get; set; }
-    public DateTime CreationDate { get; set; } = DateTime.UtcNow;
+    public DateTime CreationDate { get; internal set; } = DateTime.UtcNow;
     public DateTime RevisionDate { get; set; } = DateTime.UtcNow;
     public void SetNewId() => Id = CoreHelpers.GenerateComb();
 }
diff --git a/src/Core/AdminConsole/Entities/OrganizationIntegrationConfiguration.cs b/src/Core/AdminConsole/Entities/OrganizationIntegrationConfiguration.cs
index 7592d0c763..25b669622f 100644
--- a/src/Core/AdminConsole/Entities/OrganizationIntegrationConfiguration.cs
+++ b/src/Core/AdminConsole/Entities/OrganizationIntegrationConfiguration.cs
@@ -13,7 +13,7 @@ public class OrganizationIntegrationConfiguration : ITableObject<Guid>
     public EventType EventType { get; set; }
     public string? Configuration { get; set; }
     public string? Template { get; set; }
-    public DateTime CreationDate { get; set; } = DateTime.UtcNow;
+    public DateTime CreationDate { get; internal set; } = DateTime.UtcNow;
     public DateTime RevisionDate { get; set; } = DateTime.UtcNow;
     public void SetNewId() => Id = CoreHelpers.GenerateComb();
 }
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Configurations/OrganizationIntegrationConfigurationEntityTypeConfiguration.cs b/src/Infrastructure.EntityFramework/AdminConsole/Configurations/OrganizationIntegrationConfigurationEntityTypeConfiguration.cs
index 29712f5e38..a5df0845bd 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Configurations/OrganizationIntegrationConfigurationEntityTypeConfiguration.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Configurations/OrganizationIntegrationConfigurationEntityTypeConfiguration.cs
@@ -9,7 +9,7 @@ public class OrganizationIntegrationConfigurationEntityTypeConfiguration : IEnti
     public void Configure(EntityTypeBuilder<OrganizationIntegrationConfiguration> builder)
     {
         builder
-            .Property(p => p.Id)
+            .Property(oic => oic.Id)
             .ValueGeneratedNever();
 
         builder.ToTable(nameof(OrganizationIntegrationConfiguration));
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Configurations/OrganizationIntegrationEntityTypeConfiguration.cs b/src/Infrastructure.EntityFramework/AdminConsole/Configurations/OrganizationIntegrationEntityTypeConfiguration.cs
index c2134c1b7d..3434d735d0 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Configurations/OrganizationIntegrationEntityTypeConfiguration.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Configurations/OrganizationIntegrationEntityTypeConfiguration.cs
@@ -9,15 +9,15 @@ public class OrganizationIntegrationEntityTypeConfiguration : IEntityTypeConfigu
     public void Configure(EntityTypeBuilder<OrganizationIntegration> builder)
     {
         builder
-            .Property(p => p.Id)
+            .Property(oi => oi.Id)
             .ValueGeneratedNever();
 
         builder
-            .HasIndex(p => p.OrganizationId)
+            .HasIndex(oi => oi.OrganizationId)
             .IsClustered(false);
 
         builder
-            .HasIndex(p => new { p.OrganizationId, p.Type })
+            .HasIndex(oi => new { oi.OrganizationId, oi.Type })
             .IsUnique()
             .IsClustered(false);
 
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
index c095b07030..a5f4f0bd9d 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
@@ -199,6 +199,8 @@ public class OrganizationRepository : Repository<Core.AdminConsole.Entities.Orga
                 .ExecuteDeleteAsync();
             await dbContext.ProviderOrganizations.Where(po => po.OrganizationId == organization.Id)
                 .ExecuteDeleteAsync();
+            await dbContext.OrganizationIntegrations.Where(oi => oi.OrganizationId == organization.Id)
+                .ExecuteDeleteAsync();
 
             await dbContext.GroupServiceAccountAccessPolicy.Where(ap => ap.GrantedServiceAccount.OrganizationId == organization.Id)
                 .ExecuteDeleteAsync();
diff --git a/src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfiguration_Create.sql b/src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfiguration_Create.sql
new file mode 100644
index 0000000000..18160c9ea9
--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfiguration_Create.sql	
@@ -0,0 +1,33 @@
+CREATE PROCEDURE [dbo].[OrganizationIntegrationConfiguration_Create]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @OrganizationIntegrationId UNIQUEIDENTIFIER,
+    @EventType SMALLINT,
+    @Configuration VARCHAR(MAX),
+    @Template VARCHAR(MAX),
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    INSERT INTO [dbo].[OrganizationIntegrationConfiguration]
+        (
+        [Id],
+        [OrganizationIntegrationId],
+        [EventType],
+        [Configuration],
+        [Template],
+        [CreationDate],
+        [RevisionDate]
+        )
+    VALUES
+        (
+            @Id,
+            @OrganizationIntegrationId,
+            @EventType,
+            @Configuration,
+            @Template,
+            @CreationDate,
+            @RevisionDate
+        )
+END
diff --git a/src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfiguration_DeleteById.sql b/src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfiguration_DeleteById.sql
new file mode 100644
index 0000000000..6e3c9ab83c
--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfiguration_DeleteById.sql	
@@ -0,0 +1,12 @@
+CREATE PROCEDURE [dbo].[OrganizationIntegrationConfiguration_DeleteById]
+    @Id UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    DELETE
+    FROM
+        [dbo].[OrganizationIntegrationConfiguration]
+    WHERE
+        [Id] = @Id
+END
diff --git a/src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfiguration_ReadById.sql b/src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfiguration_ReadById.sql
new file mode 100644
index 0000000000..2db9ba3bf8
--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfiguration_ReadById.sql	
@@ -0,0 +1,13 @@
+CREATE PROCEDURE [dbo].[OrganizationIntegrationConfiguration_ReadById]
+    @Id UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        *
+    FROM
+        [dbo].[OrganizationIntegrationConfiguration]
+    WHERE
+        [Id] = @Id
+END
diff --git a/src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfiguration_Update.sql b/src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfiguration_Update.sql
new file mode 100644
index 0000000000..b613774d04
--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/OrganizationIntegrationConfiguration_Update.sql	
@@ -0,0 +1,24 @@
+CREATE PROCEDURE [dbo].[OrganizationIntegrationConfiguration_Update]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @OrganizationIntegrationId UNIQUEIDENTIFIER,
+    @EventType SMALLINT,
+    @Configuration VARCHAR(MAX),
+    @Template VARCHAR(MAX),
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    UPDATE
+        [dbo].[OrganizationIntegrationConfiguration]
+    SET
+        [OrganizationIntegrationId] = @OrganizationIntegrationId,
+        [EventType] = @EventType,
+        [Configuration] = @Configuration,
+        [Template] = @Template,
+        [CreationDate] = @CreationDate,
+        [RevisionDate] = @RevisionDate
+    WHERE
+        [Id] = @Id
+END
diff --git a/src/Sql/dbo/Stored Procedures/OrganizationIntegration_Create.sql b/src/Sql/dbo/Stored Procedures/OrganizationIntegration_Create.sql
new file mode 100644
index 0000000000..fe8ed7559b
--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/OrganizationIntegration_Create.sql	
@@ -0,0 +1,30 @@
+CREATE PROCEDURE [dbo].[OrganizationIntegration_Create]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @OrganizationId UNIQUEIDENTIFIER,
+    @Type SMALLINT,
+    @Configuration VARCHAR(MAX),
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    INSERT INTO [dbo].[OrganizationIntegration]
+        (
+        [Id],
+        [OrganizationId],
+        [Type],
+        [Configuration],
+        [CreationDate],
+        [RevisionDate]
+        )
+    VALUES
+        (
+            @Id,
+            @OrganizationId,
+            @Type,
+            @Configuration,
+            @CreationDate,
+            @RevisionDate
+        )
+END
diff --git a/src/Sql/dbo/Stored Procedures/OrganizationIntegration_DeleteById.sql b/src/Sql/dbo/Stored Procedures/OrganizationIntegration_DeleteById.sql
new file mode 100644
index 0000000000..2ade1c074e
--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/OrganizationIntegration_DeleteById.sql	
@@ -0,0 +1,12 @@
+CREATE PROCEDURE [dbo].[OrganizationIntegration_DeleteById]
+    @Id UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    DELETE
+    FROM
+        [dbo].[OrganizationIntegration]
+    WHERE
+        [Id] = @Id
+END
diff --git a/src/Sql/dbo/Stored Procedures/OrganizationIntegration_OrganizationDeleted.sql b/src/Sql/dbo/Stored Procedures/OrganizationIntegration_OrganizationDeleted.sql
new file mode 100644
index 0000000000..2cdd77edc2
--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/OrganizationIntegration_OrganizationDeleted.sql	
@@ -0,0 +1,12 @@
+CREATE PROCEDURE [dbo].[OrganizationIntegration_OrganizationDeleted]
+    @OrganizationId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    DELETE
+    FROM
+        [dbo].[OrganizationIntegration]
+    WHERE
+        [OrganizationId] = @OrganizationId
+END
diff --git a/src/Sql/dbo/Stored Procedures/OrganizationIntegration_ReadById.sql b/src/Sql/dbo/Stored Procedures/OrganizationIntegration_ReadById.sql
new file mode 100644
index 0000000000..352c26bb24
--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/OrganizationIntegration_ReadById.sql	
@@ -0,0 +1,13 @@
+CREATE PROCEDURE [dbo].[OrganizationIntegration_ReadById]
+    @Id UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        *
+    FROM
+        [dbo].[OrganizationIntegration]
+    WHERE
+        [Id] = @Id
+END
diff --git a/src/Sql/dbo/Stored Procedures/OrganizationIntegration_Update.sql b/src/Sql/dbo/Stored Procedures/OrganizationIntegration_Update.sql
new file mode 100644
index 0000000000..8dd91cc3d7
--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/OrganizationIntegration_Update.sql	
@@ -0,0 +1,22 @@
+CREATE PROCEDURE [dbo].[OrganizationIntegration_Update]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @OrganizationId UNIQUEIDENTIFIER,
+    @Type SMALLINT,
+    @Configuration VARCHAR(MAX),
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    UPDATE
+        [dbo].[OrganizationIntegration]
+    SET
+        [OrganizationId] = @OrganizationId,
+        [Type] = @Type,
+        [Configuration] = @Configuration,
+        [CreationDate] = @CreationDate,
+        [RevisionDate] = @RevisionDate
+    WHERE
+        [Id] = @Id
+END
diff --git a/src/Sql/dbo/Stored Procedures/Organization_DeleteById.sql b/src/Sql/dbo/Stored Procedures/Organization_DeleteById.sql
index e0b7d47469..2daa12209f 100644
--- a/src/Sql/dbo/Stored Procedures/Organization_DeleteById.sql	
+++ b/src/Sql/dbo/Stored Procedures/Organization_DeleteById.sql	
@@ -45,11 +45,11 @@ BEGIN
         [OrganizationId] = @Id
 
     DELETE CU
-    FROM 
+    FROM
         [dbo].[CollectionUser] CU
-    INNER JOIN 
+    INNER JOIN
         [dbo].[OrganizationUser] OU ON [CU].[OrganizationUserId] = [OU].[Id]
-    WHERE 
+    WHERE
         [OU].[OrganizationId] = @Id
 
     DELETE AP
@@ -69,9 +69,9 @@ BEGIN
         [OU].[OrganizationId] = @Id
 
     DELETE
-    FROM 
+    FROM
         [dbo].[OrganizationUser]
-    WHERE 
+    WHERE
         [OrganizationId] = @Id
 
     DELETE
@@ -84,6 +84,7 @@ BEGIN
     EXEC [dbo].[OrganizationConnection_OrganizationDeleted] @Id
     EXEC [dbo].[OrganizationSponsorship_OrganizationDeleted] @Id
     EXEC [dbo].[OrganizationDomain_OrganizationDeleted] @Id
+    EXEC [dbo].[OrganizationIntegration_OrganizationDeleted] @Id
 
     DELETE
     FROM
@@ -128,14 +129,14 @@ BEGIN
         [dbo].[Notification] N ON N.[Id] = NS.[NotificationId]
     WHERE
         N.[OrganizationId] = @Id
-    
+
     -- Delete Notification
     DELETE
     FROM
         [dbo].[Notification]
     WHERE
         [OrganizationId] = @Id
-    
+
     DELETE
     FROM
         [dbo].[Organization]
diff --git a/src/Sql/dbo/Tables/OrganizationIntegrationConfiguration.sql b/src/Sql/dbo/Tables/OrganizationIntegrationConfiguration.sql
index 9dbb2341a7..28283f8015 100644
--- a/src/Sql/dbo/Tables/OrganizationIntegrationConfiguration.sql
+++ b/src/Sql/dbo/Tables/OrganizationIntegrationConfiguration.sql
@@ -8,6 +8,6 @@ CREATE TABLE [dbo].[OrganizationIntegrationConfiguration]
     [CreationDate] DATETIME2 (7) NOT NULL,
     [RevisionDate] DATETIME2 (7) NOT NULL,
     CONSTRAINT [PK_OrganizationIntegrationConfiguration] PRIMARY KEY CLUSTERED ([Id] ASC),
-    CONSTRAINT [FK_OrganizationIntegrationConfiguration_OrganizationIntegration] FOREIGN KEY ([OrganizationIntegrationId]) REFERENCES [dbo].[OrganizationIntegration] ([Id])
+    CONSTRAINT [FK_OrganizationIntegrationConfiguration_OrganizationIntegration] FOREIGN KEY ([OrganizationIntegrationId]) REFERENCES [dbo].[OrganizationIntegration] ([Id]) ON DELETE CASCADE
 );
 GO
diff --git a/util/Migrator/DbScripts/2025-04-03_00_OrganizationIntegrationCUD.sql b/util/Migrator/DbScripts/2025-04-03_00_OrganizationIntegrationCUD.sql
new file mode 100644
index 0000000000..35a8a1442d
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-04-03_00_OrganizationIntegrationCUD.sql
@@ -0,0 +1,351 @@
+-- Configure FK to cascade on delete
+IF EXISTS(SELECT *
+FROM information_schema.table_constraints
+WHERE table_name='OrganizationIntegrationConfiguration'
+    AND constraint_name='FK_OrganizationIntegrationConfiguration_OrganizationIntegration')
+BEGIN
+    ALTER TABLE [dbo].[OrganizationIntegrationConfiguration] DROP FK_OrganizationIntegrationConfiguration_OrganizationIntegration;
+    ALTER TABLE [dbo].[OrganizationIntegrationConfiguration] ADD CONSTRAINT [FK_OrganizationIntegrationConfiguration_OrganizationIntegration] FOREIGN KEY ([OrganizationIntegrationId]) REFERENCES [dbo].[OrganizationIntegration] ([Id]) ON DELETE CASCADE;
+END
+GO
+
+-- New procedures for CRUD on OrganizationIntegration and OrganizationIntegrationConfiguration
+CREATE OR ALTER PROCEDURE [dbo].[OrganizationIntegration_Create]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @OrganizationId UNIQUEIDENTIFIER,
+    @Type SMALLINT,
+    @Configuration VARCHAR(MAX),
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    INSERT INTO [dbo].[OrganizationIntegration]
+        (
+        [Id],
+        [OrganizationId],
+        [Type],
+        [Configuration],
+        [CreationDate],
+        [RevisionDate]
+        )
+    VALUES
+        (
+            @Id,
+            @OrganizationId,
+            @Type,
+            @Configuration,
+            @CreationDate,
+            @RevisionDate
+        )
+END
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[OrganizationIntegrationConfiguration_Create]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @OrganizationIntegrationId UNIQUEIDENTIFIER,
+    @EventType SMALLINT,
+    @Configuration VARCHAR(MAX),
+    @Template VARCHAR(MAX),
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    INSERT INTO [dbo].[OrganizationIntegrationConfiguration]
+        (
+        [Id],
+        [OrganizationIntegrationId],
+        [EventType],
+        [Configuration],
+        [Template],
+        [CreationDate],
+        [RevisionDate]
+        )
+    VALUES
+        (
+            @Id,
+            @OrganizationIntegrationId,
+            @EventType,
+            @Configuration,
+            @Template,
+            @CreationDate,
+            @RevisionDate
+        )
+END
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[OrganizationIntegration_Update]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @OrganizationId UNIQUEIDENTIFIER,
+    @Type SMALLINT,
+    @Configuration VARCHAR(MAX),
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    UPDATE
+        [dbo].[OrganizationIntegration]
+    SET
+        [OrganizationId] = @OrganizationId,
+        [Type] = @Type,
+        [Configuration] = @Configuration,
+        [CreationDate] = @CreationDate,
+        [RevisionDate] = @RevisionDate
+    WHERE
+        [Id] = @Id
+END
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[OrganizationIntegrationConfiguration_Update]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @OrganizationIntegrationId UNIQUEIDENTIFIER,
+    @EventType SMALLINT,
+    @Configuration VARCHAR(MAX),
+    @Template VARCHAR(MAX),
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    UPDATE
+        [dbo].[OrganizationIntegrationConfiguration]
+    SET
+        [OrganizationIntegrationId] = @OrganizationIntegrationId,
+        [EventType] = @EventType,
+        [Configuration] = @Configuration,
+        [Template] = @Template,
+        [CreationDate] = @CreationDate,
+        [RevisionDate] = @RevisionDate
+    WHERE
+        [Id] = @Id
+END
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[OrganizationIntegration_DeleteById]
+    @Id UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    DELETE
+    FROM
+        [dbo].[OrganizationIntegration]
+    WHERE
+        [Id] = @Id
+END
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[OrganizationIntegrationConfiguration_DeleteById]
+    @Id UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    DELETE
+    FROM
+        [dbo].[OrganizationIntegrationConfiguration]
+    WHERE
+        [Id] = @Id
+END
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[OrganizationIntegration_ReadById]
+    @Id UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        *
+    FROM
+        [dbo].[OrganizationIntegration]
+    WHERE
+        [Id] = @Id
+END
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[OrganizationIntegrationConfiguration_ReadById]
+    @Id UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        *
+    FROM
+        [dbo].[OrganizationIntegrationConfiguration]
+    WHERE
+        [Id] = @Id
+END
+GO
+
+-- Organization cleanup
+CREATE OR ALTER PROCEDURE [dbo].[Organization_DeleteById]
+    @Id UNIQUEIDENTIFIER
+WITH
+    RECOMPILE
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    EXEC [dbo].[User_BumpAccountRevisionDateByOrganizationId] @Id
+
+    DECLARE @BatchSize INT = 100
+    WHILE @BatchSize > 0
+    BEGIN
+        BEGIN TRANSACTION Organization_DeleteById_Ciphers
+
+        DELETE TOP(@BatchSize)
+        FROM
+            [dbo].[Cipher]
+        WHERE
+            [UserId] IS NULL
+            AND [OrganizationId] = @Id
+
+        SET @BatchSize = @@ROWCOUNT
+
+        COMMIT TRANSACTION Organization_DeleteById_Ciphers
+    END
+
+    BEGIN TRANSACTION Organization_DeleteById
+
+    DELETE
+    FROM
+        [dbo].[AuthRequest]
+    WHERE
+        [OrganizationId] = @Id
+
+    DELETE
+    FROM
+        [dbo].[SsoUser]
+    WHERE
+        [OrganizationId] = @Id
+
+    DELETE
+    FROM
+        [dbo].[SsoConfig]
+    WHERE
+        [OrganizationId] = @Id
+
+    DELETE CU
+    FROM
+        [dbo].[CollectionUser] CU
+        INNER JOIN
+        [dbo].[OrganizationUser] OU ON [CU].[OrganizationUserId] = [OU].[Id]
+    WHERE
+        [OU].[OrganizationId] = @Id
+
+    DELETE AP
+    FROM
+        [dbo].[AccessPolicy] AP
+        INNER JOIN
+        [dbo].[OrganizationUser] OU ON [AP].[OrganizationUserId] = [OU].[Id]
+    WHERE
+        [OU].[OrganizationId] = @Id
+
+    DELETE GU
+    FROM
+        [dbo].[GroupUser] GU
+        INNER JOIN
+        [dbo].[OrganizationUser] OU ON [GU].[OrganizationUserId] = [OU].[Id]
+    WHERE
+        [OU].[OrganizationId] = @Id
+
+    DELETE
+    FROM
+        [dbo].[OrganizationUser]
+    WHERE
+        [OrganizationId] = @Id
+
+    DELETE
+    FROM
+         [dbo].[ProviderOrganization]
+    WHERE
+        [OrganizationId] = @Id
+
+    EXEC [dbo].[OrganizationApiKey_OrganizationDeleted] @Id
+    EXEC [dbo].[OrganizationConnection_OrganizationDeleted] @Id
+    EXEC [dbo].[OrganizationSponsorship_OrganizationDeleted] @Id
+    EXEC [dbo].[OrganizationDomain_OrganizationDeleted] @Id
+    EXEC [dbo].[OrganizationIntegration_OrganizationDeleted] @Id
+
+    DELETE
+    FROM
+        [dbo].[Project]
+    WHERE
+        [OrganizationId] = @Id
+
+    DELETE
+    FROM
+        [dbo].[Secret]
+    WHERE
+        [OrganizationId] = @Id
+
+    DELETE AK
+    FROM
+        [dbo].[ApiKey] AK
+        INNER JOIN
+        [dbo].[ServiceAccount] SA ON [AK].[ServiceAccountId] = [SA].[Id]
+    WHERE
+        [SA].[OrganizationId] = @Id
+
+    DELETE AP
+    FROM
+        [dbo].[AccessPolicy] AP
+        INNER JOIN
+        [dbo].[ServiceAccount] SA ON [AP].[GrantedServiceAccountId] = [SA].[Id]
+    WHERE
+        [SA].[OrganizationId] = @Id
+
+    DELETE
+    FROM
+        [dbo].[ServiceAccount]
+    WHERE
+        [OrganizationId] = @Id
+
+    -- Delete Notification Status
+    DELETE
+        NS
+    FROM
+        [dbo].[NotificationStatus] NS
+        INNER JOIN
+        [dbo].[Notification] N ON N.[Id] = NS.[NotificationId]
+    WHERE
+        N.[OrganizationId] = @Id
+
+    -- Delete Notification
+    DELETE
+    FROM
+        [dbo].[Notification]
+    WHERE
+        [OrganizationId] = @Id
+
+    DELETE
+    FROM
+        [dbo].[Organization]
+    WHERE
+        [Id] = @Id
+
+    COMMIT TRANSACTION Organization_DeleteById
+END
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[OrganizationIntegration_OrganizationDeleted]
+    @OrganizationId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    DELETE
+    FROM
+        [dbo].[OrganizationIntegration]
+    WHERE
+        [OrganizationId] = @OrganizationId
+END
+GO

From 56915ec322538d5a4a244f9e21ee592e8372dbfe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Mon, 7 Apr 2025 15:22:09 +0100
Subject: [PATCH 183/184] [PM-17474] Remove unused feature flag for device
 approval request admin notifications (#5615)

---
 src/Core/Constants.cs                                   | 1 -
 test/Core.Test/Auth/Services/AuthRequestServiceTests.cs | 6 +-----
 2 files changed, 1 insertion(+), 6 deletions(-)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 57d695c105..8889615dfa 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -104,7 +104,6 @@ public static class FeatureFlagKeys
     /* Admin Console Team */
     public const string AccountDeprovisioning = "pm-10308-account-deprovisioning";
     public const string VerifiedSsoDomainEndpoint = "pm-12337-refactor-sso-details-endpoint";
-    public const string DeviceApprovalRequestAdminNotifications = "pm-15637-device-approval-request-admin-notifications";
     public const string LimitItemDeletion = "pm-15493-restrict-item-deletion-to-can-manage-permission";
     public const string PushSyncOrgKeysOnRevokeRestore = "pm-17168-push-sync-org-keys-on-revoke-restore";
     public const string PolicyRequirements = "pm-14439-policy-requirements";
diff --git a/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs b/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs
index eec6747c5f..5da0e78422 100644
--- a/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs
+++ b/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs
@@ -398,7 +398,7 @@ public class AuthRequestServiceTests
 
 
     [Theory, BitAutoData]
-    public async Task CreateAuthRequestAsync_AdminApproval_WithAdminNotifications_AndNoAdminEmails_ShouldNotSendNotificationEmails(
+    public async Task CreateAuthRequestAsync_AdminApproval_AndNoAdminEmails_ShouldNotSendNotificationEmails(
         SutProvider<AuthRequestService> sutProvider,
         AuthRequestCreateRequestModel createModel,
         User user,
@@ -408,10 +408,6 @@ public class AuthRequestServiceTests
         user.Email = createModel.Email;
         organizationUser1.UserId = user.Id;
 
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.DeviceApprovalRequestAdminNotifications)
-            .Returns(true);
-
         sutProvider.GetDependency<IUserRepository>()
             .GetByEmailAsync(user.Email)
             .Returns(user);

From 01daad59424ef0747c351865b6549f31dd872adf Mon Sep 17 00:00:00 2001
From: bnagawiecki <107435978+bnagawiecki@users.noreply.github.com>
Date: Mon, 7 Apr 2025 10:48:50 -0400
Subject: [PATCH 184/184] add feature flag for new desktop cipher forms (#5621)

---
 src/Core/Constants.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 8889615dfa..9ba30786d1 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -197,6 +197,7 @@ public static class FeatureFlagKeys
     public const string RestrictProviderAccess = "restrict-provider-access";
     public const string SecurityTasks = "security-tasks";
     public const string CipherKeyEncryption = "cipher-key-encryption";
+    public const string DesktopCipherForms = "pm-18520-desktop-cipher-forms";
 
     public static List<string> GetAllKeys()
     {