Merge branch 'main' into PM-16921

# Conflicts: # src/Api/Auth/Controllers/AccountsController.cs # src/Core/Services/Implementations/StripePaymentService.cs
2025-07-06 10:32:49 -05:00 · 2025-04-09 10:57:57 +02:00
parent 06d19a1fd7 8d4c3d83b2
commit 270a83cbfa
394 changed files with 37351 additions and 4504 deletions
--- a/src/Core/AdminConsole/Entities/Organization.cs
+++ b/src/Core/AdminConsole/Entities/Organization.cs
@ -313,5 +313,6 @@ public class Organization : ITableObject<Guid>, IStorableSubscriber, IRevisable,
        UseSecretsManager = license.UseSecretsManager;
        SmSeats = license.SmSeats;
        SmServiceAccounts = license.SmServiceAccounts;
+        UseRiskInsights = license.UseRiskInsights;
    }
 }
--- a/src/Core/AdminConsole/Entities/OrganizationIntegration.cs
+++ b/src/Core/AdminConsole/Entities/OrganizationIntegration.cs
@ -0,0 +1,18 @@
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Utilities;
+
+#nullable enable
+
+namespace Bit.Core.AdminConsole.Entities;
+
+public class OrganizationIntegration : ITableObject<Guid>
+{
+    public Guid Id { get; set; }
+    public Guid OrganizationId { get; set; }
+    public IntegrationType Type { get; set; }
+    public string? Configuration { get; set; }
+    public DateTime CreationDate { get; internal set; } = DateTime.UtcNow;
+    public DateTime RevisionDate { get; set; } = DateTime.UtcNow;
+    public void SetNewId() => Id = CoreHelpers.GenerateComb();
+}
--- a/src/Core/AdminConsole/Entities/OrganizationIntegrationConfiguration.cs
+++ b/src/Core/AdminConsole/Entities/OrganizationIntegrationConfiguration.cs
@ -0,0 +1,19 @@
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Utilities;
+
+#nullable enable
+
+namespace Bit.Core.AdminConsole.Entities;
+
+public class OrganizationIntegrationConfiguration : ITableObject<Guid>
+{
+    public Guid Id { get; set; }
+    public Guid OrganizationIntegrationId { get; set; }
+    public EventType EventType { get; set; }
+    public string? Configuration { get; set; }
+    public string? Template { get; set; }
+    public DateTime CreationDate { get; internal set; } = DateTime.UtcNow;
+    public DateTime RevisionDate { get; set; } = DateTime.UtcNow;
+    public void SetNewId() => Id = CoreHelpers.GenerateComb();
+}
--- a/src/Core/AdminConsole/Enums/IntegrationType.cs
+++ b/src/Core/AdminConsole/Enums/IntegrationType.cs
@ -0,0 +1,7 @@
+namespace Bit.Core.Enums;
+
+public enum IntegrationType : int
+{
+    Slack = 1,
+    Webhook = 2,
+}
--- a/src/Core/AdminConsole/Errors/Error.cs
+++ b/src/Core/AdminConsole/Errors/Error.cs
@ -0,0 +1,8 @@
+namespace Bit.Core.AdminConsole.Errors;
+
+public record Error<T>(string Message, T ErroredValue);
+
+public static class ErrorMappers
+{
+    public static Error<B> ToError<A, B>(this Error<A> errorA, B erroredValue) => new(errorA.Message, erroredValue);
+}
--- a/src/Core/AdminConsole/Errors/InsufficientPermissionsError.cs
+++ b/src/Core/AdminConsole/Errors/InsufficientPermissionsError.cs
@ -0,0 +1,11 @@
+namespace Bit.Core.AdminConsole.Errors;
+
+public record InsufficientPermissionsError<T>(string Message, T ErroredValue) : Error<T>(Message, ErroredValue)
+{
+    public const string Code = "Insufficient Permissions";
+
+    public InsufficientPermissionsError(T ErroredValue) : this(Code, ErroredValue)
+    {
+
+    }
+}
--- a/src/Core/AdminConsole/Errors/InvalidResultTypeError.cs
+++ b/src/Core/AdminConsole/Errors/InvalidResultTypeError.cs
@ -0,0 +1,6 @@
+namespace Bit.Core.AdminConsole.Errors;
+
+public record InvalidResultTypeError<T>(T Value) : Error<T>(Code, Value)
+{
+    public const string Code = "Invalid result type.";
+};
--- a/src/Core/AdminConsole/Errors/RecordNotFoundError.cs
+++ b/src/Core/AdminConsole/Errors/RecordNotFoundError.cs
@ -0,0 +1,11 @@
+namespace Bit.Core.AdminConsole.Errors;
+
+public record RecordNotFoundError<T>(string Message, T ErroredValue) : Error<T>(Message, ErroredValue)
+{
+    public const string Code = "Record Not Found";
+
+    public RecordNotFoundError(T ErroredValue) : this(Code, ErroredValue)
+    {
+
+    }
+}
--- a/src/Core/AdminConsole/Models/Business/InviteOrganization.cs
+++ b/src/Core/AdminConsole/Models/Business/InviteOrganization.cs
@ -0,0 +1,35 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Models.StaticStore;
+
+namespace Bit.Core.AdminConsole.Models.Business;
+
+public record InviteOrganization
+{
+    public Guid OrganizationId { get; init; }
+    public int? Seats { get; init; }
+    public int? MaxAutoScaleSeats { get; init; }
+    public int? SmSeats { get; init; }
+    public int? SmMaxAutoScaleSeats { get; init; }
+    public Plan Plan { get; init; }
+    public string GatewayCustomerId { get; init; }
+    public string GatewaySubscriptionId { get; init; }
+    public bool UseSecretsManager { get; init; }
+
+    public InviteOrganization()
+    {
+
+    }
+
+    public InviteOrganization(Organization organization, Plan plan)
+    {
+        OrganizationId = organization.Id;
+        Seats = organization.Seats;
+        MaxAutoScaleSeats = organization.MaxAutoscaleSeats;
+        SmSeats = organization.SmSeats;
+        SmMaxAutoScaleSeats = organization.MaxAutoscaleSmSeats;
+        Plan = plan;
+        GatewayCustomerId = organization.GatewayCustomerId;
+        GatewaySubscriptionId = organization.GatewaySubscriptionId;
+        UseSecretsManager = organization.UseSecretsManager;
+    }
+}
--- a/src/Core/AdminConsole/Models/Data/Organizations/OrganizationIntegrationConfigurationDetails.cs
+++ b/src/Core/AdminConsole/Models/Data/Organizations/OrganizationIntegrationConfigurationDetails.cs
@ -0,0 +1,64 @@
+using System.Text.Json.Nodes;
+using Bit.Core.Enums;
+
+#nullable enable
+
+namespace Bit.Core.Models.Data.Organizations;
+
+public class OrganizationIntegrationConfigurationDetails
+{
+    public Guid Id { get; set; }
+    public Guid OrganizationIntegrationId { get; set; }
+    public IntegrationType IntegrationType { get; set; }
+    public EventType EventType { get; set; }
+    public string? Configuration { get; set; }
+    public string? IntegrationConfiguration { get; set; }
+    public string? Template { get; set; }
+
+    public JsonObject MergedConfiguration
+    {
+        get
+        {
+            var integrationJson = IntegrationConfigurationJson;
+
+            foreach (var kvp in ConfigurationJson)
+            {
+                integrationJson[kvp.Key] = kvp.Value?.DeepClone();
+            }
+
+            return integrationJson;
+        }
+    }
+
+    private JsonObject ConfigurationJson
+    {
+        get
+        {
+            try
+            {
+                var configuration = Configuration ?? string.Empty;
+                return JsonNode.Parse(configuration) as JsonObject ?? new JsonObject();
+            }
+            catch
+            {
+                return new JsonObject();
+            }
+        }
+    }
+
+    private JsonObject IntegrationConfigurationJson
+    {
+        get
+        {
+            try
+            {
+                var integration = IntegrationConfiguration ?? string.Empty;
+                return JsonNode.Parse(integration) as JsonObject ?? new JsonObject();
+            }
+            catch
+            {
+                return new JsonObject();
+            }
+        }
+    }
+}
--- a/src/Core/AdminConsole/Models/Data/Organizations/SelfHostedOrganizationDetails.cs
+++ b/src/Core/AdminConsole/Models/Data/Organizations/SelfHostedOrganizationDetails.cs
@ -148,7 +148,8 @@ public class SelfHostedOrganizationDetails : Organization
            LimitCollectionDeletion = LimitCollectionDeletion,
            LimitItemDeletion = LimitItemDeletion,
            AllowAdminAccessToAllCollectionItems = AllowAdminAccessToAllCollectionItems,
-            Status = Status
+            Status = Status,
+            UseRiskInsights = UseRiskInsights,
        };
    }
 }
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommand.cs
@ -154,6 +154,6 @@ public class VerifyOrganizationDomainCommand(

        var organization = await organizationRepository.GetByIdAsync(domain.OrganizationId);

-        await mailService.SendClaimedDomainUserEmailAsync(new ManagedUserDomainClaimedEmails(domainUserEmails, organization));
+        await mailService.SendClaimedDomainUserEmailAsync(new ClaimedUserDomainClaimedEmails(domainUserEmails, organization));
    }
 }
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/ConfirmOrganizationUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/ConfirmOrganizationUserCommand.cs
@ -0,0 +1,186 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.Services;
+using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Platform.Push;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
+
+public class ConfirmOrganizationUserCommand : IConfirmOrganizationUserCommand
+{
+    private readonly IOrganizationRepository _organizationRepository;
+    private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly IUserRepository _userRepository;
+    private readonly IEventService _eventService;
+    private readonly IMailService _mailService;
+    private readonly ITwoFactorIsEnabledQuery _twoFactorIsEnabledQuery;
+    private readonly IPushNotificationService _pushNotificationService;
+    private readonly IPushRegistrationService _pushRegistrationService;
+    private readonly IPolicyService _policyService;
+    private readonly IDeviceRepository _deviceRepository;
+
+    public ConfirmOrganizationUserCommand(
+        IOrganizationRepository organizationRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IUserRepository userRepository,
+        IEventService eventService,
+        IMailService mailService,
+        ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
+        IPushNotificationService pushNotificationService,
+        IPushRegistrationService pushRegistrationService,
+        IPolicyService policyService,
+        IDeviceRepository deviceRepository)
+    {
+        _organizationRepository = organizationRepository;
+        _organizationUserRepository = organizationUserRepository;
+        _userRepository = userRepository;
+        _eventService = eventService;
+        _mailService = mailService;
+        _twoFactorIsEnabledQuery = twoFactorIsEnabledQuery;
+        _pushNotificationService = pushNotificationService;
+        _pushRegistrationService = pushRegistrationService;
+        _policyService = policyService;
+        _deviceRepository = deviceRepository;
+    }
+
+    public async Task<OrganizationUser> ConfirmUserAsync(Guid organizationId, Guid organizationUserId, string key,
+        Guid confirmingUserId)
+    {
+        var result = await ConfirmUsersAsync(
+            organizationId,
+            new Dictionary<Guid, string>() { { organizationUserId, key } },
+            confirmingUserId);
+
+        if (!result.Any())
+        {
+            throw new BadRequestException("User not valid.");
+        }
+
+        var (orgUser, error) = result[0];
+        if (error != "")
+        {
+            throw new BadRequestException(error);
+        }
+        return orgUser;
+    }
+
+    public async Task<List<Tuple<OrganizationUser, string>>> ConfirmUsersAsync(Guid organizationId, Dictionary<Guid, string> keys,
+        Guid confirmingUserId)
+    {
+        var selectedOrganizationUsers = await _organizationUserRepository.GetManyAsync(keys.Keys);
+        var validSelectedOrganizationUsers = selectedOrganizationUsers
+            .Where(u => u.Status == OrganizationUserStatusType.Accepted && u.OrganizationId == organizationId && u.UserId != null)
+            .ToList();
+
+        if (!validSelectedOrganizationUsers.Any())
+        {
+            return new List<Tuple<OrganizationUser, string>>();
+        }
+
+        var validSelectedUserIds = validSelectedOrganizationUsers.Select(u => u.UserId.Value).ToList();
+
+        var organization = await _organizationRepository.GetByIdAsync(organizationId);
+        var allUsersOrgs = await _organizationUserRepository.GetManyByManyUsersAsync(validSelectedUserIds);
+        var users = await _userRepository.GetManyAsync(validSelectedUserIds);
+        var usersTwoFactorEnabled = await _twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(validSelectedUserIds);
+
+        var keyedFilteredUsers = validSelectedOrganizationUsers.ToDictionary(u => u.UserId.Value, u => u);
+        var keyedOrganizationUsers = allUsersOrgs.GroupBy(u => u.UserId.Value)
+            .ToDictionary(u => u.Key, u => u.ToList());
+
+        var succeededUsers = new List<OrganizationUser>();
+        var result = new List<Tuple<OrganizationUser, string>>();
+
+        foreach (var user in users)
+        {
+            if (!keyedFilteredUsers.ContainsKey(user.Id))
+            {
+                continue;
+            }
+            var orgUser = keyedFilteredUsers[user.Id];
+            var orgUsers = keyedOrganizationUsers.GetValueOrDefault(user.Id, new List<OrganizationUser>());
+            try
+            {
+                if (organization.PlanType == PlanType.Free && (orgUser.Type == OrganizationUserType.Admin
+                    || orgUser.Type == OrganizationUserType.Owner))
+                {
+                    // Since free organizations only supports a few users there is not much point in avoiding N+1 queries for this.
+                    var adminCount = await _organizationUserRepository.GetCountByFreeOrganizationAdminUserAsync(user.Id);
+                    if (adminCount > 0)
+                    {
+                        throw new BadRequestException("User can only be an admin of one free organization.");
+                    }
+                }
+
+                var twoFactorEnabled = usersTwoFactorEnabled.FirstOrDefault(tuple => tuple.userId == user.Id).twoFactorIsEnabled;
+                await CheckPoliciesAsync(organizationId, user, orgUsers, twoFactorEnabled);
+                orgUser.Status = OrganizationUserStatusType.Confirmed;
+                orgUser.Key = keys[orgUser.Id];
+                orgUser.Email = null;
+
+                await _eventService.LogOrganizationUserEventAsync(orgUser, EventType.OrganizationUser_Confirmed);
+                await _mailService.SendOrganizationConfirmedEmailAsync(organization.DisplayName(), user.Email, orgUser.AccessSecretsManager);
+                await DeleteAndPushUserRegistrationAsync(organizationId, user.Id);
+                succeededUsers.Add(orgUser);
+                result.Add(Tuple.Create(orgUser, ""));
+            }
+            catch (BadRequestException e)
+            {
+                result.Add(Tuple.Create(orgUser, e.Message));
+            }
+        }
+
+        await _organizationUserRepository.ReplaceManyAsync(succeededUsers);
+
+        return result;
+    }
+
+    private async Task CheckPoliciesAsync(Guid organizationId, User user,
+        ICollection<OrganizationUser> userOrgs, bool twoFactorEnabled)
+    {
+        // Enforce Two Factor Authentication Policy for this organization
+        var orgRequiresTwoFactor = (await _policyService.GetPoliciesApplicableToUserAsync(user.Id, PolicyType.TwoFactorAuthentication))
+            .Any(p => p.OrganizationId == organizationId);
+        if (orgRequiresTwoFactor && !twoFactorEnabled)
+        {
+            throw new BadRequestException("User does not have two-step login enabled.");
+        }
+
+        var hasOtherOrgs = userOrgs.Any(ou => ou.OrganizationId != organizationId);
+        var singleOrgPolicies = await _policyService.GetPoliciesApplicableToUserAsync(user.Id, PolicyType.SingleOrg);
+        var otherSingleOrgPolicies =
+            singleOrgPolicies.Where(p => p.OrganizationId != organizationId);
+        // Enforce Single Organization Policy for this organization
+        if (hasOtherOrgs && singleOrgPolicies.Any(p => p.OrganizationId == organizationId))
+        {
+            throw new BadRequestException("Cannot confirm this member to the organization until they leave or remove all other organizations.");
+        }
+        // Enforce Single Organization Policy of other organizations user is a member of
+        if (otherSingleOrgPolicies.Any())
+        {
+            throw new BadRequestException("Cannot confirm this member to the organization because they are in another organization which forbids it.");
+        }
+    }
+
+    private async Task DeleteAndPushUserRegistrationAsync(Guid organizationId, Guid userId)
+    {
+        var devices = await GetUserDeviceIdsAsync(userId);
+        await _pushRegistrationService.DeleteUserRegistrationOrganizationAsync(devices,
+            organizationId.ToString());
+        await _pushNotificationService.PushSyncOrgKeysAsync(userId);
+    }
+
+    private async Task<IEnumerable<string>> GetUserDeviceIdsAsync(Guid userId)
+    {
+        var devices = await _deviceRepository.GetManyByUserIdAsync(userId);
+        return devices
+            .Where(d => !string.IsNullOrWhiteSpace(d.PushToken))
+            .Select(d => d.Id.ToString());
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedOrganizationUserAccountCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedOrganizationUserAccountCommand.cs
@ -15,11 +15,11 @@ using Bit.Core.Tools.Services;

 namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;

-public class DeleteManagedOrganizationUserAccountCommand : IDeleteManagedOrganizationUserAccountCommand
+public class DeleteClaimedOrganizationUserAccountCommand : IDeleteClaimedOrganizationUserAccountCommand
 {
    private readonly IUserService _userService;
    private readonly IEventService _eventService;
-    private readonly IGetOrganizationUsersManagementStatusQuery _getOrganizationUsersManagementStatusQuery;
+    private readonly IGetOrganizationUsersClaimedStatusQuery _getOrganizationUsersClaimedStatusQuery;
    private readonly IOrganizationUserRepository _organizationUserRepository;
    private readonly IUserRepository _userRepository;
    private readonly ICurrentContext _currentContext;
@ -28,10 +28,10 @@ public class DeleteManagedOrganizationUserAccountCommand : IDeleteManagedOrganiz
    private readonly IPushNotificationService _pushService;
    private readonly IOrganizationRepository _organizationRepository;
    private readonly IProviderUserRepository _providerUserRepository;
-    public DeleteManagedOrganizationUserAccountCommand(
+    public DeleteClaimedOrganizationUserAccountCommand(
        IUserService userService,
        IEventService eventService,
-        IGetOrganizationUsersManagementStatusQuery getOrganizationUsersManagementStatusQuery,
+        IGetOrganizationUsersClaimedStatusQuery getOrganizationUsersClaimedStatusQuery,
        IOrganizationUserRepository organizationUserRepository,
        IUserRepository userRepository,
        ICurrentContext currentContext,
@ -43,7 +43,7 @@ public class DeleteManagedOrganizationUserAccountCommand : IDeleteManagedOrganiz
    {
        _userService = userService;
        _eventService = eventService;
-        _getOrganizationUsersManagementStatusQuery = getOrganizationUsersManagementStatusQuery;
+        _getOrganizationUsersClaimedStatusQuery = getOrganizationUsersClaimedStatusQuery;
        _organizationUserRepository = organizationUserRepository;
        _userRepository = userRepository;
        _currentContext = currentContext;
@ -62,10 +62,10 @@ public class DeleteManagedOrganizationUserAccountCommand : IDeleteManagedOrganiz
            throw new NotFoundException("Member not found.");
        }

-        var managementStatus = await _getOrganizationUsersManagementStatusQuery.GetUsersOrganizationManagementStatusAsync(organizationId, new[] { organizationUserId });
+        var claimedStatus = await _getOrganizationUsersClaimedStatusQuery.GetUsersOrganizationClaimedStatusAsync(organizationId, new[] { organizationUserId });
        var hasOtherConfirmedOwners = await _hasConfirmedOwnersExceptQuery.HasConfirmedOwnersExceptAsync(organizationId, new[] { organizationUserId }, includeProvider: true);

-        await ValidateDeleteUserAsync(organizationId, organizationUser, deletingUserId, managementStatus, hasOtherConfirmedOwners);
+        await ValidateDeleteUserAsync(organizationId, organizationUser, deletingUserId, claimedStatus, hasOtherConfirmedOwners);

        var user = await _userRepository.GetByIdAsync(organizationUser.UserId!.Value);
        if (user == null)
@ -83,7 +83,7 @@ public class DeleteManagedOrganizationUserAccountCommand : IDeleteManagedOrganiz
        var userIds = orgUsers.Where(ou => ou.UserId.HasValue).Select(ou => ou.UserId!.Value).ToList();
        var users = await _userRepository.GetManyAsync(userIds);

-        var managementStatus = await _getOrganizationUsersManagementStatusQuery.GetUsersOrganizationManagementStatusAsync(organizationId, orgUserIds);
+        var claimedStatus = await _getOrganizationUsersClaimedStatusQuery.GetUsersOrganizationClaimedStatusAsync(organizationId, orgUserIds);
        var hasOtherConfirmedOwners = await _hasConfirmedOwnersExceptQuery.HasConfirmedOwnersExceptAsync(organizationId, orgUserIds, includeProvider: true);

        var results = new List<(Guid OrganizationUserId, string? ErrorMessage)>();
@ -97,7 +97,7 @@ public class DeleteManagedOrganizationUserAccountCommand : IDeleteManagedOrganiz
                    throw new NotFoundException("Member not found.");
                }

-                await ValidateDeleteUserAsync(organizationId, orgUser, deletingUserId, managementStatus, hasOtherConfirmedOwners);
+                await ValidateDeleteUserAsync(organizationId, orgUser, deletingUserId, claimedStatus, hasOtherConfirmedOwners);

                var user = users.FirstOrDefault(u => u.Id == orgUser.UserId);
                if (user == null)
@ -129,7 +129,7 @@ public class DeleteManagedOrganizationUserAccountCommand : IDeleteManagedOrganiz
        return results;
    }

-    private async Task ValidateDeleteUserAsync(Guid organizationId, OrganizationUser orgUser, Guid? deletingUserId, IDictionary<Guid, bool> managementStatus, bool hasOtherConfirmedOwners)
+    private async Task ValidateDeleteUserAsync(Guid organizationId, OrganizationUser orgUser, Guid? deletingUserId, IDictionary<Guid, bool> claimedStatus, bool hasOtherConfirmedOwners)
    {
        if (!orgUser.UserId.HasValue || orgUser.Status == OrganizationUserStatusType.Invited)
        {
@ -154,9 +154,14 @@ public class DeleteManagedOrganizationUserAccountCommand : IDeleteManagedOrganiz
            }
        }

-        if (!managementStatus.TryGetValue(orgUser.Id, out var isManaged) || !isManaged)
+        if (orgUser.Type == OrganizationUserType.Admin && await _currentContext.OrganizationCustom(organizationId))
        {
-            throw new BadRequestException("Member is not managed by the organization.");
+            throw new BadRequestException("Custom users can not delete admins.");
+        }
+
+        if (!claimedStatus.TryGetValue(orgUser.Id, out var isClaimed) || !isClaimed)
+        {
+            throw new BadRequestException("Member is not claimed by the organization.");
        }
    }

--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/GetOrganizationUsersManagementStatusQuery.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/GetOrganizationUsersManagementStatusQuery.cs
@ -4,12 +4,12 @@ using Bit.Core.Services;

 namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;

-public class GetOrganizationUsersManagementStatusQuery : IGetOrganizationUsersManagementStatusQuery
+public class GetOrganizationUsersClaimedStatusQuery : IGetOrganizationUsersClaimedStatusQuery
 {
    private readonly IApplicationCacheService _applicationCacheService;
    private readonly IOrganizationUserRepository _organizationUserRepository;

-    public GetOrganizationUsersManagementStatusQuery(
+    public GetOrganizationUsersClaimedStatusQuery(
        IApplicationCacheService applicationCacheService,
        IOrganizationUserRepository organizationUserRepository)
    {
@ -17,11 +17,11 @@ public class GetOrganizationUsersManagementStatusQuery : IGetOrganizationUsersMa
        _organizationUserRepository = organizationUserRepository;
    }

-    public async Task<IDictionary<Guid, bool>> GetUsersOrganizationManagementStatusAsync(Guid organizationId, IEnumerable<Guid> organizationUserIds)
+    public async Task<IDictionary<Guid, bool>> GetUsersOrganizationClaimedStatusAsync(Guid organizationId, IEnumerable<Guid> organizationUserIds)
    {
        if (organizationUserIds.Any())
        {
-            // Users can only be managed by an Organization that is enabled and can have organization domains
+            // Users can only be claimed by an Organization that is enabled and can have organization domains
            var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(organizationId);

            // TODO: Replace "UseSso" with a new organization ability like "UseOrganizationDomains" (PM-11622).
@ -31,7 +31,7 @@ public class GetOrganizationUsersManagementStatusQuery : IGetOrganizationUsersMa
                // Get all organization users with claimed domains by the organization
                var organizationUsersWithClaimedDomain = await _organizationUserRepository.GetManyByOrganizationWithClaimedDomainsAsync(organizationId);

-                // Create a dictionary with the OrganizationUserId and a boolean indicating if the user is managed by the organization
+                // Create a dictionary with the OrganizationUserId and a boolean indicating if the user is claimed by the organization
                return organizationUserIds.ToDictionary(ouId => ouId, ouId => organizationUsersWithClaimedDomain.Any(ou => ou.Id == ouId));
            }
        }
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IConfirmOrganizationUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IConfirmOrganizationUserCommand.cs
@ -0,0 +1,30 @@
+using Bit.Core.Entities;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+
+/// <summary>
+/// Command to confirm organization users who have accepted their invitations.
+/// </summary>
+public interface IConfirmOrganizationUserCommand
+{
+    /// <summary>
+    /// Confirms a single organization user who has accepted their invitation.
+    /// </summary>
+    /// <param name="organizationId">The ID of the organization.</param>
+    /// <param name="organizationUserId">The ID of the organization user to confirm.</param>
+    /// <param name="key">The encrypted organization key for the user.</param>
+    /// <param name="confirmingUserId">The ID of the user performing the confirmation.</param>
+    /// <returns>The confirmed organization user.</returns>
+    /// <exception cref="BadRequestException">Thrown when the user is not valid or cannot be confirmed.</exception>
+    Task<OrganizationUser> ConfirmUserAsync(Guid organizationId, Guid organizationUserId, string key, Guid confirmingUserId);
+
+    /// <summary>
+    /// Confirms multiple organization users who have accepted their invitations.
+    /// </summary>
+    /// <param name="organizationId">The ID of the organization.</param>
+    /// <param name="keys">A dictionary mapping organization user IDs to their encrypted organization keys.</param>
+    /// <param name="confirmingUserId">The ID of the user performing the confirmation.</param>
+    /// <returns>A list of tuples containing the organization user and an error message (if any).</returns>
+    Task<List<Tuple<OrganizationUser, string>>> ConfirmUsersAsync(Guid organizationId, Dictionary<Guid, string> keys,
+        Guid confirmingUserId);
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IDeleteClaimedOrganizationUserAccountCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IDeleteClaimedOrganizationUserAccountCommand.cs
@ -2,7 +2,7 @@

 namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;

-public interface IDeleteManagedOrganizationUserAccountCommand
+public interface IDeleteClaimedOrganizationUserAccountCommand
 {
    /// <summary>
    /// Removes a user from an organization and deletes all of their associated user data.
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IGetOrganizationUsersManagementStatusQuery.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IGetOrganizationUsersManagementStatusQuery.cs
@ -1,19 +1,19 @@
 namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;

-public interface IGetOrganizationUsersManagementStatusQuery
+public interface IGetOrganizationUsersClaimedStatusQuery
 {
    /// <summary>
-    /// Checks whether each user in the provided list of organization user IDs is managed by the specified organization.
+    /// Checks whether each user in the provided list of organization user IDs is claimed by the specified organization.
    /// </summary>
    /// <param name="organizationId">The unique identifier of the organization to check against.</param>
    /// <param name="organizationUserIds">A list of OrganizationUserIds to be checked.</param>
    /// <remarks>
-    /// A managed user is a user whose email domain matches one of the Organization's verified domains.
+    /// A claimed user is a user whose email domain matches one of the Organization's verified domains.
    /// The organization must be enabled and be on an Enterprise plan.
    /// </remarks>
    /// <returns>
-    /// A dictionary containing the OrganizationUserId and a boolean indicating if the user is managed by the organization.
+    /// A dictionary containing the OrganizationUserId and a boolean indicating if the user is claimed by the organization.
    /// </returns>
-    Task<IDictionary<Guid, bool>> GetUsersOrganizationManagementStatusAsync(Guid organizationId,
+    Task<IDictionary<Guid, bool>> GetUsersOrganizationClaimedStatusAsync(Guid organizationId,
        IEnumerable<Guid> organizationUserIds);
 }
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/ErrorMapper.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/ErrorMapper.cs
@ -0,0 +1,37 @@
+using Bit.Core.AdminConsole.Errors;
+using Bit.Core.Exceptions;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Errors;
+
+public static class ErrorMapper
+{
+
+    /// <summary>
+    /// Maps the ErrorT to a Bit.Exception class.
+    /// </summary>
+    /// <param name="error"></param>
+    /// <typeparam name="T"></typeparam>
+    /// <returns></returns>
+    public static Exception MapToBitException<T>(Error<T> error) =>
+        error switch
+        {
+            UserAlreadyExistsError alreadyExistsError => new ConflictException(alreadyExistsError.Message),
+            _ => new BadRequestException(error.Message)
+        };
+
+    /// <summary>
+    /// This maps the ErrorT object to the Bit.Exception class.
+    ///
+    /// This should be replaced by an IActionResult mapper when possible.
+    /// </summary>
+    /// <param name="errors"></param>
+    /// <typeparam name="T"></typeparam>
+    /// <returns></returns>
+    public static Exception MapToBitException<T>(ICollection<Error<T>> errors) =>
+        errors switch
+        {
+            not null when errors.Count == 1 => MapToBitException(errors.First()),
+            not null when errors.Count > 1 => new BadRequestException(string.Join(' ', errors.Select(e => e.Message))),
+            _ => new BadRequestException()
+        };
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/FailedToInviteUsersError.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/FailedToInviteUsersError.cs
@ -0,0 +1,9 @@
+using Bit.Core.AdminConsole.Errors;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Errors;
+
+public record FailedToInviteUsersError(InviteOrganizationUsersResponse Response) : Error<InviteOrganizationUsersResponse>(Code, Response)
+{
+    public const string Code = "Failed to invite users";
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/NoUsersToInviteError.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/NoUsersToInviteError.cs
@ -0,0 +1,9 @@
+using Bit.Core.AdminConsole.Errors;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Errors;
+
+public record NoUsersToInviteError(InviteOrganizationUsersResponse Response) : Error<InviteOrganizationUsersResponse>(Code, Response)
+{
+    public const string Code = "No users to invite";
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/UserAlreadyExistsError.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/UserAlreadyExistsError.cs
@ -0,0 +1,9 @@
+using Bit.Core.AdminConsole.Errors;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Errors;
+
+public record UserAlreadyExistsError(ScimInviteOrganizationUsersResponse Response) : Error<ScimInviteOrganizationUsersResponse>(Code, Response)
+{
+    public const string Code = "User already exists";
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/IInviteOrganizationUsersCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/IInviteOrganizationUsersCommand.cs
@ -0,0 +1,22 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+using Bit.Core.Models.Commands;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+
+/// <summary>
+/// Defines the contract for inviting organization users via SCIM (System for Cross-domain Identity Management).
+/// Provides functionality for handling single email invitation requests within an organization context.
+/// </summary>
+public interface IInviteOrganizationUsersCommand
+{
+    /// <summary>
+    /// Sends an invitation to add an organization user via SCIM (System for Cross-domain Identity Management) system.
+    /// This can be a Success or a Failure. Failure will contain the Error along with a representation of the errored value.
+    /// Success will be the successful return object.
+    /// </summary>
+    /// <param name="request">
+    /// Contains the details for inviting a single organization user via email.
+    /// </param>
+    /// <returns>Response from InviteScimOrganiation<see cref="ScimInviteOrganizationUsersResponse"/></returns>
+    Task<CommandResult<ScimInviteOrganizationUsersResponse>> InviteScimOrganizationUserAsync(InviteOrganizationUsersRequest request);
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/ISendOrganizationInvitesCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/ISendOrganizationInvitesCommand.cs
@ -0,0 +1,16 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+
+/// <summary>
+/// This is for sending the invite to an organization user.
+/// </summary>
+public interface ISendOrganizationInvitesCommand
+{
+    /// <summary>
+    /// This sends emails out to organization users for a given organization.
+    /// </summary>
+    /// <param name="request"><see cref="SendInvitesRequest"/></param>
+    /// <returns></returns>
+    Task SendInvitesAsync(SendInvitesRequest request);
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/InviteOrganizationUsersCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/InviteOrganizationUsersCommand.cs
@ -0,0 +1,282 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Enums.Provider;
+using Bit.Core.AdminConsole.Errors;
+using Bit.Core.AdminConsole.Interfaces;
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Errors;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.AdminConsole.Shared.Validation;
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Models.Business;
+using Bit.Core.Models.Commands;
+using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Tools.Enums;
+using Bit.Core.Tools.Models.Business;
+using Bit.Core.Tools.Services;
+using Microsoft.Extensions.Logging;
+using OrganizationUserInvite = Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models.OrganizationUserInvite;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+
+public class InviteOrganizationUsersCommand(IEventService eventService,
+    IOrganizationUserRepository organizationUserRepository,
+    IInviteUsersValidator inviteUsersValidator,
+    IPaymentService paymentService,
+    IOrganizationRepository organizationRepository,
+    IReferenceEventService referenceEventService,
+    ICurrentContext currentContext,
+    IApplicationCacheService applicationCacheService,
+    IMailService mailService,
+    ILogger<InviteOrganizationUsersCommand> logger,
+    IUpdateSecretsManagerSubscriptionCommand updateSecretsManagerSubscriptionCommand,
+    ISendOrganizationInvitesCommand sendOrganizationInvitesCommand,
+    IProviderOrganizationRepository providerOrganizationRepository,
+    IProviderUserRepository providerUserRepository
+    ) : IInviteOrganizationUsersCommand
+{
+
+    public const string IssueNotifyingOwnersOfSeatLimitReached = "Error encountered notifying organization owners of seat limit reached.";
+
+    public async Task<CommandResult<ScimInviteOrganizationUsersResponse>> InviteScimOrganizationUserAsync(InviteOrganizationUsersRequest request)
+    {
+        var result = await InviteOrganizationUsersAsync(request);
+
+        switch (result)
+        {
+            case Failure<InviteOrganizationUsersResponse> failure:
+                return new Failure<ScimInviteOrganizationUsersResponse>(
+                    failure.Errors.Select(error => new Error<ScimInviteOrganizationUsersResponse>(error.Message,
+                        new ScimInviteOrganizationUsersResponse
+                        {
+                            InvitedUser = error.ErroredValue.InvitedUsers.FirstOrDefault()
+                        })));
+
+            case Success<InviteOrganizationUsersResponse> success when success.Value.InvitedUsers.Any():
+                var user = success.Value.InvitedUsers.First();
+
+                await eventService.LogOrganizationUserEventAsync<IOrganizationUser>(
+                    organizationUser: user,
+                    type: EventType.OrganizationUser_Invited,
+                    systemUser: EventSystemUser.SCIM,
+                    date: request.PerformedAt.UtcDateTime);
+
+                return new Success<ScimInviteOrganizationUsersResponse>(new ScimInviteOrganizationUsersResponse
+                {
+                    InvitedUser = user
+                });
+
+            default:
+                return new Failure<ScimInviteOrganizationUsersResponse>(
+                    new InvalidResultTypeError<ScimInviteOrganizationUsersResponse>(
+                        new ScimInviteOrganizationUsersResponse()));
+        }
+    }
+
+    private async Task<CommandResult<InviteOrganizationUsersResponse>> InviteOrganizationUsersAsync(InviteOrganizationUsersRequest request)
+    {
+        var invitesToSend = (await FilterExistingUsersAsync(request)).ToArray();
+
+        if (invitesToSend.Length == 0)
+        {
+            return new Failure<InviteOrganizationUsersResponse>(new NoUsersToInviteError(
+                new InviteOrganizationUsersResponse(request.InviteOrganization.OrganizationId)));
+        }
+
+        var validationResult = await inviteUsersValidator.ValidateAsync(new InviteOrganizationUsersValidationRequest
+        {
+            Invites = invitesToSend.ToArray(),
+            InviteOrganization = request.InviteOrganization,
+            PerformedBy = request.PerformedBy,
+            PerformedAt = request.PerformedAt,
+            OccupiedPmSeats = await organizationUserRepository.GetOccupiedSeatCountByOrganizationIdAsync(request.InviteOrganization.OrganizationId),
+            OccupiedSmSeats = await organizationUserRepository.GetOccupiedSmSeatCountByOrganizationIdAsync(request.InviteOrganization.OrganizationId)
+        });
+
+        if (validationResult is Invalid<InviteOrganizationUsersValidationRequest> invalid)
+        {
+            return invalid.MapToFailure(r => new InviteOrganizationUsersResponse(r));
+        }
+
+        var validatedRequest = validationResult as Valid<InviteOrganizationUsersValidationRequest>;
+
+        var organizationUserToInviteEntities = invitesToSend
+            .Select(x => x.MapToDataModel(request.PerformedAt, validatedRequest!.Value.InviteOrganization))
+            .ToArray();
+
+        var organization = await organizationRepository.GetByIdAsync(validatedRequest!.Value.InviteOrganization.OrganizationId);
+
+        try
+        {
+            await organizationUserRepository.CreateManyAsync(organizationUserToInviteEntities);
+
+            await AdjustPasswordManagerSeatsAsync(validatedRequest, organization);
+
+            await AdjustSecretsManagerSeatsAsync(validatedRequest);
+
+            await SendAdditionalEmailsAsync(validatedRequest, organization);
+
+            await SendInvitesAsync(organizationUserToInviteEntities, organization);
+
+            await PublishReferenceEventAsync(validatedRequest, organization);
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, FailedToInviteUsersError.Code);
+
+            await organizationUserRepository.DeleteManyAsync(organizationUserToInviteEntities.Select(x => x.OrganizationUser.Id));
+
+            // Do this first so that SmSeats never exceed PM seats (due to current billing requirements)
+            await RevertSecretsManagerChangesAsync(validatedRequest, organization, validatedRequest.Value.InviteOrganization.SmSeats);
+
+            await RevertPasswordManagerChangesAsync(validatedRequest, organization);
+
+            return new Failure<InviteOrganizationUsersResponse>(
+                new FailedToInviteUsersError(
+                    new InviteOrganizationUsersResponse(validatedRequest.Value)));
+        }
+
+        return new Success<InviteOrganizationUsersResponse>(
+            new InviteOrganizationUsersResponse(
+                invitedOrganizationUsers: organizationUserToInviteEntities.Select(x => x.OrganizationUser).ToArray(),
+                organizationId: organization!.Id));
+    }
+
+    private async Task<IEnumerable<OrganizationUserInvite>> FilterExistingUsersAsync(InviteOrganizationUsersRequest request)
+    {
+        var existingEmails = new HashSet<string>(await organizationUserRepository.SelectKnownEmailsAsync(
+                request.InviteOrganization.OrganizationId, request.Invites.Select(i => i.Email), false),
+            StringComparer.OrdinalIgnoreCase);
+
+        return request.Invites
+            .Where(invite => !existingEmails.Contains(invite.Email))
+            .ToArray();
+    }
+
+    private async Task RevertPasswordManagerChangesAsync(Valid<InviteOrganizationUsersValidationRequest> validatedResult, Organization organization)
+    {
+        if (validatedResult.Value.PasswordManagerSubscriptionUpdate.SeatsRequiredToAdd > 0)
+        {
+            // When reverting seats, we have to tell payments service that the seats are going back down by what we attempted to add.
+            // However, this might lead to a problem if we don't actually update stripe but throw any ways.
+            // stripe could not be updated, and then we would decrement the number of seats in stripe accidentally.
+            var seatsToRemove = validatedResult.Value.PasswordManagerSubscriptionUpdate.SeatsRequiredToAdd;
+            await paymentService.AdjustSeatsAsync(organization, validatedResult.Value.InviteOrganization.Plan, -seatsToRemove);
+
+            organization.Seats = (short?)validatedResult.Value.PasswordManagerSubscriptionUpdate.Seats;
+
+            await organizationRepository.ReplaceAsync(organization);
+            await applicationCacheService.UpsertOrganizationAbilityAsync(organization);
+        }
+    }
+
+    private async Task RevertSecretsManagerChangesAsync(Valid<InviteOrganizationUsersValidationRequest> validatedResult, Organization organization, int? initialSmSeats)
+    {
+        if (validatedResult.Value.SecretsManagerSubscriptionUpdate?.SmSeatsChanged is true)
+        {
+            var smSubscriptionUpdateRevert = new SecretsManagerSubscriptionUpdate(
+                organization: organization,
+                plan: validatedResult.Value.InviteOrganization.Plan,
+                autoscaling: false)
+            {
+                SmSeats = initialSmSeats
+            };
+
+            await updateSecretsManagerSubscriptionCommand.UpdateSubscriptionAsync(smSubscriptionUpdateRevert);
+        }
+    }
+
+    private async Task PublishReferenceEventAsync(Valid<InviteOrganizationUsersValidationRequest> validatedResult,
+        Organization organization) =>
+        await referenceEventService.RaiseEventAsync(
+            new ReferenceEvent(ReferenceEventType.InvitedUsers, organization, currentContext)
+            {
+                Users = validatedResult.Value.Invites.Length
+            });
+
+    private async Task SendInvitesAsync(IEnumerable<CreateOrganizationUser> users, Organization organization) =>
+        await sendOrganizationInvitesCommand.SendInvitesAsync(
+            new SendInvitesRequest(
+                users.Select(x => x.OrganizationUser),
+                organization));
+
+    private async Task SendAdditionalEmailsAsync(Valid<InviteOrganizationUsersValidationRequest> validatedResult, Organization organization)
+    {
+        await SendPasswordManagerMaxSeatLimitEmailsAsync(validatedResult, organization);
+    }
+
+    private async Task SendPasswordManagerMaxSeatLimitEmailsAsync(Valid<InviteOrganizationUsersValidationRequest> validatedResult, Organization organization)
+    {
+        if (!validatedResult.Value.PasswordManagerSubscriptionUpdate.MaxSeatsReached)
+        {
+            return;
+        }
+
+        try
+        {
+            var ownerEmails = await GetOwnerEmailAddressesAsync(validatedResult.Value.InviteOrganization);
+
+            await mailService.SendOrganizationMaxSeatLimitReachedEmailAsync(organization,
+                validatedResult.Value.PasswordManagerSubscriptionUpdate.MaxAutoScaleSeats!.Value, ownerEmails);
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, IssueNotifyingOwnersOfSeatLimitReached);
+        }
+    }
+
+    private async Task<IEnumerable<string>> GetOwnerEmailAddressesAsync(InviteOrganization organization)
+    {
+        var providerOrganization = await providerOrganizationRepository
+            .GetByOrganizationId(organization.OrganizationId);
+
+        if (providerOrganization == null)
+        {
+            return (await organizationUserRepository
+                    .GetManyByMinimumRoleAsync(organization.OrganizationId, OrganizationUserType.Owner))
+                .Select(x => x.Email)
+                .Distinct();
+        }
+
+        return (await providerUserRepository
+                .GetManyDetailsByProviderAsync(providerOrganization.ProviderId, ProviderUserStatusType.Confirmed))
+            .Select(u => u.Email).Distinct();
+    }
+
+    private async Task AdjustSecretsManagerSeatsAsync(Valid<InviteOrganizationUsersValidationRequest> validatedResult)
+    {
+        if (validatedResult.Value.SecretsManagerSubscriptionUpdate?.SmSeatsChanged is true)
+        {
+            await updateSecretsManagerSubscriptionCommand.UpdateSubscriptionAsync(validatedResult.Value.SecretsManagerSubscriptionUpdate);
+        }
+
+    }
+
+    private async Task AdjustPasswordManagerSeatsAsync(Valid<InviteOrganizationUsersValidationRequest> validatedResult, Organization organization)
+    {
+        if (validatedResult.Value.PasswordManagerSubscriptionUpdate.SeatsRequiredToAdd <= 0)
+        {
+            return;
+        }
+
+        await paymentService.AdjustSeatsAsync(organization, validatedResult.Value.InviteOrganization.Plan, validatedResult.Value.PasswordManagerSubscriptionUpdate.SeatsRequiredToAdd);
+
+        organization.Seats = (short?)validatedResult.Value.PasswordManagerSubscriptionUpdate.UpdatedSeatTotal;
+
+        await organizationRepository.ReplaceAsync(organization); // could optimize this with only a property update
+        await applicationCacheService.UpsertOrganizationAbilityAsync(organization);
+
+        await referenceEventService.RaiseEventAsync(
+            new ReferenceEvent(ReferenceEventType.AdjustSeats, organization, currentContext)
+            {
+                PlanName = validatedResult.Value.InviteOrganization.Plan.Name,
+                PlanType = validatedResult.Value.InviteOrganization.Plan.Type,
+                Seats = validatedResult.Value.PasswordManagerSubscriptionUpdate.UpdatedSeatTotal,
+                PreviousSeats = validatedResult.Value.PasswordManagerSubscriptionUpdate.Seats
+            });
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/CreateOrganizationUser.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/CreateOrganizationUser.cs
@ -0,0 +1,15 @@
+using Bit.Core.Entities;
+using Bit.Core.Models.Data;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+/// <summary>
+/// Object for associating the <see cref="OrganizationUser"/> with their assigned collections
+/// <see cref="CollectionAccessSelection"/> and Group Ids.
+/// </summary>
+public class CreateOrganizationUser
+{
+    public OrganizationUser OrganizationUser { get; set; }
+    public CollectionAccessSelection[] Collections { get; set; } = [];
+    public Guid[] Groups { get; set; } = [];
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/CreateOrganizationUserExtensions.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/CreateOrganizationUserExtensions.cs
@ -0,0 +1,30 @@
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Utilities;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+public static class CreateOrganizationUserExtensions
+{
+    public static CreateOrganizationUser MapToDataModel(this OrganizationUserInvite organizationUserInvite,
+        DateTimeOffset performedAt,
+        InviteOrganization organization) =>
+        new()
+        {
+            OrganizationUser = new OrganizationUser
+            {
+                Id = CoreHelpers.GenerateComb(),
+                OrganizationId = organization.OrganizationId,
+                Email = organizationUserInvite.Email.ToLowerInvariant(),
+                Type = organizationUserInvite.Type,
+                Status = OrganizationUserStatusType.Invited,
+                AccessSecretsManager = organizationUserInvite.AccessSecretsManager,
+                ExternalId = string.IsNullOrWhiteSpace(organizationUserInvite.ExternalId) ? null : organizationUserInvite.ExternalId,
+                CreationDate = performedAt.UtcDateTime,
+                RevisionDate = performedAt.UtcDateTime
+            },
+            Collections = organizationUserInvite.AssignedCollections,
+            Groups = organizationUserInvite.Groups
+        };
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUserErrorMessages.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUserErrorMessages.cs
@ -0,0 +1,7 @@
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+public static class InviteOrganizationUserErrorMessages
+{
+    public const string InvalidEmailErrorMessage = "The email address is not valid.";
+    public const string InvalidCollectionConfigurationErrorMessage = "The Manage property is mutually exclusive and cannot be true while the ReadOnly or HidePasswords properties are also true.";
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUsersRequest.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUsersRequest.cs
@ -0,0 +1,22 @@
+using Bit.Core.AdminConsole.Models.Business;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+public class InviteOrganizationUsersRequest
+{
+    public OrganizationUserInvite[] Invites { get; } = [];
+    public InviteOrganization InviteOrganization { get; }
+    public Guid PerformedBy { get; }
+    public DateTimeOffset PerformedAt { get; }
+
+    public InviteOrganizationUsersRequest(OrganizationUserInvite[] invites,
+        InviteOrganization inviteOrganization,
+        Guid performedBy,
+        DateTimeOffset performedAt)
+    {
+        Invites = invites;
+        InviteOrganization = inviteOrganization;
+        PerformedBy = performedBy;
+        PerformedAt = performedAt;
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUsersResponse.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUsersResponse.cs
@ -0,0 +1,42 @@
+using Bit.Core.Entities;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+public class InviteOrganizationUsersResponse(Guid organizationId)
+{
+    public IEnumerable<OrganizationUser> InvitedUsers { get; } = [];
+    public Guid OrganizationId { get; } = organizationId;
+
+    public InviteOrganizationUsersResponse(InviteOrganizationUsersValidationRequest usersValidationRequest)
+        : this(usersValidationRequest.InviteOrganization.OrganizationId)
+    {
+        InvitedUsers = usersValidationRequest.Invites.Select(x => new OrganizationUser { Email = x.Email });
+    }
+
+    public InviteOrganizationUsersResponse(IEnumerable<OrganizationUser> invitedOrganizationUsers, Guid organizationId)
+        : this(organizationId)
+    {
+        InvitedUsers = invitedOrganizationUsers;
+    }
+}
+
+public class ScimInviteOrganizationUsersResponse
+{
+    public OrganizationUser InvitedUser { get; init; }
+
+    public ScimInviteOrganizationUsersResponse()
+    {
+
+    }
+
+    public ScimInviteOrganizationUsersResponse(InviteOrganizationUsersRequest request)
+    {
+        var userToInvite = request.Invites.First();
+
+        InvitedUser = new OrganizationUser
+        {
+            Email = userToInvite.Email,
+            ExternalId = userToInvite.ExternalId
+        };
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUsersValidationRequest.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUsersValidationRequest.cs
@ -0,0 +1,40 @@
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.PasswordManager;
+using Bit.Core.Models.Business;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+public class InviteOrganizationUsersValidationRequest
+{
+    public InviteOrganizationUsersValidationRequest()
+    {
+    }
+
+    public InviteOrganizationUsersValidationRequest(InviteOrganizationUsersValidationRequest request)
+    {
+        Invites = request.Invites;
+        InviteOrganization = request.InviteOrganization;
+        PerformedBy = request.PerformedBy;
+        PerformedAt = request.PerformedAt;
+        OccupiedPmSeats = request.OccupiedPmSeats;
+        OccupiedSmSeats = request.OccupiedSmSeats;
+    }
+
+    public InviteOrganizationUsersValidationRequest(InviteOrganizationUsersValidationRequest request,
+        PasswordManagerSubscriptionUpdate subscriptionUpdate,
+        SecretsManagerSubscriptionUpdate smSubscriptionUpdate)
+        : this(request)
+    {
+        PasswordManagerSubscriptionUpdate = subscriptionUpdate;
+        SecretsManagerSubscriptionUpdate = smSubscriptionUpdate;
+    }
+
+    public OrganizationUserInvite[] Invites { get; init; } = [];
+    public InviteOrganization InviteOrganization { get; init; }
+    public Guid PerformedBy { get; init; }
+    public DateTimeOffset PerformedAt { get; init; }
+    public int OccupiedPmSeats { get; init; }
+    public int OccupiedSmSeats { get; init; }
+    public PasswordManagerSubscriptionUpdate PasswordManagerSubscriptionUpdate { get; set; }
+    public SecretsManagerSubscriptionUpdate SecretsManagerSubscriptionUpdate { get; set; }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/OrganizationUserInvite.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/OrganizationUserInvite.cs
@ -0,0 +1,77 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Data;
+using Bit.Core.Utilities;
+using static Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models.InviteOrganizationUserErrorMessages;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+public class OrganizationUserInvite
+{
+    public string Email { get; private init; }
+    public CollectionAccessSelection[] AssignedCollections { get; private init; }
+    public OrganizationUserType Type { get; private init; }
+    public Permissions Permissions { get; private init; }
+    public string ExternalId { get; private init; }
+    public bool AccessSecretsManager { get; private init; }
+    public Guid[] Groups { get; private init; }
+
+    public OrganizationUserInvite(string email, string externalId) :
+        this(
+            email: email,
+            assignedCollections: [],
+            groups: [],
+            type: OrganizationUserType.User,
+            permissions: new Permissions(),
+            externalId: externalId,
+            false)
+    {
+    }
+
+    public OrganizationUserInvite(OrganizationUserInvite invite, bool accessSecretsManager) :
+        this(invite.Email,
+            invite.AssignedCollections,
+            invite.Groups,
+            invite.Type,
+            invite.Permissions,
+            invite.ExternalId,
+            accessSecretsManager)
+    {
+
+    }
+
+    public OrganizationUserInvite(string email,
+        IEnumerable<CollectionAccessSelection> assignedCollections,
+        IEnumerable<Guid> groups,
+        OrganizationUserType type,
+        Permissions permissions,
+        string externalId,
+        bool accessSecretsManager)
+    {
+        ValidateEmailAddress(email);
+
+        var collections = assignedCollections?.ToArray() ?? [];
+
+        if (collections.Any(x => x.IsValidCollectionAccessConfiguration()))
+        {
+            throw new BadRequestException(InvalidCollectionConfigurationErrorMessage);
+        }
+
+        Email = email;
+        AssignedCollections = collections;
+        Groups = groups.ToArray();
+        Type = type;
+        Permissions = permissions ?? new Permissions();
+        ExternalId = externalId;
+        AccessSecretsManager = accessSecretsManager;
+    }
+
+    private static void ValidateEmailAddress(string email)
+    {
+        if (!email.IsValidEmail())
+        {
+            throw new BadRequestException($"{email} {InvalidEmailErrorMessage}");
+        }
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/SendInvitesRequest.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/SendInvitesRequest.cs
@ -0,0 +1,33 @@
+#nullable enable
+
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Entities;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+/// <summary>
+/// Represents a request to send invitations to a group of organization users.
+/// </summary>
+public class SendInvitesRequest
+{
+    public SendInvitesRequest(IEnumerable<OrganizationUser> users, Organization organization) =>
+        (Users, Organization) = (users.ToArray(), organization);
+
+    public SendInvitesRequest(IEnumerable<OrganizationUser> users, Organization organization, bool initOrganization) =>
+        (Users, Organization, InitOrganization) = (users.ToArray(), organization, initOrganization);
+
+    /// <summary>
+    /// Organization Users to send emails to.
+    /// </summary>
+    public OrganizationUser[] Users { get; set; } = [];
+
+    /// <summary>
+    /// The organization to invite the users to.
+    /// </summary>
+    public Organization Organization { get; init; }
+
+    /// <summary>
+    /// This is for when the organization is being created and this is the owners initial invite
+    /// </summary>
+    public bool InitOrganization { get; init; }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/SendOrganizationInvitesCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/SendOrganizationInvitesCommand.cs
@ -0,0 +1,80 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Auth.Models.Business;
+using Bit.Core.Auth.Models.Business.Tokenables;
+using Bit.Core.Auth.Repositories;
+using Bit.Core.Entities;
+using Bit.Core.Models.Mail;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Tokens;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+
+public class SendOrganizationInvitesCommand(
+    IUserRepository userRepository,
+    ISsoConfigRepository ssoConfigurationRepository,
+    IPolicyRepository policyRepository,
+    IOrgUserInviteTokenableFactory orgUserInviteTokenableFactory,
+    IDataProtectorTokenFactory<OrgUserInviteTokenable> dataProtectorTokenFactory,
+    IMailService mailService) : ISendOrganizationInvitesCommand
+{
+    public async Task SendInvitesAsync(SendInvitesRequest request)
+    {
+        var orgInvitesInfo = await BuildOrganizationInvitesInfoAsync(request.Users, request.Organization, request.InitOrganization);
+
+        await mailService.SendOrganizationInviteEmailsAsync(orgInvitesInfo);
+    }
+
+    private async Task<OrganizationInvitesInfo> BuildOrganizationInvitesInfoAsync(IEnumerable<OrganizationUser> orgUsers,
+        Organization organization, bool initOrganization = false)
+    {
+        // Materialize the sequence into a list to avoid multiple enumeration warnings
+        var orgUsersList = orgUsers.ToList();
+
+        // Email links must include information about the org and user for us to make routing decisions client side
+        // Given an org user, determine if existing BW user exists
+        var orgUserEmails = orgUsersList.Select(ou => ou.Email).ToList();
+        var existingUsers = await userRepository.GetManyByEmailsAsync(orgUserEmails);
+
+        // hash existing users emails list for O(1) lookups
+        var existingUserEmailsHashSet = new HashSet<string>(existingUsers.Select(u => u.Email));
+
+        // Create a dictionary of org user guids and bools for whether or not they have an existing BW user
+        var orgUserHasExistingUserDict = orgUsersList.ToDictionary(
+            ou => ou.Id,
+            ou => existingUserEmailsHashSet.Contains(ou.Email)
+        );
+
+        // Determine if org has SSO enabled and if user is required to login with SSO
+        // Note: we only want to call the DB after checking if the org can use SSO per plan and if they have any policies enabled.
+        var orgSsoEnabled = organization.UseSso && (await ssoConfigurationRepository.GetByOrganizationIdAsync(organization.Id))?.Enabled == true;
+        // Even though the require SSO policy can be turned on regardless of SSO being enabled, for this logic, we only
+        // need to check the policy if the org has SSO enabled.
+        var orgSsoLoginRequiredPolicyEnabled = orgSsoEnabled &&
+                                               organization.UsePolicies &&
+                                               (await policyRepository.GetByOrganizationIdTypeAsync(organization.Id, PolicyType.RequireSso))?.Enabled == true;
+
+        // Generate the list of org users and expiring tokens
+        // create helper function to create expiring tokens
+        (OrganizationUser, ExpiringToken) MakeOrgUserExpiringTokenPair(OrganizationUser orgUser)
+        {
+            var orgUserInviteTokenable = orgUserInviteTokenableFactory.CreateToken(orgUser);
+            var protectedToken = dataProtectorTokenFactory.Protect(orgUserInviteTokenable);
+            return (orgUser, new ExpiringToken(protectedToken, orgUserInviteTokenable.ExpirationDate));
+        }
+
+        var orgUsersWithExpTokens = orgUsers.Select(MakeOrgUserExpiringTokenPair);
+
+        return new OrganizationInvitesInfo(
+            organization,
+            orgSsoEnabled,
+            orgSsoLoginRequiredPolicyEnabled,
+            orgUsersWithExpTokens,
+            orgUserHasExistingUserDict,
+            initOrganization
+        );
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/CollectionAccessSelectionExtensions.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/CollectionAccessSelectionExtensions.cs
@ -0,0 +1,12 @@
+using Bit.Core.Models.Data;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation;
+
+public static class CollectionAccessSelectionExtensions
+{
+    /// <summary>
+    /// This validates the permissions on the given assigned collection
+    /// </summary>
+    public static bool IsValidCollectionAccessConfiguration(this CollectionAccessSelection collectionAccessSelection) =>
+        collectionAccessSelection.Manage && (collectionAccessSelection.ReadOnly || collectionAccessSelection.HidePasswords);
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/GlobalSettings/CannotAutoScaleOnSelfHostError.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/GlobalSettings/CannotAutoScaleOnSelfHostError.cs
@ -0,0 +1,8 @@
+using Bit.Core.AdminConsole.Errors;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.GlobalSettings;
+
+public record CannotAutoScaleOnSelfHostError(EnvironmentRequest Invalid) : Error<EnvironmentRequest>(Code, Invalid)
+{
+    public const string Code = "Cannot auto scale self-host.";
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/GlobalSettings/EnvironmentRequest.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/GlobalSettings/EnvironmentRequest.cs
@ -0,0 +1,18 @@
+#nullable enable
+
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.PasswordManager;
+using Bit.Core.Settings;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.GlobalSettings;
+
+public class EnvironmentRequest
+{
+    public bool IsSelfHosted { get; init; }
+    public PasswordManagerSubscriptionUpdate PasswordManagerSubscriptionUpdate { get; init; }
+
+    public EnvironmentRequest(IGlobalSettings globalSettings, PasswordManagerSubscriptionUpdate passwordManagerSubscriptionUpdate)
+    {
+        IsSelfHosted = globalSettings.SelfHosted;
+        PasswordManagerSubscriptionUpdate = passwordManagerSubscriptionUpdate;
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/GlobalSettings/InviteUsersEnvironmentValidator.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/GlobalSettings/InviteUsersEnvironmentValidator.cs
@ -0,0 +1,14 @@
+using Bit.Core.AdminConsole.Shared.Validation;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.GlobalSettings;
+
+public interface IInviteUsersEnvironmentValidator : IValidator<EnvironmentRequest>;
+
+public class InviteUsersEnvironmentValidator : IInviteUsersEnvironmentValidator
+{
+    public Task<ValidationResult<EnvironmentRequest>> ValidateAsync(EnvironmentRequest value) =>
+        Task.FromResult<ValidationResult<EnvironmentRequest>>(
+            value.IsSelfHosted && value.PasswordManagerSubscriptionUpdate.SeatsRequiredToAdd > 0 ?
+                new Invalid<EnvironmentRequest>(new CannotAutoScaleOnSelfHostError(value)) :
+                new Valid<EnvironmentRequest>(value));
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/InviteOrganizationUserValidator.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/InviteOrganizationUserValidator.cs
@ -0,0 +1,108 @@
+using Bit.Core.AdminConsole.Errors;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.PasswordManager;
+using Bit.Core.AdminConsole.Shared.Validation;
+using Bit.Core.Models.Business;
+using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using OrganizationUserInvite = Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models.OrganizationUserInvite;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation;
+
+public interface IInviteUsersValidator : IValidator<InviteOrganizationUsersValidationRequest>;
+
+public class InviteOrganizationUsersValidator(
+    IOrganizationRepository organizationRepository,
+    IInviteUsersPasswordManagerValidator inviteUsersPasswordManagerValidator,
+    IUpdateSecretsManagerSubscriptionCommand secretsManagerSubscriptionCommand,
+    IPaymentService paymentService) : IInviteUsersValidator
+{
+    public async Task<ValidationResult<InviteOrganizationUsersValidationRequest>> ValidateAsync(
+        InviteOrganizationUsersValidationRequest request)
+    {
+        var subscriptionUpdate = new PasswordManagerSubscriptionUpdate(request);
+
+        var passwordManagerValidationResult =
+            await inviteUsersPasswordManagerValidator.ValidateAsync(subscriptionUpdate);
+
+        if (passwordManagerValidationResult is Invalid<PasswordManagerSubscriptionUpdate> invalidSubscriptionUpdate)
+        {
+            return invalidSubscriptionUpdate.Map(request);
+        }
+
+        // If the organization has the Secrets Manager Standalone Discount, all users are added to secrets manager.
+        // This is an expensive call, so we're doing it now to delay the check as long as possible.
+        if (await paymentService.HasSecretsManagerStandalone(request.InviteOrganization))
+        {
+            request = new InviteOrganizationUsersValidationRequest(request)
+            {
+                Invites = request.Invites
+                    .Select(x => new OrganizationUserInvite(x, accessSecretsManager: true))
+                    .ToArray()
+            };
+        }
+
+        if (request.InviteOrganization.UseSecretsManager && request.Invites.Any(x => x.AccessSecretsManager))
+        {
+            return await ValidateSecretsManagerSubscriptionUpdateAsync(request, subscriptionUpdate);
+        }
+
+        return new Valid<InviteOrganizationUsersValidationRequest>(new InviteOrganizationUsersValidationRequest(
+            request,
+            subscriptionUpdate,
+            null));
+    }
+
+    private async Task<ValidationResult<InviteOrganizationUsersValidationRequest>> ValidateSecretsManagerSubscriptionUpdateAsync(
+            InviteOrganizationUsersValidationRequest request,
+            PasswordManagerSubscriptionUpdate subscriptionUpdate)
+    {
+        try
+        {
+
+            var smSubscriptionUpdate = new SecretsManagerSubscriptionUpdate(
+                organization: await organizationRepository.GetByIdAsync(request.InviteOrganization.OrganizationId),
+                plan: request.InviteOrganization.Plan,
+                autoscaling: true);
+
+            var seatsToAdd = GetSecretManagerSeatAdjustment(request);
+
+            if (seatsToAdd > 0)
+            {
+                smSubscriptionUpdate.AdjustSeats(seatsToAdd);
+
+                await secretsManagerSubscriptionCommand.ValidateUpdateAsync(smSubscriptionUpdate);
+            }
+
+            return new Valid<InviteOrganizationUsersValidationRequest>(new InviteOrganizationUsersValidationRequest(
+                request,
+                subscriptionUpdate,
+                smSubscriptionUpdate));
+        }
+        catch (Exception ex)
+        {
+            return new Invalid<InviteOrganizationUsersValidationRequest>(
+                new Error<InviteOrganizationUsersValidationRequest>(ex.Message, request));
+        }
+    }
+
+    /// <summary>
+    /// This calculates the number of SM seats to add to the organization seat total.
+    ///
+    /// If they have a current seat limit (it can be null), we want to figure out how many are available (seats -
+    /// occupied seats). Then, we'll subtract the available seats from the number of users we're trying to invite.
+    ///
+    /// If it's negative, we have available seats and do not need to increase, so we go with 0.
+    /// </summary>
+    /// <param name="request"></param>
+    /// <returns></returns>
+    private static int GetSecretManagerSeatAdjustment(InviteOrganizationUsersValidationRequest request) =>
+        request.InviteOrganization.SmSeats.HasValue
+            ? Math.Max(
+                request.Invites.Count(x => x.AccessSecretsManager) -
+                (request.InviteOrganization.SmSeats.Value -
+                 request.OccupiedSmSeats),
+                0)
+            : 0;
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Organization/Errors.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Organization/Errors.cs
@ -0,0 +1,16 @@
+using Bit.Core.AdminConsole.Errors;
+using Bit.Core.AdminConsole.Models.Business;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Organization;
+
+public record OrganizationNoPaymentMethodFoundError(InviteOrganization InvalidRequest)
+    : Error<InviteOrganization>(Code, InvalidRequest)
+{
+    public const string Code = "No payment method found.";
+}
+
+public record OrganizationNoSubscriptionFoundError(InviteOrganization InvalidRequest)
+    : Error<InviteOrganization>(Code, InvalidRequest)
+{
+    public const string Code = "No subscription found.";
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Organization/InviteUsersOrganizationValidator.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Organization/InviteUsersOrganizationValidator.cs
@ -0,0 +1,32 @@
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.AdminConsole.Shared.Validation;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Organization;
+
+public interface IInviteUsersOrganizationValidator : IValidator<InviteOrganization>;
+
+public class InviteUsersOrganizationValidator : IInviteUsersOrganizationValidator
+{
+    public Task<ValidationResult<InviteOrganization>> ValidateAsync(InviteOrganization inviteOrganization)
+    {
+        if (inviteOrganization.Seats is null)
+        {
+            return Task.FromResult<ValidationResult<InviteOrganization>>(
+                new Valid<InviteOrganization>(inviteOrganization));
+        }
+
+        if (string.IsNullOrWhiteSpace(inviteOrganization.GatewayCustomerId))
+        {
+            return Task.FromResult<ValidationResult<InviteOrganization>>(
+                new Invalid<InviteOrganization>(new OrganizationNoPaymentMethodFoundError(inviteOrganization)));
+        }
+
+        if (string.IsNullOrWhiteSpace(inviteOrganization.GatewaySubscriptionId))
+        {
+            return Task.FromResult<ValidationResult<InviteOrganization>>(
+                new Invalid<InviteOrganization>(new OrganizationNoSubscriptionFoundError(inviteOrganization)));
+        }
+
+        return Task.FromResult<ValidationResult<InviteOrganization>>(new Valid<InviteOrganization>(inviteOrganization));
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/PasswordManager/Errors.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/PasswordManager/Errors.cs
@ -0,0 +1,30 @@
+using Bit.Core.AdminConsole.Errors;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.PasswordManager;
+
+public record PasswordManagerSeatLimitHasBeenReachedError(PasswordManagerSubscriptionUpdate InvalidRequest)
+    : Error<PasswordManagerSubscriptionUpdate>(Code, InvalidRequest)
+{
+    public const string Code = "Seat limit has been reached.";
+}
+
+public record PasswordManagerPlanDoesNotAllowAdditionalSeatsError(PasswordManagerSubscriptionUpdate InvalidRequest)
+    : Error<PasswordManagerSubscriptionUpdate>(Code, InvalidRequest)
+{
+    public const string Code = "Plan does not allow additional seats.";
+}
+
+public record PasswordManagerPlanOnlyAllowsMaxAdditionalSeatsError(PasswordManagerSubscriptionUpdate InvalidRequest)
+    : Error<PasswordManagerSubscriptionUpdate>(GetErrorMessage(InvalidRequest), InvalidRequest)
+{
+    private static string GetErrorMessage(PasswordManagerSubscriptionUpdate invalidRequest) =>
+        string.Format(Code, invalidRequest.PasswordManagerPlan.MaxAdditionalSeats);
+
+    public const string Code = "Organization plan allows a maximum of {0} additional seats.";
+}
+
+public record PasswordManagerMustHaveSeatsError(PasswordManagerSubscriptionUpdate InvalidRequest)
+    : Error<PasswordManagerSubscriptionUpdate>(Code, InvalidRequest)
+{
+    public const string Code = "You do not have any Password Manager seats!";
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/PasswordManager/InviteUsersPasswordManagerValidator.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/PasswordManager/InviteUsersPasswordManagerValidator.cs
@ -0,0 +1,117 @@
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.GlobalSettings;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Models;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Organization;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Provider;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.AdminConsole.Shared.Validation;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Settings;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.PasswordManager;
+
+public interface IInviteUsersPasswordManagerValidator : IValidator<PasswordManagerSubscriptionUpdate>;
+
+public class InviteUsersPasswordManagerValidator(
+    IGlobalSettings globalSettings,
+    IInviteUsersEnvironmentValidator inviteUsersEnvironmentValidator,
+    IInviteUsersOrganizationValidator inviteUsersOrganizationValidator,
+    IProviderRepository providerRepository,
+    IPaymentService paymentService,
+    IOrganizationRepository organizationRepository
+    ) : IInviteUsersPasswordManagerValidator
+{
+    /// <summary>
+    /// This is for validating if the organization can add additional users.
+    /// </summary>
+    /// <param name="subscriptionUpdate"></param>
+    /// <returns></returns>
+    public static ValidationResult<PasswordManagerSubscriptionUpdate> ValidatePasswordManager(PasswordManagerSubscriptionUpdate subscriptionUpdate)
+    {
+        if (subscriptionUpdate.Seats is null)
+        {
+            return new Valid<PasswordManagerSubscriptionUpdate>(subscriptionUpdate);
+        }
+
+        if (subscriptionUpdate.SeatsRequiredToAdd == 0)
+        {
+            return new Valid<PasswordManagerSubscriptionUpdate>(subscriptionUpdate);
+        }
+
+        if (subscriptionUpdate.PasswordManagerPlan.BaseSeats + subscriptionUpdate.SeatsRequiredToAdd <= 0)
+        {
+            return new Invalid<PasswordManagerSubscriptionUpdate>(new PasswordManagerMustHaveSeatsError(subscriptionUpdate));
+        }
+
+        if (subscriptionUpdate.MaxSeatsReached)
+        {
+            return new Invalid<PasswordManagerSubscriptionUpdate>(
+                new PasswordManagerSeatLimitHasBeenReachedError(subscriptionUpdate));
+        }
+
+        if (subscriptionUpdate.PasswordManagerPlan.HasAdditionalSeatsOption is false)
+        {
+            return new Invalid<PasswordManagerSubscriptionUpdate>(
+                new PasswordManagerPlanDoesNotAllowAdditionalSeatsError(subscriptionUpdate));
+        }
+
+        // Apparently MaxAdditionalSeats is never set. Can probably be removed.
+        if (subscriptionUpdate.UpdatedSeatTotal - subscriptionUpdate.PasswordManagerPlan.BaseSeats > subscriptionUpdate.PasswordManagerPlan.MaxAdditionalSeats)
+        {
+            return new Invalid<PasswordManagerSubscriptionUpdate>(
+                new PasswordManagerPlanOnlyAllowsMaxAdditionalSeatsError(subscriptionUpdate));
+        }
+
+        return new Valid<PasswordManagerSubscriptionUpdate>(subscriptionUpdate);
+    }
+
+    public async Task<ValidationResult<PasswordManagerSubscriptionUpdate>> ValidateAsync(PasswordManagerSubscriptionUpdate request)
+    {
+        switch (ValidatePasswordManager(request))
+        {
+            case Valid<PasswordManagerSubscriptionUpdate> valid
+                when valid.Value.SeatsRequiredToAdd is 0:
+                return new Valid<PasswordManagerSubscriptionUpdate>(request);
+
+            case Invalid<PasswordManagerSubscriptionUpdate> invalid:
+                return invalid;
+        }
+
+        if (await inviteUsersEnvironmentValidator.ValidateAsync(new EnvironmentRequest(globalSettings, request)) is Invalid<EnvironmentRequest> invalidEnvironment)
+        {
+            return invalidEnvironment.Map(request);
+        }
+
+        var organizationValidationResult = await inviteUsersOrganizationValidator.ValidateAsync(request.InviteOrganization);
+
+        if (organizationValidationResult is Invalid<InviteOrganization> organizationValidation)
+        {
+            return organizationValidation.Map(request);
+        }
+
+        var provider = await providerRepository.GetByOrganizationIdAsync(request.InviteOrganization.OrganizationId);
+        if (provider is not null)
+        {
+            var providerValidationResult = InvitingUserOrganizationProviderValidator.Validate(new InviteOrganizationProvider(provider));
+
+            if (providerValidationResult is Invalid<InviteOrganizationProvider> invalidProviderValidation)
+            {
+                return invalidProviderValidation.Map(request);
+            }
+        }
+
+        var paymentSubscription = await paymentService.GetSubscriptionAsync(
+            await organizationRepository.GetByIdAsync(request.InviteOrganization.OrganizationId));
+
+        var paymentValidationResult = InviteUserPaymentValidation.Validate(
+            new PaymentsSubscription(paymentSubscription, request.InviteOrganization));
+
+        if (paymentValidationResult is Invalid<PaymentsSubscription> invalidPaymentValidation)
+        {
+            return invalidPaymentValidation.Map(request);
+        }
+
+        return new Valid<PasswordManagerSubscriptionUpdate>(request);
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/PasswordManager/PasswordManagerSubscriptionUpdate.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/PasswordManager/PasswordManagerSubscriptionUpdate.cs
@ -0,0 +1,89 @@
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+using Bit.Core.Models.StaticStore;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.PasswordManager;
+
+public class PasswordManagerSubscriptionUpdate
+{
+    /// <summary>
+    /// Seats the organization has
+    /// </summary>
+    public int? Seats { get; }
+
+    /// <summary>
+    /// Max number of seats that the organization can have
+    /// </summary>
+    public int? MaxAutoScaleSeats { get; }
+
+    /// <summary>
+    /// Seats currently occupied by current users
+    /// </summary>
+    public int OccupiedSeats { get; }
+
+    /// <summary>
+    /// Users to add to the organization seats
+    /// </summary>
+    public int NewUsersToAdd { get; }
+
+    /// <summary>
+    /// Number of seats available for users
+    /// </summary>
+    public int? AvailableSeats => Seats - OccupiedSeats;
+
+    /// <summary>
+    /// Number of seats to scale the organization by.
+    ///
+    /// If Organization has no seat limit (Seats is null), then there are no new seats to add.
+    /// </summary>
+    public int SeatsRequiredToAdd => AvailableSeats.HasValue ? Math.Max(NewUsersToAdd - AvailableSeats.Value, 0) : 0;
+
+    /// <summary>
+    /// New total of seats for the organization
+    /// </summary>
+    public int? UpdatedSeatTotal => Seats + SeatsRequiredToAdd;
+
+    /// <summary>
+    /// If the new seat total is equal to the organization's auto-scale seat count
+    /// </summary>
+    public bool MaxSeatsReached => UpdatedSeatTotal.HasValue && MaxAutoScaleSeats.HasValue && UpdatedSeatTotal.Value >= MaxAutoScaleSeats.Value;
+
+    public Plan.PasswordManagerPlanFeatures PasswordManagerPlan { get; }
+
+    public InviteOrganization InviteOrganization { get; }
+
+    private PasswordManagerSubscriptionUpdate(int? organizationSeats,
+        int? organizationAutoScaleSeatLimit,
+        int currentSeats,
+        int newUsersToAdd,
+        Plan.PasswordManagerPlanFeatures plan,
+        InviteOrganization inviteOrganization)
+    {
+        Seats = organizationSeats;
+        MaxAutoScaleSeats = organizationAutoScaleSeatLimit;
+        OccupiedSeats = currentSeats;
+        NewUsersToAdd = newUsersToAdd;
+        PasswordManagerPlan = plan;
+        InviteOrganization = inviteOrganization;
+    }
+
+    public PasswordManagerSubscriptionUpdate(InviteOrganization inviteOrganization, int occupiedSeats, int newUsersToAdd) :
+        this(
+            organizationSeats: inviteOrganization.Seats,
+            organizationAutoScaleSeatLimit: inviteOrganization.MaxAutoScaleSeats,
+            currentSeats: occupiedSeats,
+            newUsersToAdd: newUsersToAdd,
+            plan: inviteOrganization.Plan.PasswordManager,
+            inviteOrganization: inviteOrganization)
+    { }
+
+    public PasswordManagerSubscriptionUpdate(InviteOrganizationUsersValidationRequest usersValidationRequest) :
+        this(
+            organizationSeats: usersValidationRequest.InviteOrganization.Seats,
+            organizationAutoScaleSeatLimit: usersValidationRequest.InviteOrganization.MaxAutoScaleSeats,
+            currentSeats: usersValidationRequest.OccupiedPmSeats,
+            newUsersToAdd: usersValidationRequest.Invites.Length,
+            plan: usersValidationRequest.InviteOrganization.Plan.PasswordManager,
+            inviteOrganization: usersValidationRequest.InviteOrganization)
+    { }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Payments/Errors.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Payments/Errors.cs
@ -0,0 +1,10 @@
+using Bit.Core.AdminConsole.Errors;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Models;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Payments;
+
+public record PaymentCancelledSubscriptionError(PaymentsSubscription InvalidRequest)
+    : Error<PaymentsSubscription>(Code, InvalidRequest)
+{
+    public const string Code = "You do not have an active subscription. Reinstate your subscription to make changes.";
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Payments/InviteUserPaymentValidation.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Payments/InviteUserPaymentValidation.cs
@ -0,0 +1,25 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Models;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Payments;
+using Bit.Core.AdminConsole.Shared.Validation;
+using Bit.Core.Billing.Constants;
+using Bit.Core.Billing.Enums;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation;
+
+public static class InviteUserPaymentValidation
+{
+    public static ValidationResult<PaymentsSubscription> Validate(PaymentsSubscription subscription)
+    {
+        if (subscription.ProductTierType is ProductTierType.Free)
+        {
+            return new Valid<PaymentsSubscription>(subscription);
+        }
+
+        if (subscription.SubscriptionStatus == StripeConstants.SubscriptionStatus.Canceled)
+        {
+            return new Invalid<PaymentsSubscription>(new PaymentCancelledSubscriptionError(subscription));
+        }
+
+        return new Valid<PaymentsSubscription>(subscription);
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Payments/PaymentsSubscription.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Payments/PaymentsSubscription.cs
@ -0,0 +1,19 @@
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Models.Business;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Models;
+
+public class PaymentsSubscription
+{
+    public ProductTierType ProductTierType { get; init; }
+    public string SubscriptionStatus { get; init; }
+
+    public PaymentsSubscription() { }
+
+    public PaymentsSubscription(SubscriptionInfo subscriptionInfo, InviteOrganization inviteOrganization)
+    {
+        SubscriptionStatus = subscriptionInfo?.Subscription?.Status ?? string.Empty;
+        ProductTierType = inviteOrganization.Plan.ProductTier;
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Provider/Errors.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Provider/Errors.cs
@ -0,0 +1,13 @@
+using Bit.Core.AdminConsole.Errors;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Provider;
+
+public record ProviderBillableSeatLimitError(InviteOrganizationProvider InvalidRequest) : Error<InviteOrganizationProvider>(Code, InvalidRequest)
+{
+    public const string Code = "Seat limit has been reached. Please contact your provider to add more seats.";
+}
+
+public record ProviderResellerSeatLimitError(InviteOrganizationProvider InvalidRequest) : Error<InviteOrganizationProvider>(Code, InvalidRequest)
+{
+    public const string Code = "Seat limit has been reached. Contact your provider to purchase additional seats.";
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Provider/InviteOrganizationProvider.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Provider/InviteOrganizationProvider.cs
@ -0,0 +1,19 @@
+using Bit.Core.AdminConsole.Enums.Provider;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Provider;
+
+public class InviteOrganizationProvider
+{
+    public Guid ProviderId { get; init; }
+    public ProviderType Type { get; init; }
+    public ProviderStatusType Status { get; init; }
+    public bool Enabled { get; init; }
+
+    public InviteOrganizationProvider(Entities.Provider.Provider provider)
+    {
+        ProviderId = provider.Id;
+        Type = provider.Type;
+        Status = provider.Status;
+        Enabled = provider.Enabled;
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Provider/InvitingUserOrganizationProviderValidator.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/Provider/InvitingUserOrganizationProviderValidator.cs
@ -0,0 +1,28 @@
+using Bit.Core.AdminConsole.Enums.Provider;
+using Bit.Core.AdminConsole.Shared.Validation;
+using Bit.Core.Billing.Extensions;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Provider;
+
+public static class InvitingUserOrganizationProviderValidator
+{
+    public static ValidationResult<InviteOrganizationProvider> Validate(InviteOrganizationProvider inviteOrganizationProvider)
+    {
+        if (inviteOrganizationProvider is not { Enabled: true })
+        {
+            return new Valid<InviteOrganizationProvider>(inviteOrganizationProvider);
+        }
+
+        if (inviteOrganizationProvider.IsBillable())
+        {
+            return new Invalid<InviteOrganizationProvider>(new ProviderBillableSeatLimitError(inviteOrganizationProvider));
+        }
+
+        if (inviteOrganizationProvider.Type == ProviderType.Reseller)
+        {
+            return new Invalid<InviteOrganizationProvider>(new ProviderResellerSeatLimitError(inviteOrganizationProvider));
+        }
+
+        return new Valid<InviteOrganizationProvider>(inviteOrganizationProvider);
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommand.cs
@ -18,14 +18,15 @@ public class RemoveOrganizationUserCommand : IRemoveOrganizationUserCommand
    private readonly IPushRegistrationService _pushRegistrationService;
    private readonly ICurrentContext _currentContext;
    private readonly IHasConfirmedOwnersExceptQuery _hasConfirmedOwnersExceptQuery;
-    private readonly IGetOrganizationUsersManagementStatusQuery _getOrganizationUsersManagementStatusQuery;
+    private readonly IGetOrganizationUsersClaimedStatusQuery _getOrganizationUsersClaimedStatusQuery;
    private readonly IFeatureService _featureService;
    private readonly TimeProvider _timeProvider;

    public const string UserNotFoundErrorMessage = "User not found.";
    public const string UsersInvalidErrorMessage = "Users invalid.";
    public const string RemoveYourselfErrorMessage = "You cannot remove yourself.";
-    public const string RemoveOwnerByNonOwnerErrorMessage = "Only owners can delete other owners.";
+    public const string RemoveOwnerByNonOwnerErrorMessage = "Only owners can remove other owners.";
+    public const string RemoveAdminByCustomUserErrorMessage = "Custom users can not remove admins.";
    public const string RemoveLastConfirmedOwnerErrorMessage = "Organization must have at least one confirmed owner.";
    public const string RemoveClaimedAccountErrorMessage = "Cannot remove member accounts claimed by the organization. To offboard a member, revoke or delete the account.";

@ -37,7 +38,7 @@ public class RemoveOrganizationUserCommand : IRemoveOrganizationUserCommand
        IPushRegistrationService pushRegistrationService,
        ICurrentContext currentContext,
        IHasConfirmedOwnersExceptQuery hasConfirmedOwnersExceptQuery,
-        IGetOrganizationUsersManagementStatusQuery getOrganizationUsersManagementStatusQuery,
+        IGetOrganizationUsersClaimedStatusQuery getOrganizationUsersClaimedStatusQuery,
        IFeatureService featureService,
        TimeProvider timeProvider)
    {
@ -48,7 +49,7 @@ public class RemoveOrganizationUserCommand : IRemoveOrganizationUserCommand
        _pushRegistrationService = pushRegistrationService;
        _currentContext = currentContext;
        _hasConfirmedOwnersExceptQuery = hasConfirmedOwnersExceptQuery;
-        _getOrganizationUsersManagementStatusQuery = getOrganizationUsersManagementStatusQuery;
+        _getOrganizationUsersClaimedStatusQuery = getOrganizationUsersClaimedStatusQuery;
        _featureService = featureService;
        _timeProvider = timeProvider;
    }
@ -153,10 +154,15 @@ public class RemoveOrganizationUserCommand : IRemoveOrganizationUserCommand
            }
        }

+        if (orgUser.Type == OrganizationUserType.Admin && await _currentContext.OrganizationCustom(orgUser.OrganizationId))
+        {
+            throw new BadRequestException(RemoveAdminByCustomUserErrorMessage);
+        }
+
        if (_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning) && deletingUserId.HasValue && eventSystemUser == null)
        {
-            var managementStatus = await _getOrganizationUsersManagementStatusQuery.GetUsersOrganizationManagementStatusAsync(orgUser.OrganizationId, new[] { orgUser.Id });
-            if (managementStatus.TryGetValue(orgUser.Id, out var isManaged) && isManaged)
+            var claimedStatus = await _getOrganizationUsersClaimedStatusQuery.GetUsersOrganizationClaimedStatusAsync(orgUser.OrganizationId, new[] { orgUser.Id });
+            if (claimedStatus.TryGetValue(orgUser.Id, out var isClaimed) && isClaimed)
            {
                throw new BadRequestException(RemoveClaimedAccountErrorMessage);
            }
@ -208,8 +214,8 @@ public class RemoveOrganizationUserCommand : IRemoveOrganizationUserCommand
            deletingUserIsOwner = await _currentContext.OrganizationOwner(organizationId);
        }

-        var managementStatus = _featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning) && deletingUserId.HasValue && eventSystemUser == null
-            ? await _getOrganizationUsersManagementStatusQuery.GetUsersOrganizationManagementStatusAsync(organizationId, filteredUsers.Select(u => u.Id))
+        var claimedStatus = _featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning) && deletingUserId.HasValue && eventSystemUser == null
+            ? await _getOrganizationUsersClaimedStatusQuery.GetUsersOrganizationClaimedStatusAsync(organizationId, filteredUsers.Select(u => u.Id))
            : filteredUsers.ToDictionary(u => u.Id, u => false);
        var result = new List<(OrganizationUser OrganizationUser, string ErrorMessage)>();
        foreach (var orgUser in filteredUsers)
@ -226,7 +232,7 @@ public class RemoveOrganizationUserCommand : IRemoveOrganizationUserCommand
                    throw new BadRequestException(RemoveOwnerByNonOwnerErrorMessage);
                }

-                if (managementStatus.TryGetValue(orgUser.Id, out var isManaged) && isManaged)
+                if (claimedStatus.TryGetValue(orgUser.Id, out var isClaimed) && isClaimed)
                {
                    throw new BadRequestException(RemoveClaimedAccountErrorMessage);
                }
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/IRestoreOrganizationUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/IRestoreOrganizationUserCommand.cs
@ -0,0 +1,54 @@
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Services;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
+
+/// <summary>
+/// Restores a user back to their previous status.
+/// </summary>
+public interface IRestoreOrganizationUserCommand
+{
+    /// <summary>
+    /// Validates that the requesting user can perform the action. There is also a check done to ensure the organization
+    /// can re-add this user based on their current occupied seats.
+    ///
+    /// Checks are performed to make sure the user is conforming to all policies enforced by the organization as well as
+    /// other organizations the user may belong to.
+    ///
+    /// Reference Events and Push Notifications are fired off for this as well.
+    /// </summary>
+    /// <param name="organizationUser">Revoked user to be restored.</param>
+    /// <param name="restoringUserId">UserId of the user performing the action.</param>
+    Task RestoreUserAsync(OrganizationUser organizationUser, Guid? restoringUserId);
+
+    /// <summary>
+    /// Validates that the requesting user can perform the action. There is also a check done to ensure the organization
+    /// can re-add this user based on their current occupied seats.
+    ///
+    /// Checks are performed to make sure the user is conforming to all policies enforced by the organization as well as
+    /// other organizations the user may belong to.
+    ///
+    /// Reference Events and Push Notifications are fired off for this as well.
+    /// </summary>
+    /// <param name="organizationUser">Revoked user to be restored.</param>
+    /// <param name="systemUser">System that is performing the action on behalf of the organization (Public API, SCIM, etc.)</param>
+    Task RestoreUserAsync(OrganizationUser organizationUser, EventSystemUser systemUser);
+
+    /// <summary>
+    /// Validates that the requesting user can perform the action. There is also a check done to ensure the organization
+    /// can re-add this user based on their current occupied seats.
+    ///
+    /// Checks are performed to make sure the user is conforming to all policies enforced by the organization as well as
+    /// other organizations the user may belong to.
+    ///
+    /// Reference Events and Push Notifications are fired off for this as well.
+    /// </summary>
+    /// <param name="organizationId">Organization the users should be restored to.</param>
+    /// <param name="organizationUserIds">List of organization user ids to restore to previous status.</param>
+    /// <param name="restoringUserId">UserId of the user performing the action.</param>
+    /// <param name="userService">Passed in from caller to avoid circular dependency</param>
+    /// <returns>List of organization user Ids and strings. A successful restoration will have an empty string.
+    /// If an error occurs, the error message will be provided.</returns>
+    Task<List<Tuple<OrganizationUser, string>>> RestoreUsersAsync(Guid organizationId, IEnumerable<Guid> organizationUserIds, Guid? restoringUserId, IUserService userService);
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/RestoreOrganizationUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/RestoreOrganizationUserCommand.cs
@ -0,0 +1,302 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Services;
+using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Context;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Platform.Push;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
+
+public class RestoreOrganizationUserCommand(
+    ICurrentContext currentContext,
+    IEventService eventService,
+    IPushNotificationService pushNotificationService,
+    IOrganizationUserRepository organizationUserRepository,
+    IOrganizationRepository organizationRepository,
+    ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
+    IPolicyService policyService,
+    IUserRepository userRepository,
+    IOrganizationService organizationService) : IRestoreOrganizationUserCommand
+{
+    public async Task RestoreUserAsync(OrganizationUser organizationUser, Guid? restoringUserId)
+    {
+        if (restoringUserId.HasValue && organizationUser.UserId == restoringUserId.Value)
+        {
+            throw new BadRequestException("You cannot restore yourself.");
+        }
+
+        if (organizationUser.Type == OrganizationUserType.Owner && restoringUserId.HasValue &&
+            !await currentContext.OrganizationOwner(organizationUser.OrganizationId))
+        {
+            throw new BadRequestException("Only owners can restore other owners.");
+        }
+
+        await RepositoryRestoreUserAsync(organizationUser);
+        await eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
+
+        if (organizationUser.UserId.HasValue)
+        {
+            await pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
+        }
+    }
+
+    public async Task RestoreUserAsync(OrganizationUser organizationUser, EventSystemUser systemUser)
+    {
+        await RepositoryRestoreUserAsync(organizationUser);
+        await eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored,
+            systemUser);
+
+        if (organizationUser.UserId.HasValue)
+        {
+            await pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
+        }
+    }
+
+    private async Task RepositoryRestoreUserAsync(OrganizationUser organizationUser)
+    {
+        if (organizationUser.Status != OrganizationUserStatusType.Revoked)
+        {
+            throw new BadRequestException("Already active.");
+        }
+
+        var organization = await organizationRepository.GetByIdAsync(organizationUser.OrganizationId);
+        var occupiedSeats = await organizationUserRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
+        var availableSeats = organization.Seats.GetValueOrDefault(0) - occupiedSeats;
+
+        if (availableSeats < 1)
+        {
+            await organizationService.AutoAddSeatsAsync(organization, 1); // Hooray
+        }
+
+        var userTwoFactorIsEnabled = false;
+        // Only check 2FA status if the user is linked to a user account
+        if (organizationUser.UserId.HasValue)
+        {
+            userTwoFactorIsEnabled =
+                (await twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync([organizationUser.UserId.Value]))
+                .FirstOrDefault()
+                .twoFactorIsEnabled;
+        }
+
+        if (organization.PlanType == PlanType.Free)
+        {
+            await CheckUserForOtherFreeOrganizationOwnershipAsync(organizationUser);
+        }
+
+        await CheckPoliciesBeforeRestoreAsync(organizationUser, userTwoFactorIsEnabled);
+
+        var status = OrganizationService.GetPriorActiveOrganizationUserStatusType(organizationUser);
+
+        await organizationUserRepository.RestoreAsync(organizationUser.Id, status);
+
+        organizationUser.Status = status;
+    }
+
+    private async Task CheckUserForOtherFreeOrganizationOwnershipAsync(OrganizationUser organizationUser)
+    {
+        var relatedOrgUsersFromOtherOrgs = await organizationUserRepository.GetManyByUserAsync(organizationUser.UserId!.Value);
+        var otherOrgs = await organizationRepository.GetManyByUserIdAsync(organizationUser.UserId.Value);
+
+        var orgOrgUserDict = relatedOrgUsersFromOtherOrgs
+            .Where(x => x.Id != organizationUser.Id)
+            .ToDictionary(x => x, x => otherOrgs.FirstOrDefault(y => y.Id == x.OrganizationId));
+
+        CheckForOtherFreeOrganizationOwnership(organizationUser, orgOrgUserDict);
+    }
+
+    private async Task<Dictionary<OrganizationUser, Organization>> GetRelatedOrganizationUsersAndOrganizationsAsync(
+        List<OrganizationUser> organizationUsers)
+    {
+        var allUserIds = organizationUsers
+            .Where(x => x.UserId.HasValue)
+            .Select(x => x.UserId.Value);
+
+        var otherOrganizationUsers = (await organizationUserRepository.GetManyByManyUsersAsync(allUserIds))
+            .Where(x => organizationUsers.Any(y => y.Id == x.Id) == false)
+            .ToArray();
+
+        var otherOrgs = await organizationRepository.GetManyByIdsAsync(otherOrganizationUsers
+                .Select(x => x.OrganizationId)
+                .Distinct());
+
+        return otherOrganizationUsers
+            .ToDictionary(x => x, x => otherOrgs.FirstOrDefault(y => y.Id == x.OrganizationId));
+    }
+
+    private static void CheckForOtherFreeOrganizationOwnership(OrganizationUser organizationUser,
+        Dictionary<OrganizationUser, Organization> otherOrgUsersAndOrgs)
+    {
+        var ownerOrAdminList = new[] { OrganizationUserType.Owner, OrganizationUserType.Admin };
+
+        if (ownerOrAdminList.Any(x => organizationUser.Type == x) &&
+            otherOrgUsersAndOrgs.Any(x =>
+                x.Key.UserId == organizationUser.UserId &&
+                ownerOrAdminList.Any(userType => userType == x.Key.Type) &&
+                x.Key.Status == OrganizationUserStatusType.Confirmed &&
+                x.Value.PlanType == PlanType.Free))
+        {
+            throw new BadRequestException(
+                "User is an owner/admin of another free organization. Please have them upgrade to a paid plan to restore their account.");
+        }
+    }
+
+    public async Task<List<Tuple<OrganizationUser, string>>> RestoreUsersAsync(Guid organizationId,
+        IEnumerable<Guid> organizationUserIds, Guid? restoringUserId, IUserService userService)
+    {
+        var orgUsers = await organizationUserRepository.GetManyAsync(organizationUserIds);
+        var filteredUsers = orgUsers.Where(u => u.OrganizationId == organizationId)
+            .ToList();
+
+        if (filteredUsers.Count == 0)
+        {
+            throw new BadRequestException("Users invalid.");
+        }
+
+        var organization = await organizationRepository.GetByIdAsync(organizationId);
+        var occupiedSeats = await organizationUserRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
+        var availableSeats = organization.Seats.GetValueOrDefault(0) - occupiedSeats;
+        var newSeatsRequired = organizationUserIds.Count() - availableSeats;
+        await organizationService.AutoAddSeatsAsync(organization, newSeatsRequired);
+
+        var deletingUserIsOwner = false;
+        if (restoringUserId.HasValue)
+        {
+            deletingUserIsOwner = await currentContext.OrganizationOwner(organizationId);
+        }
+
+        // Query Two Factor Authentication status for all users in the organization
+        // This is an optimization to avoid querying the Two Factor Authentication status for each user individually
+        var organizationUsersTwoFactorEnabled = await twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(
+            filteredUsers.Where(ou => ou.UserId.HasValue).Select(ou => ou.UserId.Value));
+
+        var orgUsersAndOrgs = await GetRelatedOrganizationUsersAndOrganizationsAsync(filteredUsers);
+
+        var result = new List<Tuple<OrganizationUser, string>>();
+
+        foreach (var organizationUser in filteredUsers)
+        {
+            try
+            {
+                if (organizationUser.Status != OrganizationUserStatusType.Revoked)
+                {
+                    throw new BadRequestException("Already active.");
+                }
+
+                if (restoringUserId.HasValue && organizationUser.UserId == restoringUserId)
+                {
+                    throw new BadRequestException("You cannot restore yourself.");
+                }
+
+                if (organizationUser.Type == OrganizationUserType.Owner && restoringUserId.HasValue &&
+                    !deletingUserIsOwner)
+                {
+                    throw new BadRequestException("Only owners can restore other owners.");
+                }
+
+                var twoFactorIsEnabled = organizationUser.UserId.HasValue
+                                         && organizationUsersTwoFactorEnabled
+                                             .FirstOrDefault(ou => ou.userId == organizationUser.UserId.Value)
+                                             .twoFactorIsEnabled;
+
+                await CheckPoliciesBeforeRestoreAsync(organizationUser, twoFactorIsEnabled);
+
+                if (organization.PlanType == PlanType.Free)
+                {
+                    CheckForOtherFreeOrganizationOwnership(organizationUser, orgUsersAndOrgs);
+                }
+
+                var status = OrganizationService.GetPriorActiveOrganizationUserStatusType(organizationUser);
+
+                await organizationUserRepository.RestoreAsync(organizationUser.Id, status);
+                organizationUser.Status = status;
+                await eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
+                if (organizationUser.UserId.HasValue)
+                {
+                    await pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
+                }
+
+                result.Add(Tuple.Create(organizationUser, ""));
+            }
+            catch (BadRequestException e)
+            {
+                result.Add(Tuple.Create(organizationUser, e.Message));
+            }
+        }
+
+        return result;
+    }
+
+    private async Task CheckPoliciesBeforeRestoreAsync(OrganizationUser orgUser, bool userHasTwoFactorEnabled)
+    {
+        // An invited OrganizationUser isn't linked with a user account yet, so these checks are irrelevant
+        // The user will be subject to the same checks when they try to accept the invite
+        if (OrganizationService.GetPriorActiveOrganizationUserStatusType(orgUser) == OrganizationUserStatusType.Invited)
+        {
+            return;
+        }
+
+        var userId = orgUser.UserId.Value;
+
+        // Enforce Single Organization Policy of organization user is being restored to
+        var allOrgUsers = await organizationUserRepository.GetManyByUserAsync(userId);
+        var hasOtherOrgs = allOrgUsers.Any(ou => ou.OrganizationId != orgUser.OrganizationId);
+        var singleOrgPoliciesApplyingToRevokedUsers = await policyService.GetPoliciesApplicableToUserAsync(userId,
+            PolicyType.SingleOrg, OrganizationUserStatusType.Revoked);
+        var singleOrgPolicyApplies =
+            singleOrgPoliciesApplyingToRevokedUsers.Any(p => p.OrganizationId == orgUser.OrganizationId);
+
+        var singleOrgCompliant = true;
+        var belongsToOtherOrgCompliant = true;
+        var twoFactorCompliant = true;
+
+        if (hasOtherOrgs && singleOrgPolicyApplies)
+        {
+            singleOrgCompliant = false;
+        }
+
+        // Enforce Single Organization Policy of other organizations user is a member of
+        var anySingleOrgPolicies = await policyService.AnyPoliciesApplicableToUserAsync(userId, PolicyType.SingleOrg);
+        if (anySingleOrgPolicies)
+        {
+            belongsToOtherOrgCompliant = false;
+        }
+
+        // Enforce 2FA Policy of organization user is trying to join
+        if (!userHasTwoFactorEnabled)
+        {
+            var invitedTwoFactorPolicies = await policyService.GetPoliciesApplicableToUserAsync(userId,
+                PolicyType.TwoFactorAuthentication, OrganizationUserStatusType.Revoked);
+            if (invitedTwoFactorPolicies.Any(p => p.OrganizationId == orgUser.OrganizationId))
+            {
+                twoFactorCompliant = false;
+            }
+        }
+
+        var user = await userRepository.GetByIdAsync(userId);
+
+        if (!singleOrgCompliant && !twoFactorCompliant)
+        {
+            throw new BadRequestException(user.Email +
+                                          " is not compliant with the single organization and two-step login policy");
+        }
+        else if (!singleOrgCompliant)
+        {
+            throw new BadRequestException(user.Email + " is not compliant with the single organization policy");
+        }
+        else if (!belongsToOtherOrgCompliant)
+        {
+            throw new BadRequestException(user.Email +
+                                          " belongs to an organization that doesn't allow them to join multiple organizations");
+        }
+        else if (!twoFactorCompliant)
+        {
+            throw new BadRequestException(user.Email + " is not compliant with the two-step login policy");
+        }
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/Implementations/PolicyRequirementQuery.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/Implementations/PolicyRequirementQuery.cs
@ -8,21 +8,25 @@ namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.Implementations;

 public class PolicyRequirementQuery(
    IPolicyRepository policyRepository,
-    IEnumerable<RequirementFactory<IPolicyRequirement>> factories)
+    IEnumerable<IPolicyRequirementFactory<IPolicyRequirement>> factories)
    : IPolicyRequirementQuery
 {
    public async Task<T> GetAsync<T>(Guid userId) where T : IPolicyRequirement
    {
-        var factory = factories.OfType<RequirementFactory<T>>().SingleOrDefault();
+        var factory = factories.OfType<IPolicyRequirementFactory<T>>().SingleOrDefault();
        if (factory is null)
        {
-            throw new NotImplementedException("No Policy Requirement found for " + typeof(T));
+            throw new NotImplementedException("No Requirement Factory found for " + typeof(T));
        }

-        return factory(await GetPolicyDetails(userId));
+        var policyDetails = await GetPolicyDetails(userId);
+        var filteredPolicies = policyDetails
+            .Where(p => p.PolicyType == factory.PolicyType)
+            .Where(factory.Enforce);
+        var requirement = factory.Create(filteredPolicies);
+        return requirement;
    }

-    private Task<IEnumerable<PolicyDetails>> GetPolicyDetails(Guid userId) =>
-        policyRepository.GetPolicyDetailsByUserId(userId);
+    private Task<IEnumerable<PolicyDetails>> GetPolicyDetails(Guid userId)
+        => policyRepository.GetPolicyDetailsByUserId(userId);
 }
-
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/BasePolicyRequirementFactory.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/BasePolicyRequirementFactory.cs
@ -0,0 +1,44 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.Enums;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+/// <summary>
+/// A simple base implementation of <see cref="IPolicyRequirementFactory{T}"/> which will be suitable for most policies.
+/// It provides sensible defaults to help teams to implement their own Policy Requirements.
+/// </summary>
+/// <typeparam name="T"></typeparam>
+public abstract class BasePolicyRequirementFactory<T> : IPolicyRequirementFactory<T> where T : IPolicyRequirement
+{
+    /// <summary>
+    /// User roles that are exempt from policy enforcement.
+    /// Owners and Admins are exempt by default but this may be overridden.
+    /// </summary>
+    protected virtual IEnumerable<OrganizationUserType> ExemptRoles { get; } =
+        [OrganizationUserType.Owner, OrganizationUserType.Admin];
+
+    /// <summary>
+    /// User statuses that are exempt from policy enforcement.
+    /// Invited and Revoked users are exempt by default, which is appropriate in the majority of cases.
+    /// </summary>
+    protected virtual IEnumerable<OrganizationUserStatusType> ExemptStatuses { get; } =
+        [OrganizationUserStatusType.Invited, OrganizationUserStatusType.Revoked];
+
+    /// <summary>
+    /// Whether a Provider User for the organization is exempt from policy enforcement.
+    /// Provider Users are exempt by default, which is appropriate in the majority of cases.
+    /// </summary>
+    protected virtual bool ExemptProviders { get; } = true;
+
+    /// <inheritdoc />
+    public abstract PolicyType PolicyType { get; }
+
+    public bool Enforce(PolicyDetails policyDetails)
+        => !policyDetails.HasRole(ExemptRoles) &&
+            !policyDetails.HasStatus(ExemptStatuses) &&
+            (!policyDetails.IsProvider || !ExemptProviders);
+
+    /// <inheritdoc />
+    public abstract T Create(IEnumerable<PolicyDetails> policyDetails);
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/DisableSendPolicyRequirement.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/DisableSendPolicyRequirement.cs
@ -0,0 +1,27 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+/// <summary>
+/// Policy requirements for the Disable Send policy.
+/// </summary>
+public class DisableSendPolicyRequirement : IPolicyRequirement
+{
+    /// <summary>
+    /// Indicates whether Send is disabled for the user. If true, the user should not be able to create or edit Sends.
+    /// They may still delete existing Sends.
+    /// </summary>
+    public bool DisableSend { get; init; }
+}
+
+public class DisableSendPolicyRequirementFactory : BasePolicyRequirementFactory<DisableSendPolicyRequirement>
+{
+    public override PolicyType PolicyType => PolicyType.DisableSend;
+
+    public override DisableSendPolicyRequirement Create(IEnumerable<PolicyDetails> policyDetails)
+    {
+        var result = new DisableSendPolicyRequirement { DisableSend = policyDetails.Any() };
+        return result;
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/IPolicyRequirement.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/IPolicyRequirement.cs
@ -1,24 +1,11 @@
-#nullable enable
-
-using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Enums;

 namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;

 /// <summary>
-/// Represents the business requirements of how one or more enterprise policies will be enforced against a user.
-/// The implementation of this interface will depend on how the policies are enforced in the relevant domain.
+/// An object that represents how a <see cref="PolicyType"/> will be enforced against a user.
+/// This acts as a bridge between the <see cref="Policy"/> entity saved to the database and the domain that the policy
+/// affects. You may represent the impact of the policy in any way that makes sense for the domain.
 /// </summary>
 public interface IPolicyRequirement;
-
-/// <summary>
-/// A factory function that takes a sequence of <see cref="PolicyDetails"/> and transforms them into a single
-/// <see cref="IPolicyRequirement"/> for consumption by the relevant domain. This will receive *all* policy types
-/// that may be enforced against a user; when implementing this delegate, you must filter out irrelevant policy types
-/// as well as policies that should not be enforced against a user (e.g. due to the user's role or status).
-/// </summary>
-/// <remarks>
-/// See <see cref="PolicyRequirementHelpers"/> for extension methods to handle common requirements when implementing
-/// this delegate.
-/// </remarks>
-public delegate T RequirementFactory<out T>(IEnumerable<PolicyDetails> policyDetails)
-    where T : IPolicyRequirement;
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/IPolicyRequirementFactory.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/IPolicyRequirementFactory.cs
@ -0,0 +1,39 @@
+#nullable enable
+
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+/// <summary>
+/// An interface that defines how to create a single <see cref="IPolicyRequirement"/> from a sequence of
+/// <see cref="PolicyDetails"/>.
+/// </summary>
+/// <typeparam name="T">The <see cref="IPolicyRequirement"/> that the factory produces.</typeparam>
+/// <remarks>
+/// See <see cref="BasePolicyRequirementFactory{T}"/> for a simple base implementation suitable for most policies.
+/// </remarks>
+public interface IPolicyRequirementFactory<out T> where T : IPolicyRequirement
+{
+    /// <summary>
+    /// The <see cref="PolicyType"/> that the requirement relates to.
+    /// </summary>
+    PolicyType PolicyType { get; }
+
+    /// <summary>
+    /// A predicate that determines whether a policy should be enforced against the user.
+    /// </summary>
+    /// <remarks>Use this to exempt users based on their role, status or other attributes.</remarks>
+    /// <param name="policyDetails">Policy details for the defined PolicyType.</param>
+    /// <returns>True if the policy should be enforced against the user, false otherwise.</returns>
+    bool Enforce(PolicyDetails policyDetails);
+
+    /// <summary>
+    /// A reducer method that creates a single <see cref="IPolicyRequirement"/> from a set of PolicyDetails.
+    /// </summary>
+    /// <param name="policyDetails">
+    /// PolicyDetails for the specified PolicyType, after they have been filtered by the Enforce predicate. That is,
+    /// this is the final interface to be called.
+    /// </param>
+    T Create(IEnumerable<PolicyDetails> policyDetails);
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/PersonalOwnershipPolicyRequirement.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/PersonalOwnershipPolicyRequirement.cs
@ -0,0 +1,26 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+/// <summary>
+/// Policy requirements for the Disable Personal Ownership policy.
+/// </summary>
+public class PersonalOwnershipPolicyRequirement : IPolicyRequirement
+{
+    /// <summary>
+    /// Indicates whether Personal Ownership is disabled for the user. If true, members are required to save items to an organization.
+    /// </summary>
+    public bool DisablePersonalOwnership { get; init; }
+}
+
+public class PersonalOwnershipPolicyRequirementFactory : BasePolicyRequirementFactory<PersonalOwnershipPolicyRequirement>
+{
+    public override PolicyType PolicyType => PolicyType.PersonalOwnership;
+
+    public override PersonalOwnershipPolicyRequirement Create(IEnumerable<PolicyDetails> policyDetails)
+    {
+        var result = new PersonalOwnershipPolicyRequirement { DisablePersonalOwnership = policyDetails.Any() };
+        return result;
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/PolicyRequirementHelpers.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/PolicyRequirementHelpers.cs
@ -1,5 +1,4 @@
-using Bit.Core.AdminConsole.Enums;
-using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.Enums;

 namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
@ -7,35 +6,16 @@ namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements
 public static class PolicyRequirementHelpers
 {
    /// <summary>
-    /// Filters the PolicyDetails by PolicyType. This is generally required to only get the PolicyDetails that your
-    /// IPolicyRequirement relates to.
+    /// Returns true if the <see cref="PolicyDetails"/> is for one of the specified roles, false otherwise.
    /// </summary>
-    public static IEnumerable<PolicyDetails> GetPolicyType(
-        this IEnumerable<PolicyDetails> policyDetails,
-        PolicyType type)
-        => policyDetails.Where(x => x.PolicyType == type);
-
-    /// <summary>
-    /// Filters the PolicyDetails to remove the specified user roles. This can be used to exempt
-    /// owners and admins from policy enforcement.
-    /// </summary>
-    public static IEnumerable<PolicyDetails> ExemptRoles(
-        this IEnumerable<PolicyDetails> policyDetails,
+    public static bool HasRole(
+        this PolicyDetails policyDetails,
        IEnumerable<OrganizationUserType> roles)
-        => policyDetails.Where(x => !roles.Contains(x.OrganizationUserType));
+        => roles.Contains(policyDetails.OrganizationUserType);

    /// <summary>
-    /// Filters the PolicyDetails to remove organization users who are also provider users for the organization.
-    /// This can be used to exempt provider users from policy enforcement.
+    /// Returns true if the <see cref="PolicyDetails"/> relates to one of the specified statuses, false otherwise.
    /// </summary>
-    public static IEnumerable<PolicyDetails> ExemptProviders(this IEnumerable<PolicyDetails> policyDetails)
-        => policyDetails.Where(x => !x.IsProvider);
-
-    /// <summary>
-    /// Filters the PolicyDetails to remove the specified organization user statuses. For example, this can be used
-    /// to exempt users in the invited and revoked statuses from policy enforcement.
-    /// </summary>
-    public static IEnumerable<PolicyDetails> ExemptStatus(
-        this IEnumerable<PolicyDetails> policyDetails, IEnumerable<OrganizationUserStatusType> status)
-        => policyDetails.Where(x => !status.Contains(x.OrganizationUserStatus));
+    public static bool HasStatus(this PolicyDetails policyDetails, IEnumerable<OrganizationUserStatusType> status)
+        => status.Contains(policyDetails.OrganizationUserStatus);
 }
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/ResetPasswordPolicyRequirement.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/ResetPasswordPolicyRequirement.cs
@ -0,0 +1,48 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.Enums;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+/// <summary>
+/// Policy requirements for the Account recovery administration policy.
+/// </summary>
+public class ResetPasswordPolicyRequirement : IPolicyRequirement
+{
+    /// <summary>
+    /// List of Organization Ids that require automatic enrollment in password recovery.
+    /// </summary>
+    private IEnumerable<Guid> _autoEnrollOrganizations;
+    public IEnumerable<Guid> AutoEnrollOrganizations { init => _autoEnrollOrganizations = value; }
+
+    /// <summary>
+    /// Returns true if provided organizationId requires automatic enrollment in password recovery.
+    /// </summary>
+    public bool AutoEnrollEnabled(Guid organizationId)
+    {
+        return _autoEnrollOrganizations.Contains(organizationId);
+    }
+
+
+}
+
+public class ResetPasswordPolicyRequirementFactory : BasePolicyRequirementFactory<ResetPasswordPolicyRequirement>
+{
+    public override PolicyType PolicyType => PolicyType.ResetPassword;
+
+    protected override bool ExemptProviders => false;
+
+    protected override IEnumerable<OrganizationUserType> ExemptRoles => [];
+
+    protected override IEnumerable<OrganizationUserStatusType> ExemptStatuses => [OrganizationUserStatusType.Revoked];
+
+    public override ResetPasswordPolicyRequirement Create(IEnumerable<PolicyDetails> policyDetails)
+    {
+        var result = policyDetails
+        .Where(p => p.GetDataModel<ResetPasswordDataModel>().AutoEnrollEnabled)
+        .Select(p => p.OrganizationId)
+        .ToHashSet();
+
+        return new ResetPasswordPolicyRequirement() { AutoEnrollOrganizations = result };
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendOptionsPolicyRequirement.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendOptionsPolicyRequirement.cs
@ -0,0 +1,34 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+/// <summary>
+/// Policy requirements for the Send Options policy.
+/// </summary>
+public class SendOptionsPolicyRequirement : IPolicyRequirement
+{
+    /// <summary>
+    /// Indicates whether the user is prohibited from hiding their email from the recipient of a Send.
+    /// </summary>
+    public bool DisableHideEmail { get; init; }
+}
+
+public class SendOptionsPolicyRequirementFactory : BasePolicyRequirementFactory<SendOptionsPolicyRequirement>
+{
+    public override PolicyType PolicyType => PolicyType.SendOptions;
+
+    public override SendOptionsPolicyRequirement Create(IEnumerable<PolicyDetails> policyDetails)
+    {
+        var result = policyDetails
+            .Select(p => p.GetDataModel<SendOptionsPolicyData>())
+            .Aggregate(
+                new SendOptionsPolicyRequirement(),
+                (result, data) => new SendOptionsPolicyRequirement
+                {
+                    DisableHideEmail = result.DisableHideEmail || data.DisableHideEmail
+                });
+
+        return result;
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendPolicyRequirement.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendPolicyRequirement.cs
@ -1,54 +0,0 @@
-using Bit.Core.AdminConsole.Enums;
-using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
-using Bit.Core.Enums;
-
-namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
-
-/// <summary>
-/// Policy requirements for the Disable Send and Send Options policies.
-/// </summary>
-public class SendPolicyRequirement : IPolicyRequirement
-{
-    /// <summary>
-    /// Indicates whether Send is disabled for the user. If true, the user should not be able to create or edit Sends.
-    /// They may still delete existing Sends.
-    /// </summary>
-    public bool DisableSend { get; init; }
-    /// <summary>
-    /// Indicates whether the user is prohibited from hiding their email from the recipient of a Send.
-    /// </summary>
-    public bool DisableHideEmail { get; init; }
-
-    /// <summary>
-    /// Create a new SendPolicyRequirement.
-    /// </summary>
-    /// <param name="policyDetails">All PolicyDetails relating to the user.</param>
-    /// <remarks>
-    /// This is a <see cref="RequirementFactory{T}"/> for the SendPolicyRequirement.
-    /// </remarks>
-    public static SendPolicyRequirement Create(IEnumerable<PolicyDetails> policyDetails)
-    {
-        var filteredPolicies = policyDetails
-            .ExemptRoles([OrganizationUserType.Owner, OrganizationUserType.Admin])
-            .ExemptStatus([OrganizationUserStatusType.Invited, OrganizationUserStatusType.Revoked])
-            .ExemptProviders()
-            .ToList();
-
-        var result = filteredPolicies
-            .GetPolicyType(PolicyType.SendOptions)
-            .Select(p => p.GetDataModel<SendOptionsPolicyData>())
-            .Aggregate(
-                new SendPolicyRequirement
-                {
-                    // Set Disable Send requirement in the initial seed
-                    DisableSend = filteredPolicies.GetPolicyType(PolicyType.DisableSend).Any()
-                },
-                (result, data) => new SendPolicyRequirement
-                {
-                    DisableSend = result.DisableSend,
-                    DisableHideEmail = result.DisableHideEmail || data.DisableHideEmail
-                });
-
-        return result;
-    }
-}
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs
@ -31,32 +31,9 @@ public static class PolicyServiceCollectionExtensions

    private static void AddPolicyRequirements(this IServiceCollection services)
    {
-        // Register policy requirement factories here
-        services.AddPolicyRequirement(SendPolicyRequirement.Create);
+        services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, DisableSendPolicyRequirementFactory>();
+        services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, SendOptionsPolicyRequirementFactory>();
+        services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, ResetPasswordPolicyRequirementFactory>();
+        services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, PersonalOwnershipPolicyRequirementFactory>();
    }
-
-    /// <summary>
-    /// Used to register simple policy requirements where its factory method implements CreateRequirement.
-    /// This MUST be used rather than calling AddScoped directly, because it will ensure the factory method has
-    /// the correct type to be injected and then identified by <see cref="PolicyRequirementQuery"/> at runtime.
-    /// </summary>
-    /// <typeparam name="T">The specific PolicyRequirement being registered.</typeparam>
-    private static void AddPolicyRequirement<T>(this IServiceCollection serviceCollection, RequirementFactory<T> factory)
-        where T : class, IPolicyRequirement
-        => serviceCollection.AddPolicyRequirement(_ => factory);
-
-    /// <summary>
-    /// Used to register policy requirements where you need to access additional dependencies (usually to return a
-    /// curried factory method).
-    /// This MUST be used rather than calling AddScoped directly, because it will ensure the factory method has
-    /// the correct type to be injected and then identified by <see cref="PolicyRequirementQuery"/> at runtime.
-    /// </summary>
-    /// <typeparam name="T">
-    /// A callback that takes IServiceProvider and returns a RequirementFactory for
-    /// your policy requirement.
-    /// </typeparam>
-    private static void AddPolicyRequirement<T>(this IServiceCollection serviceCollection,
-        Func<IServiceProvider, RequirementFactory<T>> factory)
-        where T : class, IPolicyRequirement
-        => serviceCollection.AddScoped<RequirementFactory<IPolicyRequirement>>(factory);
 }
--- a/src/Core/AdminConsole/Repositories/IOrganizationIntegrationConfigurationRepository.cs
+++ b/src/Core/AdminConsole/Repositories/IOrganizationIntegrationConfigurationRepository.cs
@ -0,0 +1,13 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data.Organizations;
+
+namespace Bit.Core.Repositories;
+
+public interface IOrganizationIntegrationConfigurationRepository : IRepository<OrganizationIntegrationConfiguration, Guid>
+{
+    Task<List<OrganizationIntegrationConfigurationDetails>> GetConfigurationDetailsAsync(
+        Guid organizationId,
+        IntegrationType integrationType,
+        EventType eventType);
+}
--- a/src/Core/AdminConsole/Repositories/IOrganizationIntegrationRepository.cs
+++ b/src/Core/AdminConsole/Repositories/IOrganizationIntegrationRepository.cs
@ -0,0 +1,7 @@
+using Bit.Core.AdminConsole.Entities;
+
+namespace Bit.Core.Repositories;
+
+public interface IOrganizationIntegrationRepository : IRepository<OrganizationIntegration, Guid>
+{
+}
--- a/src/Core/AdminConsole/Repositories/IOrganizationRepository.cs
+++ b/src/Core/AdminConsole/Repositories/IOrganizationRepository.cs
@ -24,4 +24,5 @@ public interface IOrganizationRepository : IRepository<Organization, Guid>
    /// </summary>
    Task<ICollection<Organization>> GetByVerifiedUserEmailDomainAsync(Guid userId);
    Task<ICollection<Organization>> GetAddableToProviderByUserIdAsync(Guid userId, ProviderType providerType);
+    Task<ICollection<Organization>> GetManyByIdsAsync(IEnumerable<Guid> ids);
 }
--- a/src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs
+++ b/src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs
@ -1,4 +1,5 @@
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.KeyManagement.UserKey;
@ -68,4 +69,6 @@ public interface IOrganizationUserRepository : IRepository<OrganizationUser, Gui
    /// <param name="role">The role to search for</param>
    /// <returns>A list of OrganizationUsersUserDetails with the specified role</returns>
    Task<IEnumerable<OrganizationUserUserDetails>> GetManyDetailsByRoleAsync(Guid organizationId, OrganizationUserType role);
+
+    Task CreateManyAsync(IEnumerable<CreateOrganizationUser> organizationUserCollection);
 }
--- a/src/Core/AdminConsole/Services/IOrganizationService.cs
+++ b/src/Core/AdminConsole/Services/IOrganizationService.cs
@ -36,9 +36,6 @@ public interface IOrganizationService
        IEnumerable<(OrganizationUserInvite invite, string externalId)> invites);
    Task<IEnumerable<Tuple<OrganizationUser, string>>> ResendInvitesAsync(Guid organizationId, Guid? invitingUserId, IEnumerable<Guid> organizationUsersId);
    Task ResendInviteAsync(Guid organizationId, Guid? invitingUserId, Guid organizationUserId, bool initOrganization = false);
-    Task<OrganizationUser> ConfirmUserAsync(Guid organizationId, Guid organizationUserId, string key, Guid confirmingUserId);
-    Task<List<Tuple<OrganizationUser, string>>> ConfirmUsersAsync(Guid organizationId, Dictionary<Guid, string> keys,
-        Guid confirmingUserId);
    Task UpdateUserResetPasswordEnrollmentAsync(Guid organizationId, Guid userId, string resetPasswordKey, Guid? callingUserId);
    Task ImportAsync(Guid organizationId, IEnumerable<ImportedGroup> groups,
        IEnumerable<ImportedOrganizationUser> newUsers, IEnumerable<string> removeUserExternalIds,
@ -49,10 +46,6 @@ public interface IOrganizationService
    Task RevokeUserAsync(OrganizationUser organizationUser, EventSystemUser systemUser);
    Task<List<Tuple<OrganizationUser, string>>> RevokeUsersAsync(Guid organizationId,
        IEnumerable<Guid> organizationUserIds, Guid? revokingUserId);
-    Task RestoreUserAsync(OrganizationUser organizationUser, Guid? restoringUserId);
-    Task RestoreUserAsync(OrganizationUser organizationUser, EventSystemUser systemUser);
-    Task<List<Tuple<OrganizationUser, string>>> RestoreUsersAsync(Guid organizationId,
-        IEnumerable<Guid> organizationUserIds, Guid? restoringUserId, IUserService userService);
    Task CreatePendingOrganization(Organization organization, string ownerEmail, ClaimsPrincipal user, IUserService userService, bool salesAssistedTrialStarted);
    /// <summary>
    /// Update an Organization entry by setting the public/private keys, set it as 'Enabled' and move the Status from 'Pending' to 'Created'.
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@ -6,11 +6,13 @@ using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Models.Business;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Auth.Enums;
-using Bit.Core.Auth.Models.Business;
-using Bit.Core.Auth.Models.Business.Tokenables;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
 using Bit.Core.Billing.Constants;
@ -24,18 +26,17 @@ using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
 using Bit.Core.Models.Data;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
-using Bit.Core.Models.Mail;
 using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
-using Bit.Core.Tokens;
 using Bit.Core.Tools.Enums;
 using Bit.Core.Tools.Models.Business;
 using Bit.Core.Tools.Services;
 using Bit.Core.Utilities;
 using Microsoft.Extensions.Logging;
 using Stripe;
+using OrganizationUserInvite = Bit.Core.Models.Business.OrganizationUserInvite;

 namespace Bit.Core.Services;

@ -56,7 +57,6 @@ public class OrganizationService : IOrganizationService
    private readonly IPaymentService _paymentService;
    private readonly IPolicyRepository _policyRepository;
    private readonly IPolicyService _policyService;
-    private readonly ISsoConfigRepository _ssoConfigRepository;
    private readonly ISsoUserRepository _ssoUserRepository;
    private readonly IReferenceEventService _referenceEventService;
    private readonly IGlobalSettings _globalSettings;
@ -68,12 +68,12 @@ public class OrganizationService : IOrganizationService
    private readonly ICountNewSmSeatsRequiredQuery _countNewSmSeatsRequiredQuery;
    private readonly IUpdateSecretsManagerSubscriptionCommand _updateSecretsManagerSubscriptionCommand;
    private readonly IProviderRepository _providerRepository;
-    private readonly IOrgUserInviteTokenableFactory _orgUserInviteTokenableFactory;
-    private readonly IDataProtectorTokenFactory<OrgUserInviteTokenable> _orgUserInviteTokenDataFactory;
    private readonly IFeatureService _featureService;
    private readonly ITwoFactorIsEnabledQuery _twoFactorIsEnabledQuery;
    private readonly IHasConfirmedOwnersExceptQuery _hasConfirmedOwnersExceptQuery;
    private readonly IPricingClient _pricingClient;
+    private readonly IPolicyRequirementQuery _policyRequirementQuery;
+    private readonly ISendOrganizationInvitesCommand _sendOrganizationInvitesCommand;

    public OrganizationService(
        IOrganizationRepository organizationRepository,
@ -91,7 +91,6 @@ public class OrganizationService : IOrganizationService
        IPaymentService paymentService,
        IPolicyRepository policyRepository,
        IPolicyService policyService,
-        ISsoConfigRepository ssoConfigRepository,
        ISsoUserRepository ssoUserRepository,
        IReferenceEventService referenceEventService,
        IGlobalSettings globalSettings,
@ -101,14 +100,14 @@ public class OrganizationService : IOrganizationService
        IProviderOrganizationRepository providerOrganizationRepository,
        IProviderUserRepository providerUserRepository,
        ICountNewSmSeatsRequiredQuery countNewSmSeatsRequiredQuery,
-        IOrgUserInviteTokenableFactory orgUserInviteTokenableFactory,
-        IDataProtectorTokenFactory<OrgUserInviteTokenable> orgUserInviteTokenDataFactory,
        IUpdateSecretsManagerSubscriptionCommand updateSecretsManagerSubscriptionCommand,
        IProviderRepository providerRepository,
        IFeatureService featureService,
        ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
        IHasConfirmedOwnersExceptQuery hasConfirmedOwnersExceptQuery,
-        IPricingClient pricingClient)
+        IPricingClient pricingClient,
+        IPolicyRequirementQuery policyRequirementQuery,
+        ISendOrganizationInvitesCommand sendOrganizationInvitesCommand)
    {
        _organizationRepository = organizationRepository;
        _organizationUserRepository = organizationUserRepository;
@ -125,7 +124,6 @@ public class OrganizationService : IOrganizationService
        _paymentService = paymentService;
        _policyRepository = policyRepository;
        _policyService = policyService;
-        _ssoConfigRepository = ssoConfigRepository;
        _ssoUserRepository = ssoUserRepository;
        _referenceEventService = referenceEventService;
        _globalSettings = globalSettings;
@ -137,12 +135,12 @@ public class OrganizationService : IOrganizationService
        _countNewSmSeatsRequiredQuery = countNewSmSeatsRequiredQuery;
        _updateSecretsManagerSubscriptionCommand = updateSecretsManagerSubscriptionCommand;
        _providerRepository = providerRepository;
-        _orgUserInviteTokenableFactory = orgUserInviteTokenableFactory;
-        _orgUserInviteTokenDataFactory = orgUserInviteTokenDataFactory;
        _featureService = featureService;
        _twoFactorIsEnabledQuery = twoFactorIsEnabledQuery;
        _hasConfirmedOwnersExceptQuery = hasConfirmedOwnersExceptQuery;
        _pricingClient = pricingClient;
+        _policyRequirementQuery = policyRequirementQuery;
+        _sendOrganizationInvitesCommand = sendOrganizationInvitesCommand;
    }

    public async Task CancelSubscriptionAsync(Guid organizationId, bool? endOfPeriod = null)
@ -549,6 +547,7 @@ public class OrganizationService : IOrganizationService
            UseSecretsManager = license.UseSecretsManager,
            SmSeats = license.SmSeats,
            SmServiceAccounts = license.SmServiceAccounts,
+            UseRiskInsights = license.UseRiskInsights,
        };

        var result = await SignUpAsync(organization, owner.Id, ownerKey, collectionName, false);
@ -1028,166 +1027,14 @@ public class OrganizationService : IOrganizationService
        await SendInviteAsync(orgUser, org, initOrganization);
    }

-    private async Task SendInvitesAsync(IEnumerable<OrganizationUser> orgUsers, Organization organization)
-    {
-        var orgInvitesInfo = await BuildOrganizationInvitesInfoAsync(orgUsers, organization);
+    private async Task SendInvitesAsync(IEnumerable<OrganizationUser> orgUsers, Organization organization) =>
+        await _sendOrganizationInvitesCommand.SendInvitesAsync(new SendInvitesRequest(orgUsers, organization));

-        await _mailService.SendOrganizationInviteEmailsAsync(orgInvitesInfo);
-    }
-
-    private async Task SendInviteAsync(OrganizationUser orgUser, Organization organization, bool initOrganization)
-    {
-        // convert single org user into array of 1 org user
-        var orgUsers = new[] { orgUser };
-
-        var orgInvitesInfo = await BuildOrganizationInvitesInfoAsync(orgUsers, organization, initOrganization);
-
-        await _mailService.SendOrganizationInviteEmailsAsync(orgInvitesInfo);
-    }
-
-    private async Task<OrganizationInvitesInfo> BuildOrganizationInvitesInfoAsync(
-        IEnumerable<OrganizationUser> orgUsers,
-        Organization organization,
-        bool initOrganization = false)
-    {
-        // Materialize the sequence into a list to avoid multiple enumeration warnings
-        var orgUsersList = orgUsers.ToList();
-
-        // Email links must include information about the org and user for us to make routing decisions client side
-        // Given an org user, determine if existing BW user exists
-        var orgUserEmails = orgUsersList.Select(ou => ou.Email).ToList();
-        var existingUsers = await _userRepository.GetManyByEmailsAsync(orgUserEmails);
-
-        // hash existing users emails list for O(1) lookups
-        var existingUserEmailsHashSet = new HashSet<string>(existingUsers.Select(u => u.Email));
-
-        // Create a dictionary of org user guids and bools for whether or not they have an existing BW user
-        var orgUserHasExistingUserDict = orgUsersList.ToDictionary(
-            ou => ou.Id,
-            ou => existingUserEmailsHashSet.Contains(ou.Email)
-        );
-
-        // Determine if org has SSO enabled and if user is required to login with SSO
-        // Note: we only want to call the DB after checking if the org can use SSO per plan and if they have any policies enabled.
-        var orgSsoEnabled = organization.UseSso && (await _ssoConfigRepository.GetByOrganizationIdAsync(organization.Id))?.Enabled == true;
-        // Even though the require SSO policy can be turned on regardless of SSO being enabled, for this logic, we only
-        // need to check the policy if the org has SSO enabled.
-        var orgSsoLoginRequiredPolicyEnabled = orgSsoEnabled &&
-                                               organization.UsePolicies &&
-                                               (await _policyRepository.GetByOrganizationIdTypeAsync(organization.Id, PolicyType.RequireSso))?.Enabled == true;
-
-        // Generate the list of org users and expiring tokens
-        // create helper function to create expiring tokens
-        (OrganizationUser, ExpiringToken) MakeOrgUserExpiringTokenPair(OrganizationUser orgUser)
-        {
-            var orgUserInviteTokenable = _orgUserInviteTokenableFactory.CreateToken(orgUser);
-            var protectedToken = _orgUserInviteTokenDataFactory.Protect(orgUserInviteTokenable);
-            return (orgUser, new ExpiringToken(protectedToken, orgUserInviteTokenable.ExpirationDate));
-        }
-
-        var orgUsersWithExpTokens = orgUsers.Select(MakeOrgUserExpiringTokenPair);
-
-        return new OrganizationInvitesInfo(
-            organization,
-            orgSsoEnabled,
-            orgSsoLoginRequiredPolicyEnabled,
-            orgUsersWithExpTokens,
-            orgUserHasExistingUserDict,
-            initOrganization
-        );
-    }
-
-    public async Task<OrganizationUser> ConfirmUserAsync(Guid organizationId, Guid organizationUserId, string key,
-        Guid confirmingUserId)
-    {
-        var result = await ConfirmUsersAsync(
-            organizationId,
-            new Dictionary<Guid, string>() { { organizationUserId, key } },
-            confirmingUserId);
-
-        if (!result.Any())
-        {
-            throw new BadRequestException("User not valid.");
-        }
-
-        var (orgUser, error) = result[0];
-        if (error != "")
-        {
-            throw new BadRequestException(error);
-        }
-        return orgUser;
-    }
-
-    public async Task<List<Tuple<OrganizationUser, string>>> ConfirmUsersAsync(Guid organizationId, Dictionary<Guid, string> keys,
-        Guid confirmingUserId)
-    {
-        var selectedOrganizationUsers = await _organizationUserRepository.GetManyAsync(keys.Keys);
-        var validSelectedOrganizationUsers = selectedOrganizationUsers
-            .Where(u => u.Status == OrganizationUserStatusType.Accepted && u.OrganizationId == organizationId && u.UserId != null)
-            .ToList();
-
-        if (!validSelectedOrganizationUsers.Any())
-        {
-            return new List<Tuple<OrganizationUser, string>>();
-        }
-
-        var validSelectedUserIds = validSelectedOrganizationUsers.Select(u => u.UserId.Value).ToList();
-
-        var organization = await GetOrgById(organizationId);
-        var allUsersOrgs = await _organizationUserRepository.GetManyByManyUsersAsync(validSelectedUserIds);
-        var users = await _userRepository.GetManyAsync(validSelectedUserIds);
-        var usersTwoFactorEnabled = await _twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(validSelectedUserIds);
-
-        var keyedFilteredUsers = validSelectedOrganizationUsers.ToDictionary(u => u.UserId.Value, u => u);
-        var keyedOrganizationUsers = allUsersOrgs.GroupBy(u => u.UserId.Value)
-            .ToDictionary(u => u.Key, u => u.ToList());
-
-        var succeededUsers = new List<OrganizationUser>();
-        var result = new List<Tuple<OrganizationUser, string>>();
-
-        foreach (var user in users)
-        {
-            if (!keyedFilteredUsers.ContainsKey(user.Id))
-            {
-                continue;
-            }
-            var orgUser = keyedFilteredUsers[user.Id];
-            var orgUsers = keyedOrganizationUsers.GetValueOrDefault(user.Id, new List<OrganizationUser>());
-            try
-            {
-                if (organization.PlanType == PlanType.Free && (orgUser.Type == OrganizationUserType.Admin
-                    || orgUser.Type == OrganizationUserType.Owner))
-                {
-                    // Since free organizations only supports a few users there is not much point in avoiding N+1 queries for this.
-                    var adminCount = await _organizationUserRepository.GetCountByFreeOrganizationAdminUserAsync(user.Id);
-                    if (adminCount > 0)
-                    {
-                        throw new BadRequestException("User can only be an admin of one free organization.");
-                    }
-                }
-
-                var twoFactorEnabled = usersTwoFactorEnabled.FirstOrDefault(tuple => tuple.userId == user.Id).twoFactorIsEnabled;
-                await CheckPoliciesAsync(organizationId, user, orgUsers, twoFactorEnabled);
-                orgUser.Status = OrganizationUserStatusType.Confirmed;
-                orgUser.Key = keys[orgUser.Id];
-                orgUser.Email = null;
-
-                await _eventService.LogOrganizationUserEventAsync(orgUser, EventType.OrganizationUser_Confirmed);
-                await _mailService.SendOrganizationConfirmedEmailAsync(organization.DisplayName(), user.Email, orgUser.AccessSecretsManager);
-                await DeleteAndPushUserRegistrationAsync(organizationId, user.Id);
-                succeededUsers.Add(orgUser);
-                result.Add(Tuple.Create(orgUser, ""));
-            }
-            catch (BadRequestException e)
-            {
-                result.Add(Tuple.Create(orgUser, e.Message));
-            }
-        }
-
-        await _organizationUserRepository.ReplaceManyAsync(succeededUsers);
-
-        return result;
-    }
+    private async Task SendInviteAsync(OrganizationUser orgUser, Organization organization, bool initOrganization) =>
+        await _sendOrganizationInvitesCommand.SendInvitesAsync(new SendInvitesRequest(
+            users: [orgUser],
+            organization: organization,
+            initOrganization: initOrganization));

    internal async Task<(bool canScale, string failureReason)> CanScaleAsync(
        Organization organization,
@ -1275,32 +1122,7 @@ public class OrganizationService : IOrganizationService
        }
    }

-    private async Task CheckPoliciesAsync(Guid organizationId, User user,
-        ICollection<OrganizationUser> userOrgs, bool twoFactorEnabled)
-    {
-        // Enforce Two Factor Authentication Policy for this organization
-        var orgRequiresTwoFactor = (await _policyService.GetPoliciesApplicableToUserAsync(user.Id, PolicyType.TwoFactorAuthentication))
-            .Any(p => p.OrganizationId == organizationId);
-        if (orgRequiresTwoFactor && !twoFactorEnabled)
-        {
-            throw new BadRequestException("User does not have two-step login enabled.");
-        }

-        var hasOtherOrgs = userOrgs.Any(ou => ou.OrganizationId != organizationId);
-        var singleOrgPolicies = await _policyService.GetPoliciesApplicableToUserAsync(user.Id, PolicyType.SingleOrg);
-        var otherSingleOrgPolicies =
-            singleOrgPolicies.Where(p => p.OrganizationId != organizationId);
-        // Enforce Single Organization Policy for this organization
-        if (hasOtherOrgs && singleOrgPolicies.Any(p => p.OrganizationId == organizationId))
-        {
-            throw new BadRequestException("Cannot confirm this member to the organization until they leave or remove all other organizations.");
-        }
-        // Enforce Single Organization Policy of other organizations user is a member of
-        if (otherSingleOrgPolicies.Any())
-        {
-            throw new BadRequestException("Cannot confirm this member to the organization because they are in another organization which forbids it.");
-        }
-    }

    public async Task UpdateUserResetPasswordEnrollmentAsync(Guid organizationId, Guid userId, string resetPasswordKey, Guid? callingUserId)
    {
@ -1328,13 +1150,25 @@ public class OrganizationService : IOrganizationService
        }

        // Block the user from withdrawal if auto enrollment is enabled
-        if (resetPasswordKey == null && resetPasswordPolicy.Data != null)
+        if (_featureService.IsEnabled(FeatureFlagKeys.PolicyRequirements))
        {
-            var data = JsonSerializer.Deserialize<ResetPasswordDataModel>(resetPasswordPolicy.Data, JsonHelpers.IgnoreCase);
-
-            if (data?.AutoEnrollEnabled ?? false)
+            var resetPasswordPolicyRequirement = await _policyRequirementQuery.GetAsync<ResetPasswordPolicyRequirement>(userId);
+            if (resetPasswordKey == null && resetPasswordPolicyRequirement.AutoEnrollEnabled(organizationId))
            {
-                throw new BadRequestException("Due to an Enterprise Policy, you are not allowed to withdraw from Password Reset.");
+                throw new BadRequestException("Due to an Enterprise Policy, you are not allowed to withdraw from account recovery.");
+            }
+
+        }
+        else
+        {
+            if (resetPasswordKey == null && resetPasswordPolicy.Data != null)
+            {
+                var data = JsonSerializer.Deserialize<ResetPasswordDataModel>(resetPasswordPolicy.Data, JsonHelpers.IgnoreCase);
+
+                if (data?.AutoEnrollEnabled ?? false)
+                {
+                    throw new BadRequestException("Due to an Enterprise Policy, you are not allowed to withdraw from account recovery.");
+                }
            }
        }

@ -1598,15 +1432,6 @@ public class OrganizationService : IOrganizationService
        await _groupRepository.UpdateUsersAsync(group.Id, users);
    }

-    private async Task DeleteAndPushUserRegistrationAsync(Guid organizationId, Guid userId)
-    {
-        var devices = await GetUserDeviceIdsAsync(userId);
-        await _pushRegistrationService.DeleteUserRegistrationOrganizationAsync(devices,
-            organizationId.ToString());
-        await _pushNotificationService.PushSyncOrgKeysAsync(userId);
-    }
-
-
    private async Task<IEnumerable<string>> GetUserDeviceIdsAsync(Guid userId)
    {
        var devices = await _deviceRepository.GetManyByUserIdAsync(userId);
@ -1878,7 +1703,7 @@ public class OrganizationService : IOrganizationService
        await RepositoryRevokeUserAsync(organizationUser);
        await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Revoked);

-        if (_featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) && organizationUser.UserId.HasValue)
+        if (organizationUser.UserId.HasValue)
        {
            await _pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
        }
@ -1890,7 +1715,7 @@ public class OrganizationService : IOrganizationService
        await RepositoryRevokeUserAsync(organizationUser);
        await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Revoked, systemUser);

-        if (_featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) && organizationUser.UserId.HasValue)
+        if (organizationUser.UserId.HasValue)
        {
            await _pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
        }
@ -1959,145 +1784,7 @@ public class OrganizationService : IOrganizationService
                await _organizationUserRepository.RevokeAsync(organizationUser.Id);
                organizationUser.Status = OrganizationUserStatusType.Revoked;
                await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Revoked);
-                if (_featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) && organizationUser.UserId.HasValue)
-                {
-                    await _pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
-                }
-
-                result.Add(Tuple.Create(organizationUser, ""));
-            }
-            catch (BadRequestException e)
-            {
-                result.Add(Tuple.Create(organizationUser, e.Message));
-            }
-        }
-
-        return result;
-    }
-
-    public async Task RestoreUserAsync(OrganizationUser organizationUser, Guid? restoringUserId)
-    {
-        if (restoringUserId.HasValue && organizationUser.UserId == restoringUserId.Value)
-        {
-            throw new BadRequestException("You cannot restore yourself.");
-        }
-
-        if (organizationUser.Type == OrganizationUserType.Owner && restoringUserId.HasValue &&
-            !await _currentContext.OrganizationOwner(organizationUser.OrganizationId))
-        {
-            throw new BadRequestException("Only owners can restore other owners.");
-        }
-
-        await RepositoryRestoreUserAsync(organizationUser);
-        await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
-
-        if (_featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) && organizationUser.UserId.HasValue)
-        {
-            await _pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
-        }
-    }
-
-    public async Task RestoreUserAsync(OrganizationUser organizationUser, EventSystemUser systemUser)
-    {
-        await RepositoryRestoreUserAsync(organizationUser);
-        await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored, systemUser);
-
-        if (_featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) && organizationUser.UserId.HasValue)
-        {
-            await _pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
-        }
-    }
-
-    private async Task RepositoryRestoreUserAsync(OrganizationUser organizationUser)
-    {
-        if (organizationUser.Status != OrganizationUserStatusType.Revoked)
-        {
-            throw new BadRequestException("Already active.");
-        }
-
-        var organization = await _organizationRepository.GetByIdAsync(organizationUser.OrganizationId);
-        var occupiedSeats = await _organizationUserRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
-        var availableSeats = organization.Seats.GetValueOrDefault(0) - occupiedSeats;
-        if (availableSeats < 1)
-        {
-            await AutoAddSeatsAsync(organization, 1);
-        }
-
-        var userTwoFactorIsEnabled = false;
-        // Only check Two Factor Authentication status if the user is linked to a user account
-        if (organizationUser.UserId.HasValue)
-        {
-            userTwoFactorIsEnabled = (await _twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(new[] { organizationUser.UserId.Value })).FirstOrDefault().twoFactorIsEnabled;
-        }
-
-        await CheckPoliciesBeforeRestoreAsync(organizationUser, userTwoFactorIsEnabled);
-
-        var status = GetPriorActiveOrganizationUserStatusType(organizationUser);
-
-        await _organizationUserRepository.RestoreAsync(organizationUser.Id, status);
-        organizationUser.Status = status;
-    }
-
-    public async Task<List<Tuple<OrganizationUser, string>>> RestoreUsersAsync(Guid organizationId,
-        IEnumerable<Guid> organizationUserIds, Guid? restoringUserId, IUserService userService)
-    {
-        var orgUsers = await _organizationUserRepository.GetManyAsync(organizationUserIds);
-        var filteredUsers = orgUsers.Where(u => u.OrganizationId == organizationId)
-            .ToList();
-
-        if (!filteredUsers.Any())
-        {
-            throw new BadRequestException("Users invalid.");
-        }
-
-        var organization = await _organizationRepository.GetByIdAsync(organizationId);
-        var occupiedSeats = await _organizationUserRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
-        var availableSeats = organization.Seats.GetValueOrDefault(0) - occupiedSeats;
-        var newSeatsRequired = organizationUserIds.Count() - availableSeats;
-        await AutoAddSeatsAsync(organization, newSeatsRequired);
-
-        var deletingUserIsOwner = false;
-        if (restoringUserId.HasValue)
-        {
-            deletingUserIsOwner = await _currentContext.OrganizationOwner(organizationId);
-        }
-
-        // Query Two Factor Authentication status for all users in the organization
-        // This is an optimization to avoid querying the Two Factor Authentication status for each user individually
-        var organizationUsersTwoFactorEnabled = await _twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(
-            filteredUsers.Where(ou => ou.UserId.HasValue).Select(ou => ou.UserId.Value));
-
-        var result = new List<Tuple<OrganizationUser, string>>();
-
-        foreach (var organizationUser in filteredUsers)
-        {
-            try
-            {
-                if (organizationUser.Status != OrganizationUserStatusType.Revoked)
-                {
-                    throw new BadRequestException("Already active.");
-                }
-
-                if (restoringUserId.HasValue && organizationUser.UserId == restoringUserId)
-                {
-                    throw new BadRequestException("You cannot restore yourself.");
-                }
-
-                if (organizationUser.Type == OrganizationUserType.Owner && restoringUserId.HasValue && !deletingUserIsOwner)
-                {
-                    throw new BadRequestException("Only owners can restore other owners.");
-                }
-
-                var twoFactorIsEnabled = organizationUser.UserId.HasValue
-                    && organizationUsersTwoFactorEnabled.FirstOrDefault(ou => ou.userId == organizationUser.UserId.Value).twoFactorIsEnabled;
-                await CheckPoliciesBeforeRestoreAsync(organizationUser, twoFactorIsEnabled);
-
-                var status = GetPriorActiveOrganizationUserStatusType(organizationUser);
-
-                await _organizationUserRepository.RestoreAsync(organizationUser.Id, status);
-                organizationUser.Status = status;
-                await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
-                if (_featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) && organizationUser.UserId.HasValue)
+                if (organizationUser.UserId.HasValue)
                {
                    await _pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
                }
@ -2179,7 +1866,7 @@ public class OrganizationService : IOrganizationService
        }
    }

-    static OrganizationUserStatusType GetPriorActiveOrganizationUserStatusType(OrganizationUser organizationUser)
+    public static OrganizationUserStatusType GetPriorActiveOrganizationUserStatusType(OrganizationUser organizationUser)
    {
        // Determine status to revert back to
        var status = OrganizationUserStatusType.Invited;
--- a/src/Core/AdminConsole/Shared/Validation/IValidator.cs
+++ b/src/Core/AdminConsole/Shared/Validation/IValidator.cs
@ -0,0 +1,6 @@
+namespace Bit.Core.AdminConsole.Shared.Validation;
+
+public interface IValidator<T>
+{
+    public Task<ValidationResult<T>> ValidateAsync(T value);
+}
--- a/src/Core/AdminConsole/Shared/Validation/ValidationResult.cs
+++ b/src/Core/AdminConsole/Shared/Validation/ValidationResult.cs
@ -0,0 +1,44 @@
+using Bit.Core.AdminConsole.Errors;
+
+namespace Bit.Core.AdminConsole.Shared.Validation;
+
+public abstract record ValidationResult<T>;
+
+public record Valid<T> : ValidationResult<T>
+{
+    public Valid() { }
+
+    public Valid(T Value)
+    {
+        this.Value = Value;
+    }
+
+    public T Value { get; init; }
+}
+
+public record Invalid<T> : ValidationResult<T>
+{
+    public IEnumerable<Error<T>> Errors { get; init; } = [];
+
+    public string ErrorMessageString => string.Join(" ", Errors.Select(e => e.Message));
+
+    public Invalid() { }
+
+    public Invalid(Error<T> error) : this([error]) { }
+
+    public Invalid(IEnumerable<Error<T>> errors)
+    {
+        Errors = errors;
+    }
+}
+
+public static class ValidationResultMappers
+{
+    public static ValidationResult<B> Map<A, B>(this ValidationResult<A> validationResult, B invalidValue) =>
+        validationResult switch
+        {
+            Valid<A> => new Valid<B>(invalidValue),
+            Invalid<A> invalid => new Invalid<B>(invalid.Errors.Select(x => x.ToError(invalidValue))),
+            _ => throw new ArgumentOutOfRangeException(nameof(validationResult), "Unhandled validation result type")
+        };
+}