Merge branch 'main' into PM-19180

.github/CODEOWNERS

@@ -37,6 +37,8 @@ util/Setup/** @bitwarden/dept-bre @bitwarden/team-platform-dev
 **/Auth @bitwarden/team-auth-dev
 bitwarden_license/src/Sso @bitwarden/team-auth-dev
 src/Identity @bitwarden/team-auth-dev
+src/Core/Identity @bitwarden/team-auth-dev
+src/Core/IdentityServer @bitwarden/team-auth-dev
 
 # Key Management team
 **/KeyManagement @bitwarden/team-key-management-dev

.github/workflows/build.yml

@@ -627,55 +627,16 @@ jobs:
               }
             })
 
-  trigger-ee-updates:
+  setup-ephemeral-environment:
-    name: Trigger Ephemeral Environment updates
+    name: Setup Ephemeral Environment
-    if: |
+    needs: build-docker
-      needs.build-artifacts.outputs.has_secrets == 'true'
-      && github.event_name == 'pull_request'
-      && contains(github.event.pull_request.labels.*.name, 'ephemeral-environment')
-    runs-on: ubuntu-24.04
-    needs:
-      - build-docker
-    steps:
-      - name: Log in to Azure - CI subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
-        with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
-
-      - name: Retrieve GitHub PAT secrets
-        id: retrieve-secret-pat
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
-
-      - name: Trigger Ephemeral Environment update
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        with:
-          github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
-          script: |
-            await github.rest.actions.createWorkflowDispatch({
-              owner: 'bitwarden',
-              repo: 'devops',
-              workflow_id: '_update_ephemeral_tags.yml',
-              ref: 'main',
-              inputs: {
-                ephemeral_env_branch: process.env.GITHUB_HEAD_REF
-              }
-            })
-
-  trigger-ephemeral-environment-sync:
-    name: Trigger Ephemeral Environment Sync
-    needs: trigger-ee-updates
     if: |
       needs.build-artifacts.outputs.has_secrets == 'true'
       && github.event_name == 'pull_request'
       && contains(github.event.pull_request.labels.*.name, 'ephemeral-environment')
     uses: bitwarden/gh-actions/.github/workflows/_ephemeral_environment_manager.yml@main
     with:
-      ephemeral_env_branch: process.env.GITHUB_HEAD_REF
       project: server
-      sync_environment: true
       pull_request_number: ${{ github.event.number }}
     secrets: inherit
 

.github/workflows/ephemeral-environment.yml

@@ -5,34 +5,12 @@ on:
     types: [labeled]
 
 jobs:
-  trigger-ee-updates:
+  setup-ephemeral-environment:
-    name: Trigger Ephemeral Environment updates
+    name: Setup Ephemeral Environment
-    runs-on: ubuntu-24.04
     if: github.event.label.name == 'ephemeral-environment'
-    steps:
+    uses: bitwarden/gh-actions/.github/workflows/_ephemeral_environment_manager.yml@main
-      - name: Log in to Azure - CI subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
     with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+      project: server
-
+      pull_request_number: ${{ github.event.number }}
-      - name: Retrieve GitHub PAT secrets
+      sync_environment: true
-        id: retrieve-secret-pat
+    secrets: inherit
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
-
-      - name: Trigger Ephemeral Environment update
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        with:
-          github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
-          script: |
-            await github.rest.actions.createWorkflowDispatch({
-              owner: 'bitwarden',
-              repo: 'devops',
-              workflow_id: '_update_ephemeral_tags.yml',
-              ref: 'main',
-              inputs: {
-                ephemeral_env_branch: process.env.GITHUB_HEAD_REF
-              }
-            })

Directory.Build.props

@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.4.0</Version>
+    <Version>2025.4.1</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>

bitwarden_license/src/Commercial.Core/AdminConsole/Providers/CreateProviderCommand.cs

@@ -48,7 +48,7 @@ public class CreateProviderCommand : ICreateProviderCommand
         await ProviderRepositoryCreateAsync(provider, ProviderStatusType.Created);
     }
 
-    public async Task CreateMultiOrganizationEnterpriseAsync(Provider provider, string ownerEmail, PlanType plan, int minimumSeats)
+    public async Task CreateBusinessUnitAsync(Provider provider, string ownerEmail, PlanType plan, int minimumSeats)
     {
         var providerId = await CreateProviderAsync(provider, ownerEmail);
 

bitwarden_license/src/Commercial.Core/AdminConsole/Services/ProviderService.cs

@@ -692,10 +692,10 @@ public class ProviderService : IProviderService
                     throw new BadRequestException($"Managed Service Providers cannot manage organizations with the plan type {requestedType}. Only Teams (Monthly) and Enterprise (Monthly) are allowed.");
                 }
                 break;
-            case ProviderType.MultiOrganizationEnterprise:
+            case ProviderType.BusinessUnit:
                 if (requestedType is not (PlanType.EnterpriseMonthly or PlanType.EnterpriseAnnually))
                 {
-                    throw new BadRequestException($"Multi-organization Enterprise Providers cannot manage organizations with the plan type {requestedType}. Only Enterprise (Monthly) and Enterprise (Annually) are allowed.");
+                    throw new BadRequestException($"Business Unit Providers cannot manage organizations with the plan type {requestedType}. Only Enterprise (Monthly) and Enterprise (Annually) are allowed.");
                 }
                 break;
             case ProviderType.Reseller:

bitwarden_license/src/Commercial.Core/Billing/BusinessUnitConverter.cs

@@ -0,0 +1,462 @@
+#nullable enable
+using System.Diagnostics.CodeAnalysis;
+using Bit.Core;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Entities.Provider;
+using Bit.Core.AdminConsole.Enums.Provider;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Billing;
+using Bit.Core.Billing.Constants;
+using Bit.Core.Billing.Entities;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Extensions;
+using Bit.Core.Billing.Pricing;
+using Bit.Core.Billing.Repositories;
+using Bit.Core.Billing.Services;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Settings;
+using Bit.Core.Utilities;
+using Microsoft.AspNetCore.DataProtection;
+using Microsoft.Extensions.Logging;
+using OneOf;
+using Stripe;
+
+namespace Bit.Commercial.Core.Billing;
+
+[RequireFeature(FeatureFlagKeys.PM18770_EnableOrganizationBusinessUnitConversion)]
+public class BusinessUnitConverter(
+    IDataProtectionProvider dataProtectionProvider,
+    GlobalSettings globalSettings,
+    ILogger<BusinessUnitConverter> logger,
+    IMailService mailService,
+    IOrganizationRepository organizationRepository,
+    IOrganizationUserRepository organizationUserRepository,
+    IPricingClient pricingClient,
+    IProviderOrganizationRepository providerOrganizationRepository,
+    IProviderPlanRepository providerPlanRepository,
+    IProviderRepository providerRepository,
+    IProviderUserRepository providerUserRepository,
+    IStripeAdapter stripeAdapter,
+    ISubscriberService subscriberService,
+    IUserRepository userRepository) : IBusinessUnitConverter
+{
+    private readonly IDataProtector _dataProtector =
+        dataProtectionProvider.CreateProtector($"{nameof(BusinessUnitConverter)}DataProtector");
+
+    public async Task<Guid> FinalizeConversion(
+        Organization organization,
+        Guid userId,
+        string token,
+        string providerKey,
+        string organizationKey)
+    {
+        var user = await userRepository.GetByIdAsync(userId);
+
+        var (subscription, provider, providerOrganization, providerUser) = await ValidateFinalizationAsync(organization, user, token);
+
+        var existingPlan = await pricingClient.GetPlanOrThrow(organization.PlanType);
+        var updatedPlan = await pricingClient.GetPlanOrThrow(existingPlan.IsAnnual ? PlanType.EnterpriseAnnually : PlanType.EnterpriseMonthly);
+
+        // Bring organization under management.
+        organization.Plan = updatedPlan.Name;
+        organization.PlanType = updatedPlan.Type;
+        organization.MaxCollections = updatedPlan.PasswordManager.MaxCollections;
+        organization.MaxStorageGb = updatedPlan.PasswordManager.BaseStorageGb;
+        organization.UsePolicies = updatedPlan.HasPolicies;
+        organization.UseSso = updatedPlan.HasSso;
+        organization.UseGroups = updatedPlan.HasGroups;
+        organization.UseEvents = updatedPlan.HasEvents;
+        organization.UseDirectory = updatedPlan.HasDirectory;
+        organization.UseTotp = updatedPlan.HasTotp;
+        organization.Use2fa = updatedPlan.Has2fa;
+        organization.UseApi = updatedPlan.HasApi;
+        organization.UseResetPassword = updatedPlan.HasResetPassword;
+        organization.SelfHost = updatedPlan.HasSelfHost;
+        organization.UsersGetPremium = updatedPlan.UsersGetPremium;
+        organization.UseCustomPermissions = updatedPlan.HasCustomPermissions;
+        organization.UseScim = updatedPlan.HasScim;
+        organization.UseKeyConnector = updatedPlan.HasKeyConnector;
+        organization.MaxStorageGb = updatedPlan.PasswordManager.BaseStorageGb;
+        organization.BillingEmail = provider.BillingEmail!;
+        organization.GatewayCustomerId = null;
+        organization.GatewaySubscriptionId = null;
+        organization.ExpirationDate = null;
+        organization.MaxAutoscaleSeats = null;
+        organization.Status = OrganizationStatusType.Managed;
+
+        // Enable organization access via key exchange.
+        providerOrganization.Key = organizationKey;
+
+        // Complete provider setup.
+        provider.Gateway = GatewayType.Stripe;
+        provider.GatewayCustomerId = subscription.CustomerId;
+        provider.GatewaySubscriptionId = subscription.Id;
+        provider.Status = ProviderStatusType.Billable;
+
+        // Enable provider access via key exchange.
+        providerUser.Key = providerKey;
+        providerUser.Status = ProviderUserStatusType.Confirmed;
+
+        // Stripe requires that we clear all the custom fields from the invoice settings if we want to replace them.
+        await stripeAdapter.CustomerUpdateAsync(subscription.CustomerId, new CustomerUpdateOptions
+        {
+            InvoiceSettings = new CustomerInvoiceSettingsOptions
+            {
+                CustomFields = []
+            }
+        });
+
+        var metadata = new Dictionary<string, string>
+        {
+            [StripeConstants.MetadataKeys.OrganizationId] = string.Empty,
+            [StripeConstants.MetadataKeys.ProviderId] = provider.Id.ToString(),
+            ["convertedFrom"] = organization.Id.ToString()
+        };
+
+        var updateCustomer = stripeAdapter.CustomerUpdateAsync(subscription.CustomerId, new CustomerUpdateOptions
+        {
+            InvoiceSettings = new CustomerInvoiceSettingsOptions
+            {
+                CustomFields = [
+                    new CustomerInvoiceSettingsCustomFieldOptions
+                    {
+                        Name = provider.SubscriberType(),
+                        Value = provider.DisplayName()?.Length <= 30
+                            ? provider.DisplayName()
+                            : provider.DisplayName()?[..30]
+                    }
+                ]
+            },
+            Metadata = metadata
+        });
+
+        // Find the existing password manager price on the subscription.
+        var passwordManagerItem = subscription.Items.First(item =>
+        {
+            var priceId = existingPlan.HasNonSeatBasedPasswordManagerPlan()
+                ? existingPlan.PasswordManager.StripePlanId
+                : existingPlan.PasswordManager.StripeSeatPlanId;
+
+            return item.Price.Id == priceId;
+        });
+
+        // Get the new business unit price.
+        var updatedPriceId = ProviderPriceAdapter.GetActivePriceId(provider, updatedPlan.Type);
+
+        // Replace the existing password manager price with the new business unit price.
+        var updateSubscription =
+            stripeAdapter.SubscriptionUpdateAsync(subscription.Id,
+                new SubscriptionUpdateOptions
+                {
+                    Items = [
+                        new SubscriptionItemOptions
+                        {
+                            Id = passwordManagerItem.Id,
+                            Deleted = true
+                        },
+                        new SubscriptionItemOptions
+                        {
+                            Price = updatedPriceId,
+                            Quantity = organization.Seats
+                        }
+                    ],
+                    Metadata = metadata
+                });
+
+        await Task.WhenAll(updateCustomer, updateSubscription);
+
+        // Complete database updates for provider setup.
+        await Task.WhenAll(
+            organizationRepository.ReplaceAsync(organization),
+            providerOrganizationRepository.ReplaceAsync(providerOrganization),
+            providerRepository.ReplaceAsync(provider),
+            providerUserRepository.ReplaceAsync(providerUser));
+
+        return provider.Id;
+    }
+
+    public async Task<OneOf<Guid, List<string>>> InitiateConversion(
+        Organization organization,
+        string providerAdminEmail)
+    {
+        var user = await userRepository.GetByEmailAsync(providerAdminEmail);
+
+        var problems = await ValidateInitiationAsync(organization, user);
+
+        if (problems is { Count: > 0 })
+        {
+            return problems;
+        }
+
+        var provider = await providerRepository.CreateAsync(new Provider
+        {
+            Name = organization.Name,
+            BillingEmail = organization.BillingEmail,
+            Status = ProviderStatusType.Pending,
+            UseEvents = true,
+            Type = ProviderType.BusinessUnit
+        });
+
+        var plan = await pricingClient.GetPlanOrThrow(organization.PlanType);
+
+        var managedPlanType = plan.IsAnnual
+            ? PlanType.EnterpriseAnnually
+            : PlanType.EnterpriseMonthly;
+
+        var createProviderOrganization = providerOrganizationRepository.CreateAsync(new ProviderOrganization
+        {
+            ProviderId = provider.Id,
+            OrganizationId = organization.Id
+        });
+
+        var createProviderPlan = providerPlanRepository.CreateAsync(new ProviderPlan
+        {
+            ProviderId = provider.Id,
+            PlanType = managedPlanType,
+            SeatMinimum = 0,
+            PurchasedSeats = organization.Seats,
+            AllocatedSeats = organization.Seats
+        });
+
+        var createProviderUser = providerUserRepository.CreateAsync(new ProviderUser
+        {
+            ProviderId = provider.Id,
+            UserId = user!.Id,
+            Email = user.Email,
+            Status = ProviderUserStatusType.Invited,
+            Type = ProviderUserType.ProviderAdmin
+        });
+
+        await Task.WhenAll(createProviderOrganization, createProviderPlan, createProviderUser);
+
+        await SendInviteAsync(organization, user.Email);
+
+        return provider.Id;
+    }
+
+    public Task ResendConversionInvite(
+        Organization organization,
+        string providerAdminEmail) =>
+        IfConversionInProgressAsync(organization, providerAdminEmail,
+            async (_, _, providerUser) =>
+            {
+                if (!string.IsNullOrEmpty(providerUser.Email))
+                {
+                    await SendInviteAsync(organization, providerUser.Email);
+                }
+            });
+
+    public Task ResetConversion(
+        Organization organization,
+        string providerAdminEmail) =>
+        IfConversionInProgressAsync(organization, providerAdminEmail,
+            async (provider, providerOrganization, providerUser) =>
+            {
+                var tasks = new List<Task>
+                {
+                    providerOrganizationRepository.DeleteAsync(providerOrganization),
+                    providerUserRepository.DeleteAsync(providerUser)
+                };
+
+                var providerPlans = await providerPlanRepository.GetByProviderId(provider.Id);
+
+                if (providerPlans is { Count: > 0 })
+                {
+                    tasks.AddRange(providerPlans.Select(providerPlanRepository.DeleteAsync));
+                }
+
+                await Task.WhenAll(tasks);
+
+                await providerRepository.DeleteAsync(provider);
+            });
+
+    #region Utilities
+
+    private async Task IfConversionInProgressAsync(
+        Organization organization,
+        string providerAdminEmail,
+        Func<Provider, ProviderOrganization, ProviderUser, Task> callback)
+    {
+        var user = await userRepository.GetByEmailAsync(providerAdminEmail);
+
+        if (user == null)
+        {
+            return;
+        }
+
+        var provider = await providerRepository.GetByOrganizationIdAsync(organization.Id);
+
+        if (provider is not
+            {
+                Type: ProviderType.BusinessUnit,
+                Status: ProviderStatusType.Pending
+            })
+        {
+            return;
+        }
+
+        var providerUser = await providerUserRepository.GetByProviderUserAsync(provider.Id, user.Id);
+
+        if (providerUser is
+            {
+                Type: ProviderUserType.ProviderAdmin,
+                Status: ProviderUserStatusType.Invited
+            })
+        {
+            var providerOrganization = await providerOrganizationRepository.GetByOrganizationId(organization.Id);
+            await callback(provider, providerOrganization!, providerUser);
+        }
+    }
+
+    private async Task SendInviteAsync(
+        Organization organization,
+        string providerAdminEmail)
+    {
+        var token = _dataProtector.Protect(
+            $"BusinessUnitConversionInvite {organization.Id} {providerAdminEmail} {CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow)}");
+
+        await mailService.SendBusinessUnitConversionInviteAsync(organization, token, providerAdminEmail);
+    }
+
+    private async Task<(Subscription, Provider, ProviderOrganization, ProviderUser)> ValidateFinalizationAsync(
+        Organization organization,
+        User? user,
+        string token)
+    {
+        if (organization.PlanType.GetProductTier() != ProductTierType.Enterprise)
+        {
+            Fail("Organization must be on an enterprise plan.");
+        }
+
+        var subscription = await subscriberService.GetSubscription(organization);
+
+        if (subscription is not
+            {
+                Status:
+                StripeConstants.SubscriptionStatus.Active or
+                StripeConstants.SubscriptionStatus.Trialing or
+                StripeConstants.SubscriptionStatus.PastDue
+            })
+        {
+            Fail("Organization must have a valid subscription.");
+        }
+
+        if (user == null)
+        {
+            Fail("Provider admin must be a Bitwarden user.");
+        }
+
+        if (!CoreHelpers.TokenIsValid(
+                "BusinessUnitConversionInvite",
+                _dataProtector,
+                token,
+                user.Email,
+                organization.Id,
+                globalSettings.OrganizationInviteExpirationHours))
+        {
+            Fail("Email token is invalid.");
+        }
+
+        var organizationUser =
+            await organizationUserRepository.GetByOrganizationAsync(organization.Id, user.Id);
+
+        if (organizationUser is not
+            {
+                Status: OrganizationUserStatusType.Confirmed
+            })
+        {
+            Fail("Provider admin must be a confirmed member of the organization being converted.");
+        }
+
+        var provider = await providerRepository.GetByOrganizationIdAsync(organization.Id);
+
+        if (provider is not
+            {
+                Type: ProviderType.BusinessUnit,
+                Status: ProviderStatusType.Pending
+            })
+        {
+            Fail("Linked provider is not a pending business unit.");
+        }
+
+        var providerUser = await providerUserRepository.GetByProviderUserAsync(provider.Id, user.Id);
+
+        if (providerUser is not
+            {
+                Type: ProviderUserType.ProviderAdmin,
+                Status: ProviderUserStatusType.Invited
+            })
+        {
+            Fail("Provider admin has not been invited.");
+        }
+
+        var providerOrganization = await providerOrganizationRepository.GetByOrganizationId(organization.Id);
+
+        return (subscription, provider, providerOrganization!, providerUser);
+
+        [DoesNotReturn]
+        void Fail(string scopedError)
+        {
+            logger.LogError("Could not finalize business unit conversion for organization ({OrganizationID}): {Error}",
+                organization.Id, scopedError);
+            throw new BillingException();
+        }
+    }
+
+    private async Task<List<string>?> ValidateInitiationAsync(
+        Organization organization,
+        User? user)
+    {
+        var problems = new List<string>();
+
+        if (organization.PlanType.GetProductTier() != ProductTierType.Enterprise)
+        {
+            problems.Add("Organization must be on an enterprise plan.");
+        }
+
+        var subscription = await subscriberService.GetSubscription(organization);
+
+        if (subscription is not
+            {
+                Status:
+                StripeConstants.SubscriptionStatus.Active or
+                StripeConstants.SubscriptionStatus.Trialing or
+                StripeConstants.SubscriptionStatus.PastDue
+            })
+        {
+            problems.Add("Organization must have a valid subscription.");
+        }
+
+        var providerOrganization = await providerOrganizationRepository.GetByOrganizationId(organization.Id);
+
+        if (providerOrganization != null)
+        {
+            problems.Add("Organization is already linked to a provider.");
+        }
+
+        if (user == null)
+        {
+            problems.Add("Provider admin must be a Bitwarden user.");
+        }
+        else
+        {
+            var organizationUser =
+                await organizationUserRepository.GetByOrganizationAsync(organization.Id, user.Id);
+
+            if (organizationUser is not
+                {
+                    Status: OrganizationUserStatusType.Confirmed
+                })
+            {
+                problems.Add("Provider admin must be a confirmed member of the organization being converted.");
+            }
+        }
+
+        return problems.Count == 0 ? null : problems;
+    }
+
+    #endregion
+}

bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs

@@ -791,7 +791,7 @@ public class ProviderBillingService(
         Provider provider,
         Organization organization)
     {
-        if (provider.Type == ProviderType.MultiOrganizationEnterprise)
+        if (provider.Type == ProviderType.BusinessUnit)
         {
             return (await providerPlanRepository.GetByProviderId(provider.Id)).First().PlanType;
         }

bitwarden_license/src/Commercial.Core/Billing/ProviderPriceAdapter.cs

@@ -51,7 +51,7 @@ public static class ProviderPriceAdapter
     /// <param name="subscription">The provider's subscription.</param>
     /// <param name="planType">The plan type correlating to the desired Stripe price ID.</param>
     /// <returns>A Stripe <see cref="Stripe.Price"/> ID.</returns>
-    /// <exception cref="BillingException">Thrown when the provider's type is not <see cref="ProviderType.Msp"/> or <see cref="ProviderType.MultiOrganizationEnterprise"/>.</exception>
+    /// <exception cref="BillingException">Thrown when the provider's type is not <see cref="ProviderType.Msp"/> or <see cref="ProviderType.BusinessUnit"/>.</exception>
     /// <exception cref="BillingException">Thrown when the provided <see cref="planType"/> does not relate to a Stripe price ID.</exception>
     public static string GetPriceId(
         Provider provider,
@@ -78,7 +78,7 @@ public static class ProviderPriceAdapter
                     PlanType.EnterpriseMonthly => MSP.Active.Enterprise,
                     _ => throw invalidPlanType
                 },
-            ProviderType.MultiOrganizationEnterprise => BusinessUnit.Legacy.List.Intersect(priceIds).Any()
+            ProviderType.BusinessUnit => BusinessUnit.Legacy.List.Intersect(priceIds).Any()
                 ? planType switch
                 {
                     PlanType.EnterpriseAnnually => BusinessUnit.Legacy.Annually,
@@ -103,7 +103,7 @@ public static class ProviderPriceAdapter
     /// <param name="provider">The provider to get the Stripe price ID for.</param>
     /// <param name="planType">The plan type correlating to the desired Stripe price ID.</param>
     /// <returns>A Stripe <see cref="Stripe.Price"/> ID.</returns>
-    /// <exception cref="BillingException">Thrown when the provider's type is not <see cref="ProviderType.Msp"/> or <see cref="ProviderType.MultiOrganizationEnterprise"/>.</exception>
+    /// <exception cref="BillingException">Thrown when the provider's type is not <see cref="ProviderType.Msp"/> or <see cref="ProviderType.BusinessUnit"/>.</exception>
     /// <exception cref="BillingException">Thrown when the provided <see cref="planType"/> does not relate to a Stripe price ID.</exception>
     public static string GetActivePriceId(
         Provider provider,
@@ -120,7 +120,7 @@ public static class ProviderPriceAdapter
                 PlanType.EnterpriseMonthly => MSP.Active.Enterprise,
                 _ => throw invalidPlanType
             },
-            ProviderType.MultiOrganizationEnterprise => planType switch
+            ProviderType.BusinessUnit => planType switch
             {
                 PlanType.EnterpriseAnnually => BusinessUnit.Active.Annually,
                 PlanType.EnterpriseMonthly => BusinessUnit.Active.Monthly,

bitwarden_license/src/Commercial.Core/SecretsManager/Queries/Projects/MaxProjectsQuery.cs

@@ -1,9 +1,9 @@
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
 using Bit.Core.SecretsManager.Queries.Projects.Interfaces;
 using Bit.Core.SecretsManager.Repositories;
-using Bit.Core.Utilities;
 
 namespace Bit.Commercial.Core.SecretsManager.Queries.Projects;
 
@@ -11,13 +11,16 @@ public class MaxProjectsQuery : IMaxProjectsQuery
 {
     private readonly IOrganizationRepository _organizationRepository;
     private readonly IProjectRepository _projectRepository;
+    private readonly IPricingClient _pricingClient;
 
     public MaxProjectsQuery(
         IOrganizationRepository organizationRepository,
-        IProjectRepository projectRepository)
+        IProjectRepository projectRepository,
+        IPricingClient pricingClient)
     {
         _organizationRepository = organizationRepository;
         _projectRepository = projectRepository;
+        _pricingClient = pricingClient;
     }
 
     public async Task<(short? max, bool? overMax)> GetByOrgIdAsync(Guid organizationId, int projectsToAdd)
@@ -28,8 +31,7 @@ public class MaxProjectsQuery : IMaxProjectsQuery
             throw new NotFoundException();
         }
 
-        // TODO: PRICING -> https://bitwarden.atlassian.net/browse/PM-17122
+        var plan = await _pricingClient.GetPlan(org.PlanType);
-        var plan = StaticStore.GetPlan(org.PlanType);
         if (plan?.SecretsManager == null)
         {
             throw new BadRequestException("Existing plan not found.");

bitwarden_license/src/Commercial.Core/Utilities/ServiceCollectionExtensions.cs

@@ -16,5 +16,6 @@ public static class ServiceCollectionExtensions
         services.AddScoped<ICreateProviderCommand, CreateProviderCommand>();
         services.AddScoped<IRemoveOrganizationFromProviderCommand, RemoveOrganizationFromProviderCommand>();
         services.AddTransient<IProviderBillingService, ProviderBillingService>();
+        services.AddTransient<IBusinessUnitConverter, BusinessUnitConverter>();
     }
 }

bitwarden_license/src/Scim/Models/ScimUserRequestModel.cs

@@ -1,8 +1,11 @@
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
 using Bit.Core.Enums;
-using Bit.Core.Models.Business;
+using Bit.Core.Exceptions;
 using Bit.Core.Models.Data;
 using Bit.Core.Utilities;
+using OrganizationUserInvite = Bit.Core.Models.Business.OrganizationUserInvite;
 
 namespace Bit.Scim.Models;
 
@@ -10,7 +13,8 @@ public class ScimUserRequestModel : BaseScimUserModel
 {
     public ScimUserRequestModel()
         : base(false)
-    { }
+    {
+    }
 
     public OrganizationUserInvite ToOrganizationUserInvite(ScimProviderType scimProvider)
     {
@@ -25,6 +29,31 @@ public class ScimUserRequestModel : BaseScimUserModel
         };
     }
 
+    public InviteOrganizationUsersRequest ToRequest(
+        ScimProviderType scimProvider,
+        InviteOrganization inviteOrganization,
+        DateTimeOffset performedAt)
+    {
+        var email = EmailForInvite(scimProvider);
+
+        if (string.IsNullOrWhiteSpace(email) || !Active)
+        {
+            throw new BadRequestException();
+        }
+
+        return new InviteOrganizationUsersRequest(
+            invites:
+            [
+                new Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models.OrganizationUserInvite(
+                        email: email,
+                        externalId: ExternalIdForInvite()
+                    )
+            ],
+            inviteOrganization: inviteOrganization,
+            performedBy: Guid.Empty, // SCIM does not have a user id
+            performedAt: performedAt);
+    }
+
     private string EmailForInvite(ScimProviderType scimProvider)
     {
         var email = PrimaryEmail?.ToLowerInvariant();

bitwarden_license/src/Scim/Users/PostUserCommand.cs

@@ -1,39 +1,99 @@
-using Bit.Core.Enums;
+#nullable enable
+
+using Bit.Core;
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Errors;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+using Bit.Core.Billing.Pricing;
+using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Commands;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Scim.Context;
 using Bit.Scim.Models;
 using Bit.Scim.Users.Interfaces;
+using static Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Errors.ErrorMapper;
 
 namespace Bit.Scim.Users;
 
-public class PostUserCommand : IPostUserCommand
+public class PostUserCommand(
-{
-    private readonly IOrganizationRepository _organizationRepository;
-    private readonly IOrganizationUserRepository _organizationUserRepository;
-    private readonly IOrganizationService _organizationService;
-    private readonly IPaymentService _paymentService;
-    private readonly IScimContext _scimContext;
-
-    public PostUserCommand(
     IOrganizationRepository organizationRepository,
     IOrganizationUserRepository organizationUserRepository,
     IOrganizationService organizationService,
     IPaymentService paymentService,
-        IScimContext scimContext)
+    IScimContext scimContext,
+    IFeatureService featureService,
+    IInviteOrganizationUsersCommand inviteOrganizationUsersCommand,
+    TimeProvider timeProvider,
+    IPricingClient pricingClient)
+    : IPostUserCommand
 {
-        _organizationRepository = organizationRepository;
+    public async Task<OrganizationUserUserDetails?> PostUserAsync(Guid organizationId, ScimUserRequestModel model)
-        _organizationUserRepository = organizationUserRepository;
+    {
-        _organizationService = organizationService;
+        if (featureService.IsEnabled(FeatureFlagKeys.ScimInviteUserOptimization) is false)
-        _paymentService = paymentService;
+        {
-        _scimContext = scimContext;
+            return await InviteScimOrganizationUserAsync(model, organizationId, scimContext.RequestScimProvider);
         }
 
-    public async Task<OrganizationUserUserDetails> PostUserAsync(Guid organizationId, ScimUserRequestModel model)
+        return await InviteScimOrganizationUserAsync_vNext(model, organizationId, scimContext.RequestScimProvider);
+    }
+
+    private async Task<OrganizationUserUserDetails?> InviteScimOrganizationUserAsync_vNext(
+        ScimUserRequestModel model,
+        Guid organizationId,
+        ScimProviderType scimProvider)
+    {
+        var organization = await organizationRepository.GetByIdAsync(organizationId);
+
+        if (organization is null)
+        {
+            throw new NotFoundException();
+        }
+
+        var plan = await pricingClient.GetPlanOrThrow(organization.PlanType);
+
+        var request = model.ToRequest(
+            scimProvider: scimProvider,
+            inviteOrganization: new InviteOrganization(organization, plan),
+            performedAt: timeProvider.GetUtcNow());
+
+        var orgUsers = await organizationUserRepository
+            .GetManyDetailsByOrganizationAsync(request.InviteOrganization.OrganizationId);
+
+        if (orgUsers.Any(existingUser =>
+                request.Invites.First().Email.Equals(existingUser.Email, StringComparison.OrdinalIgnoreCase) ||
+                request.Invites.First().ExternalId.Equals(existingUser.ExternalId, StringComparison.OrdinalIgnoreCase)))
+        {
+            throw new ConflictException("User already exists.");
+        }
+
+        var result = await inviteOrganizationUsersCommand.InviteScimOrganizationUserAsync(request);
+
+        var invitedOrganizationUserId = result switch
+        {
+            Success<ScimInviteOrganizationUsersResponse> success => success.Value.InvitedUser.Id,
+            Failure<ScimInviteOrganizationUsersResponse> failure when failure.Errors
+                    .Any(x => x.Message == NoUsersToInviteError.Code) => (Guid?)null,
+            Failure<ScimInviteOrganizationUsersResponse> failure when failure.Errors.Length != 0 => throw MapToBitException(failure.Errors),
+            _ => throw new InvalidOperationException()
+        };
+
+        var organizationUser = invitedOrganizationUserId.HasValue
+            ? await organizationUserRepository.GetDetailsByIdAsync(invitedOrganizationUserId.Value)
+            : null;
+
+        return organizationUser;
+    }
+
+    private async Task<OrganizationUserUserDetails?> InviteScimOrganizationUserAsync(
+        ScimUserRequestModel model,
+        Guid organizationId,
+        ScimProviderType scimProvider)
     {
-        var scimProvider = _scimContext.RequestScimProvider;
         var invite = model.ToOrganizationUserInvite(scimProvider);
 
         var email = invite.Emails.Single();
@@ -44,7 +104,7 @@ public class PostUserCommand : IPostUserCommand
             throw new BadRequestException();
         }
 
-        var orgUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(organizationId);
+        var orgUsers = await organizationUserRepository.GetManyDetailsByOrganizationAsync(organizationId);
         var orgUserByEmail = orgUsers.FirstOrDefault(ou => ou.Email?.ToLowerInvariant() == email);
         if (orgUserByEmail != null)
         {
@@ -57,13 +117,21 @@ public class PostUserCommand : IPostUserCommand
             throw new ConflictException();
         }
 
-        var organization = await _organizationRepository.GetByIdAsync(organizationId);
+        var organization = await organizationRepository.GetByIdAsync(organizationId);
-        var hasStandaloneSecretsManager = await _paymentService.HasSecretsManagerStandalone(organization);
+
+        if (organization == null)
+        {
+            throw new NotFoundException();
+        }
+
+        var hasStandaloneSecretsManager = await paymentService.HasSecretsManagerStandalone(organization);
         invite.AccessSecretsManager = hasStandaloneSecretsManager;
 
-        var invitedOrgUser = await _organizationService.InviteUserAsync(organizationId, invitingUserId: null, EventSystemUser.SCIM,
+        var invitedOrgUser = await organizationService.InviteUserAsync(organizationId, invitingUserId: null,
-            invite, externalId);
+            EventSystemUser.SCIM,
-        var orgUser = await _organizationUserRepository.GetDetailsByIdAsync(invitedOrgUser.Id);
+            invite,
+            externalId);
+        var orgUser = await organizationUserRepository.GetDetailsByIdAsync(invitedOrgUser.Id);
 
         return orgUser;
     }

bitwarden_license/test/Commercial.Core.Test/AdminConsole/ProviderFeatures/CreateProviderCommandTests.cs

@@ -63,7 +63,7 @@ public class CreateProviderCommandTests
     }
 
     [Theory, BitAutoData]
-    public async Task CreateMultiOrganizationEnterpriseAsync_Success(
+    public async Task CreateBusinessUnitAsync_Success(
     Provider provider,
     User user,
     PlanType plan,
@@ -71,13 +71,13 @@ public class CreateProviderCommandTests
     SutProvider<CreateProviderCommand> sutProvider)
     {
         // Arrange
-        provider.Type = ProviderType.MultiOrganizationEnterprise;
+        provider.Type = ProviderType.BusinessUnit;
 
         var userRepository = sutProvider.GetDependency<IUserRepository>();
         userRepository.GetByEmailAsync(user.Email).Returns(user);
 
         // Act
-        await sutProvider.Sut.CreateMultiOrganizationEnterpriseAsync(provider, user.Email, plan, minimumSeats);
+        await sutProvider.Sut.CreateBusinessUnitAsync(provider, user.Email, plan, minimumSeats);
 
         // Assert
         await sutProvider.GetDependency<IProviderRepository>().ReceivedWithAnyArgs().CreateAsync(provider);
@@ -85,7 +85,7 @@ public class CreateProviderCommandTests
     }
 
     [Theory, BitAutoData]
-    public async Task CreateMultiOrganizationEnterpriseAsync_UserIdIsInvalid_Throws(
+    public async Task CreateBusinessUnitAsync_UserIdIsInvalid_Throws(
         Provider provider,
         SutProvider<CreateProviderCommand> sutProvider)
     {
@@ -94,7 +94,7 @@ public class CreateProviderCommandTests
 
         // Act
         var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.CreateMultiOrganizationEnterpriseAsync(provider, default, default, default));
+            () => sutProvider.Sut.CreateBusinessUnitAsync(provider, default, default, default));
 
         // Assert
         Assert.Contains("Invalid owner.", exception.Message);

bitwarden_license/test/Commercial.Core.Test/Billing/BusinessUnitConverterTests.cs

@@ -0,0 +1,501 @@
+#nullable enable
+using System.Text;
+using Bit.Commercial.Core.Billing;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Entities.Provider;
+using Bit.Core.AdminConsole.Enums.Provider;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Billing;
+using Bit.Core.Billing.Constants;
+using Bit.Core.Billing.Entities;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Pricing;
+using Bit.Core.Billing.Repositories;
+using Bit.Core.Billing.Services;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Settings;
+using Bit.Core.Utilities;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.DataProtection;
+using Microsoft.Extensions.Logging;
+using NSubstitute;
+using Stripe;
+using Xunit;
+
+namespace Bit.Commercial.Core.Test.Billing;
+
+public class BusinessUnitConverterTests
+{
+    private readonly IDataProtectionProvider _dataProtectionProvider = Substitute.For<IDataProtectionProvider>();
+    private readonly GlobalSettings _globalSettings = new();
+    private readonly ILogger<BusinessUnitConverter> _logger = Substitute.For<ILogger<BusinessUnitConverter>>();
+    private readonly IMailService _mailService = Substitute.For<IMailService>();
+    private readonly IOrganizationRepository _organizationRepository = Substitute.For<IOrganizationRepository>();
+    private readonly IOrganizationUserRepository _organizationUserRepository = Substitute.For<IOrganizationUserRepository>();
+    private readonly IPricingClient _pricingClient = Substitute.For<IPricingClient>();
+    private readonly IProviderOrganizationRepository _providerOrganizationRepository = Substitute.For<IProviderOrganizationRepository>();
+    private readonly IProviderPlanRepository _providerPlanRepository = Substitute.For<IProviderPlanRepository>();
+    private readonly IProviderRepository _providerRepository = Substitute.For<IProviderRepository>();
+    private readonly IProviderUserRepository _providerUserRepository = Substitute.For<IProviderUserRepository>();
+    private readonly IStripeAdapter _stripeAdapter = Substitute.For<IStripeAdapter>();
+    private readonly ISubscriberService _subscriberService = Substitute.For<ISubscriberService>();
+    private readonly IUserRepository _userRepository = Substitute.For<IUserRepository>();
+
+    private BusinessUnitConverter BuildConverter() => new(
+        _dataProtectionProvider,
+        _globalSettings,
+        _logger,
+        _mailService,
+        _organizationRepository,
+        _organizationUserRepository,
+        _pricingClient,
+        _providerOrganizationRepository,
+        _providerPlanRepository,
+        _providerRepository,
+        _providerUserRepository,
+        _stripeAdapter,
+        _subscriberService,
+        _userRepository);
+
+    #region FinalizeConversion
+
+    [Theory, BitAutoData]
+    public async Task FinalizeConversion_Succeeds_ReturnsProviderId(
+        Organization organization,
+        Guid userId,
+        string providerKey,
+        string organizationKey)
+    {
+        organization.PlanType = PlanType.EnterpriseAnnually2020;
+
+        var enterpriseAnnually2020 = StaticStore.GetPlan(PlanType.EnterpriseAnnually2020);
+
+        var subscription = new Subscription
+        {
+            Id = "subscription_id",
+            CustomerId = "customer_id",
+            Status = StripeConstants.SubscriptionStatus.Active,
+            Items = new StripeList<SubscriptionItem>
+            {
+                Data = [
+                    new SubscriptionItem
+                    {
+                        Id = "subscription_item_id",
+                        Price = new Price
+                        {
+                            Id = enterpriseAnnually2020.PasswordManager.StripeSeatPlanId
+                        }
+                    }
+                ]
+            }
+        };
+
+        _subscriberService.GetSubscription(organization).Returns(subscription);
+
+        var user = new User
+        {
+            Id = Guid.NewGuid(),
+            Email = "provider-admin@example.com"
+        };
+
+        _userRepository.GetByIdAsync(userId).Returns(user);
+
+        var token = SetupDataProtection(organization, user.Email);
+
+        var organizationUser = new OrganizationUser { Status = OrganizationUserStatusType.Confirmed };
+
+        _organizationUserRepository.GetByOrganizationAsync(organization.Id, user.Id)
+            .Returns(organizationUser);
+
+        var provider = new Provider
+        {
+            Type = ProviderType.BusinessUnit,
+            Status = ProviderStatusType.Pending
+        };
+
+        _providerRepository.GetByOrganizationIdAsync(organization.Id).Returns(provider);
+
+        var providerUser = new ProviderUser
+        {
+            Type = ProviderUserType.ProviderAdmin,
+            Status = ProviderUserStatusType.Invited
+        };
+
+        _providerUserRepository.GetByProviderUserAsync(provider.Id, user.Id).Returns(providerUser);
+
+        var providerOrganization = new ProviderOrganization();
+
+        _providerOrganizationRepository.GetByOrganizationId(organization.Id).Returns(providerOrganization);
+
+        _pricingClient.GetPlanOrThrow(PlanType.EnterpriseAnnually2020)
+            .Returns(enterpriseAnnually2020);
+
+        var enterpriseAnnually = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
+
+        _pricingClient.GetPlanOrThrow(PlanType.EnterpriseAnnually)
+            .Returns(enterpriseAnnually);
+
+        var businessUnitConverter = BuildConverter();
+
+        await businessUnitConverter.FinalizeConversion(organization, userId, token, providerKey, organizationKey);
+
+        await _stripeAdapter.Received(2).CustomerUpdateAsync(subscription.CustomerId, Arg.Any<CustomerUpdateOptions>());
+
+        var updatedPriceId = ProviderPriceAdapter.GetActivePriceId(provider, enterpriseAnnually.Type);
+
+        await _stripeAdapter.Received(1).SubscriptionUpdateAsync(subscription.Id, Arg.Is<SubscriptionUpdateOptions>(
+            arguments =>
+                arguments.Items.Count == 2 &&
+                arguments.Items[0].Id == "subscription_item_id" &&
+                arguments.Items[0].Deleted == true &&
+                arguments.Items[1].Price == updatedPriceId &&
+                arguments.Items[1].Quantity == organization.Seats));
+
+        await _organizationRepository.Received(1).ReplaceAsync(Arg.Is<Organization>(arguments =>
+            arguments.PlanType == PlanType.EnterpriseAnnually &&
+            arguments.Status == OrganizationStatusType.Managed &&
+            arguments.GatewayCustomerId == null &&
+            arguments.GatewaySubscriptionId == null));
+
+        await _providerOrganizationRepository.Received(1).ReplaceAsync(Arg.Is<ProviderOrganization>(arguments =>
+            arguments.Key == organizationKey));
+
+        await _providerRepository.Received(1).ReplaceAsync(Arg.Is<Provider>(arguments =>
+            arguments.Gateway == GatewayType.Stripe &&
+            arguments.GatewayCustomerId == subscription.CustomerId &&
+            arguments.GatewaySubscriptionId == subscription.Id &&
+            arguments.Status == ProviderStatusType.Billable));
+
+        await _providerUserRepository.Received(1).ReplaceAsync(Arg.Is<ProviderUser>(arguments =>
+            arguments.Key == providerKey &&
+            arguments.Status == ProviderUserStatusType.Confirmed));
+    }
+
+    /*
+     * Because the validation for finalization is not an applicative like initialization is,
+     * I'm just testing one specific failure here. I don't see much value in testing every single opportunity for failure.
+     */
+    [Theory, BitAutoData]
+    public async Task FinalizeConversion_ValidationFails_ThrowsBillingException(
+        Organization organization,
+        Guid userId,
+        string token,
+        string providerKey,
+        string organizationKey)
+    {
+        organization.PlanType = PlanType.EnterpriseAnnually2020;
+
+        var subscription = new Subscription
+        {
+            Status = StripeConstants.SubscriptionStatus.Canceled
+        };
+
+        _subscriberService.GetSubscription(organization).Returns(subscription);
+
+        var businessUnitConverter = BuildConverter();
+
+        await Assert.ThrowsAsync<BillingException>(() =>
+            businessUnitConverter.FinalizeConversion(organization, userId, token, providerKey, organizationKey));
+
+        await _organizationUserRepository.DidNotReceiveWithAnyArgs()
+            .GetByOrganizationAsync(Arg.Any<Guid>(), Arg.Any<Guid>());
+    }
+
+    #endregion
+
+    #region InitiateConversion
+
+    [Theory, BitAutoData]
+    public async Task InitiateConversion_Succeeds_ReturnsProviderId(
+        Organization organization,
+        string providerAdminEmail)
+    {
+        organization.PlanType = PlanType.EnterpriseAnnually;
+
+        _subscriberService.GetSubscription(organization).Returns(new Subscription
+        {
+            Status = StripeConstants.SubscriptionStatus.Active
+        });
+
+        var user = new User
+        {
+            Id = Guid.NewGuid(),
+            Email = providerAdminEmail
+        };
+
+        _userRepository.GetByEmailAsync(providerAdminEmail).Returns(user);
+
+        var organizationUser = new OrganizationUser { Status = OrganizationUserStatusType.Confirmed };
+
+        _organizationUserRepository.GetByOrganizationAsync(organization.Id, user.Id)
+            .Returns(organizationUser);
+
+        var provider = new Provider { Id = Guid.NewGuid() };
+
+        _providerRepository.CreateAsync(Arg.Is<Provider>(argument =>
+            argument.Name == organization.Name &&
+            argument.BillingEmail == organization.BillingEmail &&
+            argument.Status == ProviderStatusType.Pending &&
+            argument.Type == ProviderType.BusinessUnit)).Returns(provider);
+
+        var plan = StaticStore.GetPlan(organization.PlanType);
+
+        _pricingClient.GetPlanOrThrow(organization.PlanType).Returns(plan);
+
+        var token = SetupDataProtection(organization, providerAdminEmail);
+
+        var businessUnitConverter = BuildConverter();
+
+        var result = await businessUnitConverter.InitiateConversion(organization, providerAdminEmail);
+
+        Assert.True(result.IsT0);
+
+        var providerId = result.AsT0;
+
+        Assert.Equal(provider.Id, providerId);
+
+        await _providerOrganizationRepository.Received(1).CreateAsync(
+            Arg.Is<ProviderOrganization>(argument =>
+                argument.ProviderId == provider.Id &&
+                argument.OrganizationId == organization.Id));
+
+        await _providerPlanRepository.Received(1).CreateAsync(
+            Arg.Is<ProviderPlan>(argument =>
+                argument.ProviderId == provider.Id &&
+                argument.PlanType == PlanType.EnterpriseAnnually &&
+                argument.SeatMinimum == 0 &&
+                argument.PurchasedSeats == organization.Seats &&
+                argument.AllocatedSeats == organization.Seats));
+
+        await _providerUserRepository.Received(1).CreateAsync(
+            Arg.Is<ProviderUser>(argument =>
+                argument.ProviderId == provider.Id &&
+                argument.UserId == user.Id &&
+                argument.Email == user.Email &&
+                argument.Status == ProviderUserStatusType.Invited &&
+                argument.Type == ProviderUserType.ProviderAdmin));
+
+        await _mailService.Received(1).SendBusinessUnitConversionInviteAsync(
+            organization,
+            token,
+            user.Email);
+    }
+
+    [Theory, BitAutoData]
+    public async Task InitiateConversion_ValidationFails_ReturnsErrors(
+        Organization organization,
+        string providerAdminEmail)
+    {
+        organization.PlanType = PlanType.TeamsMonthly;
+
+        _subscriberService.GetSubscription(organization).Returns(new Subscription
+        {
+            Status = StripeConstants.SubscriptionStatus.Canceled
+        });
+
+        var user = new User
+        {
+            Id = Guid.NewGuid(),
+            Email = providerAdminEmail
+        };
+
+        _providerOrganizationRepository.GetByOrganizationId(organization.Id)
+            .Returns(new ProviderOrganization());
+
+        _userRepository.GetByEmailAsync(providerAdminEmail).Returns(user);
+
+        var organizationUser = new OrganizationUser { Status = OrganizationUserStatusType.Invited };
+
+        _organizationUserRepository.GetByOrganizationAsync(organization.Id, user.Id)
+            .Returns(organizationUser);
+
+        var businessUnitConverter = BuildConverter();
+
+        var result = await businessUnitConverter.InitiateConversion(organization, providerAdminEmail);
+
+        Assert.True(result.IsT1);
+
+        var problems = result.AsT1;
+
+        Assert.Contains("Organization must be on an enterprise plan.", problems);
+
+        Assert.Contains("Organization must have a valid subscription.", problems);
+
+        Assert.Contains("Organization is already linked to a provider.", problems);
+
+        Assert.Contains("Provider admin must be a confirmed member of the organization being converted.", problems);
+    }
+
+    #endregion
+
+    #region ResendConversionInvite
+
+    [Theory, BitAutoData]
+    public async Task ResendConversionInvite_ConversionInProgress_Succeeds(
+        Organization organization,
+        string providerAdminEmail)
+    {
+        SetupConversionInProgress(organization, providerAdminEmail);
+
+        var token = SetupDataProtection(organization, providerAdminEmail);
+
+        var businessUnitConverter = BuildConverter();
+
+        await businessUnitConverter.ResendConversionInvite(organization, providerAdminEmail);
+
+        await _mailService.Received(1).SendBusinessUnitConversionInviteAsync(
+            organization,
+            token,
+            providerAdminEmail);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ResendConversionInvite_NoConversionInProgress_DoesNothing(
+        Organization organization,
+        string providerAdminEmail)
+    {
+        SetupDataProtection(organization, providerAdminEmail);
+
+        var businessUnitConverter = BuildConverter();
+
+        await businessUnitConverter.ResendConversionInvite(organization, providerAdminEmail);
+
+        await _mailService.DidNotReceiveWithAnyArgs().SendBusinessUnitConversionInviteAsync(
+            Arg.Any<Organization>(),
+            Arg.Any<string>(),
+            Arg.Any<string>());
+    }
+
+    #endregion
+
+    #region ResetConversion
+
+    [Theory, BitAutoData]
+    public async Task ResetConversion_ConversionInProgress_Succeeds(
+        Organization organization,
+        string providerAdminEmail)
+    {
+        var (provider, providerOrganization, providerUser, providerPlan) = SetupConversionInProgress(organization, providerAdminEmail);
+
+        var businessUnitConverter = BuildConverter();
+
+        await businessUnitConverter.ResetConversion(organization, providerAdminEmail);
+
+        await _providerOrganizationRepository.Received(1)
+            .DeleteAsync(providerOrganization);
+
+        await _providerUserRepository.Received(1)
+            .DeleteAsync(providerUser);
+
+        await _providerPlanRepository.Received(1)
+            .DeleteAsync(providerPlan);
+
+        await _providerRepository.Received(1)
+            .DeleteAsync(provider);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ResetConversion_NoConversionInProgress_DoesNothing(
+        Organization organization,
+        string providerAdminEmail)
+    {
+        var businessUnitConverter = BuildConverter();
+
+        await businessUnitConverter.ResetConversion(organization, providerAdminEmail);
+
+        await _providerOrganizationRepository.DidNotReceiveWithAnyArgs()
+            .DeleteAsync(Arg.Any<ProviderOrganization>());
+
+        await _providerUserRepository.DidNotReceiveWithAnyArgs()
+            .DeleteAsync(Arg.Any<ProviderUser>());
+
+        await _providerPlanRepository.DidNotReceiveWithAnyArgs()
+            .DeleteAsync(Arg.Any<ProviderPlan>());
+
+        await _providerRepository.DidNotReceiveWithAnyArgs()
+            .DeleteAsync(Arg.Any<Provider>());
+    }
+
+    #endregion
+
+    #region Utilities
+
+    private string SetupDataProtection(
+        Organization organization,
+        string providerAdminEmail)
+    {
+        var dataProtector = new MockDataProtector(organization, providerAdminEmail);
+        _dataProtectionProvider.CreateProtector($"{nameof(BusinessUnitConverter)}DataProtector").Returns(dataProtector);
+        return dataProtector.Protect(dataProtector.Token);
+    }
+
+    private (Provider, ProviderOrganization, ProviderUser, ProviderPlan) SetupConversionInProgress(
+        Organization organization,
+        string providerAdminEmail)
+    {
+        var user = new User { Id = Guid.NewGuid() };
+
+        _userRepository.GetByEmailAsync(providerAdminEmail).Returns(user);
+
+        var provider = new Provider
+        {
+            Id = Guid.NewGuid(),
+            Type = ProviderType.BusinessUnit,
+            Status = ProviderStatusType.Pending
+        };
+
+        _providerRepository.GetByOrganizationIdAsync(organization.Id).Returns(provider);
+
+        var providerUser = new ProviderUser
+        {
+            Id = Guid.NewGuid(),
+            ProviderId = provider.Id,
+            UserId = user.Id,
+            Type = ProviderUserType.ProviderAdmin,
+            Status = ProviderUserStatusType.Invited,
+            Email = providerAdminEmail
+        };
+
+        _providerUserRepository.GetByProviderUserAsync(provider.Id, user.Id)
+            .Returns(providerUser);
+
+        var providerOrganization = new ProviderOrganization
+        {
+            Id = Guid.NewGuid(),
+            OrganizationId = organization.Id,
+            ProviderId = provider.Id
+        };
+
+        _providerOrganizationRepository.GetByOrganizationId(organization.Id)
+            .Returns(providerOrganization);
+
+        var providerPlan = new ProviderPlan
+        {
+            Id = Guid.NewGuid(),
+            ProviderId = provider.Id,
+            PlanType = PlanType.EnterpriseAnnually
+        };
+
+        _providerPlanRepository.GetByProviderId(provider.Id).Returns([providerPlan]);
+
+        return (provider, providerOrganization, providerUser, providerPlan);
+    }
+
+    #endregion
+}
+
+public class MockDataProtector(
+    Organization organization,
+    string providerAdminEmail) : IDataProtector
+{
+    public string Token = $"BusinessUnitConversionInvite {organization.Id} {providerAdminEmail} {CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow)}";
+
+    public IDataProtector CreateProtector(string purpose) => this;
+
+    public byte[] Protect(byte[] plaintext) => Encoding.UTF8.GetBytes(Token);
+
+    public byte[] Unprotect(byte[] protectedData) => Encoding.UTF8.GetBytes(Token);
+}

bitwarden_license/test/Commercial.Core.Test/Billing/ProviderBillingServiceTests.cs

@@ -116,7 +116,7 @@ public class ProviderBillingServiceTests
         SutProvider<ProviderBillingService> sutProvider)
     {
         // Arrange
-        provider.Type = ProviderType.MultiOrganizationEnterprise;
+        provider.Type = ProviderType.BusinessUnit;
 
         var providerPlanRepository = sutProvider.GetDependency<IProviderPlanRepository>();
         var existingPlan = new ProviderPlan

bitwarden_license/test/Commercial.Core.Test/Billing/ProviderPriceAdapterTests.cs

@@ -71,7 +71,7 @@ public class ProviderPriceAdapterTests
         var provider = new Provider
         {
             Id = Guid.NewGuid(),
-            Type = ProviderType.MultiOrganizationEnterprise
+            Type = ProviderType.BusinessUnit
         };
 
         var subscription = new Subscription
@@ -98,7 +98,7 @@ public class ProviderPriceAdapterTests
         var provider = new Provider
         {
             Id = Guid.NewGuid(),
-            Type = ProviderType.MultiOrganizationEnterprise
+            Type = ProviderType.BusinessUnit
         };
 
         var subscription = new Subscription
@@ -141,7 +141,7 @@ public class ProviderPriceAdapterTests
         var provider = new Provider
         {
             Id = Guid.NewGuid(),
-            Type = ProviderType.MultiOrganizationEnterprise
+            Type = ProviderType.BusinessUnit
         };
 
         var result = ProviderPriceAdapter.GetActivePriceId(provider, planType);

bitwarden_license/test/Commercial.Core.Test/SecretsManager/Queries/Projects/MaxProjectsQueryTests.cs

@@ -1,9 +1,11 @@
 using Bit.Commercial.Core.SecretsManager.Queries.Projects;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
 using Bit.Core.SecretsManager.Repositories;
+using Bit.Core.Utilities;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
@@ -66,6 +68,9 @@ public class MaxProjectsQueryTests
         SutProvider<MaxProjectsQuery> sutProvider, Organization organization)
     {
         organization.PlanType = planType;
+
+        sutProvider.GetDependency<IPricingClient>().GetPlan(planType).Returns(StaticStore.GetPlan(planType));
+
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
 
         var (limit, overLimit) = await sutProvider.Sut.GetByOrgIdAsync(organization.Id, 1);
@@ -106,6 +111,9 @@ public class MaxProjectsQueryTests
         SutProvider<MaxProjectsQuery> sutProvider, Organization organization)
     {
         organization.PlanType = planType;
+
+        sutProvider.GetDependency<IPricingClient>().GetPlan(planType).Returns(StaticStore.GetPlan(planType));
+
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
         sutProvider.GetDependency<IProjectRepository>().GetProjectCountByOrganizationIdAsync(organization.Id)
             .Returns(projects);

bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/UsersControllerTests.cs

@@ -1,9 +1,12 @@
 using System.Text.Json;
+using Bit.Core;
 using Bit.Core.Enums;
+using Bit.Core.Services;
 using Bit.Scim.IntegrationTest.Factories;
 using Bit.Scim.Models;
 using Bit.Scim.Utilities;
 using Bit.Test.Common.Helpers;
+using NSubstitute;
 using Xunit;
 
 namespace Bit.Scim.IntegrationTest.Controllers.v2;
@@ -276,9 +279,18 @@ public class UsersControllerTests : IClassFixture<ScimApplicationFactory>, IAsyn
         AssertHelper.AssertPropertyEqual(expectedResponse, responseModel);
     }
 
-    [Fact]
+    [Theory]
-    public async Task Post_Success()
+    [InlineData(true)]
+    [InlineData(false)]
+    public async Task Post_Success(bool isScimInviteUserOptimizationEnabled)
     {
+        var localFactory = new ScimApplicationFactory();
+        localFactory.SubstituteService((IFeatureService featureService)
+            => featureService.IsEnabled(FeatureFlagKeys.ScimInviteUserOptimization)
+                .Returns(isScimInviteUserOptimizationEnabled));
+
+        localFactory.ReinitializeDbForTests(localFactory.GetDatabaseContext());
+
         var email = "user5@example.com";
         var displayName = "Test User 5";
         var externalId = "UE";
@@ -306,7 +318,7 @@ public class UsersControllerTests : IClassFixture<ScimApplicationFactory>, IAsyn
             Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
         };
 
-        var context = await _factory.UsersPostAsync(ScimApplicationFactory.TestOrganizationId1, inputModel);
+        var context = await localFactory.UsersPostAsync(ScimApplicationFactory.TestOrganizationId1, inputModel);
 
         Assert.Equal(StatusCodes.Status201Created, context.Response.StatusCode);
 
@@ -316,7 +328,7 @@ public class UsersControllerTests : IClassFixture<ScimApplicationFactory>, IAsyn
         var responseModel = JsonSerializer.Deserialize<ScimUserResponseModel>(context.Response.Body, new JsonSerializerOptions { PropertyNamingPolicy = JsonNamingPolicy.CamelCase });
         AssertHelper.AssertPropertyEqual(expectedResponse, responseModel, "Id");
 
-        var databaseContext = _factory.GetDatabaseContext();
+        var databaseContext = localFactory.GetDatabaseContext();
         Assert.Equal(_initialUserCount + 1, databaseContext.OrganizationUsers.Count());
     }
 

bitwarden_license/test/Scim.Test/Users/PostUserCommandTests.cs

@@ -27,7 +27,7 @@ public class PostUserCommandTests
             ExternalId = externalId,
             Emails = emails,
             Active = true,
-            Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
+            Schemas = [ScimConstants.Scim2SchemaUser]
         };
 
         sutProvider.GetDependency<IOrganizationUserRepository>()
@@ -39,13 +39,16 @@ public class PostUserCommandTests
         sutProvider.GetDependency<IPaymentService>().HasSecretsManagerStandalone(organization).Returns(true);
 
         sutProvider.GetDependency<IOrganizationService>()
-            .InviteUserAsync(organizationId, invitingUserId: null, EventSystemUser.SCIM,
+            .InviteUserAsync(organizationId,
+                invitingUserId: null,
+                EventSystemUser.SCIM,
                 Arg.Is<OrganizationUserInvite>(i =>
                     i.Emails.Single().Equals(scimUserRequestModel.PrimaryEmail.ToLowerInvariant()) &&
                     i.Type == OrganizationUserType.User &&
                     !i.Collections.Any() &&
                     !i.Groups.Any() &&
-                    i.AccessSecretsManager), externalId)
+                    i.AccessSecretsManager),
+                externalId)
             .Returns(newUser);
 
         var user = await sutProvider.Sut.PostUserAsync(organizationId, scimUserRequestModel);

src/Admin/Admin.csproj

@@ -14,9 +14,6 @@
     <ProjectReference Include="..\Core\Core.csproj" />
     <ProjectReference Include="..\..\util\SqliteMigrations\SqliteMigrations.csproj" />
   </ItemGroup>
-  <ItemGroup>
-    <Folder Include="Billing\Controllers\" />
-  </ItemGroup>
 
   <Choose>
     <When Condition="!$(DefineConstants.Contains('OSS'))">

src/Admin/AdminConsole/Controllers/ProvidersController.cs

@@ -3,11 +3,13 @@ using System.Net;
 using Bit.Admin.AdminConsole.Models;
 using Bit.Admin.Enums;
 using Bit.Admin.Utilities;
+using Bit.Core;
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Providers.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
+using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Entities;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Extensions;
@@ -23,6 +25,7 @@ using Bit.Core.Settings;
 using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using Stripe;
 
 namespace Bit.Admin.AdminConsole.Controllers;
 
@@ -44,6 +47,7 @@ public class ProvidersController : Controller
     private readonly IProviderPlanRepository _providerPlanRepository;
     private readonly IProviderBillingService _providerBillingService;
     private readonly IPricingClient _pricingClient;
+    private readonly IStripeAdapter _stripeAdapter;
     private readonly string _stripeUrl;
     private readonly string _braintreeMerchantUrl;
     private readonly string _braintreeMerchantId;
@@ -63,7 +67,8 @@ public class ProvidersController : Controller
         IProviderPlanRepository providerPlanRepository,
         IProviderBillingService providerBillingService,
         IWebHostEnvironment webHostEnvironment,
-        IPricingClient pricingClient)
+        IPricingClient pricingClient,
+        IStripeAdapter stripeAdapter)
     {
         _organizationRepository = organizationRepository;
         _organizationService = organizationService;
@@ -79,6 +84,7 @@ public class ProvidersController : Controller
         _providerPlanRepository = providerPlanRepository;
         _providerBillingService = providerBillingService;
         _pricingClient = pricingClient;
+        _stripeAdapter = stripeAdapter;
         _stripeUrl = webHostEnvironment.GetStripeUrl();
         _braintreeMerchantUrl = webHostEnvironment.GetBraintreeMerchantUrl();
         _braintreeMerchantId = globalSettings.Braintree.MerchantId;
@@ -133,10 +139,10 @@ public class ProvidersController : Controller
         return View(new CreateResellerProviderModel());
     }
 
-    [HttpGet("providers/create/multi-organization-enterprise")]
+    [HttpGet("providers/create/business-unit")]
-    public IActionResult CreateMultiOrganizationEnterprise(int enterpriseMinimumSeats, string ownerEmail = null)
+    public IActionResult CreateBusinessUnit(int enterpriseMinimumSeats, string ownerEmail = null)
     {
-        return View(new CreateMultiOrganizationEnterpriseProviderModel
+        return View(new CreateBusinessUnitProviderModel
         {
             OwnerEmail = ownerEmail,
             EnterpriseSeatMinimum = enterpriseMinimumSeats
@@ -157,7 +163,7 @@ public class ProvidersController : Controller
         {
             ProviderType.Msp => RedirectToAction("CreateMsp"),
             ProviderType.Reseller => RedirectToAction("CreateReseller"),
-            ProviderType.MultiOrganizationEnterprise => RedirectToAction("CreateMultiOrganizationEnterprise"),
+            ProviderType.BusinessUnit => RedirectToAction("CreateBusinessUnit"),
             _ => View(model)
         };
     }
@@ -198,10 +204,10 @@ public class ProvidersController : Controller
         return RedirectToAction("Edit", new { id = provider.Id });
     }
 
-    [HttpPost("providers/create/multi-organization-enterprise")]
+    [HttpPost("providers/create/business-unit")]
     [ValidateAntiForgeryToken]
     [RequirePermission(Permission.Provider_Create)]
-    public async Task<IActionResult> CreateMultiOrganizationEnterprise(CreateMultiOrganizationEnterpriseProviderModel model)
+    public async Task<IActionResult> CreateBusinessUnit(CreateBusinessUnitProviderModel model)
     {
         if (!ModelState.IsValid)
         {
@@ -209,7 +215,7 @@ public class ProvidersController : Controller
         }
         var provider = model.ToProvider();
 
-        await _createProviderCommand.CreateMultiOrganizationEnterpriseAsync(
+        await _createProviderCommand.CreateBusinessUnitAsync(
             provider,
             model.OwnerEmail,
             model.Plan.Value,
@@ -306,8 +312,25 @@ public class ProvidersController : Controller
                         (Plan: PlanType.EnterpriseMonthly, SeatsMinimum: model.EnterpriseMonthlySeatMinimum)
                     ]);
                 await _providerBillingService.UpdateSeatMinimums(updateMspSeatMinimumsCommand);
+
+                if (_featureService.IsEnabled(FeatureFlagKeys.PM199566_UpdateMSPToChargeAutomatically))
+                {
+                    var customer = await _stripeAdapter.CustomerGetAsync(provider.GatewayCustomerId);
+
+                    if (model.PayByInvoice != customer.ApprovedToPayByInvoice())
+                    {
+                        var approvedToPayByInvoice = model.PayByInvoice ? "1" : "0";
+                        await _stripeAdapter.CustomerUpdateAsync(customer.Id, new CustomerUpdateOptions
+                        {
+                            Metadata = new Dictionary<string, string>
+                            {
+                                [StripeConstants.MetadataKeys.InvoiceApproved] = approvedToPayByInvoice
+                            }
+                        });
+                    }
+                }
                 break;
-            case ProviderType.MultiOrganizationEnterprise:
+            case ProviderType.BusinessUnit:
                 {
                     var existingMoePlan = providerPlans.Single();
 
@@ -345,14 +368,18 @@ public class ProvidersController : Controller
 
         if (!provider.IsBillable())
         {
-            return new ProviderEditModel(provider, users, providerOrganizations, new List<ProviderPlan>());
+            return new ProviderEditModel(provider, users, providerOrganizations, new List<ProviderPlan>(), false);
         }
 
         var providerPlans = await _providerPlanRepository.GetByProviderId(id);
 
+        var payByInvoice =
+            _featureService.IsEnabled(FeatureFlagKeys.PM199566_UpdateMSPToChargeAutomatically) &&
+            (await _stripeAdapter.CustomerGetAsync(provider.GatewayCustomerId)).ApprovedToPayByInvoice();
+
         return new ProviderEditModel(
             provider, users, providerOrganizations,
-            providerPlans.ToList(), GetGatewayCustomerUrl(provider), GetGatewaySubscriptionUrl(provider));
+            providerPlans.ToList(), payByInvoice, GetGatewayCustomerUrl(provider), GetGatewaySubscriptionUrl(provider));
     }
 
     [RequirePermission(Permission.Provider_ResendEmailInvite)]

src/Admin/AdminConsole/Models/CreateBusinessUnitProviderModel.cs

@@ -6,7 +6,7 @@ using Bit.SharedWeb.Utilities;
 
 namespace Bit.Admin.AdminConsole.Models;
 
-public class CreateMultiOrganizationEnterpriseProviderModel : IValidatableObject
+public class CreateBusinessUnitProviderModel : IValidatableObject
 {
     [Display(Name = "Owner Email")]
     public string OwnerEmail { get; set; }
@@ -22,7 +22,7 @@ public class CreateMultiOrganizationEnterpriseProviderModel : IValidatableObject
     {
         return new Provider
         {
-            Type = ProviderType.MultiOrganizationEnterprise
+            Type = ProviderType.BusinessUnit
         };
     }
 
@@ -30,17 +30,17 @@ public class CreateMultiOrganizationEnterpriseProviderModel : IValidatableObject
     {
         if (string.IsNullOrWhiteSpace(OwnerEmail))
         {
-            var ownerEmailDisplayName = nameof(OwnerEmail).GetDisplayAttribute<CreateMultiOrganizationEnterpriseProviderModel>()?.GetName() ?? nameof(OwnerEmail);
+            var ownerEmailDisplayName = nameof(OwnerEmail).GetDisplayAttribute<CreateBusinessUnitProviderModel>()?.GetName() ?? nameof(OwnerEmail);
             yield return new ValidationResult($"The {ownerEmailDisplayName} field is required.");
         }
         if (EnterpriseSeatMinimum < 0)
         {
-            var enterpriseSeatMinimumDisplayName = nameof(EnterpriseSeatMinimum).GetDisplayAttribute<CreateMultiOrganizationEnterpriseProviderModel>()?.GetName() ?? nameof(EnterpriseSeatMinimum);
+            var enterpriseSeatMinimumDisplayName = nameof(EnterpriseSeatMinimum).GetDisplayAttribute<CreateBusinessUnitProviderModel>()?.GetName() ?? nameof(EnterpriseSeatMinimum);
             yield return new ValidationResult($"The {enterpriseSeatMinimumDisplayName} field can not be negative.");
         }
         if (Plan != PlanType.EnterpriseAnnually && Plan != PlanType.EnterpriseMonthly)
         {
-            var planDisplayName = nameof(Plan).GetDisplayAttribute<CreateMultiOrganizationEnterpriseProviderModel>()?.GetName() ?? nameof(Plan);
+            var planDisplayName = nameof(Plan).GetDisplayAttribute<CreateBusinessUnitProviderModel>()?.GetName() ?? nameof(Plan);
             yield return new ValidationResult($"The {planDisplayName} field must be set to Enterprise Annually or Enterprise Monthly.");
         }
     }

src/Admin/AdminConsole/Models/OrganizationEditModel.cs

@@ -86,6 +86,7 @@ public class OrganizationEditModel : OrganizationViewModel
         UseApi = org.UseApi;
         UseSecretsManager = org.UseSecretsManager;
         UseRiskInsights = org.UseRiskInsights;
+        UseAdminSponsoredFamilies = org.UseAdminSponsoredFamilies;
         UseResetPassword = org.UseResetPassword;
         SelfHost = org.SelfHost;
         UsersGetPremium = org.UsersGetPremium;
@@ -154,6 +155,8 @@ public class OrganizationEditModel : OrganizationViewModel
     public new bool UseSecretsManager { get; set; }
     [Display(Name = "Risk Insights")]
     public new bool UseRiskInsights { get; set; }
+    [Display(Name = "Admin Sponsored Families")]
+    public bool UseAdminSponsoredFamilies { get; set; }
     [Display(Name = "Self Host")]
     public bool SelfHost { get; set; }
     [Display(Name = "Users Get Premium")]
@@ -295,6 +298,7 @@ public class OrganizationEditModel : OrganizationViewModel
         existingOrganization.UseApi = UseApi;
         existingOrganization.UseSecretsManager = UseSecretsManager;
         existingOrganization.UseRiskInsights = UseRiskInsights;
+        existingOrganization.UseAdminSponsoredFamilies = UseAdminSponsoredFamilies;
         existingOrganization.UseResetPassword = UseResetPassword;
         existingOrganization.SelfHost = SelfHost;
         existingOrganization.UsersGetPremium = UsersGetPremium;

src/Admin/AdminConsole/Models/ProviderEditModel.cs

@@ -18,6 +18,7 @@ public class ProviderEditModel : ProviderViewModel, IValidatableObject
         IEnumerable<ProviderUserUserDetails> providerUsers,
         IEnumerable<ProviderOrganizationOrganizationDetails> organizations,
         IReadOnlyCollection<ProviderPlan> providerPlans,
+        bool payByInvoice,
         string gatewayCustomerUrl = null,
         string gatewaySubscriptionUrl = null) : base(provider, providerUsers, organizations, providerPlans)
     {
@@ -33,8 +34,9 @@ public class ProviderEditModel : ProviderViewModel, IValidatableObject
         GatewayCustomerUrl = gatewayCustomerUrl;
         GatewaySubscriptionUrl = gatewaySubscriptionUrl;
         Type = provider.Type;
+        PayByInvoice = payByInvoice;
 
-        if (Type == ProviderType.MultiOrganizationEnterprise)
+        if (Type == ProviderType.BusinessUnit)
         {
             var plan = providerPlans.SingleOrDefault();
             EnterpriseMinimumSeats = plan?.SeatMinimum ?? 0;
@@ -62,6 +64,8 @@ public class ProviderEditModel : ProviderViewModel, IValidatableObject
     public string GatewaySubscriptionId { get; set; }
     public string GatewayCustomerUrl { get; }
     public string GatewaySubscriptionUrl { get; }
+    [Display(Name = "Pay By Invoice")]
+    public bool PayByInvoice { get; set; }
     [Display(Name = "Provider Type")]
     public ProviderType Type { get; set; }
 
@@ -100,7 +104,7 @@ public class ProviderEditModel : ProviderViewModel, IValidatableObject
                     yield return new ValidationResult($"The {billingEmailDisplayName} field is required.");
                 }
                 break;
-            case ProviderType.MultiOrganizationEnterprise:
+            case ProviderType.BusinessUnit:
                 if (Plan == null)
                 {
                     var displayName = nameof(Plan).GetDisplayAttribute<CreateProviderModel>()?.GetName() ?? nameof(Plan);

src/Admin/AdminConsole/Models/ProviderViewModel.cs

@@ -40,7 +40,7 @@ public class ProviderViewModel
                 ProviderPlanViewModels.Add(new ProviderPlanViewModel("Enterprise (Monthly) Subscription", enterpriseProviderPlan, usedEnterpriseSeats));
             }
         }
-        else if (Provider.Type == ProviderType.MultiOrganizationEnterprise)
+        else if (Provider.Type == ProviderType.BusinessUnit)
         {
             var usedEnterpriseSeats = ProviderOrganizations.Where(po => po.PlanType == PlanType.EnterpriseMonthly)
                 .Sum(po => po.OccupiedSeats).GetValueOrDefault(0);

src/Admin/AdminConsole/Views/Organizations/Edit.cshtml

@@ -1,8 +1,13 @@
 @using Bit.Admin.Enums;
 @using Bit.Admin.Models
+@using Bit.Core
+@using Bit.Core.AdminConsole.Enums.Provider
 @using Bit.Core.Billing.Enums
-@using Bit.Core.Enums
+@using Bit.Core.Billing.Extensions
+@using Bit.Core.Services
+@using Microsoft.AspNetCore.Mvc.TagHelpers
 @inject Bit.Admin.Services.IAccessControlService AccessControlService
+@inject IFeatureService FeatureService
 @model OrganizationEditModel
 @{
     ViewData["Title"] = (Model.Provider != null ? "Client " : string.Empty) + "Organization: " + Model.Name;
@@ -13,6 +18,13 @@
     var canRequestDelete = AccessControlService.UserHasPermission(Permission.Org_RequestDelete);
     var canDelete = AccessControlService.UserHasPermission(Permission.Org_Delete);
     var canUnlinkFromProvider = AccessControlService.UserHasPermission(Permission.Provider_Edit);
+
+    var canConvertToBusinessUnit =
+        FeatureService.IsEnabled(FeatureFlagKeys.PM18770_EnableOrganizationBusinessUnitConversion) &&
+        AccessControlService.UserHasPermission(Permission.Org_Billing_ConvertToBusinessUnit) &&
+        Model.Organization.PlanType.GetProductTier() == ProductTierType.Enterprise &&
+        !string.IsNullOrEmpty(Model.Organization.GatewaySubscriptionId) &&
+        Model.Provider is null or { Type: ProviderType.BusinessUnit, Status: ProviderStatusType.Pending };
 }
 
 @section Scripts {
@@ -114,6 +126,15 @@
                 Enterprise Trial
             </button>
         }
+        @if (canConvertToBusinessUnit)
+        {
+            <a asp-controller="BusinessUnitConversion"
+               asp-action="Index"
+               asp-route-organizationId="@Model.Organization.Id"
+               class="btn btn-secondary me-2">
+                Convert to Business Unit
+            </a>
+        }
         @if (canUnlinkFromProvider && Model.Provider is not null)
         {
             <button class="btn btn-outline-danger me-2"

src/Admin/AdminConsole/Views/Providers/CreateBusinessUnit.cshtml

@@ -1,15 +1,15 @@
 @using Bit.Core.Billing.Enums
 @using Microsoft.AspNetCore.Mvc.TagHelpers
 
-@model CreateMultiOrganizationEnterpriseProviderModel
+@model CreateBusinessUnitProviderModel
 
 @{
-    ViewData["Title"] = "Create Multi-organization Enterprise Provider";
+    ViewData["Title"] = "Create Business Unit Provider";
 }
 
-<h1 class="mb-4">Create Multi-organization Enterprise Provider</h1>
+<h1 class="mb-4">Create Business Unit Provider</h1>
 <div>
-    <form method="post" asp-action="CreateMultiOrganizationEnterprise">
+    <form method="post" asp-action="CreateBusinessUnit">
         <div asp-validation-summary="All" class="alert alert-danger"></div>
         <div class="mb-3">
             <label asp-for="OwnerEmail" class="form-label"></label>
@@ -19,14 +19,14 @@
             <div class="col-sm">
                 <div class="mb-3">
                     @{
-                        var multiOrgPlans = new List<PlanType>
+                        var businessUnitPlanTypes = new List<PlanType>
                         {
                             PlanType.EnterpriseAnnually,
                             PlanType.EnterpriseMonthly
                         };
                     }
                     <label asp-for="Plan" class="form-label"></label>
-                    <select class="form-select" asp-for="Plan" asp-items="Html.GetEnumSelectList(multiOrgPlans)">
+                    <select class="form-select" asp-for="Plan" asp-items="Html.GetEnumSelectList(businessUnitPlanTypes)">
                         <option value="">--</option>
                     </select>
                 </div>

src/Admin/AdminConsole/Views/Providers/Edit.cshtml

@@ -74,20 +74,20 @@
                 </div>
                 break;
             }
-            case ProviderType.MultiOrganizationEnterprise:
+            case ProviderType.BusinessUnit:
             {
                 <div class="row">
                     <div class="col-sm">
                         <div class="mb-3">
                             @{
-                                var multiOrgPlans = new List<PlanType>
+                                var businessUnitPlanTypes = new List<PlanType>
                                 {
                                     PlanType.EnterpriseAnnually,
                                     PlanType.EnterpriseMonthly
                                 };
                             }
                             <label asp-for="Plan" class="form-label"></label>
-                            <select class="form-control" asp-for="Plan" asp-items="Html.GetEnumSelectList(multiOrgPlans)">
+                            <select class="form-control" asp-for="Plan" asp-items="Html.GetEnumSelectList(businessUnitPlanTypes)">
                                 <option value="">--</option>
                             </select>
                         </div>
@@ -136,6 +136,17 @@
                 </div>
             </div>
         </div>
+        @if (FeatureService.IsEnabled(FeatureFlagKeys.PM199566_UpdateMSPToChargeAutomatically) && Model.Provider.Type == ProviderType.Msp && Model.Provider.IsBillable())
+        {
+            <div class="row">
+                <div class="col-sm">
+                    <div class="form-check mb-3">
+                        <input type="checkbox" class="form-check-input" asp-for="PayByInvoice">
+                        <label class="form-check-label" asp-for="PayByInvoice"></label>
+                    </div>
+                </div>
+            </div>
+        }
     }
 </form>
 @await Html.PartialAsync("Organizations", Model)

src/Admin/Billing/Controllers/BusinessUnitConversionController.cs

@@ -0,0 +1,185 @@
+#nullable enable
+using Bit.Admin.Billing.Models;
+using Bit.Admin.Enums;
+using Bit.Admin.Utilities;
+using Bit.Core;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Entities.Provider;
+using Bit.Core.AdminConsole.Enums.Provider;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Billing.Services;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Core.Utilities;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Bit.Admin.Billing.Controllers;
+
+[Authorize]
+[Route("organizations/billing/{organizationId:guid}/business-unit")]
+[RequireFeature(FeatureFlagKeys.PM18770_EnableOrganizationBusinessUnitConversion)]
+public class BusinessUnitConversionController(
+    IBusinessUnitConverter businessUnitConverter,
+    IOrganizationRepository organizationRepository,
+    IProviderRepository providerRepository,
+    IProviderUserRepository providerUserRepository) : Controller
+{
+    [HttpGet]
+    [RequirePermission(Permission.Org_Billing_ConvertToBusinessUnit)]
+    [SelfHosted(NotSelfHostedOnly = true)]
+    public async Task<IActionResult> IndexAsync([FromRoute] Guid organizationId)
+    {
+        var organization = await organizationRepository.GetByIdAsync(organizationId);
+
+        if (organization == null)
+        {
+            throw new NotFoundException();
+        }
+
+        var model = new BusinessUnitConversionModel { Organization = organization };
+
+        var invitedProviderAdmin = await GetInvitedProviderAdminAsync(organization);
+
+        if (invitedProviderAdmin != null)
+        {
+            model.ProviderAdminEmail = invitedProviderAdmin.Email;
+            model.ProviderId = invitedProviderAdmin.ProviderId;
+        }
+
+        var success = ReadSuccessMessage();
+
+        if (!string.IsNullOrEmpty(success))
+        {
+            model.Success = success;
+        }
+
+        var errors = ReadErrorMessages();
+
+        if (errors is { Count: > 0 })
+        {
+            model.Errors = errors;
+        }
+
+        return View(model);
+    }
+
+    [HttpPost]
+    [RequirePermission(Permission.Org_Billing_ConvertToBusinessUnit)]
+    [SelfHosted(NotSelfHostedOnly = true)]
+    public async Task<IActionResult> InitiateAsync(
+        [FromRoute] Guid organizationId,
+        BusinessUnitConversionModel model)
+    {
+        var organization = await organizationRepository.GetByIdAsync(organizationId);
+
+        if (organization == null)
+        {
+            throw new NotFoundException();
+        }
+
+        var result = await businessUnitConverter.InitiateConversion(
+            organization,
+            model.ProviderAdminEmail!);
+
+        return result.Match(
+            providerId => RedirectToAction("Edit", "Providers", new { id = providerId }),
+            errors =>
+            {
+                PersistErrorMessages(errors);
+                return RedirectToAction("Index", new { organizationId });
+            });
+    }
+
+    [HttpPost("reset")]
+    [RequirePermission(Permission.Org_Billing_ConvertToBusinessUnit)]
+    [SelfHosted(NotSelfHostedOnly = true)]
+    public async Task<IActionResult> ResetAsync(
+        [FromRoute] Guid organizationId,
+        BusinessUnitConversionModel model)
+    {
+        var organization = await organizationRepository.GetByIdAsync(organizationId);
+
+        if (organization == null)
+        {
+            throw new NotFoundException();
+        }
+
+        await businessUnitConverter.ResetConversion(organization, model.ProviderAdminEmail!);
+
+        PersistSuccessMessage("Business unit conversion was successfully reset.");
+
+        return RedirectToAction("Index", new { organizationId });
+    }
+
+    [HttpPost("resend-invite")]
+    [RequirePermission(Permission.Org_Billing_ConvertToBusinessUnit)]
+    [SelfHosted(NotSelfHostedOnly = true)]
+    public async Task<IActionResult> ResendInviteAsync(
+        [FromRoute] Guid organizationId,
+        BusinessUnitConversionModel model)
+    {
+        var organization = await organizationRepository.GetByIdAsync(organizationId);
+
+        if (organization == null)
+        {
+            throw new NotFoundException();
+        }
+
+        await businessUnitConverter.ResendConversionInvite(organization, model.ProviderAdminEmail!);
+
+        PersistSuccessMessage($"Invite was successfully resent to {model.ProviderAdminEmail}.");
+
+        return RedirectToAction("Index", new { organizationId });
+    }
+
+    private async Task<ProviderUser?> GetInvitedProviderAdminAsync(
+        Organization organization)
+    {
+        var provider = await providerRepository.GetByOrganizationIdAsync(organization.Id);
+
+        if (provider is not
+            {
+                Type: ProviderType.BusinessUnit,
+                Status: ProviderStatusType.Pending
+            })
+        {
+            return null;
+        }
+
+        var providerUsers =
+            await providerUserRepository.GetManyByProviderAsync(provider.Id, ProviderUserType.ProviderAdmin);
+
+        if (providerUsers.Count != 1)
+        {
+            return null;
+        }
+
+        var providerUser = providerUsers.First();
+
+        return providerUser is
+        {
+            Type: ProviderUserType.ProviderAdmin,
+            Status: ProviderUserStatusType.Invited,
+            UserId: not null
+        } ? providerUser : null;
+    }
+
+    private const string _errors = "errors";
+    private const string _success = "Success";
+
+    private void PersistSuccessMessage(string message) => TempData[_success] = message;
+    private void PersistErrorMessages(List<string> errors)
+    {
+        var input = string.Join("|", errors);
+        TempData[_errors] = input;
+    }
+    private string? ReadSuccessMessage() => ReadTempData<string>(_success);
+    private List<string>? ReadErrorMessages()
+    {
+        var output = ReadTempData<string>(_errors);
+        return string.IsNullOrEmpty(output) ? null : output.Split('|').ToList();
+    }
+
+    private T? ReadTempData<T>(string key) => TempData.TryGetValue(key, out var obj) && obj is T value ? value : default;
+}

src/Admin/Billing/Models/BusinessUnitConversionModel.cs

@@ -0,0 +1,25 @@
+#nullable enable
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.AdminConsole.Entities;
+using Microsoft.AspNetCore.Mvc.ModelBinding;
+
+namespace Bit.Admin.Billing.Models;
+
+public class BusinessUnitConversionModel
+{
+    [Required]
+    [EmailAddress]
+    [Display(Name = "Provider Admin Email")]
+    public string? ProviderAdminEmail { get; set; }
+
+    [BindNever]
+    public required Organization Organization { get; set; }
+
+    [BindNever]
+    public Guid? ProviderId { get; set; }
+
+    [BindNever]
+    public string? Success { get; set; }
+
+    [BindNever] public List<string>? Errors { get; set; } = [];
+}

src/Admin/Billing/Views/BusinessUnitConversion/Index.cshtml

@@ -0,0 +1,75 @@
+@model Bit.Admin.Billing.Models.BusinessUnitConversionModel
+
+@{
+    ViewData["Title"] = "Convert Organization to Business Unit";
+}
+
+@if (!string.IsNullOrEmpty(Model.ProviderAdminEmail))
+{
+    <h1>Convert @Model.Organization.Name to Business Unit</h1>
+    @if (!string.IsNullOrEmpty(Model.Success))
+    {
+        <div class="alert alert-success alert-dismissible fade show mb-3" role="alert">
+            @Model.Success
+            <button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
+        </div>
+    }
+    @if (Model.Errors?.Any() ?? false)
+    {
+        @foreach (var error in Model.Errors)
+        {
+            <div class="alert alert-danger alert-dismissible fade show mb-3" role="alert">
+                @error
+                <button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
+            </div>
+        }
+    }
+    <p>This organization has a business unit conversion in progress.</p>
+
+    <div class="mb-3">
+        <label asp-for="ProviderAdminEmail" class="form-label"></label>
+        <input type="email" class="form-control" asp-for="ProviderAdminEmail" disabled></input>
+    </div>
+
+    <div class="d-flex gap-2">
+        <form method="post" asp-controller="BusinessUnitConversion" asp-action="ResendInvite" asp-route-organizationId="@Model.Organization.Id">
+            <input type="hidden" asp-for="ProviderAdminEmail" />
+            <button type="submit" class="btn btn-primary mb-2">Resend Invite</button>
+        </form>
+        <form method="post" asp-controller="BusinessUnitConversion" asp-action="Reset" asp-route-organizationId="@Model.Organization.Id">
+            <input type="hidden" asp-for="ProviderAdminEmail" />
+            <button type="submit" class="btn btn-danger mb-2">Reset Conversion</button>
+        </form>
+        @if (Model.ProviderId.HasValue)
+        {
+            <a asp-controller="Providers"
+               asp-action="Edit"
+               asp-route-id="@Model.ProviderId"
+               class="btn btn-secondary mb-2">
+                Go to Provider
+            </a>
+        }
+    </div>
+}
+else
+{
+    <h1>Convert @Model.Organization.Name to Business Unit</h1>
+    @if (Model.Errors?.Any() ?? false)
+    {
+        @foreach (var error in Model.Errors)
+        {
+            <div class="alert alert-danger alert-dismissible fade show mb-3" role="alert">
+                @error
+                <button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
+            </div>
+        }
+    }
+    <form method="post" asp-controller="BusinessUnitConversion" asp-action="Initiate" asp-route-organizationId="@Model.Organization.Id">
+        <div asp-validation-summary="All" class="alert alert-danger"></div>
+        <div class="mb-3">
+            <label asp-for="ProviderAdminEmail" class="form-label"></label>
+            <input type="email" class="form-control" asp-for="ProviderAdminEmail" />
+        </div>
+        <button type="submit" class="btn btn-primary mb-2">Convert</button>
+    </form>
+}

src/Admin/Controllers/UsersController.cs

@@ -184,7 +184,7 @@ public class UsersController : Controller
     private async Task<bool?> AccountDeprovisioningEnabled(Guid userId)
     {
         return _featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
-            ? await _userService.IsManagedByAnyOrganizationAsync(userId)
+            ? await _userService.IsClaimedByAnyOrganizationAsync(userId)
             : null;
     }
 }

src/Admin/Enums/Permissions.cs

@@ -38,6 +38,7 @@ public enum Permission
     Org_Billing_View,
     Org_Billing_Edit,
     Org_Billing_LaunchGateway,
+    Org_Billing_ConvertToBusinessUnit,
 
     Provider_List_View,
     Provider_Create,

src/Admin/Utilities/RolePermissionMapping.cs

@@ -42,6 +42,7 @@ public static class RolePermissionMapping
                 Permission.Org_Billing_View,
                 Permission.Org_Billing_Edit,
                 Permission.Org_Billing_LaunchGateway,
+                Permission.Org_Billing_ConvertToBusinessUnit,
                 Permission.Provider_List_View,
                 Permission.Provider_Create,
                 Permission.Provider_View,
@@ -90,6 +91,7 @@ public static class RolePermissionMapping
                 Permission.Org_Billing_View,
                 Permission.Org_Billing_Edit,
                 Permission.Org_Billing_LaunchGateway,
+                Permission.Org_Billing_ConvertToBusinessUnit,
                 Permission.Org_InitiateTrial,
                 Permission.Provider_List_View,
                 Permission.Provider_Create,
@@ -166,6 +168,7 @@ public static class RolePermissionMapping
                 Permission.Org_Billing_View,
                 Permission.Org_Billing_Edit,
                 Permission.Org_Billing_LaunchGateway,
+                Permission.Org_Billing_ConvertToBusinessUnit,
                 Permission.Org_RequestDelete,
                 Permission.Provider_Edit,
                 Permission.Provider_View,

src/Api/AdminConsole/Authorization/AuthorizeAttribute.cs

@@ -0,0 +1,21 @@
+#nullable enable
+
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Api.AdminConsole.Authorization;
+
+/// <summary>
+/// An attribute which requires authorization using the specified requirement.
+/// This uses the standard ASP.NET authorization middleware.
+/// </summary>
+/// <typeparam name="T">The IAuthorizationRequirement that will be used to authorize the user.</typeparam>
+public class AuthorizeAttribute<T>
+    : AuthorizeAttribute, IAuthorizationRequirementData
+    where T : IAuthorizationRequirement, new()
+{
+    public IEnumerable<IAuthorizationRequirement> GetRequirements()
+    {
+        var requirement = new T();
+        return [requirement];
+    }
+}

src/Api/AdminConsole/Authorization/HttpContextExtensions.cs

@@ -0,0 +1,79 @@
+#nullable enable
+
+using Bit.Core.AdminConsole.Enums.Provider;
+using Bit.Core.AdminConsole.Models.Data.Provider;
+using Bit.Core.AdminConsole.Repositories;
+
+namespace Bit.Api.AdminConsole.Authorization;
+
+public static class HttpContextExtensions
+{
+    public const string NoOrgIdError =
+        "A route decorated with with '[Authorize<Requirement>]' must include a route value named 'orgId' either through the [Controller] attribute or through a '[Http*]' attribute.";
+
+    /// <summary>
+    /// Returns the result of the callback, caching it in HttpContext.Features for the lifetime of the request.
+    /// Subsequent calls will retrieve the cached value.
+    /// Results are stored by type and therefore must be of a unique type.
+    /// </summary>
+    public static async Task<T> WithFeaturesCacheAsync<T>(this HttpContext httpContext, Func<Task<T>> callback)
+    {
+        var cachedResult = httpContext.Features.Get<T>();
+        if (cachedResult != null)
+        {
+            return cachedResult;
+        }
+
+        var result = await callback();
+        httpContext.Features.Set(result);
+
+        return result;
+    }
+
+    /// <summary>
+    /// Returns true if the user is a ProviderUser for a Provider which manages the specified organization, otherwise false.
+    /// </summary>
+    /// <remarks>
+    /// This data is fetched from the database and cached as a HttpContext Feature for the lifetime of the request.
+    /// </remarks>
+    public static async Task<bool> IsProviderUserForOrgAsync(
+        this HttpContext httpContext,
+        IProviderUserRepository providerUserRepository,
+        Guid userId,
+        Guid organizationId)
+    {
+        var organizations = await httpContext.GetProviderUserOrganizationsAsync(providerUserRepository, userId);
+        return organizations.Any(o => o.OrganizationId == organizationId);
+    }
+
+    /// <summary>
+    /// Returns the ProviderUserOrganizations for a user. These are the organizations the ProviderUser manages via their Provider, if any.
+    /// </summary>
+    /// <remarks>
+    /// This data is fetched from the database and cached as a HttpContext Feature for the lifetime of the request.
+    /// </remarks>
+    private static async Task<IEnumerable<ProviderUserOrganizationDetails>> GetProviderUserOrganizationsAsync(
+        this HttpContext httpContext,
+        IProviderUserRepository providerUserRepository,
+        Guid userId)
+        => await httpContext.WithFeaturesCacheAsync(() =>
+            providerUserRepository.GetManyOrganizationDetailsByUserAsync(userId, ProviderUserStatusType.Confirmed));
+
+
+    /// <summary>
+    /// Parses the {orgId} route parameter into a Guid, or throws if the {orgId} is not present or not a valid guid.
+    /// </summary>
+    /// <param name="httpContext"></param>
+    /// <returns></returns>
+    /// <exception cref="InvalidOperationException"></exception>
+    public static Guid GetOrganizationId(this HttpContext httpContext)
+    {
+        httpContext.GetRouteData().Values.TryGetValue("orgId", out var orgIdParam);
+        if (orgIdParam == null || !Guid.TryParse(orgIdParam.ToString(), out var orgId))
+        {
+            throw new InvalidOperationException(NoOrgIdError);
+        }
+
+        return orgId;
+    }
+}

src/Api/AdminConsole/Authorization/IOrganizationRequirement.cs

@@ -0,0 +1,31 @@
+#nullable enable
+
+using Bit.Core.Context;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Api.AdminConsole.Authorization;
+
+/// <summary>
+/// A requirement that implements this interface will be handled by <see cref="OrganizationRequirementHandler"/>,
+/// which calls AuthorizeAsync with the organization details from the route.
+/// This is used for simple role-based checks.
+/// This may only be used on endpoints with {orgId} in their path.
+/// </summary>
+public interface IOrganizationRequirement : IAuthorizationRequirement
+{
+    /// <summary>
+    /// Whether to authorize a request that has this requirement.
+    /// </summary>
+    /// <param name="organizationClaims">
+    /// The CurrentContextOrganization for the user if they are a member of the organization.
+    /// This is null if they are not a member.
+    /// </param>
+    /// <param name="isProviderUserForOrg">
+    /// A callback that returns true if the user is a ProviderUser that manages the organization, otherwise false.
+    /// This requires a database query, call it last.
+    /// </param>
+    /// <returns>True if the requirement has been satisfied, otherwise false.</returns>
+    public Task<bool> AuthorizeAsync(
+        CurrentContextOrganization? organizationClaims,
+        Func<Task<bool>> isProviderUserForOrg);
+}

src/Api/AdminConsole/Authorization/OrganizationClaimsExtensions.cs

@@ -0,0 +1,119 @@
+#nullable enable
+
+using System.Security.Claims;
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Identity;
+using Bit.Core.Models.Data;
+
+namespace Bit.Api.AdminConsole.Authorization;
+
+public static class OrganizationClaimsExtensions
+{
+    /// <summary>
+    /// Parses a user's claims and returns an object representing their claims for the specified organization.
+    /// </summary>
+    /// <param name="user">The user who has the claims.</param>
+    /// <param name="organizationId">The organizationId to look for in the claims.</param>
+    /// <returns>
+    /// A <see cref="CurrentContextOrganization"/> representing the user's claims for that organization, or null
+    /// if the user does not have any claims for that organization.
+    /// </returns>
+    public static CurrentContextOrganization? GetCurrentContextOrganization(this ClaimsPrincipal user, Guid organizationId)
+    {
+        var hasClaim = GetClaimsParser(user, organizationId);
+
+        var role = GetRoleFromClaims(hasClaim);
+        if (!role.HasValue)
+        {
+            // Not an organization member
+            return null;
+        }
+
+        return new CurrentContextOrganization
+        {
+            Id = organizationId,
+            Type = role.Value,
+            AccessSecretsManager = hasClaim(Claims.SecretsManagerAccess),
+            Permissions = role == OrganizationUserType.Custom
+                ? GetPermissionsFromClaims(hasClaim)
+                : new Permissions()
+        };
+    }
+
+    /// <summary>
+    /// Returns a function for evaluating claims for the specified user and organizationId.
+    /// The function returns true if the claim type exists and false otherwise.
+    /// </summary>
+    private static Func<string, bool> GetClaimsParser(ClaimsPrincipal user, Guid organizationId)
+    {
+        // Group claims by ClaimType
+        var claimsDict = user.Claims
+            .GroupBy(c => c.Type)
+            .ToDictionary(
+                c => c.Key,
+                c => c.ToList());
+
+        return claimType
+            => claimsDict.TryGetValue(claimType, out var claims) &&
+               claims
+                   .ParseGuids()
+                   .Any(v => v == organizationId);
+    }
+
+    /// <summary>
+    /// Parses the provided claims into proper Guids, or ignore them if they are not valid guids.
+    /// </summary>
+    private static IEnumerable<Guid> ParseGuids(this IEnumerable<Claim> claims)
+    {
+        foreach (var claim in claims)
+        {
+            if (Guid.TryParse(claim.Value, out var guid))
+            {
+                yield return guid;
+            }
+        }
+    }
+
+    private static OrganizationUserType? GetRoleFromClaims(Func<string, bool> hasClaim)
+    {
+        if (hasClaim(Claims.OrganizationOwner))
+        {
+            return OrganizationUserType.Owner;
+        }
+
+        if (hasClaim(Claims.OrganizationAdmin))
+        {
+            return OrganizationUserType.Admin;
+        }
+
+        if (hasClaim(Claims.OrganizationCustom))
+        {
+            return OrganizationUserType.Custom;
+        }
+
+        if (hasClaim(Claims.OrganizationUser))
+        {
+            return OrganizationUserType.User;
+        }
+
+        return null;
+    }
+
+    private static Permissions GetPermissionsFromClaims(Func<string, bool> hasClaim)
+    => new()
+    {
+        AccessEventLogs = hasClaim(Claims.CustomPermissions.AccessEventLogs),
+        AccessImportExport = hasClaim(Claims.CustomPermissions.AccessImportExport),
+        AccessReports = hasClaim(Claims.CustomPermissions.AccessReports),
+        CreateNewCollections = hasClaim(Claims.CustomPermissions.CreateNewCollections),
+        EditAnyCollection = hasClaim(Claims.CustomPermissions.EditAnyCollection),
+        DeleteAnyCollection = hasClaim(Claims.CustomPermissions.DeleteAnyCollection),
+        ManageGroups = hasClaim(Claims.CustomPermissions.ManageGroups),
+        ManagePolicies = hasClaim(Claims.CustomPermissions.ManagePolicies),
+        ManageSso = hasClaim(Claims.CustomPermissions.ManageSso),
+        ManageUsers = hasClaim(Claims.CustomPermissions.ManageUsers),
+        ManageResetPassword = hasClaim(Claims.CustomPermissions.ManageResetPassword),
+        ManageScim = hasClaim(Claims.CustomPermissions.ManageScim),
+    };
+}

src/Api/AdminConsole/Authorization/OrganizationRequirementHandler.cs

@@ -0,0 +1,49 @@
+#nullable enable
+
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Services;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Api.AdminConsole.Authorization;
+
+/// <summary>
+/// Handles any requirement that implements <see cref="IOrganizationRequirement"/>.
+/// Retrieves the Organization ID from the route and then passes it to the requirement's AuthorizeAsync callback to
+/// determine whether the action is authorized.
+/// </summary>
+public class OrganizationRequirementHandler(
+    IHttpContextAccessor httpContextAccessor,
+    IProviderUserRepository providerUserRepository,
+    IUserService userService)
+    : AuthorizationHandler<IOrganizationRequirement>
+{
+    public const string NoHttpContextError = "This method should only be called in the context of an HTTP Request.";
+    public const string NoUserIdError = "This method should only be called on the private api with a logged in user.";
+
+    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, IOrganizationRequirement requirement)
+    {
+        var httpContext = httpContextAccessor.HttpContext;
+        if (httpContext == null)
+        {
+            throw new InvalidOperationException(NoHttpContextError);
+        }
+
+        var organizationId = httpContext.GetOrganizationId();
+        var organizationClaims = httpContext.User.GetCurrentContextOrganization(organizationId);
+
+        var userId = userService.GetProperUserId(httpContext.User);
+        if (userId == null)
+        {
+            throw new InvalidOperationException(NoUserIdError);
+        }
+
+        Task<bool> IsProviderUserForOrg() => httpContext.IsProviderUserForOrgAsync(providerUserRepository, userId.Value, organizationId);
+
+        var authorized = await requirement.AuthorizeAsync(organizationClaims, IsProviderUserForOrg);
+
+        if (authorized)
+        {
+            context.Succeed(requirement);
+        }
+    }
+}

src/Api/AdminConsole/Authorization/Requirements/ManageUsersRequirement.cs

@@ -0,0 +1,20 @@
+#nullable enable
+
+using Bit.Core.Context;
+using Bit.Core.Enums;
+
+namespace Bit.Api.AdminConsole.Authorization.Requirements;
+
+public class ManageUsersRequirement : IOrganizationRequirement
+{
+    public async Task<bool> AuthorizeAsync(
+        CurrentContextOrganization? organizationClaims,
+        Func<Task<bool>> isProviderUserForOrg)
+        => organizationClaims switch
+        {
+            { Type: OrganizationUserType.Owner } => true,
+            { Type: OrganizationUserType.Admin } => true,
+            { Permissions.ManageUsers: true } => true,
+            _ => await isProviderUserForOrg()
+        };
+}

src/Api/AdminConsole/Authorization/Requirements/MemberOrProviderRequirement.cs

@@ -0,0 +1,16 @@
+#nullable enable
+
+using Bit.Core.Context;
+
+namespace Bit.Api.AdminConsole.Authorization.Requirements;
+
+/// <summary>
+/// Requires that the user is a member of the organization or a provider for the organization.
+/// </summary>
+public class MemberOrProviderRequirement : IOrganizationRequirement
+{
+    public async Task<bool> AuthorizeAsync(
+        CurrentContextOrganization? organizationClaims,
+        Func<Task<bool>> isProviderUserForOrg)
+        => organizationClaims is not null || await isProviderUserForOrg();
+}

src/Api/AdminConsole/Controllers/OrganizationUsersController.cs

@@ -56,8 +56,8 @@ public class OrganizationUsersController : Controller
     private readonly IOrganizationUserUserDetailsQuery _organizationUserUserDetailsQuery;
     private readonly ITwoFactorIsEnabledQuery _twoFactorIsEnabledQuery;
     private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
-    private readonly IDeleteManagedOrganizationUserAccountCommand _deleteManagedOrganizationUserAccountCommand;
+    private readonly IDeleteClaimedOrganizationUserAccountCommand _deleteClaimedOrganizationUserAccountCommand;
-    private readonly IGetOrganizationUsersManagementStatusQuery _getOrganizationUsersManagementStatusQuery;
+    private readonly IGetOrganizationUsersClaimedStatusQuery _getOrganizationUsersClaimedStatusQuery;
     private readonly IPolicyRequirementQuery _policyRequirementQuery;
     private readonly IFeatureService _featureService;
     private readonly IPricingClient _pricingClient;
@@ -83,8 +83,8 @@ public class OrganizationUsersController : Controller
         IOrganizationUserUserDetailsQuery organizationUserUserDetailsQuery,
         ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
         IRemoveOrganizationUserCommand removeOrganizationUserCommand,
-        IDeleteManagedOrganizationUserAccountCommand deleteManagedOrganizationUserAccountCommand,
+        IDeleteClaimedOrganizationUserAccountCommand deleteClaimedOrganizationUserAccountCommand,
-        IGetOrganizationUsersManagementStatusQuery getOrganizationUsersManagementStatusQuery,
+        IGetOrganizationUsersClaimedStatusQuery getOrganizationUsersClaimedStatusQuery,
         IPolicyRequirementQuery policyRequirementQuery,
         IFeatureService featureService,
         IPricingClient pricingClient,
@@ -109,8 +109,8 @@ public class OrganizationUsersController : Controller
         _organizationUserUserDetailsQuery = organizationUserUserDetailsQuery;
         _twoFactorIsEnabledQuery = twoFactorIsEnabledQuery;
         _removeOrganizationUserCommand = removeOrganizationUserCommand;
-        _deleteManagedOrganizationUserAccountCommand = deleteManagedOrganizationUserAccountCommand;
+        _deleteClaimedOrganizationUserAccountCommand = deleteClaimedOrganizationUserAccountCommand;
-        _getOrganizationUsersManagementStatusQuery = getOrganizationUsersManagementStatusQuery;
+        _getOrganizationUsersClaimedStatusQuery = getOrganizationUsersClaimedStatusQuery;
         _policyRequirementQuery = policyRequirementQuery;
         _featureService = featureService;
         _pricingClient = pricingClient;
@@ -127,11 +127,11 @@ public class OrganizationUsersController : Controller
             throw new NotFoundException();
         }
 
-        var managedByOrganization = await GetManagedByOrganizationStatusAsync(
+        var claimedByOrganizationStatus = await GetClaimedByOrganizationStatusAsync(
             organizationUser.OrganizationId,
             [organizationUser.Id]);
 
-        var response = new OrganizationUserDetailsResponseModel(organizationUser, managedByOrganization[organizationUser.Id], collections);
+        var response = new OrganizationUserDetailsResponseModel(organizationUser, claimedByOrganizationStatus[organizationUser.Id], collections);
 
         if (includeGroups)
         {
@@ -175,13 +175,13 @@ public class OrganizationUsersController : Controller
             }
         );
         var organizationUsersTwoFactorEnabled = await _twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(organizationUsers);
-        var organizationUsersManagementStatus = await GetManagedByOrganizationStatusAsync(orgId, organizationUsers.Select(o => o.Id));
+        var organizationUsersClaimedStatus = await GetClaimedByOrganizationStatusAsync(orgId, organizationUsers.Select(o => o.Id));
         var responses = organizationUsers
             .Select(o =>
             {
                 var userTwoFactorEnabled = organizationUsersTwoFactorEnabled.FirstOrDefault(u => u.user.Id == o.Id).twoFactorIsEnabled;
-                var managedByOrganization = organizationUsersManagementStatus[o.Id];
+                var claimedByOrganization = organizationUsersClaimedStatus[o.Id];
-                var orgUser = new OrganizationUserUserDetailsResponseModel(o, userTwoFactorEnabled, managedByOrganization);
+                var orgUser = new OrganizationUserUserDetailsResponseModel(o, userTwoFactorEnabled, claimedByOrganization);
 
                 return orgUser;
             });
@@ -313,7 +313,7 @@ public class OrganizationUsersController : Controller
             throw new UnauthorizedAccessException();
         }
 
-        await _organizationService.InitPendingOrganization(user.Id, orgId, organizationUserId, model.Keys.PublicKey, model.Keys.EncryptedPrivateKey, model.CollectionName);
+        await _organizationService.InitPendingOrganization(user, orgId, organizationUserId, model.Keys.PublicKey, model.Keys.EncryptedPrivateKey, model.CollectionName, model.Token);
         await _acceptOrgUserCommand.AcceptOrgUserByEmailTokenAsync(organizationUserId, user, model.Token, _userService);
         await _confirmOrganizationUserCommand.ConfirmUserAsync(orgId, organizationUserId, model.Key, user.Id);
     }
@@ -591,7 +591,7 @@ public class OrganizationUsersController : Controller
             throw new UnauthorizedAccessException();
         }
 
-        await _deleteManagedOrganizationUserAccountCommand.DeleteUserAsync(orgId, id, currentUser.Id);
+        await _deleteClaimedOrganizationUserAccountCommand.DeleteUserAsync(orgId, id, currentUser.Id);
     }
 
     [RequireFeature(FeatureFlagKeys.AccountDeprovisioning)]
@@ -610,7 +610,7 @@ public class OrganizationUsersController : Controller
             throw new UnauthorizedAccessException();
         }
 
-        var results = await _deleteManagedOrganizationUserAccountCommand.DeleteManyUsersAsync(orgId, model.Ids, currentUser.Id);
+        var results = await _deleteClaimedOrganizationUserAccountCommand.DeleteManyUsersAsync(orgId, model.Ids, currentUser.Id);
 
         return new ListResponseModel<OrganizationUserBulkResponseModel>(results.Select(r =>
             new OrganizationUserBulkResponseModel(r.OrganizationUserId, r.ErrorMessage)));
@@ -717,14 +717,14 @@ public class OrganizationUsersController : Controller
             new OrganizationUserBulkResponseModel(r.Item1.Id, r.Item2)));
     }
 
-    private async Task<IDictionary<Guid, bool>> GetManagedByOrganizationStatusAsync(Guid orgId, IEnumerable<Guid> userIds)
+    private async Task<IDictionary<Guid, bool>> GetClaimedByOrganizationStatusAsync(Guid orgId, IEnumerable<Guid> userIds)
     {
         if (!_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning))
         {
             return userIds.ToDictionary(kvp => kvp, kvp => false);
         }
 
-        var usersOrganizationManagementStatus = await _getOrganizationUsersManagementStatusQuery.GetUsersOrganizationManagementStatusAsync(orgId, userIds);
+        var usersOrganizationClaimedStatus = await _getOrganizationUsersClaimedStatusQuery.GetUsersOrganizationClaimedStatusAsync(orgId, userIds);
-        return usersOrganizationManagementStatus;
+        return usersOrganizationClaimedStatus;
     }
 }

src/Api/AdminConsole/Controllers/OrganizationsController.cs

@@ -65,6 +65,7 @@ public class OrganizationsController : Controller
     private readonly IOrganizationDeleteCommand _organizationDeleteCommand;
     private readonly IPolicyRequirementQuery _policyRequirementQuery;
     private readonly IPricingClient _pricingClient;
+    private readonly IOrganizationUpdateKeysCommand _organizationUpdateKeysCommand;
 
     public OrganizationsController(
         IOrganizationRepository organizationRepository,
@@ -88,7 +89,8 @@ public class OrganizationsController : Controller
         ICloudOrganizationSignUpCommand cloudOrganizationSignUpCommand,
         IOrganizationDeleteCommand organizationDeleteCommand,
         IPolicyRequirementQuery policyRequirementQuery,
-        IPricingClient pricingClient)
+        IPricingClient pricingClient,
+        IOrganizationUpdateKeysCommand organizationUpdateKeysCommand)
     {
         _organizationRepository = organizationRepository;
         _organizationUserRepository = organizationUserRepository;
@@ -112,6 +114,7 @@ public class OrganizationsController : Controller
         _organizationDeleteCommand = organizationDeleteCommand;
         _policyRequirementQuery = policyRequirementQuery;
         _pricingClient = pricingClient;
+        _organizationUpdateKeysCommand = organizationUpdateKeysCommand;
     }
 
     [HttpGet("{id}")]
@@ -140,10 +143,10 @@ public class OrganizationsController : Controller
         var organizations = await _organizationUserRepository.GetManyDetailsByUserAsync(userId,
             OrganizationUserStatusType.Confirmed);
 
-        var organizationManagingActiveUser = await _userService.GetOrganizationsManagingUserAsync(userId);
+        var organizationsClaimingActiveUser = await _userService.GetOrganizationsClaimingUserAsync(userId);
-        var organizationIdsManagingActiveUser = organizationManagingActiveUser.Select(o => o.Id);
+        var organizationIdsClaimingActiveUser = organizationsClaimingActiveUser.Select(o => o.Id);
 
-        var responses = organizations.Select(o => new ProfileOrganizationResponseModel(o, organizationIdsManagingActiveUser));
+        var responses = organizations.Select(o => new ProfileOrganizationResponseModel(o, organizationIdsClaimingActiveUser));
         return new ListResponseModel<ProfileOrganizationResponseModel>(responses);
     }
 
@@ -277,9 +280,9 @@ public class OrganizationsController : Controller
         }
 
         if (_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
-            && (await _userService.GetOrganizationsManagingUserAsync(user.Id)).Any(x => x.Id == id))
+            && (await _userService.GetOrganizationsClaimingUserAsync(user.Id)).Any(x => x.Id == id))
         {
-            throw new BadRequestException("Managed user account cannot leave managing organization. Contact your organization administrator for additional details.");
+            throw new BadRequestException("Claimed user account cannot leave claiming organization. Contact your organization administrator for additional details.");
         }
 
         await _removeOrganizationUserCommand.UserLeaveAsync(id, user.Id);
@@ -490,7 +493,7 @@ public class OrganizationsController : Controller
     }
 
     [HttpPost("{id}/keys")]
-    public async Task<OrganizationKeysResponseModel> PostKeys(string id, [FromBody] OrganizationKeysRequestModel model)
+    public async Task<OrganizationKeysResponseModel> PostKeys(Guid id, [FromBody] OrganizationKeysRequestModel model)
     {
         var user = await _userService.GetUserByPrincipalAsync(User);
         if (user == null)
@@ -498,7 +501,7 @@ public class OrganizationsController : Controller
             throw new UnauthorizedAccessException();
         }
 
-        var org = await _organizationService.UpdateOrganizationKeysAsync(new Guid(id), model.PublicKey,
+        var org = await _organizationUpdateKeysCommand.UpdateOrganizationKeysAsync(id, model.PublicKey,
             model.EncryptedPrivateKey);
         return new OrganizationKeysResponseModel(org);
     }

src/Api/AdminConsole/Models/Response/Organizations/OrganizationResponseModel.cs

@@ -64,6 +64,7 @@ public class OrganizationResponseModel : ResponseModel
         LimitItemDeletion = organization.LimitItemDeletion;
         AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
         UseRiskInsights = organization.UseRiskInsights;
+        UseAdminSponsoredFamilies = organization.UseAdminSponsoredFamilies;
     }
 
     public Guid Id { get; set; }
@@ -110,6 +111,7 @@ public class OrganizationResponseModel : ResponseModel
     public bool LimitItemDeletion { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
     public bool UseRiskInsights { get; set; }
+    public bool UseAdminSponsoredFamilies { get; set; }
 }
 
 public class OrganizationSubscriptionResponseModel : OrganizationResponseModel

src/Api/AdminConsole/Models/Response/Organizations/OrganizationUserResponseModel.cs

@@ -66,24 +66,34 @@ public class OrganizationUserDetailsResponseModel : OrganizationUserResponseMode
 {
     public OrganizationUserDetailsResponseModel(
         OrganizationUser organizationUser,
-        bool managedByOrganization,
+        bool claimedByOrganization,
+        string ssoExternalId,
         IEnumerable<CollectionAccessSelection> collections)
         : base(organizationUser, "organizationUserDetails")
     {
-        ManagedByOrganization = managedByOrganization;
+        ClaimedByOrganization = claimedByOrganization;
+        SsoExternalId = ssoExternalId;
         Collections = collections.Select(c => new SelectionReadOnlyResponseModel(c));
     }
 
     public OrganizationUserDetailsResponseModel(OrganizationUserUserDetails organizationUser,
-        bool managedByOrganization,
+        bool claimedByOrganization,
         IEnumerable<CollectionAccessSelection> collections)
         : base(organizationUser, "organizationUserDetails")
     {
-        ManagedByOrganization = managedByOrganization;
+        ClaimedByOrganization = claimedByOrganization;
+        SsoExternalId = organizationUser.SsoExternalId;
         Collections = collections.Select(c => new SelectionReadOnlyResponseModel(c));
     }
 
-    public bool ManagedByOrganization { get; set; }
+    [Obsolete("Please use ClaimedByOrganization instead. This property will be removed in a future version.")]
+    public bool ManagedByOrganization
+    {
+        get => ClaimedByOrganization;
+        set => ClaimedByOrganization = value;
+    }
+    public bool ClaimedByOrganization { get; set; }
+    public string SsoExternalId { get; set; }
 
     public IEnumerable<SelectionReadOnlyResponseModel> Collections { get; set; }
 
@@ -117,7 +127,7 @@ public class OrganizationUserUserMiniDetailsResponseModel : ResponseModel
 public class OrganizationUserUserDetailsResponseModel : OrganizationUserResponseModel
 {
     public OrganizationUserUserDetailsResponseModel(OrganizationUserUserDetails organizationUser,
-        bool twoFactorEnabled, bool managedByOrganization, string obj = "organizationUserUserDetails")
+        bool twoFactorEnabled, bool claimedByOrganization, string obj = "organizationUserUserDetails")
         : base(organizationUser, obj)
     {
         if (organizationUser == null)
@@ -134,7 +144,7 @@ public class OrganizationUserUserDetailsResponseModel : OrganizationUserResponse
         Groups = organizationUser.Groups;
         // Prevent reset password when using key connector.
         ResetPasswordEnrolled = ResetPasswordEnrolled && !organizationUser.UsesKeyConnector;
-        ManagedByOrganization = managedByOrganization;
+        ClaimedByOrganization = claimedByOrganization;
     }
 
     public string Name { get; set; }
@@ -142,11 +152,17 @@ public class OrganizationUserUserDetailsResponseModel : OrganizationUserResponse
     public string AvatarColor { get; set; }
     public bool TwoFactorEnabled { get; set; }
     public bool SsoBound { get; set; }
+    [Obsolete("Please use ClaimedByOrganization instead. This property will be removed in a future version.")]
+    public bool ManagedByOrganization
+    {
+        get => ClaimedByOrganization;
+        set => ClaimedByOrganization = value;
+    }
     /// <summary>
-    /// Indicates if the organization manages the user. If a user is "managed" by an organization,
+    /// Indicates if the organization claimed the user. If a user is "claimed" by an organization,
     /// the organization has greater control over their account, and some user actions are restricted.
     /// </summary>
-    public bool ManagedByOrganization { get; set; }
+    public bool ClaimedByOrganization { get; set; }
     public IEnumerable<SelectionReadOnlyResponseModel> Collections { get; set; }
     public IEnumerable<Guid> Groups { get; set; }
 }

src/Api/AdminConsole/Models/Response/ProfileOrganizationResponseModel.cs

@@ -18,7 +18,7 @@ public class ProfileOrganizationResponseModel : ResponseModel
 
     public ProfileOrganizationResponseModel(
         OrganizationUserOrganizationDetails organization,
-        IEnumerable<Guid> organizationIdsManagingUser)
+        IEnumerable<Guid> organizationIdsClaimingUser)
         : this("profileOrganization")
     {
         Id = organization.OrganizationId;
@@ -51,7 +51,7 @@ public class ProfileOrganizationResponseModel : ResponseModel
         SsoBound = !string.IsNullOrWhiteSpace(organization.SsoExternalId);
         Identifier = organization.Identifier;
         Permissions = CoreHelpers.LoadClassFromJsonData<Permissions>(organization.Permissions);
-        ResetPasswordEnrolled = organization.ResetPasswordKey != null;
+        ResetPasswordEnrolled = !string.IsNullOrWhiteSpace(organization.ResetPasswordKey);
         UserId = organization.UserId;
         OrganizationUserId = organization.OrganizationUserId;
         ProviderId = organization.ProviderId;
@@ -70,8 +70,9 @@ public class ProfileOrganizationResponseModel : ResponseModel
         LimitCollectionDeletion = organization.LimitCollectionDeletion;
         LimitItemDeletion = organization.LimitItemDeletion;
         AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
-        UserIsManagedByOrganization = organizationIdsManagingUser.Contains(organization.OrganizationId);
+        UserIsClaimedByOrganization = organizationIdsClaimingUser.Contains(organization.OrganizationId);
         UseRiskInsights = organization.UseRiskInsights;
+        UseAdminSponsoredFamilies = organization.UseAdminSponsoredFamilies;
 
         if (organization.SsoConfig != null)
         {
@@ -133,15 +134,27 @@ public class ProfileOrganizationResponseModel : ResponseModel
     public bool LimitItemDeletion { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
     /// <summary>
-    /// Indicates if the organization manages the user.
+    /// Obsolete.
+    ///
+    /// See <see cref="UserIsClaimedByOrganization"/>
+    /// </summary>
+    [Obsolete("Please use UserIsClaimedByOrganization instead. This property will be removed in a future version.")]
+    public bool UserIsManagedByOrganization
+    {
+        get => UserIsClaimedByOrganization;
+        set => UserIsClaimedByOrganization = value;
+    }
+    /// <summary>
+    /// Indicates if the organization claims the user.
     /// </summary>
     /// <remarks>
-    /// An organization manages a user if the user's email domain is verified by the organization and the user is a member of it.
+    /// An organization claims a user if the user's email domain is verified by the organization and the user is a member of it.
     /// The organization must be enabled and able to have verified domains.
     /// </remarks>
     /// <returns>
     /// False if the Account Deprovisioning feature flag is disabled.
     /// </returns>
-    public bool UserIsManagedByOrganization { get; set; }
+    public bool UserIsClaimedByOrganization { get; set; }
     public bool UseRiskInsights { get; set; }
+    public bool UseAdminSponsoredFamilies { get; set; }
 }

src/Api/AdminConsole/Models/Response/ProfileProviderOrganizationResponseModel.cs

@@ -50,5 +50,6 @@ public class ProfileProviderOrganizationResponseModel : ProfileOrganizationRespo
         LimitItemDeletion = organization.LimitItemDeletion;
         AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
         UseRiskInsights = organization.UseRiskInsights;
+        UseAdminSponsoredFamilies = organization.UseAdminSponsoredFamilies;
     }
 }

src/Api/AdminConsole/Models/Response/Providers/ProfileProviderResponseModel.cs

@@ -22,6 +22,7 @@ public class ProfileProviderResponseModel : ResponseModel
         UserId = provider.UserId;
         UseEvents = provider.UseEvents;
         ProviderStatus = provider.ProviderStatus;
+        ProviderType = provider.ProviderType;
     }
 
     public Guid Id { get; set; }
@@ -35,4 +36,5 @@ public class ProfileProviderResponseModel : ResponseModel
     public Guid? UserId { get; set; }
     public bool UseEvents { get; set; }
     public ProviderStatusType ProviderStatus { get; set; }
+    public ProviderType ProviderType { get; set; }
 }

src/Api/AdminConsole/Public/Models/Response/MemberResponseModel.cs

@@ -30,7 +30,7 @@ public class MemberResponseModel : MemberBaseModel, IResponseModel
         Email = user.Email;
         Status = user.Status;
         Collections = collections?.Select(c => new AssociationWithPermissionsResponseModel(c));
-        ResetPasswordEnrolled = user.ResetPasswordKey != null;
+        ResetPasswordEnrolled = !string.IsNullOrWhiteSpace(user.ResetPasswordKey);
     }
 
     [SetsRequiredMembers]
@@ -49,7 +49,7 @@ public class MemberResponseModel : MemberBaseModel, IResponseModel
         TwoFactorEnabled = twoFactorEnabled;
         Status = user.Status;
         Collections = collections?.Select(c => new AssociationWithPermissionsResponseModel(c));
-        ResetPasswordEnrolled = user.ResetPasswordKey != null;
+        ResetPasswordEnrolled = !string.IsNullOrWhiteSpace(user.ResetPasswordKey);
         SsoExternalId = user.SsoExternalId;
     }
 

src/Api/Auth/Controllers/AccountsController.cs

@@ -124,11 +124,11 @@ public class AccountsController : Controller
             throw new BadRequestException("MasterPasswordHash", "Invalid password.");
         }
 
-        var managedUserValidationResult = await _userService.ValidateManagedUserDomainAsync(user, model.NewEmail);
+        var claimedUserValidationResult = await _userService.ValidateClaimedUserDomainAsync(user, model.NewEmail);
 
-        if (!managedUserValidationResult.Succeeded)
+        if (!claimedUserValidationResult.Succeeded)
         {
-            throw new BadRequestException(managedUserValidationResult.Errors);
+            throw new BadRequestException(claimedUserValidationResult.Errors);
         }
 
         await _userService.InitiateEmailChangeAsync(user, model.NewEmail);
@@ -437,11 +437,11 @@ public class AccountsController : Controller
 
         var twoFactorEnabled = await _userService.TwoFactorIsEnabledAsync(user);
         var hasPremiumFromOrg = await _userService.HasPremiumFromOrganization(user);
-        var organizationIdsManagingActiveUser = await GetOrganizationIdsManagingUserAsync(user.Id);
+        var organizationIdsClaimingActiveUser = await GetOrganizationIdsClaimingUserAsync(user.Id);
 
         var response = new ProfileResponseModel(user, organizationUserDetails, providerUserDetails,
             providerUserOrganizationDetails, twoFactorEnabled,
-            hasPremiumFromOrg, organizationIdsManagingActiveUser);
+            hasPremiumFromOrg, organizationIdsClaimingActiveUser);
         return response;
     }
 
@@ -451,9 +451,9 @@ public class AccountsController : Controller
         var userId = _userService.GetProperUserId(User);
         var organizationUserDetails = await _organizationUserRepository.GetManyDetailsByUserAsync(userId.Value,
             OrganizationUserStatusType.Confirmed);
-        var organizationIdsManagingActiveUser = await GetOrganizationIdsManagingUserAsync(userId.Value);
+        var organizationIdsClaimingUser = await GetOrganizationIdsClaimingUserAsync(userId.Value);
 
-        var responseData = organizationUserDetails.Select(o => new ProfileOrganizationResponseModel(o, organizationIdsManagingActiveUser));
+        var responseData = organizationUserDetails.Select(o => new ProfileOrganizationResponseModel(o, organizationIdsClaimingUser));
         return new ListResponseModel<ProfileOrganizationResponseModel>(responseData);
     }
 
@@ -471,9 +471,9 @@ public class AccountsController : Controller
 
         var twoFactorEnabled = await _userService.TwoFactorIsEnabledAsync(user);
         var hasPremiumFromOrg = await _userService.HasPremiumFromOrganization(user);
-        var organizationIdsManagingActiveUser = await GetOrganizationIdsManagingUserAsync(user.Id);
+        var organizationIdsClaimingActiveUser = await GetOrganizationIdsClaimingUserAsync(user.Id);
 
-        var response = new ProfileResponseModel(user, null, null, null, twoFactorEnabled, hasPremiumFromOrg, organizationIdsManagingActiveUser);
+        var response = new ProfileResponseModel(user, null, null, null, twoFactorEnabled, hasPremiumFromOrg, organizationIdsClaimingActiveUser);
         return response;
     }
 
@@ -490,9 +490,9 @@ public class AccountsController : Controller
 
         var userTwoFactorEnabled = await _userService.TwoFactorIsEnabledAsync(user);
         var userHasPremiumFromOrganization = await _userService.HasPremiumFromOrganization(user);
-        var organizationIdsManagingActiveUser = await GetOrganizationIdsManagingUserAsync(user.Id);
+        var organizationIdsClaimingActiveUser = await GetOrganizationIdsClaimingUserAsync(user.Id);
 
-        var response = new ProfileResponseModel(user, null, null, null, userTwoFactorEnabled, userHasPremiumFromOrganization, organizationIdsManagingActiveUser);
+        var response = new ProfileResponseModel(user, null, null, null, userTwoFactorEnabled, userHasPremiumFromOrganization, organizationIdsClaimingActiveUser);
         return response;
     }
 
@@ -560,9 +560,9 @@ public class AccountsController : Controller
         }
         else
         {
-            // If Account Deprovisioning is enabled, we need to check if the user is managed by any organization.
+            // If Account Deprovisioning is enabled, we need to check if the user is claimed by any organization.
             if (_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
-                && await _userService.IsManagedByAnyOrganizationAsync(user.Id))
+                && await _userService.IsClaimedByAnyOrganizationAsync(user.Id))
             {
                 throw new BadRequestException("Cannot delete accounts owned by an organization. Contact your organization administrator for additional details.");
             }
@@ -763,9 +763,9 @@ public class AccountsController : Controller
         await _userService.SaveUserAsync(user);
     }
 
-    private async Task<IEnumerable<Guid>> GetOrganizationIdsManagingUserAsync(Guid userId)
+    private async Task<IEnumerable<Guid>> GetOrganizationIdsClaimingUserAsync(Guid userId)
     {
-        var organizationManagingUser = await _userService.GetOrganizationsManagingUserAsync(userId);
+        var organizationsClaimingUser = await _userService.GetOrganizationsClaimingUserAsync(userId);
-        return organizationManagingUser.Select(o => o.Id);
+        return organizationsClaimingUser.Select(o => o.Id);
     }
 }

src/Api/Auth/Models/Request/UntrustDevicesModel.cs

@@ -0,0 +1,11 @@
+using System.ComponentModel.DataAnnotations;
+
+#nullable enable
+
+namespace Bit.Api.Auth.Models.Request;
+
+public class UntrustDevicesRequestModel
+{
+    [Required]
+    public IEnumerable<Guid> Devices { get; set; } = null!;
+}

src/Api/Billing/Controllers/AccountsController.cs

@@ -58,10 +58,10 @@ public class AccountsController(
 
         var userTwoFactorEnabled = await userService.TwoFactorIsEnabledAsync(user);
         var userHasPremiumFromOrganization = await userService.HasPremiumFromOrganization(user);
-        var organizationIdsManagingActiveUser = await GetOrganizationIdsManagingUserAsync(user.Id);
+        var organizationIdsClaimingActiveUser = await GetOrganizationIdsClaimingUserAsync(user.Id);
 
         var profile = new ProfileResponseModel(user, null, null, null, userTwoFactorEnabled,
-            userHasPremiumFromOrganization, organizationIdsManagingActiveUser);
+            userHasPremiumFromOrganization, organizationIdsClaimingActiveUser);
         return new PaymentResponseModel
         {
             UserProfile = profile,
@@ -229,9 +229,9 @@ public class AccountsController(
         await paymentService.SaveTaxInfoAsync(user, taxInfo);
     }
 
-    private async Task<IEnumerable<Guid>> GetOrganizationIdsManagingUserAsync(Guid userId)
+    private async Task<IEnumerable<Guid>> GetOrganizationIdsClaimingUserAsync(Guid userId)
     {
-        var organizationManagingUser = await userService.GetOrganizationsManagingUserAsync(userId);
+        var organizationsClaimingUser = await userService.GetOrganizationsClaimingUserAsync(userId);
-        return organizationManagingUser.Select(o => o.Id);
+        return organizationsClaimingUser.Select(o => o.Id);
     }
 }

src/Api/Billing/Controllers/OrganizationBillingController.cs

@@ -2,6 +2,7 @@
 using Bit.Api.AdminConsole.Models.Request.Organizations;
 using Bit.Api.Billing.Models.Requests;
 using Bit.Api.Billing.Models.Responses;
+using Bit.Core;
 using Bit.Core.Billing.Models;
 using Bit.Core.Billing.Models.Sales;
 using Bit.Core.Billing.Pricing;
@@ -18,7 +19,9 @@ namespace Bit.Api.Billing.Controllers;
 [Route("organizations/{organizationId:guid}/billing")]
 [Authorize("Application")]
 public class OrganizationBillingController(
+    IBusinessUnitConverter businessUnitConverter,
     ICurrentContext currentContext,
+    IFeatureService featureService,
     IOrganizationBillingService organizationBillingService,
     IOrganizationRepository organizationRepository,
     IPaymentService paymentService,
@@ -296,4 +299,40 @@ public class OrganizationBillingController(
 
         return TypedResults.Ok();
     }
+
+    [HttpPost("setup-business-unit")]
+    [SelfHosted(NotSelfHostedOnly = true)]
+    public async Task<IResult> SetupBusinessUnitAsync(
+        [FromRoute] Guid organizationId,
+        [FromBody] SetupBusinessUnitRequestBody requestBody)
+    {
+        var enableOrganizationBusinessUnitConversion =
+            featureService.IsEnabled(FeatureFlagKeys.PM18770_EnableOrganizationBusinessUnitConversion);
+
+        if (!enableOrganizationBusinessUnitConversion)
+        {
+            return Error.NotFound();
+        }
+
+        var organization = await organizationRepository.GetByIdAsync(organizationId);
+
+        if (organization == null)
+        {
+            return Error.NotFound();
+        }
+
+        if (!await currentContext.OrganizationUser(organizationId))
+        {
+            return Error.Unauthorized();
+        }
+
+        var providerId = await businessUnitConverter.FinalizeConversion(
+            organization,
+            requestBody.UserId,
+            requestBody.Token,
+            requestBody.ProviderKey,
+            requestBody.OrganizationKey);
+
+        return TypedResults.Ok(providerId);
+    }
 }

src/Api/Billing/Controllers/OrganizationSponsorshipsController.cs

@@ -84,10 +84,27 @@ public class OrganizationSponsorshipsController : Controller
             throw new BadRequestException("Free Bitwarden Families sponsorship has been disabled by your organization administrator.");
         }
 
+        if (!_featureService.IsEnabled(Bit.Core.FeatureFlagKeys.PM17772_AdminInitiatedSponsorships))
+        {
+            if (model.SponsoringUserId.HasValue)
+            {
+                throw new NotFoundException();
+            }
+
+            if (!string.IsNullOrWhiteSpace(model.Notes))
+            {
+                model.Notes = null;
+            }
+        }
+
+        var targetUser = model.SponsoringUserId ?? _currentContext.UserId!.Value;
         var sponsorship = await _createSponsorshipCommand.CreateSponsorshipAsync(
             sponsoringOrg,
-            await _organizationUserRepository.GetByOrganizationAsync(sponsoringOrgId, _currentContext.UserId ?? default),
+            await _organizationUserRepository.GetByOrganizationAsync(sponsoringOrgId, targetUser),
-            model.PlanSponsorshipType, model.SponsoredEmail, model.FriendlyName);
+            model.PlanSponsorshipType,
+            model.SponsoredEmail,
+            model.FriendlyName,
+            model.Notes);
         await _sendSponsorshipOfferCommand.SendSponsorshipOfferAsync(sponsorship, sponsoringOrg.Name);
     }
 

src/Api/Billing/Controllers/OrganizationsController.cs

@@ -409,9 +409,9 @@ public class OrganizationsController(
             organizationId,
             OrganizationUserStatusType.Confirmed);
 
-        var organizationIdsManagingActiveUser = (await userService.GetOrganizationsManagingUserAsync(userId))
+        var organizationIdsClaimingActiveUser = (await userService.GetOrganizationsClaimingUserAsync(userId))
             .Select(o => o.Id);
 
-        return new ProfileOrganizationResponseModel(organizationUserDetails, organizationIdsManagingActiveUser);
+        return new ProfileOrganizationResponseModel(organizationUserDetails, organizationIdsClaimingActiveUser);
     }
 }

src/Api/Billing/Models/Requests/SetupBusinessUnitRequestBody.cs

@@ -0,0 +1,18 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Api.Billing.Models.Requests;
+
+public class SetupBusinessUnitRequestBody
+{
+    [Required]
+    public Guid UserId { get; set; }
+
+    [Required]
+    public string Token { get; set; }
+
+    [Required]
+    public string ProviderKey { get; set; }
+
+    [Required]
+    public string OrganizationKey { get; set; }
+}

src/Api/Controllers/DevicesController.cs

@@ -4,6 +4,7 @@ using Bit.Api.Models.Request;
 using Bit.Api.Models.Response;
 using Bit.Core.Auth.Models.Api.Request;
 using Bit.Core.Auth.Models.Api.Response;
+using Bit.Core.Auth.UserFeatures.DeviceTrust;
 using Bit.Core.Context;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
@@ -21,6 +22,7 @@ public class DevicesController : Controller
     private readonly IDeviceRepository _deviceRepository;
     private readonly IDeviceService _deviceService;
     private readonly IUserService _userService;
+    private readonly IUntrustDevicesCommand _untrustDevicesCommand;
     private readonly IUserRepository _userRepository;
     private readonly ICurrentContext _currentContext;
     private readonly ILogger<DevicesController> _logger;
@@ -29,6 +31,7 @@ public class DevicesController : Controller
         IDeviceRepository deviceRepository,
         IDeviceService deviceService,
         IUserService userService,
+        IUntrustDevicesCommand untrustDevicesCommand,
         IUserRepository userRepository,
         ICurrentContext currentContext,
         ILogger<DevicesController> logger)
@@ -36,6 +39,7 @@ public class DevicesController : Controller
         _deviceRepository = deviceRepository;
         _deviceService = deviceService;
         _userService = userService;
+        _untrustDevicesCommand = untrustDevicesCommand;
         _userRepository = userRepository;
         _currentContext = currentContext;
         _logger = logger;
@@ -165,6 +169,19 @@ public class DevicesController : Controller
             model.OtherDevices ?? Enumerable.Empty<OtherDeviceKeysUpdateRequestModel>());
     }
 
+    [HttpPost("untrust")]
+    public async Task PostUntrust([FromBody] UntrustDevicesRequestModel model)
+    {
+        var user = await _userService.GetUserByPrincipalAsync(User);
+
+        if (user == null)
+        {
+            throw new UnauthorizedAccessException();
+        }
+
+        await _untrustDevicesCommand.UntrustDevices(user, model.Devices);
+    }
+
     [HttpPut("identifier/{identifier}/token")]
     [HttpPost("identifier/{identifier}/token")]
     public async Task PutToken(string identifier, [FromBody] DeviceTokenRequestModel model)

src/Api/Controllers/SelfHosted/SelfHostedOrganizationSponsorshipsController.cs

@@ -3,6 +3,7 @@ using Bit.Core.Context;
 using Bit.Core.Exceptions;
 using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
 using Bit.Core.Repositories;
+using Bit.Core.Services;
 using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
@@ -20,6 +21,7 @@ public class SelfHostedOrganizationSponsorshipsController : Controller
     private readonly ICreateSponsorshipCommand _offerSponsorshipCommand;
     private readonly IRevokeSponsorshipCommand _revokeSponsorshipCommand;
     private readonly ICurrentContext _currentContext;
+    private readonly IFeatureService _featureService;
 
     public SelfHostedOrganizationSponsorshipsController(
         ICreateSponsorshipCommand offerSponsorshipCommand,
@@ -27,7 +29,8 @@ public class SelfHostedOrganizationSponsorshipsController : Controller
         IOrganizationRepository organizationRepository,
         IOrganizationSponsorshipRepository organizationSponsorshipRepository,
         IOrganizationUserRepository organizationUserRepository,
-        ICurrentContext currentContext
+        ICurrentContext currentContext,
+        IFeatureService featureService
     )
     {
         _offerSponsorshipCommand = offerSponsorshipCommand;
@@ -36,15 +39,29 @@ public class SelfHostedOrganizationSponsorshipsController : Controller
         _organizationSponsorshipRepository = organizationSponsorshipRepository;
         _organizationUserRepository = organizationUserRepository;
         _currentContext = currentContext;
+        _featureService = featureService;
     }
 
     [HttpPost("{sponsoringOrgId}/families-for-enterprise")]
     public async Task CreateSponsorship(Guid sponsoringOrgId, [FromBody] OrganizationSponsorshipCreateRequestModel model)
     {
+        if (!_featureService.IsEnabled(Bit.Core.FeatureFlagKeys.PM17772_AdminInitiatedSponsorships))
+        {
+            if (model.SponsoringUserId.HasValue)
+            {
+                throw new NotFoundException();
+            }
+
+            if (!string.IsNullOrWhiteSpace(model.Notes))
+            {
+                model.Notes = null;
+            }
+        }
+
         await _offerSponsorshipCommand.CreateSponsorshipAsync(
             await _organizationRepository.GetByIdAsync(sponsoringOrgId),
-            await _organizationUserRepository.GetByOrganizationAsync(sponsoringOrgId, _currentContext.UserId ?? default),
+            await _organizationUserRepository.GetByOrganizationAsync(sponsoringOrgId, model.SponsoringUserId ?? _currentContext.UserId ?? default),
-            model.PlanSponsorshipType, model.SponsoredEmail, model.FriendlyName);
+            model.PlanSponsorshipType, model.SponsoredEmail, model.FriendlyName, model.Notes);
     }
 
     [HttpDelete("{sponsoringOrgId}")]

src/Api/Models/Request/Organizations/OrganizationSponsorshipCreateRequestModel.cs

@@ -16,4 +16,14 @@ public class OrganizationSponsorshipCreateRequestModel
 
     [StringLength(256)]
     public string FriendlyName { get; set; }
+
+    /// <summary>
+    /// (optional) The user to target for the sponsorship.
+    /// </summary>
+    /// <remarks>Left empty when creating a sponsorship for the authenticated user.</remarks>
+    public Guid? SponsoringUserId { get; set; }
+
+    [EncryptedString]
+    [EncryptedStringLength(512)]
+    public string Notes { get; set; }
 }

src/Api/Models/Response/ProfileResponseModel.cs

@@ -15,7 +15,7 @@ public class ProfileResponseModel : ResponseModel
         IEnumerable<ProviderUserOrganizationDetails> providerUserOrganizationDetails,
         bool twoFactorEnabled,
         bool premiumFromOrganization,
-        IEnumerable<Guid> organizationIdsManagingUser) : base("profile")
+        IEnumerable<Guid> organizationIdsClaimingUser) : base("profile")
     {
         if (user == null)
         {
@@ -38,7 +38,7 @@ public class ProfileResponseModel : ResponseModel
         AvatarColor = user.AvatarColor;
         CreationDate = user.CreationDate;
         VerifyDevices = user.VerifyDevices;
-        Organizations = organizationsUserDetails?.Select(o => new ProfileOrganizationResponseModel(o, organizationIdsManagingUser));
+        Organizations = organizationsUserDetails?.Select(o => new ProfileOrganizationResponseModel(o, organizationIdsClaimingUser));
         Providers = providerUserDetails?.Select(p => new ProfileProviderResponseModel(p));
         ProviderOrganizations =
             providerUserOrganizationDetails?.Select(po => new ProfileProviderOrganizationResponseModel(po));

src/Api/Tools/Controllers/ImportCiphersController.cs

@@ -77,10 +77,9 @@ public class ImportCiphersController : Controller
 
         //An User is allowed to import if CanCreate Collections or has AccessToImportExport
         var authorized = await CheckOrgImportPermission(collections, orgId);
-
         if (!authorized)
         {
-            throw new NotFoundException();
+            throw new BadRequestException("Not enough privileges to import into this organization.");
         }
 
         var userId = _userService.GetProperUserId(User).Value;
@@ -103,21 +102,59 @@ public class ImportCiphersController : Controller
             .Select(c => c.Id)
             .ToHashSet();
 
-        //We need to verify if the user is trying to import into existing collections
+        // when there are no collections, then we can import
-        var existingCollections = collections.Where(tc => orgCollectionIds.Contains(tc.Id));
+        if (collections.Count == 0)
-
-        //When importing into existing collection, we need to verify if the user has permissions
-        if (existingCollections.Any() && !(await _authorizationService.AuthorizeAsync(User, existingCollections, BulkCollectionOperations.ImportCiphers)).Succeeded)
         {
-            return false;
-        };
-
-        //Users allowed to import if they CanCreate Collections
-        if (!(await _authorizationService.AuthorizeAsync(User, collections, BulkCollectionOperations.Create)).Succeeded)
-        {
-            return false;
-        }
-
             return true;
         }
+
+        // are we trying to import into existing collections?
+        var existingCollections = collections.Where(tc => orgCollectionIds.Contains(tc.Id));
+
+        // are we trying to create new collections?
+        var hasNewCollections = collections.Any(tc => !orgCollectionIds.Contains(tc.Id));
+
+        // suppose we have both new and existing collections
+        if (hasNewCollections && existingCollections.Any())
+        {
+            // since we are creating new collection, user must have import/manage and create collection permission
+            if ((await _authorizationService.AuthorizeAsync(User, collections, BulkCollectionOperations.Create)).Succeeded
+                && (await _authorizationService.AuthorizeAsync(User, existingCollections, BulkCollectionOperations.ImportCiphers)).Succeeded)
+            {
+                // can import collections and create new ones
+                return true;
+            }
+            else
+            {
+                // user does not have permission to import
+                return false;
+            }
+        }
+
+        // suppose we have new collections and none of our collections exist
+        if (hasNewCollections && !existingCollections.Any())
+        {
+            // user is trying to create new collections
+            // we need to check if the user has permission to create collections
+            if ((await _authorizationService.AuthorizeAsync(User, collections, BulkCollectionOperations.Create)).Succeeded)
+            {
+                return true;
+            }
+            else
+            {
+                // user does not have permission to create new collections
+                return false;
+            }
+        }
+
+        // in many import formats, we don't create collections, we just import ciphers into an existing collection
+
+        // When importing, we need to verify if the user has ImportCiphers permission
+        if (existingCollections.Any() && (await _authorizationService.AuthorizeAsync(User, existingCollections, BulkCollectionOperations.ImportCiphers)).Succeeded)
+        {
+            return true;
+        };
+
+        return false;
+    }
 }

src/Api/Utilities/ServiceCollectionExtensions.cs

@@ -1,4 +1,5 @@
-using Bit.Api.Tools.Authorization;
+using Bit.Api.AdminConsole.Authorization;
+using Bit.Api.Tools.Authorization;
 using Bit.Api.Vault.AuthorizationHandlers.Collections;
 using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Authorization;
 using Bit.Core.IdentityServer;
@@ -105,5 +106,7 @@ public static class ServiceCollectionExtensions
         services.AddScoped<IAuthorizationHandler, VaultExportAuthorizationHandler>();
         services.AddScoped<IAuthorizationHandler, SecurityTaskAuthorizationHandler>();
         services.AddScoped<IAuthorizationHandler, SecurityTaskOrganizationAuthorizationHandler>();
+
+        services.AddScoped<IAuthorizationHandler, OrganizationRequirementHandler>();
     }
 }

src/Api/Vault/Controllers/CiphersController.cs

@@ -177,12 +177,7 @@ public class CiphersController : Controller
         }
 
         await _cipherService.SaveDetailsAsync(cipher, user.Id, model.Cipher.LastKnownRevisionDate, model.CollectionIds, cipher.OrganizationId.HasValue);
-        var response = new CipherResponseModel(
+        return await Get(cipher.Id);
-            cipher,
-            user,
-            await _applicationCacheService.GetOrganizationAbilitiesAsync(),
-            _globalSettings);
-        return response;
     }
 
     [HttpPost("admin")]
@@ -1091,9 +1086,9 @@ public class CiphersController : Controller
             throw new BadRequestException(ModelState);
         }
 
-        // If Account Deprovisioning is enabled, we need to check if the user is managed by any organization.
+        // If Account Deprovisioning is enabled, we need to check if the user is claimed by any organization.
         if (_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
-            && await _userService.IsManagedByAnyOrganizationAsync(user.Id))
+            && await _userService.IsClaimedByAnyOrganizationAsync(user.Id))
         {
             throw new BadRequestException("Cannot purge accounts owned by an organization. Contact your organization administrator for additional details.");
         }

src/Api/Vault/Controllers/SyncController.cs

@@ -104,13 +104,13 @@ public class SyncController : Controller
 
         var userTwoFactorEnabled = await _userService.TwoFactorIsEnabledAsync(user);
         var userHasPremiumFromOrganization = await _userService.HasPremiumFromOrganization(user);
-        var organizationManagingActiveUser = await _userService.GetOrganizationsManagingUserAsync(user.Id);
+        var organizationClaimingActiveUser = await _userService.GetOrganizationsClaimingUserAsync(user.Id);
-        var organizationIdsManagingActiveUser = organizationManagingActiveUser.Select(o => o.Id);
+        var organizationIdsClaimingActiveUser = organizationClaimingActiveUser.Select(o => o.Id);
 
         var organizationAbilities = await _applicationCacheService.GetOrganizationAbilitiesAsync();
 
         var response = new SyncResponseModel(_globalSettings, user, userTwoFactorEnabled, userHasPremiumFromOrganization, organizationAbilities,
-            organizationIdsManagingActiveUser, organizationUserDetails, providerUserDetails, providerUserOrganizationDetails,
+            organizationIdsClaimingActiveUser, organizationUserDetails, providerUserDetails, providerUserOrganizationDetails,
             folders, collections, ciphers, collectionCiphersGroupDict, excludeDomains, policies, sends);
         return response;
     }

src/Api/Vault/Models/Response/SyncResponseModel.cs

@@ -23,7 +23,7 @@ public class SyncResponseModel : ResponseModel
         bool userTwoFactorEnabled,
         bool userHasPremiumFromOrganization,
         IDictionary<Guid, OrganizationAbility> organizationAbilities,
-        IEnumerable<Guid> organizationIdsManagingUser,
+        IEnumerable<Guid> organizationIdsClaimingingUser,
         IEnumerable<OrganizationUserOrganizationDetails> organizationUserDetails,
         IEnumerable<ProviderUserProviderDetails> providerUserDetails,
         IEnumerable<ProviderUserOrganizationDetails> providerUserOrganizationDetails,
@@ -37,7 +37,7 @@ public class SyncResponseModel : ResponseModel
         : base("sync")
     {
         Profile = new ProfileResponseModel(user, organizationUserDetails, providerUserDetails,
-            providerUserOrganizationDetails, userTwoFactorEnabled, userHasPremiumFromOrganization, organizationIdsManagingUser);
+            providerUserOrganizationDetails, userTwoFactorEnabled, userHasPremiumFromOrganization, organizationIdsClaimingingUser);
         Folders = folders.Select(f => new FolderResponseModel(f));
         Ciphers = ciphers.Select(cipher =>
             new CipherDetailsResponseModel(

src/Billing/Services/IStripeFacade.cs

@@ -16,6 +16,12 @@ public interface IStripeFacade
         RequestOptions requestOptions = null,
         CancellationToken cancellationToken = default);
 
+    Task<Customer> UpdateCustomer(
+        string customerId,
+        CustomerUpdateOptions customerUpdateOptions = null,
+        RequestOptions requestOptions = null,
+        CancellationToken cancellationToken = default);
+
     Task<Event> GetEvent(
         string eventId,
         EventGetOptions eventGetOptions = null,

src/Billing/Services/Implementations/PaymentMethodAttachedHandler.cs

@@ -1,4 +1,8 @@
 using Bit.Billing.Constants;
+using Bit.Core;
+using Bit.Core.Billing.Constants;
+using Bit.Core.Billing.Extensions;
+using Bit.Core.Services;
 using Stripe;
 using Event = Stripe.Event;
 
@@ -10,20 +14,114 @@ public class PaymentMethodAttachedHandler : IPaymentMethodAttachedHandler
     private readonly IStripeEventService _stripeEventService;
     private readonly IStripeFacade _stripeFacade;
     private readonly IStripeEventUtilityService _stripeEventUtilityService;
+    private readonly IFeatureService _featureService;
 
     public PaymentMethodAttachedHandler(
         ILogger<PaymentMethodAttachedHandler> logger,
         IStripeEventService stripeEventService,
         IStripeFacade stripeFacade,
-        IStripeEventUtilityService stripeEventUtilityService)
+        IStripeEventUtilityService stripeEventUtilityService,
+        IFeatureService featureService)
     {
         _logger = logger;
         _stripeEventService = stripeEventService;
         _stripeFacade = stripeFacade;
         _stripeEventUtilityService = stripeEventUtilityService;
+        _featureService = featureService;
     }
 
     public async Task HandleAsync(Event parsedEvent)
+    {
+        var updateMSPToChargeAutomatically =
+            _featureService.IsEnabled(FeatureFlagKeys.PM199566_UpdateMSPToChargeAutomatically);
+
+        if (updateMSPToChargeAutomatically)
+        {
+            await HandleVNextAsync(parsedEvent);
+        }
+        else
+        {
+            await HandleVCurrentAsync(parsedEvent);
+        }
+    }
+
+    private async Task HandleVNextAsync(Event parsedEvent)
+    {
+        var paymentMethod = await _stripeEventService.GetPaymentMethod(parsedEvent, true, ["customer.subscriptions.data.latest_invoice"]);
+
+        if (paymentMethod == null)
+        {
+            _logger.LogWarning("Attempted to handle the event payment_method.attached but paymentMethod was null");
+            return;
+        }
+
+        var customer = paymentMethod.Customer;
+        var subscriptions = customer?.Subscriptions;
+
+        // This represents a provider subscription set to "send_invoice" that was paid using a Stripe hosted invoice payment page.
+        var invoicedProviderSubscription = subscriptions?.Data.FirstOrDefault(subscription =>
+            subscription.Metadata.ContainsKey(StripeConstants.MetadataKeys.ProviderId) &&
+            subscription.Status != StripeConstants.SubscriptionStatus.Canceled &&
+            subscription.CollectionMethod == StripeConstants.CollectionMethod.SendInvoice);
+
+        /*
+         * If we have an invoiced provider subscription where the customer hasn't been marked as invoice-approved,
+         * we need to try and set the default payment method and update the collection method to be "charge_automatically".
+         */
+        if (invoicedProviderSubscription != null && !customer.ApprovedToPayByInvoice())
+        {
+            if (customer.InvoiceSettings.DefaultPaymentMethodId != paymentMethod.Id)
+            {
+                try
+                {
+                    await _stripeFacade.UpdateCustomer(customer.Id,
+                        new CustomerUpdateOptions
+                        {
+                            InvoiceSettings = new CustomerInvoiceSettingsOptions
+                            {
+                                DefaultPaymentMethod = paymentMethod.Id
+                            }
+                        });
+                }
+                catch (Exception exception)
+                {
+                    _logger.LogWarning(exception,
+                        "Failed to set customer's ({CustomerID}) default payment method during 'payment_method.attached' webhook",
+                        customer.Id);
+                }
+            }
+
+            try
+            {
+                await _stripeFacade.UpdateSubscription(invoicedProviderSubscription.Id,
+                    new SubscriptionUpdateOptions
+                    {
+                        CollectionMethod = StripeConstants.CollectionMethod.ChargeAutomatically
+                    });
+            }
+            catch (Exception exception)
+            {
+                _logger.LogWarning(exception,
+                    "Failed to set subscription's ({SubscriptionID}) collection method to 'charge_automatically' during 'payment_method.attached' webhook",
+                    customer.Id);
+            }
+        }
+
+        var unpaidSubscriptions = subscriptions?.Data.Where(subscription =>
+            subscription.Status == StripeConstants.SubscriptionStatus.Unpaid).ToList();
+
+        if (unpaidSubscriptions == null || unpaidSubscriptions.Count == 0)
+        {
+            return;
+        }
+
+        foreach (var unpaidSubscription in unpaidSubscriptions)
+        {
+            await AttemptToPayOpenSubscriptionAsync(unpaidSubscription);
+        }
+    }
+
+    private async Task HandleVCurrentAsync(Event parsedEvent)
     {
         var paymentMethod = await _stripeEventService.GetPaymentMethod(parsedEvent);
         if (paymentMethod is null)

src/Billing/Services/Implementations/StripeFacade.cs

@@ -33,6 +33,13 @@ public class StripeFacade : IStripeFacade
         CancellationToken cancellationToken = default) =>
         await _customerService.GetAsync(customerId, customerGetOptions, requestOptions, cancellationToken);
 
+    public async Task<Customer> UpdateCustomer(
+        string customerId,
+        CustomerUpdateOptions customerUpdateOptions = null,
+        RequestOptions requestOptions = null,
+        CancellationToken cancellationToken = default) =>
+        await _customerService.UpdateAsync(customerId, customerUpdateOptions, requestOptions, cancellationToken);
+
     public async Task<Invoice> GetInvoice(
         string invoiceId,
         InvoiceGetOptions invoiceGetOptions = null,

src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs

@@ -1,6 +1,5 @@
 using Bit.Billing.Constants;
 using Bit.Billing.Jobs;
-using Bit.Core;
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
 using Bit.Core.Billing.Pricing;
 using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
@@ -24,7 +23,6 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
     private readonly IPushNotificationService _pushNotificationService;
     private readonly IOrganizationRepository _organizationRepository;
     private readonly ISchedulerFactory _schedulerFactory;
-    private readonly IFeatureService _featureService;
     private readonly IOrganizationEnableCommand _organizationEnableCommand;
     private readonly IOrganizationDisableCommand _organizationDisableCommand;
     private readonly IPricingClient _pricingClient;
@@ -39,7 +37,6 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
         IPushNotificationService pushNotificationService,
         IOrganizationRepository organizationRepository,
         ISchedulerFactory schedulerFactory,
-        IFeatureService featureService,
         IOrganizationEnableCommand organizationEnableCommand,
         IOrganizationDisableCommand organizationDisableCommand,
         IPricingClient pricingClient)
@@ -53,7 +50,6 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
         _pushNotificationService = pushNotificationService;
         _organizationRepository = organizationRepository;
         _schedulerFactory = schedulerFactory;
-        _featureService = featureService;
         _organizationEnableCommand = organizationEnableCommand;
         _organizationDisableCommand = organizationDisableCommand;
         _pricingClient = pricingClient;
@@ -227,12 +223,6 @@ public class SubscriptionUpdatedHandler : ISubscriptionUpdatedHandler
 
     private async Task ScheduleCancellationJobAsync(string subscriptionId, Guid organizationId)
     {
-        var isResellerManagedOrgAlertEnabled = _featureService.IsEnabled(FeatureFlagKeys.ResellerManagedOrgAlert);
-        if (!isResellerManagedOrgAlertEnabled)
-        {
-            return;
-        }
-
         var scheduler = await _schedulerFactory.GetScheduler();
 
         var job = JobBuilder.Create<SubscriptionCancellationJob>()

src/Core/AdminConsole/Entities/Organization.cs

@@ -114,6 +114,11 @@ public class Organization : ITableObject<Guid>, IStorableSubscriber, IRevisable,
     /// </summary>
     public bool UseRiskInsights { get; set; }
 
+    /// <summary>
+    /// If set to true, admins can initiate organization-issued sponsorships.
+    /// </summary>
+    public bool UseAdminSponsoredFamilies { get; set; }
+
     public void SetNewId()
     {
         if (Id == default(Guid))

src/Core/AdminConsole/Entities/OrganizationIntegration.cs

@@ -12,7 +12,7 @@ public class OrganizationIntegration : ITableObject<Guid>
     public Guid OrganizationId { get; set; }
     public IntegrationType Type { get; set; }
     public string? Configuration { get; set; }
-    public DateTime CreationDate { get; set; } = DateTime.UtcNow;
+    public DateTime CreationDate { get; internal set; } = DateTime.UtcNow;
     public DateTime RevisionDate { get; set; } = DateTime.UtcNow;
     public void SetNewId() => Id = CoreHelpers.GenerateComb();
 }

src/Core/AdminConsole/Entities/OrganizationIntegrationConfiguration.cs

@@ -13,7 +13,7 @@ public class OrganizationIntegrationConfiguration : ITableObject<Guid>
     public EventType EventType { get; set; }
     public string? Configuration { get; set; }
     public string? Template { get; set; }
-    public DateTime CreationDate { get; set; } = DateTime.UtcNow;
+    public DateTime CreationDate { get; internal set; } = DateTime.UtcNow;
     public DateTime RevisionDate { get; set; } = DateTime.UtcNow;
     public void SetNewId() => Id = CoreHelpers.GenerateComb();
 }

src/Core/AdminConsole/Enums/Provider/ProviderType.cs

@@ -8,6 +8,6 @@ public enum ProviderType : byte
     Msp = 0,
     [Display(ShortName = "Reseller", Name = "Reseller", Description = "Creates Bitwarden Portal page for client organization billing management", Order = 1000)]
     Reseller = 1,
-    [Display(ShortName = "MOE", Name = "Multi-organization Enterprises", Description = "Creates provider portal for multi-organization management", Order = 1)]
+    [Display(ShortName = "Business Unit", Name = "Business Unit", Description = "Creates provider portal for business unit management", Order = 1)]
-    MultiOrganizationEnterprise = 2,
+    BusinessUnit = 2,
 }

src/Core/AdminConsole/Errors/Error.cs

@@ -1,3 +1,8 @@
 namespace Bit.Core.AdminConsole.Errors;
 
 public record Error<T>(string Message, T ErroredValue);
+
+public static class ErrorMappers
+{
+    public static Error<B> ToError<A, B>(this Error<A> errorA, B erroredValue) => new(errorA.Message, erroredValue);
+}

src/Core/AdminConsole/Errors/InvalidResultTypeError.cs

@@ -0,0 +1,6 @@
+namespace Bit.Core.AdminConsole.Errors;
+
+public record InvalidResultTypeError<T>(T Value) : Error<T>(Code, Value)
+{
+    public const string Code = "Invalid result type.";
+};

src/Core/AdminConsole/Models/Business/InviteOrganization.cs

@@ -0,0 +1,35 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Models.StaticStore;
+
+namespace Bit.Core.AdminConsole.Models.Business;
+
+public record InviteOrganization
+{
+    public Guid OrganizationId { get; init; }
+    public int? Seats { get; init; }
+    public int? MaxAutoScaleSeats { get; init; }
+    public int? SmSeats { get; init; }
+    public int? SmMaxAutoScaleSeats { get; init; }
+    public Plan Plan { get; init; }
+    public string GatewayCustomerId { get; init; }
+    public string GatewaySubscriptionId { get; init; }
+    public bool UseSecretsManager { get; init; }
+
+    public InviteOrganization()
+    {
+
+    }
+
+    public InviteOrganization(Organization organization, Plan plan)
+    {
+        OrganizationId = organization.Id;
+        Seats = organization.Seats;
+        MaxAutoScaleSeats = organization.MaxAutoscaleSeats;
+        SmSeats = organization.SmSeats;
+        SmMaxAutoScaleSeats = organization.MaxAutoscaleSmSeats;
+        Plan = plan;
+        GatewayCustomerId = organization.GatewayCustomerId;
+        GatewaySubscriptionId = organization.GatewaySubscriptionId;
+        UseSecretsManager = organization.UseSecretsManager;
+    }
+}

src/Core/AdminConsole/Models/Data/Organizations/OrganizationAbility.cs

@@ -26,6 +26,7 @@ public class OrganizationAbility
         LimitItemDeletion = organization.LimitItemDeletion;
         AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
         UseRiskInsights = organization.UseRiskInsights;
+        UseAdminSponsoredFamilies = organization.UseAdminSponsoredFamilies;
     }
 
     public Guid Id { get; set; }
@@ -45,4 +46,5 @@ public class OrganizationAbility
     public bool LimitItemDeletion { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
     public bool UseRiskInsights { get; set; }
+    public bool UseAdminSponsoredFamilies { get; set; }
 }

src/Core/AdminConsole/Models/Data/Organizations/OrganizationUsers/OrganizationUserOrganizationDetails.cs

@@ -59,4 +59,5 @@ public class OrganizationUserOrganizationDetails
     public bool LimitItemDeletion { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
     public bool UseRiskInsights { get; set; }
+    public bool UseAdminSponsoredFamilies { get; set; }
 }

src/Core/AdminConsole/Models/Data/Permissions.cs

@@ -1,4 +1,5 @@
 using System.Text.Json.Serialization;
+using Bit.Core.Identity;
 
 namespace Bit.Core.Models.Data;
 
@@ -20,17 +21,17 @@ public class Permissions
     [JsonIgnore]
     public List<(bool Permission, string ClaimName)> ClaimsMap => new()
     {
-        (AccessEventLogs, "accesseventlogs"),
+        (AccessEventLogs, Claims.CustomPermissions.AccessEventLogs),
-        (AccessImportExport, "accessimportexport"),
+        (AccessImportExport, Claims.CustomPermissions.AccessImportExport),
-        (AccessReports, "accessreports"),
+        (AccessReports, Claims.CustomPermissions.AccessReports),
-        (CreateNewCollections, "createnewcollections"),
+        (CreateNewCollections, Claims.CustomPermissions.CreateNewCollections),
-        (EditAnyCollection, "editanycollection"),
+        (EditAnyCollection, Claims.CustomPermissions.EditAnyCollection),
-        (DeleteAnyCollection, "deleteanycollection"),
+        (DeleteAnyCollection, Claims.CustomPermissions.DeleteAnyCollection),
-        (ManageGroups, "managegroups"),
+        (ManageGroups, Claims.CustomPermissions.ManageGroups),
-        (ManagePolicies, "managepolicies"),
+        (ManagePolicies, Claims.CustomPermissions.ManagePolicies),
-        (ManageSso, "managesso"),
+        (ManageSso, Claims.CustomPermissions.ManageSso),
-        (ManageUsers, "manageusers"),
+        (ManageUsers, Claims.CustomPermissions.ManageUsers),
-        (ManageResetPassword, "manageresetpassword"),
+        (ManageResetPassword, Claims.CustomPermissions.ManageResetPassword),
-        (ManageScim, "managescim"),
+        (ManageScim, Claims.CustomPermissions.ManageScim),
     };
 }

src/Core/AdminConsole/Models/Data/Provider/ProviderUserOrganizationDetails.cs

@@ -45,5 +45,6 @@ public class ProviderUserOrganizationDetails
     public bool LimitItemDeletion { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
     public bool UseRiskInsights { get; set; }
+    public bool UseAdminSponsoredFamilies { get; set; }
     public ProviderType ProviderType { get; set; }
 }

src/Core/AdminConsole/Models/Data/Provider/ProviderUserProviderDetails.cs

@@ -17,4 +17,5 @@ public class ProviderUserProviderDetails
     public string Permissions { get; set; }
     public bool UseEvents { get; set; }
     public ProviderStatusType ProviderStatus { get; set; }
+    public ProviderType ProviderType { get; set; }
 }

src/Core/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommand.cs

@@ -154,6 +154,6 @@ public class VerifyOrganizationDomainCommand(
 
         var organization = await organizationRepository.GetByIdAsync(domain.OrganizationId);
 
-        await mailService.SendClaimedDomainUserEmailAsync(new ManagedUserDomainClaimedEmails(domainUserEmails, organization));
+        await mailService.SendClaimedDomainUserEmailAsync(new ClaimedUserDomainClaimedEmails(domainUserEmails, organization));
     }
 }

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedOrganizationUserAccountCommand.cs

@@ -15,11 +15,11 @@ using Bit.Core.Tools.Services;
 
 namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
 
-public class DeleteManagedOrganizationUserAccountCommand : IDeleteManagedOrganizationUserAccountCommand
+public class DeleteClaimedOrganizationUserAccountCommand : IDeleteClaimedOrganizationUserAccountCommand
 {
     private readonly IUserService _userService;
     private readonly IEventService _eventService;
-    private readonly IGetOrganizationUsersManagementStatusQuery _getOrganizationUsersManagementStatusQuery;
+    private readonly IGetOrganizationUsersClaimedStatusQuery _getOrganizationUsersClaimedStatusQuery;
     private readonly IOrganizationUserRepository _organizationUserRepository;
     private readonly IUserRepository _userRepository;
     private readonly ICurrentContext _currentContext;
@@ -28,10 +28,10 @@ public class DeleteManagedOrganizationUserAccountCommand : IDeleteManagedOrganiz
     private readonly IPushNotificationService _pushService;
     private readonly IOrganizationRepository _organizationRepository;
     private readonly IProviderUserRepository _providerUserRepository;
-    public DeleteManagedOrganizationUserAccountCommand(
+    public DeleteClaimedOrganizationUserAccountCommand(
         IUserService userService,
         IEventService eventService,
-        IGetOrganizationUsersManagementStatusQuery getOrganizationUsersManagementStatusQuery,
+        IGetOrganizationUsersClaimedStatusQuery getOrganizationUsersClaimedStatusQuery,
         IOrganizationUserRepository organizationUserRepository,
         IUserRepository userRepository,
         ICurrentContext currentContext,
@@ -43,7 +43,7 @@ public class DeleteManagedOrganizationUserAccountCommand : IDeleteManagedOrganiz
     {
         _userService = userService;
         _eventService = eventService;
-        _getOrganizationUsersManagementStatusQuery = getOrganizationUsersManagementStatusQuery;
+        _getOrganizationUsersClaimedStatusQuery = getOrganizationUsersClaimedStatusQuery;
         _organizationUserRepository = organizationUserRepository;
         _userRepository = userRepository;
         _currentContext = currentContext;
@@ -62,10 +62,10 @@ public class DeleteManagedOrganizationUserAccountCommand : IDeleteManagedOrganiz
             throw new NotFoundException("Member not found.");
         }
 
-        var managementStatus = await _getOrganizationUsersManagementStatusQuery.GetUsersOrganizationManagementStatusAsync(organizationId, new[] { organizationUserId });
+        var claimedStatus = await _getOrganizationUsersClaimedStatusQuery.GetUsersOrganizationClaimedStatusAsync(organizationId, new[] { organizationUserId });
         var hasOtherConfirmedOwners = await _hasConfirmedOwnersExceptQuery.HasConfirmedOwnersExceptAsync(organizationId, new[] { organizationUserId }, includeProvider: true);
 
-        await ValidateDeleteUserAsync(organizationId, organizationUser, deletingUserId, managementStatus, hasOtherConfirmedOwners);
+        await ValidateDeleteUserAsync(organizationId, organizationUser, deletingUserId, claimedStatus, hasOtherConfirmedOwners);
 
         var user = await _userRepository.GetByIdAsync(organizationUser.UserId!.Value);
         if (user == null)
@@ -83,7 +83,7 @@ public class DeleteManagedOrganizationUserAccountCommand : IDeleteManagedOrganiz
         var userIds = orgUsers.Where(ou => ou.UserId.HasValue).Select(ou => ou.UserId!.Value).ToList();
         var users = await _userRepository.GetManyAsync(userIds);
 
-        var managementStatus = await _getOrganizationUsersManagementStatusQuery.GetUsersOrganizationManagementStatusAsync(organizationId, orgUserIds);
+        var claimedStatus = await _getOrganizationUsersClaimedStatusQuery.GetUsersOrganizationClaimedStatusAsync(organizationId, orgUserIds);
         var hasOtherConfirmedOwners = await _hasConfirmedOwnersExceptQuery.HasConfirmedOwnersExceptAsync(organizationId, orgUserIds, includeProvider: true);
 
         var results = new List<(Guid OrganizationUserId, string? ErrorMessage)>();
@@ -97,7 +97,7 @@ public class DeleteManagedOrganizationUserAccountCommand : IDeleteManagedOrganiz
                     throw new NotFoundException("Member not found.");
                 }
 
-                await ValidateDeleteUserAsync(organizationId, orgUser, deletingUserId, managementStatus, hasOtherConfirmedOwners);
+                await ValidateDeleteUserAsync(organizationId, orgUser, deletingUserId, claimedStatus, hasOtherConfirmedOwners);
 
                 var user = users.FirstOrDefault(u => u.Id == orgUser.UserId);
                 if (user == null)
@@ -129,7 +129,7 @@ public class DeleteManagedOrganizationUserAccountCommand : IDeleteManagedOrganiz
         return results;
     }
 
-    private async Task ValidateDeleteUserAsync(Guid organizationId, OrganizationUser orgUser, Guid? deletingUserId, IDictionary<Guid, bool> managementStatus, bool hasOtherConfirmedOwners)
+    private async Task ValidateDeleteUserAsync(Guid organizationId, OrganizationUser orgUser, Guid? deletingUserId, IDictionary<Guid, bool> claimedStatus, bool hasOtherConfirmedOwners)
     {
         if (!orgUser.UserId.HasValue || orgUser.Status == OrganizationUserStatusType.Invited)
         {
@@ -159,10 +159,9 @@ public class DeleteManagedOrganizationUserAccountCommand : IDeleteManagedOrganiz
             throw new BadRequestException("Custom users can not delete admins.");
         }
 
-
+        if (!claimedStatus.TryGetValue(orgUser.Id, out var isClaimed) || !isClaimed)
-        if (!managementStatus.TryGetValue(orgUser.Id, out var isManaged) || !isManaged)
         {
-            throw new BadRequestException("Member is not managed by the organization.");
+            throw new BadRequestException("Member is not claimed by the organization.");
         }
     }
 

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/GetOrganizationUsersClaimedStatusQuery.cs

@@ -4,12 +4,12 @@ using Bit.Core.Services;
 
 namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
 
-public class GetOrganizationUsersManagementStatusQuery : IGetOrganizationUsersManagementStatusQuery
+public class GetOrganizationUsersClaimedStatusQuery : IGetOrganizationUsersClaimedStatusQuery
 {
     private readonly IApplicationCacheService _applicationCacheService;
     private readonly IOrganizationUserRepository _organizationUserRepository;
 
-    public GetOrganizationUsersManagementStatusQuery(
+    public GetOrganizationUsersClaimedStatusQuery(
         IApplicationCacheService applicationCacheService,
         IOrganizationUserRepository organizationUserRepository)
     {
@@ -17,11 +17,11 @@ public class GetOrganizationUsersManagementStatusQuery : IGetOrganizationUsersMa
         _organizationUserRepository = organizationUserRepository;
     }
 
-    public async Task<IDictionary<Guid, bool>> GetUsersOrganizationManagementStatusAsync(Guid organizationId, IEnumerable<Guid> organizationUserIds)
+    public async Task<IDictionary<Guid, bool>> GetUsersOrganizationClaimedStatusAsync(Guid organizationId, IEnumerable<Guid> organizationUserIds)
     {
         if (organizationUserIds.Any())
         {
-            // Users can only be managed by an Organization that is enabled and can have organization domains
+            // Users can only be claimed by an Organization that is enabled and can have organization domains
             var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(organizationId);
 
             // TODO: Replace "UseSso" with a new organization ability like "UseOrganizationDomains" (PM-11622).
@@ -31,7 +31,7 @@ public class GetOrganizationUsersManagementStatusQuery : IGetOrganizationUsersMa
                 // Get all organization users with claimed domains by the organization
                 var organizationUsersWithClaimedDomain = await _organizationUserRepository.GetManyByOrganizationWithClaimedDomainsAsync(organizationId);
 
-                // Create a dictionary with the OrganizationUserId and a boolean indicating if the user is managed by the organization
+                // Create a dictionary with the OrganizationUserId and a boolean indicating if the user is claimed by the organization
                 return organizationUserIds.ToDictionary(ouId => ouId, ouId => organizationUsersWithClaimedDomain.Any(ou => ou.Id == ouId));
             }
         }

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IDeleteClaimedOrganizationUserAccountCommand.cs

@@ -2,7 +2,7 @@
 
 namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 
-public interface IDeleteManagedOrganizationUserAccountCommand
+public interface IDeleteClaimedOrganizationUserAccountCommand
 {
     /// <summary>
     /// Removes a user from an organization and deletes all of their associated user data.

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IGetOrganizationUsersClaimedStatusQuery.cs

@@ -1,19 +1,19 @@
 namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 
-public interface IGetOrganizationUsersManagementStatusQuery
+public interface IGetOrganizationUsersClaimedStatusQuery
 {
     /// <summary>
-    /// Checks whether each user in the provided list of organization user IDs is managed by the specified organization.
+    /// Checks whether each user in the provided list of organization user IDs is claimed by the specified organization.
     /// </summary>
     /// <param name="organizationId">The unique identifier of the organization to check against.</param>
     /// <param name="organizationUserIds">A list of OrganizationUserIds to be checked.</param>
     /// <remarks>
-    /// A managed user is a user whose email domain matches one of the Organization's verified domains.
+    /// A claimed user is a user whose email domain matches one of the Organization's verified domains.
     /// The organization must be enabled and be on an Enterprise plan.
     /// </remarks>
     /// <returns>
-    /// A dictionary containing the OrganizationUserId and a boolean indicating if the user is managed by the organization.
+    /// A dictionary containing the OrganizationUserId and a boolean indicating if the user is claimed by the organization.
     /// </returns>
-    Task<IDictionary<Guid, bool>> GetUsersOrganizationManagementStatusAsync(Guid organizationId,
+    Task<IDictionary<Guid, bool>> GetUsersOrganizationClaimedStatusAsync(Guid organizationId,
         IEnumerable<Guid> organizationUserIds);
 }

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/ErrorMapper.cs

@@ -0,0 +1,37 @@
+using Bit.Core.AdminConsole.Errors;
+using Bit.Core.Exceptions;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Errors;
+
+public static class ErrorMapper
+{
+
+    /// <summary>
+    /// Maps the ErrorT to a Bit.Exception class.
+    /// </summary>
+    /// <param name="error"></param>
+    /// <typeparam name="T"></typeparam>
+    /// <returns></returns>
+    public static Exception MapToBitException<T>(Error<T> error) =>
+        error switch
+        {
+            UserAlreadyExistsError alreadyExistsError => new ConflictException(alreadyExistsError.Message),
+            _ => new BadRequestException(error.Message)
+        };
+
+    /// <summary>
+    /// This maps the ErrorT object to the Bit.Exception class.
+    ///
+    /// This should be replaced by an IActionResult mapper when possible.
+    /// </summary>
+    /// <param name="errors"></param>
+    /// <typeparam name="T"></typeparam>
+    /// <returns></returns>
+    public static Exception MapToBitException<T>(ICollection<Error<T>> errors) =>
+        errors switch
+        {
+            not null when errors.Count == 1 => MapToBitException(errors.First()),
+            not null when errors.Count > 1 => new BadRequestException(string.Join(' ', errors.Select(e => e.Message))),
+            _ => new BadRequestException()
+        };
+}

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/FailedToInviteUsersError.cs

@@ -0,0 +1,9 @@
+using Bit.Core.AdminConsole.Errors;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Errors;
+
+public record FailedToInviteUsersError(InviteOrganizationUsersResponse Response) : Error<InviteOrganizationUsersResponse>(Code, Response)
+{
+    public const string Code = "Failed to invite users";
+}

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/NoUsersToInviteError.cs

@@ -0,0 +1,9 @@
+using Bit.Core.AdminConsole.Errors;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Errors;
+
+public record NoUsersToInviteError(InviteOrganizationUsersResponse Response) : Error<InviteOrganizationUsersResponse>(Code, Response)
+{
+    public const string Code = "No users to invite";
+}

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Errors/UserAlreadyExistsError.cs

@@ -0,0 +1,9 @@
+using Bit.Core.AdminConsole.Errors;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Errors;
+
+public record UserAlreadyExistsError(ScimInviteOrganizationUsersResponse Response) : Error<ScimInviteOrganizationUsersResponse>(Code, Response)
+{
+    public const string Code = "User already exists";
+}

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/IInviteOrganizationUsersCommand.cs

@@ -0,0 +1,22 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+using Bit.Core.Models.Commands;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+
+/// <summary>
+/// Defines the contract for inviting organization users via SCIM (System for Cross-domain Identity Management).
+/// Provides functionality for handling single email invitation requests within an organization context.
+/// </summary>
+public interface IInviteOrganizationUsersCommand
+{
+    /// <summary>
+    /// Sends an invitation to add an organization user via SCIM (System for Cross-domain Identity Management) system.
+    /// This can be a Success or a Failure. Failure will contain the Error along with a representation of the errored value.
+    /// Success will be the successful return object.
+    /// </summary>
+    /// <param name="request">
+    /// Contains the details for inviting a single organization user via email.
+    /// </param>
+    /// <returns>Response from InviteScimOrganiation<see cref="ScimInviteOrganizationUsersResponse"/></returns>
+    Task<CommandResult<ScimInviteOrganizationUsersResponse>> InviteScimOrganizationUserAsync(InviteOrganizationUsersRequest request);
+}

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/ISendOrganizationInvitesCommand.cs

@@ -0,0 +1,16 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+
+/// <summary>
+/// This is for sending the invite to an organization user.
+/// </summary>
+public interface ISendOrganizationInvitesCommand
+{
+    /// <summary>
+    /// This sends emails out to organization users for a given organization.
+    /// </summary>
+    /// <param name="request"><see cref="SendInvitesRequest"/></param>
+    /// <returns></returns>
+    Task SendInvitesAsync(SendInvitesRequest request);
+}

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/InviteOrganizationUsersCommand.cs

@@ -0,0 +1,282 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Enums.Provider;
+using Bit.Core.AdminConsole.Errors;
+using Bit.Core.AdminConsole.Interfaces;
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Errors;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.AdminConsole.Shared.Validation;
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Models.Business;
+using Bit.Core.Models.Commands;
+using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Tools.Enums;
+using Bit.Core.Tools.Models.Business;
+using Bit.Core.Tools.Services;
+using Microsoft.Extensions.Logging;
+using OrganizationUserInvite = Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models.OrganizationUserInvite;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+
+public class InviteOrganizationUsersCommand(IEventService eventService,
+    IOrganizationUserRepository organizationUserRepository,
+    IInviteUsersValidator inviteUsersValidator,
+    IPaymentService paymentService,
+    IOrganizationRepository organizationRepository,
+    IReferenceEventService referenceEventService,
+    ICurrentContext currentContext,
+    IApplicationCacheService applicationCacheService,
+    IMailService mailService,
+    ILogger<InviteOrganizationUsersCommand> logger,
+    IUpdateSecretsManagerSubscriptionCommand updateSecretsManagerSubscriptionCommand,
+    ISendOrganizationInvitesCommand sendOrganizationInvitesCommand,
+    IProviderOrganizationRepository providerOrganizationRepository,
+    IProviderUserRepository providerUserRepository
+    ) : IInviteOrganizationUsersCommand
+{
+
+    public const string IssueNotifyingOwnersOfSeatLimitReached = "Error encountered notifying organization owners of seat limit reached.";
+
+    public async Task<CommandResult<ScimInviteOrganizationUsersResponse>> InviteScimOrganizationUserAsync(InviteOrganizationUsersRequest request)
+    {
+        var result = await InviteOrganizationUsersAsync(request);
+
+        switch (result)
+        {
+            case Failure<InviteOrganizationUsersResponse> failure:
+                return new Failure<ScimInviteOrganizationUsersResponse>(
+                    failure.Errors.Select(error => new Error<ScimInviteOrganizationUsersResponse>(error.Message,
+                        new ScimInviteOrganizationUsersResponse
+                        {
+                            InvitedUser = error.ErroredValue.InvitedUsers.FirstOrDefault()
+                        })));
+
+            case Success<InviteOrganizationUsersResponse> success when success.Value.InvitedUsers.Any():
+                var user = success.Value.InvitedUsers.First();
+
+                await eventService.LogOrganizationUserEventAsync<IOrganizationUser>(
+                    organizationUser: user,
+                    type: EventType.OrganizationUser_Invited,
+                    systemUser: EventSystemUser.SCIM,
+                    date: request.PerformedAt.UtcDateTime);
+
+                return new Success<ScimInviteOrganizationUsersResponse>(new ScimInviteOrganizationUsersResponse
+                {
+                    InvitedUser = user
+                });
+
+            default:
+                return new Failure<ScimInviteOrganizationUsersResponse>(
+                    new InvalidResultTypeError<ScimInviteOrganizationUsersResponse>(
+                        new ScimInviteOrganizationUsersResponse()));
+        }
+    }
+
+    private async Task<CommandResult<InviteOrganizationUsersResponse>> InviteOrganizationUsersAsync(InviteOrganizationUsersRequest request)
+    {
+        var invitesToSend = (await FilterExistingUsersAsync(request)).ToArray();
+
+        if (invitesToSend.Length == 0)
+        {
+            return new Failure<InviteOrganizationUsersResponse>(new NoUsersToInviteError(
+                new InviteOrganizationUsersResponse(request.InviteOrganization.OrganizationId)));
+        }
+
+        var validationResult = await inviteUsersValidator.ValidateAsync(new InviteOrganizationUsersValidationRequest
+        {
+            Invites = invitesToSend.ToArray(),
+            InviteOrganization = request.InviteOrganization,
+            PerformedBy = request.PerformedBy,
+            PerformedAt = request.PerformedAt,
+            OccupiedPmSeats = await organizationUserRepository.GetOccupiedSeatCountByOrganizationIdAsync(request.InviteOrganization.OrganizationId),
+            OccupiedSmSeats = await organizationUserRepository.GetOccupiedSmSeatCountByOrganizationIdAsync(request.InviteOrganization.OrganizationId)
+        });
+
+        if (validationResult is Invalid<InviteOrganizationUsersValidationRequest> invalid)
+        {
+            return invalid.MapToFailure(r => new InviteOrganizationUsersResponse(r));
+        }
+
+        var validatedRequest = validationResult as Valid<InviteOrganizationUsersValidationRequest>;
+
+        var organizationUserToInviteEntities = invitesToSend
+            .Select(x => x.MapToDataModel(request.PerformedAt, validatedRequest!.Value.InviteOrganization))
+            .ToArray();
+
+        var organization = await organizationRepository.GetByIdAsync(validatedRequest!.Value.InviteOrganization.OrganizationId);
+
+        try
+        {
+            await organizationUserRepository.CreateManyAsync(organizationUserToInviteEntities);
+
+            await AdjustPasswordManagerSeatsAsync(validatedRequest, organization);
+
+            await AdjustSecretsManagerSeatsAsync(validatedRequest);
+
+            await SendAdditionalEmailsAsync(validatedRequest, organization);
+
+            await SendInvitesAsync(organizationUserToInviteEntities, organization);
+
+            await PublishReferenceEventAsync(validatedRequest, organization);
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, FailedToInviteUsersError.Code);
+
+            await organizationUserRepository.DeleteManyAsync(organizationUserToInviteEntities.Select(x => x.OrganizationUser.Id));
+
+            // Do this first so that SmSeats never exceed PM seats (due to current billing requirements)
+            await RevertSecretsManagerChangesAsync(validatedRequest, organization, validatedRequest.Value.InviteOrganization.SmSeats);
+
+            await RevertPasswordManagerChangesAsync(validatedRequest, organization);
+
+            return new Failure<InviteOrganizationUsersResponse>(
+                new FailedToInviteUsersError(
+                    new InviteOrganizationUsersResponse(validatedRequest.Value)));
+        }
+
+        return new Success<InviteOrganizationUsersResponse>(
+            new InviteOrganizationUsersResponse(
+                invitedOrganizationUsers: organizationUserToInviteEntities.Select(x => x.OrganizationUser).ToArray(),
+                organizationId: organization!.Id));
+    }
+
+    private async Task<IEnumerable<OrganizationUserInvite>> FilterExistingUsersAsync(InviteOrganizationUsersRequest request)
+    {
+        var existingEmails = new HashSet<string>(await organizationUserRepository.SelectKnownEmailsAsync(
+                request.InviteOrganization.OrganizationId, request.Invites.Select(i => i.Email), false),
+            StringComparer.OrdinalIgnoreCase);
+
+        return request.Invites
+            .Where(invite => !existingEmails.Contains(invite.Email))
+            .ToArray();
+    }
+
+    private async Task RevertPasswordManagerChangesAsync(Valid<InviteOrganizationUsersValidationRequest> validatedResult, Organization organization)
+    {
+        if (validatedResult.Value.PasswordManagerSubscriptionUpdate.SeatsRequiredToAdd > 0)
+        {
+            // When reverting seats, we have to tell payments service that the seats are going back down by what we attempted to add.
+            // However, this might lead to a problem if we don't actually update stripe but throw any ways.
+            // stripe could not be updated, and then we would decrement the number of seats in stripe accidentally.
+            var seatsToRemove = validatedResult.Value.PasswordManagerSubscriptionUpdate.SeatsRequiredToAdd;
+            await paymentService.AdjustSeatsAsync(organization, validatedResult.Value.InviteOrganization.Plan, -seatsToRemove);
+
+            organization.Seats = (short?)validatedResult.Value.PasswordManagerSubscriptionUpdate.Seats;
+
+            await organizationRepository.ReplaceAsync(organization);
+            await applicationCacheService.UpsertOrganizationAbilityAsync(organization);
+        }
+    }
+
+    private async Task RevertSecretsManagerChangesAsync(Valid<InviteOrganizationUsersValidationRequest> validatedResult, Organization organization, int? initialSmSeats)
+    {
+        if (validatedResult.Value.SecretsManagerSubscriptionUpdate?.SmSeatsChanged is true)
+        {
+            var smSubscriptionUpdateRevert = new SecretsManagerSubscriptionUpdate(
+                organization: organization,
+                plan: validatedResult.Value.InviteOrganization.Plan,
+                autoscaling: false)
+            {
+                SmSeats = initialSmSeats
+            };
+
+            await updateSecretsManagerSubscriptionCommand.UpdateSubscriptionAsync(smSubscriptionUpdateRevert);
+        }
+    }
+
+    private async Task PublishReferenceEventAsync(Valid<InviteOrganizationUsersValidationRequest> validatedResult,
+        Organization organization) =>
+        await referenceEventService.RaiseEventAsync(
+            new ReferenceEvent(ReferenceEventType.InvitedUsers, organization, currentContext)
+            {
+                Users = validatedResult.Value.Invites.Length
+            });
+
+    private async Task SendInvitesAsync(IEnumerable<CreateOrganizationUser> users, Organization organization) =>
+        await sendOrganizationInvitesCommand.SendInvitesAsync(
+            new SendInvitesRequest(
+                users.Select(x => x.OrganizationUser),
+                organization));
+
+    private async Task SendAdditionalEmailsAsync(Valid<InviteOrganizationUsersValidationRequest> validatedResult, Organization organization)
+    {
+        await SendPasswordManagerMaxSeatLimitEmailsAsync(validatedResult, organization);
+    }
+
+    private async Task SendPasswordManagerMaxSeatLimitEmailsAsync(Valid<InviteOrganizationUsersValidationRequest> validatedResult, Organization organization)
+    {
+        if (!validatedResult.Value.PasswordManagerSubscriptionUpdate.MaxSeatsReached)
+        {
+            return;
+        }
+
+        try
+        {
+            var ownerEmails = await GetOwnerEmailAddressesAsync(validatedResult.Value.InviteOrganization);
+
+            await mailService.SendOrganizationMaxSeatLimitReachedEmailAsync(organization,
+                validatedResult.Value.PasswordManagerSubscriptionUpdate.MaxAutoScaleSeats!.Value, ownerEmails);
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, IssueNotifyingOwnersOfSeatLimitReached);
+        }
+    }
+
+    private async Task<IEnumerable<string>> GetOwnerEmailAddressesAsync(InviteOrganization organization)
+    {
+        var providerOrganization = await providerOrganizationRepository
+            .GetByOrganizationId(organization.OrganizationId);
+
+        if (providerOrganization == null)
+        {
+            return (await organizationUserRepository
+                    .GetManyByMinimumRoleAsync(organization.OrganizationId, OrganizationUserType.Owner))
+                .Select(x => x.Email)
+                .Distinct();
+        }
+
+        return (await providerUserRepository
+                .GetManyDetailsByProviderAsync(providerOrganization.ProviderId, ProviderUserStatusType.Confirmed))
+            .Select(u => u.Email).Distinct();
+    }
+
+    private async Task AdjustSecretsManagerSeatsAsync(Valid<InviteOrganizationUsersValidationRequest> validatedResult)
+    {
+        if (validatedResult.Value.SecretsManagerSubscriptionUpdate?.SmSeatsChanged is true)
+        {
+            await updateSecretsManagerSubscriptionCommand.UpdateSubscriptionAsync(validatedResult.Value.SecretsManagerSubscriptionUpdate);
+        }
+
+    }
+
+    private async Task AdjustPasswordManagerSeatsAsync(Valid<InviteOrganizationUsersValidationRequest> validatedResult, Organization organization)
+    {
+        if (validatedResult.Value.PasswordManagerSubscriptionUpdate.SeatsRequiredToAdd <= 0)
+        {
+            return;
+        }
+
+        await paymentService.AdjustSeatsAsync(organization, validatedResult.Value.InviteOrganization.Plan, validatedResult.Value.PasswordManagerSubscriptionUpdate.SeatsRequiredToAdd);
+
+        organization.Seats = (short?)validatedResult.Value.PasswordManagerSubscriptionUpdate.UpdatedSeatTotal;
+
+        await organizationRepository.ReplaceAsync(organization); // could optimize this with only a property update
+        await applicationCacheService.UpsertOrganizationAbilityAsync(organization);
+
+        await referenceEventService.RaiseEventAsync(
+            new ReferenceEvent(ReferenceEventType.AdjustSeats, organization, currentContext)
+            {
+                PlanName = validatedResult.Value.InviteOrganization.Plan.Name,
+                PlanType = validatedResult.Value.InviteOrganization.Plan.Type,
+                Seats = validatedResult.Value.PasswordManagerSubscriptionUpdate.UpdatedSeatTotal,
+                PreviousSeats = validatedResult.Value.PasswordManagerSubscriptionUpdate.Seats
+            });
+    }
+}

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/CreateOrganizationUser.cs

@@ -0,0 +1,15 @@
+using Bit.Core.Entities;
+using Bit.Core.Models.Data;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+/// <summary>
+/// Object for associating the <see cref="OrganizationUser"/> with their assigned collections
+/// <see cref="CollectionAccessSelection"/> and Group Ids.
+/// </summary>
+public class CreateOrganizationUser
+{
+    public OrganizationUser OrganizationUser { get; set; }
+    public CollectionAccessSelection[] Collections { get; set; } = [];
+    public Guid[] Groups { get; set; } = [];
+}

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/CreateOrganizationUserExtensions.cs

@@ -0,0 +1,30 @@
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Utilities;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+public static class CreateOrganizationUserExtensions
+{
+    public static CreateOrganizationUser MapToDataModel(this OrganizationUserInvite organizationUserInvite,
+        DateTimeOffset performedAt,
+        InviteOrganization organization) =>
+        new()
+        {
+            OrganizationUser = new OrganizationUser
+            {
+                Id = CoreHelpers.GenerateComb(),
+                OrganizationId = organization.OrganizationId,
+                Email = organizationUserInvite.Email.ToLowerInvariant(),
+                Type = organizationUserInvite.Type,
+                Status = OrganizationUserStatusType.Invited,
+                AccessSecretsManager = organizationUserInvite.AccessSecretsManager,
+                ExternalId = string.IsNullOrWhiteSpace(organizationUserInvite.ExternalId) ? null : organizationUserInvite.ExternalId,
+                CreationDate = performedAt.UtcDateTime,
+                RevisionDate = performedAt.UtcDateTime
+            },
+            Collections = organizationUserInvite.AssignedCollections,
+            Groups = organizationUserInvite.Groups
+        };
+}

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUserErrorMessages.cs

@@ -0,0 +1,7 @@
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+public static class InviteOrganizationUserErrorMessages
+{
+    public const string InvalidEmailErrorMessage = "The email address is not valid.";
+    public const string InvalidCollectionConfigurationErrorMessage = "The Manage property is mutually exclusive and cannot be true while the ReadOnly or HidePasswords properties are also true.";
+}

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUsersRequest.cs

@@ -0,0 +1,22 @@
+using Bit.Core.AdminConsole.Models.Business;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+public class InviteOrganizationUsersRequest
+{
+    public OrganizationUserInvite[] Invites { get; } = [];
+    public InviteOrganization InviteOrganization { get; }
+    public Guid PerformedBy { get; }
+    public DateTimeOffset PerformedAt { get; }
+
+    public InviteOrganizationUsersRequest(OrganizationUserInvite[] invites,
+        InviteOrganization inviteOrganization,
+        Guid performedBy,
+        DateTimeOffset performedAt)
+    {
+        Invites = invites;
+        InviteOrganization = inviteOrganization;
+        PerformedBy = performedBy;
+        PerformedAt = performedAt;
+    }
+}

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUsersResponse.cs

@@ -0,0 +1,42 @@
+using Bit.Core.Entities;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+public class InviteOrganizationUsersResponse(Guid organizationId)
+{
+    public IEnumerable<OrganizationUser> InvitedUsers { get; } = [];
+    public Guid OrganizationId { get; } = organizationId;
+
+    public InviteOrganizationUsersResponse(InviteOrganizationUsersValidationRequest usersValidationRequest)
+        : this(usersValidationRequest.InviteOrganization.OrganizationId)
+    {
+        InvitedUsers = usersValidationRequest.Invites.Select(x => new OrganizationUser { Email = x.Email });
+    }
+
+    public InviteOrganizationUsersResponse(IEnumerable<OrganizationUser> invitedOrganizationUsers, Guid organizationId)
+        : this(organizationId)
+    {
+        InvitedUsers = invitedOrganizationUsers;
+    }
+}
+
+public class ScimInviteOrganizationUsersResponse
+{
+    public OrganizationUser InvitedUser { get; init; }
+
+    public ScimInviteOrganizationUsersResponse()
+    {
+
+    }
+
+    public ScimInviteOrganizationUsersResponse(InviteOrganizationUsersRequest request)
+    {
+        var userToInvite = request.Invites.First();
+
+        InvitedUser = new OrganizationUser
+        {
+            Email = userToInvite.Email,
+            ExternalId = userToInvite.ExternalId
+        };
+    }
+}

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/Models/InviteOrganizationUsersValidationRequest.cs

@@ -0,0 +1,40 @@
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.PasswordManager;
+using Bit.Core.Models.Business;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+
+public class InviteOrganizationUsersValidationRequest
+{
+    public InviteOrganizationUsersValidationRequest()
+    {
+    }
+
+    public InviteOrganizationUsersValidationRequest(InviteOrganizationUsersValidationRequest request)
+    {
+        Invites = request.Invites;
+        InviteOrganization = request.InviteOrganization;
+        PerformedBy = request.PerformedBy;
+        PerformedAt = request.PerformedAt;
+        OccupiedPmSeats = request.OccupiedPmSeats;
+        OccupiedSmSeats = request.OccupiedSmSeats;
+    }
+
+    public InviteOrganizationUsersValidationRequest(InviteOrganizationUsersValidationRequest request,
+        PasswordManagerSubscriptionUpdate subscriptionUpdate,
+        SecretsManagerSubscriptionUpdate smSubscriptionUpdate)
+        : this(request)
+    {
+        PasswordManagerSubscriptionUpdate = subscriptionUpdate;
+        SecretsManagerSubscriptionUpdate = smSubscriptionUpdate;
+    }
+
+    public OrganizationUserInvite[] Invites { get; init; } = [];
+    public InviteOrganization InviteOrganization { get; init; }
+    public Guid PerformedBy { get; init; }
+    public DateTimeOffset PerformedAt { get; init; }
+    public int OccupiedPmSeats { get; init; }
+    public int OccupiedSmSeats { get; init; }
+    public PasswordManagerSubscriptionUpdate PasswordManagerSubscriptionUpdate { get; set; }
+    public SecretsManagerSubscriptionUpdate SecretsManagerSubscriptionUpdate { get; set; }
+}