Delayed the hasSecretsManagerStandalone call as long as possible.

bitwarden_license/src/Scim/Models/ScimUserRequestModel.cs

@@ -32,8 +32,7 @@ public class ScimUserRequestModel : BaseScimUserModel
     public InviteOrganizationUsersRequest ToRequest(
         ScimProviderType scimProvider,
         InviteOrganization inviteOrganization,
-        DateTimeOffset performedAt,
+        DateTimeOffset performedAt)
-        bool hasSecretsManagerStandalone)
     {
         var email = EmailForInvite(scimProvider);
 
@@ -47,8 +46,7 @@ public class ScimUserRequestModel : BaseScimUserModel
             [
                 new Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models.OrganizationUserInvite(
                         email: email,
-                        externalId: ExternalIdForInvite(),
+                        externalId: ExternalIdForInvite()
-                        accessSecretsManager: hasSecretsManagerStandalone
                     )
             ],
             inviteOrganization: inviteOrganization,

bitwarden_license/src/Scim/Users/PostUserCommand.cs

@@ -56,13 +56,10 @@ public class PostUserCommand(
 
         var plan = await pricingClient.GetPlanOrThrow(organization.PlanType);
 
-        var hasSecretsManagerStandalone = await paymentService.HasSecretsManagerStandalone(organization);
-
         var request = model.ToRequest(
             scimProvider: scimProvider,
             inviteOrganization: new InviteOrganization(organization, plan),
-            performedAt: timeProvider.GetUtcNow(),
+            performedAt: timeProvider.GetUtcNow());
-            hasSecretsManagerStandalone);
 
         var orgUsers = await organizationUserRepository
             .GetManyDetailsByOrganizationAsync(request.InviteOrganization.OrganizationId);

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteUserOrganizationValidationRequest.cs

@@ -6,9 +6,11 @@ namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUse
 
 public class InviteUserOrganizationValidationRequest
 {
-    public InviteUserOrganizationValidationRequest() { }
+    public InviteUserOrganizationValidationRequest()
+    {
+    }
 
-    public InviteUserOrganizationValidationRequest(InviteUserOrganizationValidationRequest request, PasswordManagerSubscriptionUpdate subscriptionUpdate, SecretsManagerSubscriptionUpdate smSubscriptionUpdate)
+    public InviteUserOrganizationValidationRequest(InviteUserOrganizationValidationRequest request)
     {
         Invites = request.Invites;
         InviteOrganization = request.InviteOrganization;
@@ -16,6 +18,13 @@ public class InviteUserOrganizationValidationRequest
         PerformedAt = request.PerformedAt;
         OccupiedPmSeats = request.OccupiedPmSeats;
         OccupiedSmSeats = request.OccupiedSmSeats;
+    }
+
+    public InviteUserOrganizationValidationRequest(InviteUserOrganizationValidationRequest request,
+        PasswordManagerSubscriptionUpdate subscriptionUpdate,
+        SecretsManagerSubscriptionUpdate smSubscriptionUpdate)
+        : this(request)
+    {
         PasswordManagerSubscriptionUpdate = subscriptionUpdate;
         SecretsManagerSubscriptionUpdate = smSubscriptionUpdate;
     }

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/OrganizationUserInvite.cs

@@ -17,7 +17,7 @@ public class OrganizationUserInvite
     public bool AccessSecretsManager { get; private init; }
     public Guid[] Groups { get; private init; }
 
-    public OrganizationUserInvite(string email, string externalId, bool accessSecretsManager) :
+    public OrganizationUserInvite(string email, string externalId) :
         this(
             email: email,
             assignedCollections: [],
@@ -25,10 +25,22 @@ public class OrganizationUserInvite
             type: OrganizationUserType.User,
             permissions: new Permissions(),
             externalId: externalId,
-            accessSecretsManager: accessSecretsManager)
+            false)
     {
     }
 
+    public OrganizationUserInvite(OrganizationUserInvite invite, bool accessSecretsManager) :
+        this(invite.Email,
+            invite.AssignedCollections,
+            invite.Groups,
+            invite.Type,
+            invite.Permissions,
+            invite.ExternalId,
+            accessSecretsManager)
+    {
+
+    }
+
     public OrganizationUserInvite(string email,
         IEnumerable<CollectionAccessSelection> assignedCollections,
         IEnumerable<Guid> groups,

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Validation/InviteOrganizationUserValidator.cs

@@ -6,6 +6,9 @@ using Bit.Core.AdminConsole.Shared.Validation;
 using Bit.Core.Models.Business;
 using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
 using Bit.Core.Repositories;
+using Bit.Core.Services;
+using OrganizationUserInvite = Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models.OrganizationUserInvite;
+
 namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation;
 
 public interface IInviteUsersValidator : IValidator<InviteUserOrganizationValidationRequest>;
@@ -13,7 +16,8 @@ public interface IInviteUsersValidator : IValidator<InviteUserOrganizationValida
 public class InviteUsersValidator(
     IOrganizationRepository organizationRepository,
     IInviteUsersPasswordManagerValidator inviteUsersPasswordManagerValidator,
-    IUpdateSecretsManagerSubscriptionCommand secretsManagerSubscriptionCommand) : IInviteUsersValidator
+    IUpdateSecretsManagerSubscriptionCommand secretsManagerSubscriptionCommand,
+    IPaymentService paymentService) : IInviteUsersValidator
 {
     public async Task<ValidationResult<InviteUserOrganizationValidationRequest>> ValidateAsync(InviteUserOrganizationValidationRequest request)
     {
@@ -26,6 +30,18 @@ public class InviteUsersValidator(
             return invalidSubscriptionUpdate.Map(request);
         }
 
+        // If the organization has the Secrets Manager Standalone Discount, all users are added to secrets manager.
+        // This is an expensive call, so we're doing it now to delay the check as long as possible.
+        if (await paymentService.HasSecretsManagerStandalone(request.InviteOrganization))
+        {
+            request = new InviteUserOrganizationValidationRequest(request)
+            {
+                Invites = request.Invites
+                    .Select(x => new OrganizationUserInvite(x, accessSecretsManager: true))
+                    .ToArray()
+            };
+        }
+
         if (request.InviteOrganization.UseSecretsManager && request.Invites.Any(x => x.AccessSecretsManager))
         {
             return await ValidateSecretsManagerSubscriptionUpdateAsync(request, subscriptionUpdate);