diff --git a/src/Core/Services/Implementations/PolicyService.cs b/src/Core/Services/Implementations/PolicyService.cs
index 5b27dc328b..5e33bff28b 100644
--- a/src/Core/Services/Implementations/PolicyService.cs
+++ b/src/Core/Services/Implementations/PolicyService.cs
@@ -82,7 +82,6 @@ namespace Bit.Core.Services
                 var currentPolicy = await _policyRepository.GetByIdAsync(policy.Id);
                 if (!currentPolicy?.Enabled ?? true)
                 {
-                    Organization organization = null;
                     var orgUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(
                         policy.OrganizationId);
                     var removableOrgUsers = orgUsers.Where(ou =>
@@ -96,28 +95,26 @@ namespace Bit.Core.Services
                             {
                                 if (!await userService.TwoFactorIsEnabledAsync(orgUser))
                                 {
-                                    organization = organization ?? await _organizationRepository.GetByIdAsync(policy.OrganizationId);
                                     await organizationService.DeleteUserAsync(policy.OrganizationId, orgUser.Id,
                                         savingUserId);
                                     await _mailService.SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(
-                                        organization.Name, orgUser.Email);
+                                        org.Name, orgUser.Email);
                                 }
                             }
                         break;
                         case Enums.PolicyType.SingleOrg:
                             var userOrgs = await _organizationUserRepository.GetManyByManyUsersAsync(
                                     removableOrgUsers.Select(ou => ou.UserId.Value));
-                            organization = organization ?? await _organizationRepository.GetByIdAsync(policy.OrganizationId);
                             foreach (var orgUser in removableOrgUsers)
                             {
                                 if (userOrgs.Any(ou => ou.UserId == orgUser.UserId 
-                                            && ou.OrganizationId != organization.Id 
+                                            && ou.OrganizationId != org.Id 
                                             && ou.Status != OrganizationUserStatusType.Invited))
                                 {
                                     await organizationService.DeleteUserAsync(policy.OrganizationId, orgUser.Id,
                                         savingUserId);
                                     await _mailService.SendOrganizationUserRemovedForPolicySingleOrgEmailAsync(
-                                        organization.Name, orgUser.Email);
+                                        org.Name, orgUser.Email);
                                 }
                             }
                         break;
@@ -126,7 +123,7 @@ namespace Bit.Core.Services
                     }
                 }
             }
-            policy.RevisionDate = DateTime.UtcNow;
+            policy.RevisionDate = now;
             await _policyRepository.UpsertAsync(policy);
             await _eventService.LogPolicyEventAsync(policy, Enums.EventType.Policy_Updated);
         }
diff --git a/test/Core.Test/AutoFixture/PolicyFixtures.cs b/test/Core.Test/AutoFixture/PolicyFixtures.cs
index ff791676fb..ad79ff1cfe 100644
--- a/test/Core.Test/AutoFixture/PolicyFixtures.cs
+++ b/test/Core.Test/AutoFixture/PolicyFixtures.cs
@@ -1,4 +1,5 @@
-using System.Reflection;
+using System;
+using System.Reflection;
 using AutoFixture;
 using AutoFixture.Xunit2;
 using Bit.Core.Enums;
@@ -17,6 +18,7 @@ namespace Bit.Core.Test.AutoFixture.OrganizationUserFixtures
         public void Customize(IFixture fixture)
         {
             fixture.Customize<Core.Models.Table.Policy>(composer => composer
+                .With(o => o.OrganizationId, Guid.NewGuid())
                 .With(o => o.Type, Type)
                 .With(o => o.Enabled, true));
         }
diff --git a/test/Core.Test/Services/PolicyServiceTests.cs b/test/Core.Test/Services/PolicyServiceTests.cs
new file mode 100644
index 0000000000..ae04805b34
--- /dev/null
+++ b/test/Core.Test/Services/PolicyServiceTests.cs
@@ -0,0 +1,295 @@
+using System;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Table;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Test.AutoFixture;
+using Bit.Core.Test.AutoFixture.Attributes;
+using Bit.Core.Test.AutoFixture.OrganizationUserFixtures;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.Services
+{
+    public class PolicyServiceTests
+    {
+        [Theory, CustomAutoData(typeof(SutProviderCustomization))]
+        public async Task SaveAsync_OrganizationDoesNotExist_ThrowsBadRequest([Policy(Enums.PolicyType.DisableSend)] Core.Models.Table.Policy policy, SutProvider<PolicyService> sutProvider)
+        {
+            SetupOrg(sutProvider, policy.OrganizationId, null);
+
+            var badRequestException = await Assert.ThrowsAsync<BadRequestException>(
+                () => sutProvider.Sut.SaveAsync(policy,
+                    Substitute.For<IUserService>(),
+                    Substitute.For<IOrganizationService>(),
+                    Guid.NewGuid()));
+
+            Assert.Contains("Organization not found", badRequestException.Message, StringComparison.OrdinalIgnoreCase);
+
+            await sutProvider.GetDependency<IPolicyRepository>()
+                .DidNotReceiveWithAnyArgs()
+                .UpsertAsync(default);
+
+            await sutProvider.GetDependency<IEventService>()
+                .DidNotReceiveWithAnyArgs()
+                .LogPolicyEventAsync(default, default, default);
+        }
+
+        [Theory, CustomAutoData(typeof(SutProviderCustomization))]
+        public async Task SaveAsync_OrganizationCannotUsePolicies_ThrowsBadRequest([Policy(Enums.PolicyType.DisableSend)] Core.Models.Table.Policy policy, SutProvider<PolicyService> sutProvider)
+        {
+            var orgId = Guid.NewGuid();
+
+            SetupOrg(sutProvider, policy.OrganizationId, new Organization 
+            {
+                UsePolicies = false,
+            });
+
+            var badRequestException = await Assert.ThrowsAsync<BadRequestException>(
+                () => sutProvider.Sut.SaveAsync(policy,
+                    Substitute.For<IUserService>(),
+                    Substitute.For<IOrganizationService>(),
+                    Guid.NewGuid()));
+
+            Assert.Contains("cannot use policies", badRequestException.Message, StringComparison.OrdinalIgnoreCase);
+
+            await sutProvider.GetDependency<IPolicyRepository>()
+                .DidNotReceiveWithAnyArgs()
+                .UpsertAsync(default);
+
+            await sutProvider.GetDependency<IEventService>()
+                .DidNotReceiveWithAnyArgs()
+                .LogPolicyEventAsync(default, default, default);
+        }
+
+        [Theory, CustomAutoData(typeof(SutProviderCustomization))]
+        public async Task SaveAsync_SingleOrg_RequireSsoEnabled_ThrowsBadRequest([Policy(Enums.PolicyType.SingleOrg)] Core.Models.Table.Policy policy, SutProvider<PolicyService> sutProvider)
+        {
+            policy.Enabled = false;
+
+            SetupOrg(sutProvider, policy.OrganizationId, new Organization
+            {
+                Id = policy.OrganizationId,
+                UsePolicies = true,
+            });
+
+            sutProvider.GetDependency<IPolicyRepository>()
+                .GetByOrganizationIdTypeAsync(policy.OrganizationId, Enums.PolicyType.RequireSso)
+                .Returns(Task.FromResult(new Core.Models.Table.Policy { Enabled = true }));
+
+            var badRequestException = await Assert.ThrowsAsync<BadRequestException>(
+                () => sutProvider.Sut.SaveAsync(policy,
+                    Substitute.For<IUserService>(),
+                    Substitute.For<IOrganizationService>(),
+                    Guid.NewGuid()));
+
+            Assert.Contains("Single Sign-On Authentication policy is enabled.", badRequestException.Message, StringComparison.OrdinalIgnoreCase);
+
+            await sutProvider.GetDependency<IPolicyRepository>()
+                .DidNotReceiveWithAnyArgs()
+                .UpsertAsync(default);
+
+            await sutProvider.GetDependency<IEventService>()
+                .DidNotReceiveWithAnyArgs()
+                .LogPolicyEventAsync(default, default, default);
+        }
+
+        [Theory, CustomAutoData(typeof(SutProviderCustomization))]
+        public async Task SaveAsync_RequireSsoPolicy_NotEnabled_ThrowsBadRequestAsync([Policy(Enums.PolicyType.RequireSso)] Core.Models.Table.Policy policy, SutProvider<PolicyService> sutProvider)
+        {
+            policy.Enabled = true;
+
+            SetupOrg(sutProvider, policy.OrganizationId, new Organization
+            {
+                Id = policy.OrganizationId,
+                UsePolicies = true,
+            });
+
+            sutProvider.GetDependency<IPolicyRepository>()
+                .GetByOrganizationIdTypeAsync(policy.OrganizationId, Enums.PolicyType.SingleOrg)
+                .Returns(Task.FromResult(new Core.Models.Table.Policy { Enabled = false }));
+
+            var badRequestException = await Assert.ThrowsAsync<BadRequestException>(
+                () => sutProvider.Sut.SaveAsync(policy,
+                    Substitute.For<IUserService>(),
+                    Substitute.For<IOrganizationService>(),
+                    Guid.NewGuid()));
+
+            Assert.Contains("Single Organization policy not enabled.", badRequestException.Message, StringComparison.OrdinalIgnoreCase);
+
+            await sutProvider.GetDependency<IPolicyRepository>()
+                .DidNotReceiveWithAnyArgs()
+                .UpsertAsync(default);
+
+            await sutProvider.GetDependency<IEventService>()
+                .DidNotReceiveWithAnyArgs()
+                .LogPolicyEventAsync(default, default, default);
+        }
+
+        [Theory, CustomAutoData(typeof(SutProviderCustomization))]
+        public async Task SaveAsync_NewPolicy_Created([Policy(Enums.PolicyType.MasterPassword)] Core.Models.Table.Policy policy, SutProvider<PolicyService> sutProvider)
+        {
+            policy.Id = default;
+
+            SetupOrg(sutProvider, policy.OrganizationId, new Organization
+            {
+                Id = policy.OrganizationId,
+                UsePolicies = true,
+            });
+
+            var utcNow = DateTime.UtcNow;
+
+            await sutProvider.Sut.SaveAsync(policy, Substitute.For<IUserService>(), Substitute.For<IOrganizationService>(), Guid.NewGuid());
+
+            await sutProvider.GetDependency<IEventService>().Received()
+                .LogPolicyEventAsync(policy, Enums.EventType.Policy_Updated);
+
+            await sutProvider.GetDependency<IPolicyRepository>().Received()
+                .UpsertAsync(policy);
+
+            Assert.True(policy.CreationDate - utcNow < TimeSpan.FromSeconds(1));
+            Assert.True(policy.RevisionDate - utcNow < TimeSpan.FromSeconds(1));
+        }
+
+        [Theory, CustomAutoData(typeof(SutProviderCustomization))]
+        public async Task SaveAsync_ExistingPolicy_UpdateTwoFactor([Policy(Enums.PolicyType.TwoFactorAuthentication)] Core.Models.Table.Policy policy, SutProvider<PolicyService> sutProvider)
+        {
+            // If the policy that this is updating isn't enabled then do some work now that the current one is enabled
+
+            var org = new Organization
+            {
+                Id = policy.OrganizationId,
+                UsePolicies = true,
+                Name = "TEST",
+            };
+
+            SetupOrg(sutProvider, policy.OrganizationId, org);
+
+            sutProvider.GetDependency<IPolicyRepository>()
+                .GetByIdAsync(policy.Id)
+                .Returns(new Core.Models.Table.Policy
+                { 
+                    Id = policy.Id,
+                    Type = Enums.PolicyType.TwoFactorAuthentication,
+                    Enabled = false,
+                });
+
+            var orgUserDetail = new Core.Models.Data.OrganizationUserUserDetails
+            {
+                Id = Guid.NewGuid(),
+                Status = Enums.OrganizationUserStatusType.Accepted,
+                Type = Enums.OrganizationUserType.User,
+                // Needs to be different from what is passed in as the savingUserId to Sut.SaveAsync
+                Email = "test@bitwarden.com",
+                Name = "TEST",
+                UserId = Guid.NewGuid(),
+            };
+
+            sutProvider.GetDependency<IOrganizationUserRepository>()
+                .GetManyDetailsByOrganizationAsync(policy.OrganizationId)
+                .Returns(new List<Core.Models.Data.OrganizationUserUserDetails>
+                {
+                    orgUserDetail,
+                });
+
+            var userService = Substitute.For<IUserService>();
+            var organizationService = Substitute.For<IOrganizationService>();
+
+            userService.TwoFactorIsEnabledAsync(orgUserDetail)
+                .Returns(false);
+
+            var utcNow = DateTime.UtcNow;
+
+            var savingUserId = Guid.NewGuid();
+
+            await sutProvider.Sut.SaveAsync(policy, userService, organizationService, savingUserId);
+
+            await organizationService.Received()
+                .DeleteUserAsync(policy.OrganizationId, orgUserDetail.Id, savingUserId);
+
+            await sutProvider.GetDependency<IMailService>().Received()
+                .SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(org.Name, orgUserDetail.Email);
+
+            await sutProvider.GetDependency<IEventService>().Received()
+                .LogPolicyEventAsync(policy, Enums.EventType.Policy_Updated);
+
+            await sutProvider.GetDependency<IPolicyRepository>().Received()
+                .UpsertAsync(policy);
+
+            Assert.True(policy.CreationDate - utcNow < TimeSpan.FromSeconds(1));
+            Assert.True(policy.RevisionDate - utcNow < TimeSpan.FromSeconds(1));
+        }
+
+        [Theory, CustomAutoData(typeof(SutProviderCustomization))]
+        public async Task SaveAsync_ExistingPolicy_UpdateSingleOrg([Policy(Enums.PolicyType.TwoFactorAuthentication)] Core.Models.Table.Policy policy, SutProvider<PolicyService> sutProvider)
+        {
+            // If the policy that this is updating isn't enabled then do some work now that the current one is enabled
+
+            var org = new Organization
+            {
+                Id = policy.OrganizationId,
+                UsePolicies = true,
+                Name = "TEST",
+            };
+
+            SetupOrg(sutProvider, policy.OrganizationId, org);
+
+            sutProvider.GetDependency<IPolicyRepository>()
+                .GetByIdAsync(policy.Id)
+                .Returns(new Core.Models.Table.Policy
+                {
+                    Id = policy.Id,
+                    Type = Enums.PolicyType.SingleOrg,
+                    Enabled = false,
+                });
+
+            var orgUserDetail = new Core.Models.Data.OrganizationUserUserDetails
+            {
+                Id = Guid.NewGuid(),
+                Status = Enums.OrganizationUserStatusType.Accepted,
+                Type = Enums.OrganizationUserType.User,
+                // Needs to be different from what is passed in as the savingUserId to Sut.SaveAsync
+                Email = "test@bitwarden.com",
+                Name = "TEST",
+                UserId = Guid.NewGuid(),
+            };
+
+            sutProvider.GetDependency<IOrganizationUserRepository>()
+                .GetManyDetailsByOrganizationAsync(policy.OrganizationId)
+                .Returns(new List<Core.Models.Data.OrganizationUserUserDetails>
+                {
+                    orgUserDetail,
+                });
+
+            var userService = Substitute.For<IUserService>();
+            var organizationService = Substitute.For<IOrganizationService>();
+
+            userService.TwoFactorIsEnabledAsync(orgUserDetail)
+                .Returns(false);
+
+            var utcNow = DateTime.UtcNow;
+
+            var savingUserId = Guid.NewGuid();
+
+            await sutProvider.Sut.SaveAsync(policy, userService, organizationService, savingUserId);
+
+            await sutProvider.GetDependency<IEventService>().Received()
+                .LogPolicyEventAsync(policy, Enums.EventType.Policy_Updated);
+
+            await sutProvider.GetDependency<IPolicyRepository>().Received()
+                .UpsertAsync(policy);
+
+            Assert.True(policy.CreationDate - utcNow < TimeSpan.FromSeconds(1));
+            Assert.True(policy.RevisionDate - utcNow < TimeSpan.FromSeconds(1));
+        }
+
+        private static void SetupOrg(SutProvider<PolicyService> sutProvider, Guid organizationId, Organization organization)
+        {
+            sutProvider.GetDependency<IOrganizationRepository>()
+                .GetByIdAsync(organizationId)
+                .Returns(Task.FromResult(organization));
+        }
+    }
+}
diff --git a/test/Core.Test/Services/SsoConfigServiceTests.cs b/test/Core.Test/Services/SsoConfigServiceTests.cs
new file mode 100644
index 0000000000..403df8dac7
--- /dev/null
+++ b/test/Core.Test/Services/SsoConfigServiceTests.cs
@@ -0,0 +1,70 @@
+using System;
+using System.Threading.Tasks;
+using Bit.Core.Models.Table;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Test.AutoFixture;
+using Bit.Core.Test.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.Services
+{
+    public class SsoConfigServiceTests
+    {
+        [Theory, CustomAutoData(typeof(SutProviderCustomization))]
+        public async Task SaveAsync_ExistingItem_UpdatesRevisionDateOnly(SutProvider<SsoConfigService> sutProvider)
+        {
+
+            var utcNow = DateTime.UtcNow;
+
+            var ssoConfig = new SsoConfig
+            {
+                Id = 1,
+                Data = "TESTDATA",
+                Enabled = true,
+                OrganizationId = Guid.NewGuid(),
+                CreationDate = utcNow.AddDays(-10),
+                RevisionDate = utcNow.AddDays(-10),
+            };
+
+            sutProvider.GetDependency<ISsoConfigRepository>()
+                .UpsertAsync(ssoConfig).Returns(Task.CompletedTask);
+
+            await sutProvider.Sut.SaveAsync(ssoConfig);
+
+            await sutProvider.GetDependency<ISsoConfigRepository>().Received()
+                .UpsertAsync(ssoConfig);
+
+            Assert.Equal(utcNow.AddDays(-10), ssoConfig.CreationDate);
+            Assert.True(ssoConfig.RevisionDate - utcNow < TimeSpan.FromSeconds(1));
+        }
+
+        [Theory, CustomAutoData(typeof(SutProviderCustomization))]
+        public async Task SaveAsync_NewItem_UpdatesCreationAndRevisionDate(SutProvider<SsoConfigService> sutProvider)
+        {
+            var utcNow = DateTime.UtcNow;
+
+            var ssoConfig = new SsoConfig
+            {
+                Id = default,
+                Data = "TESTDATA",
+                Enabled = true,
+                OrganizationId = Guid.NewGuid(),
+                CreationDate = utcNow.AddDays(-10),
+                RevisionDate = utcNow.AddDays(-10),
+            };
+
+            sutProvider.GetDependency<ISsoConfigRepository>()
+                .UpsertAsync(ssoConfig).Returns(Task.CompletedTask);
+
+            await sutProvider.Sut.SaveAsync(ssoConfig);
+
+            await sutProvider.GetDependency<ISsoConfigRepository>().Received()
+                .UpsertAsync(ssoConfig);
+
+            Assert.True(ssoConfig.CreationDate - utcNow < TimeSpan.FromSeconds(1));
+            Assert.True(ssoConfig.RevisionDate - utcNow < TimeSpan.FromSeconds(1));
+        }
+    }
+}